ISE 2.7 AD join - remove 2008 DC

rajitoor55 (Level 1)

We have AD-joined ISE servers and 3 Domain Controllers. One of them is an old 2008 DC which we are trying to get rid of.

As soon as I block the traffic on the intermediate firewall, all authentications start failing. All traffic is confirmed allowed to the new 2016 DCs. Why is ISE not moving to the new DCs, and what can I do to make it work with the new DCs?

Accepted Solution

@Greg Gibbs and @marce1000 Thanks for your suggestions. We don't have Default-First-Site, and all DCs show under their relative site names. I did, however, look into SRV records, and all our DCs for this site were set to the default priority and weight. I lowered the priority of the 2008 server and now I see LDAP and Kerberos going to our preferred DCs. I then blocked all traffic to our DCs and everything still works. yay..

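As an added illustration of the accepted fix (not code from the thread, from Cisco, or from Microsoft): the RFC 2782 ordering that DC-locator clients apply to the `_ldap._tcp.dc._msdcs.<domain>` and `_kerberos._tcp.<domain>` SRV answers, run over constructed records with hypothetical hostnames. Note that "lowering" a DC's priority in SRV terms means giving it a larger priority value, because clients try the lowest value first.

```python
"""RFC 2782 SRV ordering as used for AD domain-controller discovery
(e.g. _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>).
All records below are constructed with hypothetical hostnames."""
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed: every DC left at the default priority 0 / weight 100.
DEFAULTS = [
    SrvRecord(0, 100, 389, "dc2008.corp.example"),
    SrvRecord(0, 100, 389, "dc2016a.corp.example"),
    SrvRecord(0, 100, 389, "dc2016b.corp.example"),
]
# Constructed: the 2008 DC made less preferred, i.e. a LARGER priority value.
DEMOTED = [
    SrvRecord(10, 100, 389, "dc2008.corp.example"),
    SrvRecord(0, 100, 389, "dc2016a.corp.example"),
    SrvRecord(0, 100, 389, "dc2016b.corp.example"),
]

def preferred_targets(records):
    """Targets in the lowest priority class; RFC 2782 says a client must
    try all of these before any record with a higher priority value."""
    lowest = min(r.priority for r in records)
    return sorted(r.target for r in records if r.priority == lowest)

def select_order(records, seed=0):
    """Full RFC 2782 ordering: ascending priority, then weighted random
    selection without replacement inside each priority class."""
    rng = random.Random(seed)  # seeded so the result is reproducible
    order = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= pick:  # first record whose running sum reaches pick
                    break
            order.append(rec.target)
            pool.remove(rec)
    return order

if __name__ == "__main__":
    print("defaults:", select_order(DEFAULTS))
    print("demoted :", select_order(DEMOTED))
```

Compare the live answer with `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` before and after changing the record.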

3 Replies

marce1000 (VIP)


- Not sure how traffic blocking is experienced by ISE when trying to connect to the old DC; perhaps turn it off and keep it reachable. Sometimes there is a subtle difference between lost, unreachable or rejected connections? FYI: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_42F562CACEA745348AE47B601A29E151 but it does not immediately clear up the subject.

M.



-- "Good body every evening": this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

Greg Gibbs (Cisco Employee)

The Primary DC that the ISE nodes communicate with is controlled by the configuration in AD Sites and Services. If the Site showing in the ISE AD section says 'Default-First-Site', then you have not configured Sites correctly. You should have a Site that represents the physical/logical location(s) of the ISE nodes. The closest Domain Controller should be associated with that Site, as should the IP address or subnet for the respective ISE nodes. After updating Sites, ISE will automatically begin communication with the relevant (non-2008) DC.
