ISE AD Integration Issues

James Smith
Level 1

G'day All,

I am attempting to add my primary admin node to AD, but I am receiving the following error message in the ISE GUI.

using Writable Domain Controller: addc01.abc.com

Update Computer DnsName Failed.

User Does Not Have Update Privileges On The DNSHostName Attribute.

Error: Either User ise_ad@abc.com Does Not Have Sufficient Permissions To Join

Domain Abc.com, Zone Null

Or This Computer Already Has An Account In The Domain.

In Order To Rejoin, You Must Have Domain Administrator Privileges.

Join To Domain  Abc.com , Zone  Null  Failed

The detailed test passes fine. I don't see any NTP errors and DNS is completely resolvable at both ends.

Any assistance is greatly appreciated guys.

                  

James

Accepted Solutions

khernandezruiz
Level 1

I had a similar problem.

 

I received the following error:

Using domain controller: paprowdc.domain.corp writable=true
Update Computer dnsName failed.
User does not have update privileges on the dNSHostName attribute.

Error: Either user user_ad@domain.corp  does not have sufficient permissions to join
 domain domain.corp, zone null
 or this computer already has an account in the domain.
In order to rejoin, you must have Domain Administrator privileges.

Join to domain `domain.corp`, zone `null` failed.

 

The problem was solved by adding the privilege to add machine objects in AD to the user user_ad.

 

Regards,


Hi,

I think I had a similar problem in the past, so check:

- whether you have a PTR record (so a reverse lookup zone must be configured as well).

- your CLI DNS points to the right server with these records

- your CLI domain name is the same as AD

regards

Przemek

Ravi Singh
Level 7

This happens due to an incorrect DNS entry on the DNS server. Also make sure that the user you are using to join the domain has administrator rights on AD. Cross-check that you are able to resolve the name of your domain and vice versa.

For more detail you can check the below link

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1049448

James Smith
Level 1

Thanks for the replies. I'll work through the information and post back the outcome.


James, I agree with the above reply by khernandezruiz

AD account required for domain access in ACS should have either of the following:
- Add workstations to domain user right in corresponding domain.
- Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ACS machine's account is precreated (created before joining ACS to the domain).

 

Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin
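
The delegation that khernandezruiz and Jatin Katyal describe above can be scripted with `dsacls` so the join account gets only those rights instead of Domain Administrator membership. This is an added example, not part of any reply in the thread; the OU path is a placeholder, and mapping the dNSHostName error to the "Validated write to DNS host name" right is an assumption.

```powershell
# Added example: delegate only the join-related rights named in this thread.
# Run from an elevated session on a host with the AD DS tools (dsacls.exe).

# Placeholders (assumptions): replace with the real OU and join account.
$TargetOU = 'OU=ISE,DC=abc,DC=com'   # hypothetical OU holding the ISE computer object
$Account  = 'ABC\ise_ad'             # join account from the original post, DOMAIN\user form

# Each entry is one dsacls grant: inheritance switch plus permission statement.
#   /I:T = this object and child objects, /I:S = child objects only
$Grants = @(
    # Create / delete computer objects in the container (from Jatin's reply)
    @{ Inherit = '/I:T'; Right = 'CCDC;computer' },
    # Validated write for dNSHostName on computer objects (assumed fix for
    # "User does not have update privileges on the dNSHostName attribute")
    @{ Inherit = '/I:S'; Right = 'WS;Validated write to DNS host name;computer' }
)

function Grant-JoinRight {
    param(
        [Parameter(Mandatory)][string]$OU,
        [Parameter(Mandatory)][string]$Trustee,
        [Parameter(Mandatory)][hashtable]$Grant
    )
    # ${Trustee} is braced so the following ':' is not parsed as a scope prefix.
    & dsacls.exe $OU $Grant.Inherit /G "${Trustee}:$($Grant.Right)" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed for '$($Grant.Right)' on $OU (exit code $LASTEXITCODE)"
    }
}

foreach ($g in $Grants) {
    Grant-JoinRight -OU $TargetOU -Trustee $Account -Grant $g
}

# Verify: list the ACEs on the OU that mention the join account.
$aces = & dsacls.exe $TargetOU | Select-String -SimpleMatch $Account
if (-not $aces) { throw "No ACEs found for $Account on $TargetOU" }
$aces | ForEach-Object { $_.Line.Trim() }
```

Scoping the grant to a dedicated OU keeps the account from creating or deleting computer objects elsewhere in the domain.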
