ISE and AD synchronization

angelito_mas
Level 1

Hello everybody!

I would like to know how long it takes the ISE to synchronize with the AD after a change has been made on the AD.

Is there a default parameter set on the ISE that forces it to synchronize with the AD?
Is it possible to change it?

Thanks in advance for the reply!

1 Accepted Solution

Damien Miller
VIP Alumni

ISE does not synchronize or cache the Active Directory database. This is more of a function of AD replication than anything else and it's a deep topic with many intricacies. Depending on what the change in AD is, and how the domain is set up, some changes can be replicated within 15 seconds, while some things could be more than an hour. Intrasite (same site) replication happens within a minute regardless of how many domain controllers there are in the site, while intersite (site to site) replication by default happens on a 180 minute interval. 

Each ISE node asks its "peered" AD domain controller for authentication and attributes when an authentication comes in. Which group of DCs the PSN hits is mostly determined by the AD Sites and Services configuration within AD.

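Since the answer above puts the delay on the AD replication side rather than on ISE, the practical check is to look at the replication topology and recent replication health of the domain controllers the PSN talks to. The following PowerShell is an added example, not code from the thread or from Cisco; it assumes a domain-joined admin workstation with the RSAT ActiveDirectory module and an account that can read the Configuration partition.

```powershell
# Added example: verify AD replication intervals and health before
# attributing a "stale" ISE lookup to ISE itself.
Import-Module ActiveDirectory

# 1. Intersite interval: every site link carries its own schedule.
#    The thread's stated default is 180 minutes; a larger value here
#    directly extends how long a cross-site change can take to appear.
Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { $_.SitesIncluded -join ', ' } }

# 2. Which site each DC belongs to. If the DC the PSN is peered with sits
#    in a different site from the DC where the change was made, the
#    intersite interval above applies rather than the intrasite one.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IPv4Address

# 3. Last successful inbound replication per partner and partition for
#    every DC, plus consecutive failure counts, so an out-of-date
#    authentication or group lookup can be traced to a specific DC.
$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Inbound -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, Partition,
            LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
}

# 4. Built-in one-screen summary of replication errors and largest deltas.
repadmin /replsummary
```

A non-zero ConsecutiveReplicationFailures or a LastReplicationSuccess older than the site link interval on the DC the PSN uses explains the lag far more often than any setting on the ISE node; the site membership in step 2 tells you which interval should be expected.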

2 Replies

balaji.bandi
Hall of Fame

As far as I know, ISE keeps checking the LDAP connection every 10 seconds to get updates (this can be changed depending on the requirement).

BB
