
ISE 2.1 define a list of preferred DC

Good day, Colleagues

We would like to add a new AD in External Identity Source, but this AD is not resolved by DNS.

Cisco Documentation says:

<snip>

Cisco ISE also provides the ability to define a list of preferred DCs per domain. This list of DCs will be prioritized for selection before DNS SRV queries. But this list of preferred DCs is not an exclusive list. If the preferred DCs are unavailable, other DCs are selected. You can create a list of preferred DCs in the following cases:

  • The SRV records are bad, missing or not configured. 
  • The site association is wrong or missing or the site cannot be used. 
  • The DNS configuration is wrong or cannot be edited. 

Advanced Tuning

  The advanced tuning feature provides node-specific changes and settings to adjust the parameters deeper in the system. This page allows configuration of preferred DCs, GCs, DC failover parameters, and timeouts.

</snip>

But there is no information on how to create this list. Is it possible?

1 Accepted Solution

7 Replies

Charlie Moreton
Cisco Employee

The Admin Guide is clear that this should only be used during a support case:

Advanced Tuning.PNG

Cisco ISE 2.1 Admin Guide on AD Advanced Tuning

If you poke around long enough, you'll find it at:

Advanced Tuning2.PNG

With these configurable parameters:

Advanced Tuning3.PNG

Having said that, I highly encourage you to work through TAC to set the parameters correctly.

Thanks a lot.

As I said in the topic, we know where this may be done but don't know how to do it.

What parameters and values can be used for this list?

TAC is already puzzled, but without success yet.

Please provide the TAC case number, if possible.

Here is SR 682828830


It seems our customer has two different DCs without trust relationships.

Defining the preferred DC list using the registry keys is not going to help with this.

If the ISE deployment is using multiple domains without trust, the DNS servers configured in ISE need to be able to resolve all the AD domain records and use multiple join.

In our training labs, I used stub zones

Screen Shot 2017-08-14 at 9.02.28 AM.png

It's also possible to use conditional forwarding, etc.
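One way to set up the conditional forwarding mentioned above and confirm that the AD SRV records resolve before attempting the ISE join. This is an added example, not part of the original reply or Cisco's documentation. It assumes the DNS server ISE points at is a Windows DNS server, and every domain name and IP address in it is a constructed placeholder.

```powershell
# Added example: run on the Windows DNS server that the ISE nodes use as resolver.
# All names and addresses below are constructed placeholders.
$UntrustedDomains = @(
    @{ Name = 'corp-b.example'; DnsServers = @('192.0.2.10', '192.0.2.11') }
)
$IseDnsServer = '198.51.100.5'   # resolver configured on the ISE nodes (placeholder)

foreach ($d in $UntrustedDomains) {
    # Create the conditional forwarder only if no zone of that name exists yet.
    if (-not (Get-DnsServerZone -Name $d.Name -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $d.Name -MasterServers $d.DnsServers
        # Stub-zone alternative (file-backed):
        # Add-DnsServerStubZone -Name $d.Name -MasterServers $d.DnsServers -ZoneFile "$($d.Name).dns"
    }

    # Standard AD DC locator SRV records that a domain join depends on.
    $records = @(
        "_ldap._tcp.dc._msdcs.$($d.Name)",
        "_kerberos._tcp.$($d.Name)",
        "_ldap._tcp.gc._msdcs.$($d.Name)"   # assumes this domain is also the forest root
    )

    foreach ($r in $records) {
        # Query the same resolver ISE uses; keep only SRV answers, not glue A records.
        $answer = Resolve-DnsName -Name $r -Type SRV -Server $IseDnsServer -DnsOnly `
                      -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'SRV' }

        if ($answer) {
            $answer | ForEach-Object { "OK   {0} -> {1}:{2}" -f $r, $_.NameTarget, $_.Port }
        } else {
            "FAIL $r not resolvable via $IseDnsServer"
        }
    }
}
```

Any `FAIL` line means the resolver ISE uses still cannot locate a DC for that domain, so the join to that domain would fail for the same reason.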

Thanks for your reply. I suspected this. It remains only to understand why the preferred DC list is needed and why the Cisco doc indicates the following:

You can create a list of preferred DCs in the following cases:

  • The SRV records are bad, missing or not configured.
  • The DNS configuration is wrong or cannot be edited.

This only confuses us.

hslai
Cisco Employee

Adding to Charles.

The proper way to define the preferred DCs is to use Microsoft AD Sites and Services.