10-24-2018 11:48 AM
We are standing up our ISE 2.3 env and the node has been configured and joined to AD.
The problem we are running into is that some of our UPN suffixes are not returning a successful query when we run the test user lookup command.
We have 8 alternate suffixes defined in our domain and the lookup query is working with all but 2 of them, so I do not feel it is AD related, because it returning successfully for 6 of the 8 suffixes tells me that ISE can query the global catalog and find a match.
I feel it is DNS related and it not having all suffixes indicated as valid or "mapped" correctly there. We use Infoblox DNS that I do not manage so I am trying to get ahold of the admin to have them also look there but also trying to see if there are similar experiences someone can share and what may have resolved it for them.
Thank you.
10-24-2018 12:13 PM
If possible, please open a TAC case to investigate, as your deployment involves several alternative UPN suffixes.
If you would like to check yourself first, then please turn the debugging level to TRACE for the component Active Directory and check ad_agent.log while the issue is recreated.
10-24-2018 12:30 PM
If you think it could be related to DNS, have you verified that all SRV records for all 8 domains are resolvable by the ISE nodes? Compare the 6 that are working to the 2 that are not working.
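The SRV comparison suggested in the reply above can be scripted as follows. This is an added example, not part of the original thread or any Cisco tooling; it assumes each UPN suffix is treated as a DNS domain name, that `dig` is available on the workstation, and it uses constructed sample answers (`corp.example`, `alt.example`) so it runs offline.

```python
import subprocess

# SRV names an AD client queries to locate domain controllers for a domain.
SRV_PREFIXES = ("_ldap._tcp.dc._msdcs", "_kerberos._tcp", "_ldap._tcp")

def dig_srv(name, server=None):
    """Return raw `dig +short SRV` output lines (assumes dig is installed)."""
    cmd = ["dig", "+short", "+time=2", "+tries=1", "SRV", name]
    if server:
        cmd.insert(1, "@" + server)  # query the resolver the ISE node uses
    done = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    return done.stdout.splitlines()

def parse_srv(lines):
    """Parse 'priority weight port target' lines; ignore anything else."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and all(p.isdigit() for p in parts[:3]):
            prio, weight, port = map(int, parts[:3])
            records.append((prio, weight, port, parts[3].rstrip(".").lower()))
    return sorted(records)

def compare_suffixes(suffixes, lookup=dig_srv):
    """Map each suffix to the SRV names that returned no usable record."""
    missing = {}
    for suffix in suffixes:
        gaps = [f"{p}.{suffix}" for p in SRV_PREFIXES
                if not parse_srv(lookup(f"{p}.{suffix}"))]
        if gaps:
            missing[suffix] = gaps
    return missing

# Constructed sample answers (not from the thread): one suffix resolves,
# the other has no SRV records at all.
SAMPLE = {
    "_ldap._tcp.dc._msdcs.corp.example": ["0 100 389 dc01.corp.example."],
    "_kerberos._tcp.corp.example": ["0 100 88 dc01.corp.example."],
    "_ldap._tcp.corp.example": ["0 100 389 dc01.corp.example."],
}

def sample_lookup(name):
    return SAMPLE.get(name, [])

if __name__ == "__main__":
    result = compare_suffixes(["corp.example", "alt.example"], sample_lookup)
    for suffix, gaps in result.items():
        print(suffix, "missing:", ", ".join(gaps))
```

To run it against live DNS, call `compare_suffixes` with the real suffix list and the default `lookup`, passing the ISE node's configured name server to `dig_srv` so the answers match what the node sees.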