ISE AD failover

steveklem · ‎04-09-2013

Hi,

I have a ISE 1.1.3.124 VM operating in standalone mode that is authenticating devices against AD. The AD environment consists of multiple member servers, and while this is working fine, when the Domain controller that the ISE Displays it is connected to fails,

In normal operating mode under External Identity Sources -> Active Directory the management web page displays the following status:

"Connected to: mydc01.mydomain.com"

However when I shutdown the this domain controller, it displays the following status even there are more Domain Controllers in the network.

"Joined to Domain but Disconnected"

In the CLI config, I have added all of the Domain Controllers IP addresses using the "ip name-server" command

Now any authentications fail with the following message "24444 Active Directory operation has failed because of an unspecified error in the ISE"

Can the ISE be configured to look at more than 1 AD server?

Appreciate any help on this.

huangedmc · ‎04-10-2013

Could someone shed some light into this?

I'm curious as well.

Both of our ISE nodes are joined to the same DC, even though I've tried leaving domain, and re-joining.

If a DC failure would disable the entire external ID store, we'd like to know if there's a wordaround.

thx

CSCO10662744_2 · ‎07-28-2016

Bumping this thread...can someone please clarify how ISE handles the availability of the domain controllers in a windows domain?

Server admins need to perform patches/maintenance/decommission of their AD servers, so it would be very beneficial to know exactly how ISE would behave in these cases.

Venkatesh Attuluri · ‎04-10-2013

This link might be helpfull

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf

huangedmc · ‎04-11-2013

Thank you for providing the link.

I've read that TrustSec2.1 guide.

While it provides instruction on how to allow ISE to communicate to multiple AD domain's, it does not address the specific issue that the OP and I have.

When an ISE node joins to an AD domain, and says "Connected to: mydc01.mydomain.com", why does ISE lose connection to the domain altogether, when "mydc01" fails, and there are other domain controllers available?

david.tran · ‎04-12-2013

I have ISE in VMWare standalone mode with IP address of 192.168.1.3 and AD1 server of 192.168.1.1 and AD2 server of 192.168.1.2 in Active Directory of CCIESEC. I've successfully added ISE into the Active Directory and it is shown as "connected"

When i shutdown AD1, I still can run the "detail test connection" on ISE to AD with AD1 offline without any issues. The same thing when AD2 is offline and AD1 is online. In other words, ISE function fine.

It works with both ISE 1.1.2 patch-5 and 1.1.3 patch-1 in my test environment.

steveklem · ‎04-12-2013

Thanks David, yes the detailed test does seem to work in this scenario (it did for me) but have you tried to actually authenticate a device against AD while it is down. This is when it fails.

Sent from Cisco Technical Support iPhone App

david.tran · ‎04-12-2013

I've NOT tried that yet. I do notice the followings: AD1 is ad1.cciesec.com AD2 is ad2.cciesec.com

On the ISE, it shows me that it is connected to ad1.cciesec.com. When I shutdown ad1.cciesec.com, if I refresh the page, it shows me that it is connected to ad2.cciesec.com

david.tran · ‎04-12-2013

Steve,

Have you opened a TAC case with Cisco on this? This has definitely made me very nervous about this.

steveklem · ‎04-12-2013

No I haven't yet David, thought I'd put it to the forum first, but like you said maybe I should.

Sent from Cisco Technical Support iPhone App

david.tran · ‎04-12-2013

Steve,

What version of ISE are you running? appliance or VM? Can you share the "show version output"?

Thanks,

David

steveklem · ‎04-14-2013

Hi David,

I am running VM.

"show version" output below.

Thanks,

Steve.

Cisco Application Deployment Engine OS Release: 2.0

ADE-OS Build Version: 2.0.4.018

ADE-OS System Architecture: i386

Hostname: alxise01

Version information of installed applications

---------------------------------------------

Cisco Identity Services Engine

---------------------------------------------

Version : 1.1.3.124

Build Date : Thu Feb 7 17:55:38 2013

Install Date : Thu Mar 14 10:27:53 2013

askhuran · ‎04-23-2013

An Active Directory Forest also has “Domain Resource Records” in DNS, which are required to locate a domain controller. It seems the additional domain controllers are having some issues with “Domain Resource Records” which you need to fix. When “Domain Resource Records” in Active Directory integrated DNS zone become corrupt, even the domain controller machine itself will be unable to find the Domain Controller for the AD Domain. Please check for any warning or error notifications in the event logs on Additional Domain Controllers, especially the netlogon service events.

To fix those issues you may use the following utilities of Windows Support Tools:

Dcdiag

netdiag

portqry

nltest

ryan.lambert · ‎10-04-2013

Hi all,

What's the verdict on this one?

I had an issue similar this morning on 1.2 with a failed DC and clients failing authentication to the ISE node bound to it, but not my other one that was bound to a different controller.