ISE Can't join Multiple domain
02-25-2016 05:24 AM
Hi Experts,
My customer is using ISE 2.0 to serve users from multiple domains for the AAA process. However, I can only join one AD to ISE. Every time I try to join the second AD, it fails.
I checked the failure reason; it shows that ISE can't resolve the domain via DNS. For example, if the second domain is demo.local, it will show that ISE can't find the domain controller of demo.local.
I checked that the SRV record is correct in DNS, and when I use SSH to log in to the ISE console and use nslookup, demo.local is resolved to the right AD address.
Do you have any experience with this? Is it a bug?
The error code is LW_ERROR_FAILED_FIND_DC
Thank you for your help
Labels: Identity Services Engine (ISE)
02-25-2016 12:40 PM
Please review the DNS server section in Prerequisites for Integrating Active Directory and Cisco ISE.
Then, from the ISE admin CLI, the DNS query test is illustrated below, where the domain is “lab.local”:
ise/admin# nslookup _ldap._tcp.dc._msdcs.LAB.LOCAL querytype srv
Trying "_ldap._tcp.dc._msdcs.LAB.LOCAL"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17149
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.LAB.LOCAL. IN SRV
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.LAB.LOCAL. 320 IN SRV 0 100 389 ws2012r2.lab.local.
;; ADDITIONAL SECTION:
ws2012r2.lab.local. 3320 IN A 10.1.99.10
Received 102 bytes from 10.1.100.10#53 in 8 ms
If the deployment meets the DNS server requirements and the “SRV” query looks ok, then we need to debug further.
- Alter the debug level of "Active Directory" to TRACE.
- Perform the join step.
- Download and examine the debug log "ad_agent.log"
Here is a sample error entry:
…,VERBOSE,...,DNS lookup for '_ldap._tcp.dc._msdcs.TEST1.LOCAL' failed with errno 0, h_errno = 1, error=LW_ERROR_DNS_ERROR_DOMAIN_NOT_FOUND,LWNetDnsQueryWithBuffer(),netlogon/utils/lwnet-dns.c:1935
If you need help in looking at the debug log, please share the file directly to me via box.
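As an added example (not part of this thread and not ISE or Cisco tooling), the following Python script turns the two checks in this reply into something that runs offline against captured text: it parses the nslookup SRV answer shown above and flags the conditions that stop the DC locator (a status other than NOERROR, no SRV record, an SRV target with no A record, an unexpected port), and it pulls the LW_ERROR code and the failing query name out of ad_agent.log lines. All sample inputs are constructed for the example: the healthy answer copies the output in the reply, while the failing answer and the log lines (including their timestamps and prefixes) are made up.

```python
"""Offline checks for the DC-locator SRV lookup and for LW_ERROR lines in ad_agent.log.
Added example, not ISE or Cisco code; all sample texts below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# One SRV / A resource record as printed by the BIND-style nslookup on the ISE CLI.
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)
A_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d+(?:\.\d+){3})$")
STATUS_RE = re.compile(r"status:\s*(?P<status>[A-Z]+)")
# ad_agent.log: "error=LW_ERROR_..." plus, for DNS failures, the query that failed.
ERR_RE = re.compile(r"error=(?P<code>LW_ERROR_[A-Z_]+)")
QUERY_RE = re.compile(r"DNS lookup for '(?P<query>[^']+)'")


def parse_srv_output(text: str) -> Dict:
    """Pull status, SRV records and additional-section A records out of nslookup output."""
    out: Dict = {"status": None, "srv": [], "a": {}}
    m = STATUS_RE.search(text)
    if m:
        out["status"] = m.group("status")
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # header / question-section lines
            continue
        m = SRV_RE.match(line)
        if m:
            out["srv"].append((int(m.group("prio")), int(m.group("weight")),
                               int(m.group("port")), m.group("target").rstrip(".").lower()))
            continue
        m = A_RE.match(line)
        if m:
            out["a"][m.group("name").rstrip(".").lower()] = m.group("ip")
    return out


def check_dc_srv(domain: str, text: str) -> List[str]:
    """Return the problems that would stop the DC locator; an empty list means the answer is usable."""
    parsed = parse_srv_output(text)
    problems: List[str] = []
    if parsed["status"] != "NOERROR":
        problems.append(f"{domain}: query status {parsed['status']} (expected NOERROR)")
    if not parsed["srv"]:
        problems.append(f"{domain}: no SRV records for _ldap._tcp.dc._msdcs.{domain}")
    for _prio, _weight, port, target in parsed["srv"]:
        if port != 389:
            problems.append(f"{target}: SRV port {port}, expected 389 (LDAP)")
        if target not in parsed["a"]:
            problems.append(f"{target}: SRV target has no A record in the additional section")
    return problems


def parse_ad_agent_errors(log_text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (LW_ERROR code, failed DNS query or None) for every error line in the log."""
    found: List[Tuple[str, Optional[str]]] = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        q = QUERY_RE.search(line)
        found.append((m.group("code"), q.group("query") if q else None))
    return found


# Constructed sample: the healthy answer shown in the reply above.
GOOD_SRV_OUTPUT = """\
Trying "_ldap._tcp.dc._msdcs.LAB.LOCAL"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17149
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.LAB.LOCAL. IN SRV
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.LAB.LOCAL. 320 IN SRV 0 100 389 ws2012r2.lab.local.
;; ADDITIONAL SECTION:
ws2012r2.lab.local. 3320 IN A 10.1.99.10
Received 102 bytes from 10.1.100.10#53 in 8 ms
"""
# Constructed sample (made up): the server knows nothing about the _msdcs name.
BAD_SRV_OUTPUT = """\
Trying "_ldap._tcp.dc._msdcs.DEMO.LOCAL"
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.DEMO.LOCAL. IN SRV
Received 49 bytes from 10.1.100.10#53 in 3 ms
"""
# Constructed sample ad_agent.log lines (timestamps, prefixes and the second line are made up).
SAMPLE_AD_AGENT_LOG = """\
20160225130517,VERBOSE,lwnet,DNS lookup for '_ldap._tcp.dc._msdcs.TEST1.LOCAL' failed with errno 0, h_errno = 1, error=LW_ERROR_DNS_ERROR_DOMAIN_NOT_FOUND,LWNetDnsQueryWithBuffer(),netlogon/utils/lwnet-dns.c:1935
20160225130517,ERROR,lwnet,Failed to find domain controller in domain TEST1.LOCAL, error=LW_ERROR_FAILED_FIND_DC
"""

if __name__ == "__main__":
    for dom, txt in (("LAB.LOCAL", GOOD_SRV_OUTPUT), ("DEMO.LOCAL", BAD_SRV_OUTPUT)):
        print(dom, check_dc_srv(dom, txt) or "SRV answer ok")
    for code, query in parse_ad_agent_errors(SAMPLE_AD_AGENT_LOG):
        print(code, query)
```

Note the distinction the checker encodes: resolving the bare domain name (nslookup demo.local) only proves an A record exists, whereas the join needs the _ldap._tcp.dc._msdcs SRV answer and an A record for the host it names, both from the DNS servers the ISE node itself is configured with, so run the SRV query from the ISE CLI rather than from a workstation.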
02-25-2016 07:50 PM
The log file has been shared with you via Box.
The domain name is “icesnet.local” and the AD admin user is “iseuser”.
As I can see from the log, “failed to find domain controller in domain ICESNET.LOCAL”, but I can see in DNS that the domain does exist.
Best Regards,
Gaspard Liu (刘洪曦) .:|:.:|:.
CCIE Wireless
03-14-2016 10:30 AM
Closing this thread, as Gaspard opened a TAC case.
