ISE 2.3 cannot remove AD join

DaveInCbr
Level 1

Two ISE appliances running version 2.3.0.298 (no patches installed).

Added an AD join when the appliances were in a pre-prod lab. The appliances were moved to the prod network in a development state and have been functional for several months. The appliances were removed from the lab network before cleaning up the lab configuration. Now trying to remove the clutter of the lab config; however, the lab AD join cannot be removed due to a referential integrity error. I have searched every config pane and cannot see any reference to the join. Also, now the identity sources in source sequences cannot be changed: the > (add) and < (remove) buttons are grayed out. The source list in source sequences was modifiable last week while doing development configuration.

Could the lack of network access to the lab AD servers be preventing the join removal?

Are there any suggestions for investigation to re-enable the add/remove source list buttons?

Thanks in advance,

David

2 Replies

agrissimanis
Level 1

Looks like you are hitting something similar to CSCva73322; TAC might be able to help.

Also if you export the policies with Policy export tool you get a single xml file with all policies and conditions listed, which makes it easy to search for references.

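The search suggested above can be scripted so that it also follows indirect references (join -> identity source sequence -> policy rule), which is what a referential-integrity error is usually complaining about. The script below is an added example and is not from this thread or from Cisco's Policy export tool; the XML it parses is a constructed sample whose element and attribute names (`Sequence`, `Source`, `Rule`, `identitySource`, `Condition`) are assumptions, not the real ISE export schema. Point it at a real export and adjust the walk only if your export stores names somewhere other than text and attributes; the matching itself is schema-agnostic.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample export. It is NOT the real ISE policy export schema; it only
# mimics the shape of "policies, sequences and conditions in one XML document".
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<PolicyExport>
  <ExternalIdentitySources>
    <ActiveDirectory name="LAB_AD" domain="lab.local"/>
    <ActiveDirectory name="PROD_AD" domain="corp.example"/>
  </ExternalIdentitySources>
  <IdentitySourceSequences>
    <Sequence name="All_User_ID_Stores">
      <Source>Internal Users</Source>
      <Source>LAB_AD</Source>
      <Source>PROD_AD</Source>
    </Sequence>
    <Sequence name="Prod_Only">
      <Source>PROD_AD</Source>
    </Sequence>
  </IdentitySourceSequences>
  <AuthenticationPolicies>
    <Rule name="Wired_Dot1X" identitySource="All_User_ID_Stores"/>
    <Rule name="Lab_Test" identitySource="LAB_AD"/>
  </AuthenticationPolicies>
  <AuthorizationPolicies>
    <Rule name="Lab_Admins">
      <Condition>LAB_AD:ExternalGroups EQUALS lab.local/Users/Admins</Condition>
    </Rule>
  </AuthorizationPolicies>
</PolicyExport>
"""


def _mentions(text, name):
    """Whole-token match: LAB_AD is found in 'LAB_AD:ExternalGroups' but not in 'LAB_AD_OLD'."""
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(name) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, text or "") is not None


def _path(stack):
    """Readable location, e.g. /PolicyExport/.../Sequence[@name='Prod_Only']/Source."""
    parts = []
    for el in stack:
        label = el.tag
        if "name" in el.attrib:
            label += "[@name=%r]" % el.attrib["name"]
        parts.append(label)
    return "/" + "/".join(parts)


def _owner(stack):
    """Name of the nearest enclosing named object (rule, sequence, ...), or None."""
    for el in reversed(stack):
        if "name" in el.attrib:
            return el.attrib["name"]
    return None


def _references(root, name):
    """(path, where, value, owner) for every element text or attribute mentioning name.

    An element's own `name` attribute is skipped: that is the definition, not a reference.
    """
    hits = []

    def walk(el, ancestors):
        stack = ancestors + [el]
        if _mentions(el.text, name):
            hits.append((_path(stack), "text", el.text.strip(), _owner(stack)))
        for attr, value in el.attrib.items():
            if attr != "name" and _mentions(value, name):
                hits.append((_path(stack), "@" + attr, value, _owner(stack)))
        for child in el:
            walk(child, stack)

    walk(root, [])
    return hits


def find_references(xml_text, name):
    """Direct references to `name` in the export."""
    return _references(ET.fromstring(xml_text), name)


def find_dependents(xml_text, name):
    """Transitive closure: objects that reference `name`, objects that reference those, and so on.

    Each result is (target, path, where, value, owner), i.e. one edge such as
    LAB_AD <- Sequence All_User_ID_Stores, then All_User_ID_Stores <- Rule Wired_Dot1X.
    """
    root = ET.fromstring(xml_text)
    seen = {name}
    queue = [name]
    results = []
    while queue:
        target = queue.pop(0)
        for path, where, value, owner in _references(root, target):
            results.append((target, path, where, value, owner))
            if owner is not None and owner not in seen:
                seen.add(owner)
                queue.append(owner)
    return results


def report(xml_text, name):
    """One human-readable line per dependency edge."""
    return ["%s <- %s (%s=%r) via %s" % (target, path, where, value, owner)
            for target, path, where, value, owner in find_dependents(xml_text, name)]


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT, "LAB_AD"):
        print(line)
```

The token-boundary regex matters in practice: a plain substring search for a join named `LAB_AD` will also flag `LAB_AD_OLD` and similar, and a case-insensitive one will flag the `lab.local` domain. If a holder of the reference does not surface in the export at all (built-in objects whose membership the product manages itself are the obvious candidate), this search cannot see it, and only the server-side check, or TAC, can say what is holding the join.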
DaveInCbr
Level 1

The offending AD join does not appear in the policy export. I noticed the join listed in a session trace as being part of the inbuilt identity source sequence "All_User_ID_Stores". It appears that membership of this sequence is handled automatically as part of the join/leave processes and cannot be manually changed (I guess for referential integrity's sake). I tried creating a sequence that replicated all ID stores except the one I want to delete and replaced the inbuilt sequence with the new one, hoping that would remove dependence on the join I want to remove. No luck, unfortunately; the join still could not be deleted.

Perhaps I need to stand up a temp LAB AD, rejoin it, then leave it cleanly. Maybe then the join can be deleted.
Thanks for trying.
David