Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2580
Views
0
Helpful
3
Replies

ISE Can't join Multiple domain

gasliu
Level 1
Level 1

‎02-25-2016 05:24 AM

Hi Experts,

My customer is using ISE 2.0 to serve multiple domain user for AAA process. However, I can only join one AD into ISE. Every time I try to join the second AD, it will fail.

I check the fail reason, it shows because ISE can't resolve the domain by DNS. For example, if the second domain is demo.local, it will show ISE can't find the domain controller of demo.local.

I check the SVR is correct on DNS, and when I use SSH to log in ISE console and use nslookup, the demo.local can be resolve as the right AD's address.

Do you have any experience it? Is it a bug?

The error code is LW_ERROR_FAILED_FIND_DC

Thank you for your help

0 Helpful
3 Replies 3

hslai
Cisco Employee
Cisco Employee

‎02-25-2016 12:40 PM

Please review the DNS server section in Prerequisites for Integrating Active Directory and Cisco ISE

Then, from ISE admin CLI, the DNS query test is illustrated as below, where the domain is “lab.local”:

ise/admin# nslookup _ldap._tcp.dc._msdcs.LAB.LOCAL querytype srv


Trying "_ldap._tcp.dc._msdcs.LAB.LOCAL"


;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17149


;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1




;; QUESTION SECTION:


;_ldap._tcp.dc._msdcs.LAB.LOCAL.        IN      SRV




;; ANSWER SECTION:


_ldap._tcp.dc._msdcs.LAB.LOCAL. 320 IN  SRV    0 100 389 ws2012r2.lab.local.




;; ADDITIONAL SECTION:


ws2012r2.lab.local.    3320    IN      A      10.1.99.10




Received 102 bytes from 10.1.100.10#53 in 8 ms

If the deployment is meeting the DNS server requirements and the “SRV” query looking ok, then need to debug further.

  • Alter the debug level of "Active Directory" to TRACE.
    • Screen Shot 2016-02-25 at 12.06.39 PM.png
  • Perform the join step.
  • Download and examine the debug log "ad_agent.log"
    • Screen Shot 2016-02-25 at 12.16.08 PM.png

Here is an sample error entry:

…,VERBOSE,...,DNS lookup for '_ldap._tcp.dc._msdcs.TEST1.LOCAL' failed with errno 0, h_errno = 1, error=LW_ERROR_DNS_ERROR_DOMAIN_NOT_FOUND,LWNetDnsQueryWithBuffer(),netlogon/utils/lwnet-dns.c:1935

If you need help in looking at the debug log, please share the file directly to me via box.

0 Helpful

gasliu
Level 1
Level 1
In response to hslai

‎02-25-2016 07:50 PM

The log file has been to share to you via box.

The domain name is “icesnet.local” and AD admin user is “iseuser”

As I can see from the log, “failed to find domain controller in domain ICESNET.LOCAL”, but I can see from the DNS, the domain does exist in DNS

Best Regards,

Gaspard Liu (刘洪曦) .:|:.:|:.

CCIE Wireless

Travel Plan:

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to gasliu

‎03-14-2016 10:30 AM

Closing this thread, as Gaspard opened a TAC case.

0 Helpful
Customers Also Viewed These Support Documents