
ISE dependency with functional upgrade of Windows Active Directory

Hi,

 

There is a functional upgrade in Active Directory from Windows 2003 to 2008, then 2008 to 2012. I have gone through the Cisco documents and it says the above-mentioned Windows version is supported in ISE 2.2 patch 15.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/release_notes/ise22_rn.html#pgfId-627762

 

a) When doing a functional level upgrade, does ISE have any dependency with regard to the above-mentioned functional level?

b) What is the major role of Forest and Domain Functional levels with Cisco ISE?

 

Please help 


Accepted Solutions

That's a very good and valid concern. I have not been through such an exercise myself, but I think that if an AD Controller goes from being 2003 to 2008 (reboot etc.) then ISE will lose connection obviously. ISE will use the other AD during that time. The concern might be that ISE never reconnects properly with the upgraded 2008 server. But if that is the case, then simply un-join ISE from the AD and re-join.

Without a lab test it's hard to say what would happen.

If you're not changing the IP address or DNS records then you're already on the road to success - I think there might be issues if the IP address of the AD controller were to change, and ISE has a stale DNS record.

 


Arne Bier
VIP

Hi @Jithishkkuttappan 

 

I don't quite follow your question. What version of Windows Server do you want to integrate ISE 2.2 with?

 

I have never had any issues with this. When you join ISE to the domain you literally just specify the AD domain, and then provide admin cred for the join process. ISE does a discovery using that domain as a starting point. Some customers have multiple domains linked together and ISE figures all this out. You can then select which of these domains you want to use for authentication.

 

Hi @Arne Bier 

 

Currently ISE is integrated with Active Directory (Windows 2003) and the AD team is planning to do a functional upgrade from Windows 2003 to 2008.

I was concerned about how it impacts our ISE authentication environment, what prerequisite checks I need to take care of, and what possible issues may happen during the functional upgrade of AD.
