Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1861
Views
5
Helpful
2
Replies

ISE and Demotion of Domain Controllers

Go to solution
Wes Schochet
Level 3
Level 3

‎06-17-2021 12:24 PM - edited ‎06-17-2021 12:25 PM

Hi All-

 

I have an ISE 2.7 cluster - two admin nodes and three PSNs.  I have an AD External Identity Source that I use for computer based EAP-TLS authentication.   

 

We currently have about 10 domain controllers, several of which are going to be retired.  If I look at the External Identity Sources list, some of the ones listed as connections for my nodes will be retired.  The question is, what if anything should I do about it?  ISE is attached to the domain.  I would think that if one of the DCs went away, a connection to another one would be established without intervention?   Or, do I need to rejoin the nodes to the domain once the DC is demoted?

 

Thanks

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcelo Morais
VIP
VIP

‎06-17-2021 01:30 PM

Hi @Wes Schochet ,

 please take a look at: AD Integration with ISE 2.x.

"...

Cisco ISE supports multiple joins to Active Directory domains. Cisco ISE supports up to 50 Active Directory joins.

...

You can influence the Domain Controllers that Cisco ISE uses by creating and using an Active Directory Site

...
Cisco ISE also provides the ability to define a list of preferred DCs per domain. This list of DCs will be prioritized for selection before DNS SRV queries. But this list of preferred DCs is not an exclusive list. If the preferred DCs are unavailable, other DCs are selected. You can create a list of preferred DCs in the following cases:

The SRV records are bad, missing or not configured.

The Site association is wrong or missing or the site cannot be used.

The DNS configuration is wrong or cannot be edited

..."

 

Hope this helps !!!

View solution in original post

2 Replies 2

Go to solution
Marcelo Morais
VIP
VIP

‎06-17-2021 01:30 PM

Hi @Wes Schochet ,

 please take a look at: AD Integration with ISE 2.x.

"...

Cisco ISE supports multiple joins to Active Directory domains. Cisco ISE supports up to 50 Active Directory joins.

...

You can influence the Domain Controllers that Cisco ISE uses by creating and using an Active Directory Site

...
Cisco ISE also provides the ability to define a list of preferred DCs per domain. This list of DCs will be prioritized for selection before DNS SRV queries. But this list of preferred DCs is not an exclusive list. If the preferred DCs are unavailable, other DCs are selected. You can create a list of preferred DCs in the following cases:

The SRV records are bad, missing or not configured.

The Site association is wrong or missing or the site cannot be used.

The DNS configuration is wrong or cannot be edited

..."

 

Hope this helps !!!

Go to solution
Wes Schochet
Level 3
Level 3

‎06-18-2021 07:34 AM

This is great - thanks!

0 Helpful
Customers Also Viewed These Support Documents