04-09-2013 07:32 PM - edited 03-10-2019 08:17 PM
Hi,
I have an ISE 1.1.3.124 VM operating in standalone mode that is authenticating devices against AD. The AD environment consists of multiple member servers, and while this is working fine, the problem occurs when the domain controller that ISE displays it is connected to fails.
When I shut down this domain controller, it displays the following status even though there are more domain controllers in the network:
"Joined to Domain but Disconnected"
In the CLI config, I have added all of the domain controllers' IP addresses using the "ip name-server" command.
Now all authentications fail with the following message: "24444 Active Directory operation has failed because of an unspecified error in the ISE"
Can the ISE be configured to look at more than 1 AD server?
Appreciate any help on this.
04-10-2013 06:45 AM
Could someone shed some light into this?
I'm curious as well.
Both of our ISE nodes are joined to the same DC, even though I've tried leaving domain, and re-joining.
If a DC failure would disable the entire external ID store, we'd like to know if there's a workaround.
thx
07-28-2016 12:51 PM
Bumping this thread... can someone please clarify how ISE handles the availability of the domain controllers in a Windows domain?
Server admins need to perform patches/maintenance/decommission of their AD servers, so it would be very beneficial to know exactly how ISE would behave in these cases.
04-10-2013 11:38 PM
04-11-2013 06:55 AM
Thank you for providing the link.
I've read that TrustSec2.1 guide.
While it provides instructions on how to allow ISE to communicate with multiple AD domains, it does not address the specific issue that the OP and I have.
When an ISE node joins an AD domain and says , why does ISE lose connection to the domain altogether when "mydc01" fails and there are other domain controllers available?
04-12-2013 12:55 PM
I have ISE in VMware standalone mode with an IP address of 192.168.1.3, an AD1 server at 192.168.1.1 and an AD2 server at 192.168.1.2 in the Active Directory domain CCIESEC. I've successfully added ISE into Active Directory and it is shown as "connected".
When I shut down AD1, I can still run the "detailed test connection" on ISE to AD with AD1 offline without any issues. The same applies when AD2 is offline and AD1 is online. In other words, ISE functions fine.
It works with both ISE 1.1.2 patch-5 and 1.1.3 patch-1 in my test environment.
04-12-2013 01:38 PM
Thanks David, yes, the detailed test does seem to work in this scenario (it did for me), but have you tried to actually authenticate a device against AD while it is down? This is when it fails.
Sent from Cisco Technical Support iPhone App
04-12-2013 02:00 PM
I've NOT tried that yet. I do notice the following: AD1 is ad1.cciesec.com, AD2 is ad2.cciesec.com.
On the ISE, it shows me that it is connected to ad1.cciesec.com. When I shut down ad1.cciesec.com and refresh the page, it shows me that it is connected to ad2.cciesec.com.
04-12-2013 02:11 PM
Steve,
Have you opened a TAC case with Cisco on this? This has definitely made me very nervous about this.
04-12-2013 02:40 PM
No I haven't yet David, thought I'd put it to the forum first, but like you said maybe I should.
Sent from Cisco Technical Support iPhone App
04-12-2013 02:43 PM
Steve,
What version of ISE are you running? Appliance or VM? Can you share the "show version" output?
Thanks,
David
04-14-2013 05:39 PM
Hi David,
I am running VM.
"show version" output below.
Thanks,
Steve.
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.4.018
ADE-OS System Architecture: i386
Copyright (c) 2005-2011 by Cisco Systems, Inc.
All rights reserved.
Hostname: alxise01
Version information of installed applications
---------------------------------------------
Cisco Identity Services Engine
---------------------------------------------
Version : 1.1.3.124
Build Date : Thu Feb 7 17:55:38 2013
Install Date : Thu Mar 14 10:27:53 2013
04-23-2013 05:47 PM
An Active Directory Forest also has “Domain Resource Records” in DNS, which are required to locate a domain controller. It seems the additional domain controllers are having some issues with “Domain Resource Records” which you need to fix. When “Domain Resource Records” in Active Directory integrated DNS zone become corrupt, even the domain controller machine itself will be unable to find the Domain Controller for the AD Domain. Please check for any warning or error notifications in the event logs on Additional Domain Controllers, especially the netlogon service events.
To fix those issues you may use the following utilities of Windows Support Tools:
Dcdiag
netdiag
portqry
nltest
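An added check, written for this thread and not taken from any poster or from Cisco: it parses the DC locator SRV records (`_ldap._tcp.dc._msdcs.<domain>`) from `dig` output, orders them the way a locator would, and flags DCs that are missing from the records or lack an A record. The `dig` output is constructed around the lab in this thread (ad1/ad2 in cciesec.com); `ad3` is hypothetical.

```python
import re

# Constructed sample output of `dig SRV _ldap._tcp.dc._msdcs.cciesec.com`.
# ad3 is a hypothetical DC that is advertised but has no A record.
SAMPLE_DIG_OUTPUT = """
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.cciesec.com. 600 IN SRV 0 100 389 ad1.cciesec.com.
_ldap._tcp.dc._msdcs.cciesec.com. 600 IN SRV 0 100 389 ad2.cciesec.com.
_ldap._tcp.dc._msdcs.cciesec.com. 600 IN SRV 10 50 389 ad3.cciesec.com.

;; ADDITIONAL SECTION:
ad1.cciesec.com.        3600 IN A 192.168.1.1
ad2.cciesec.com.        3600 IN A 192.168.1.2
"""

# SRV rdata: priority weight port target (target is an FQDN ending in '.')
SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\.$", re.M)
A_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$", re.M)


def parse_srv(text):
    """Return SRV records as dicts with priority, weight, port and target."""
    return [
        {"priority": int(p), "weight": int(w), "port": int(port), "target": t}
        for p, w, port, t in SRV_RE.findall(text)
    ]


def parse_a(text):
    """Return a mapping of hostname -> IPv4 address from the A records present."""
    return dict(A_RE.findall(text))


def locator_order(records):
    """Order targets as a DC locator would: lowest priority first, then higher
    weight first (RFC 2782 picks randomly within a priority, weighted; a
    deterministic sort is used here so the report is stable)."""
    ordered = sorted(records, key=lambda r: (r["priority"], -r["weight"]))
    return [r["target"] for r in ordered]


def audit_dc_records(text, expected_dcs):
    """Compare the advertised DCs against the DCs an admin expects to exist.
    A DC absent from the SRV set can never be located; a target without an
    A record is advertised but unresolvable, the failure mode described above."""
    srv = parse_srv(text)
    a_records = parse_a(text)
    advertised = {r["target"] for r in srv}
    return {
        "order": locator_order(srv),
        "missing_from_srv": sorted(set(expected_dcs) - advertised),
        "missing_a": sorted(advertised - set(a_records)),
    }
```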
10-04-2013 01:07 PM
Hi all,
What's the verdict on this one?
I had a similar issue this morning on 1.2 with a failed DC and clients failing authentication to the ISE node bound to it, but not to my other node that was bound to a different controller.