ISE deployment with 2 different Active Directory servers

victor-hugo
Level 1

Hello all,

I am running ISE v3.1.0 with 2 nodes as PAN/PSN/MnT.
I need for second node to connect with different Active Directory Server in other subnet.
I've tried with the second node to leave the domain, but when I join again it connects to the same AD server as the primary node.
In tab 'PassiveID' there is AD server that I want to connect to.
In CLI on second node I've setup new AD servers:
'ip name-server AD1newIPaddress AD2newIPaddress'
Reboot the ISE node, try to join domain again - did not work.
How this can be done?
Any ideas what I can try?

9 Replies

If they are part of a single cluster, then the config is shared, so all nodes will have the same AD and other configuration parameters.

You can add a 2nd AD domain to the cluster, and have an identity source sequence to authenticate with both AD servers, or the authentication policy can use one AD join point for some devices/other criteria and the 2nd AD join point for other NAS/criteria. What is your use case?

victor-hugo
Level 1

I have a single cluster.
I want to migrate the AD server. I want the second ISE node to use only the different AD server. Then shut down the primary ISE node and promote the secondary as primary with the new AD server.
Should I set up the nodes as standalone to be able to do it?

Hi @victor-hugo,

as @ccieexpert already said, you are able to:

In Administration > Identity Management > External Identity Sources > Active Directory > Add the new Join Point (Active Directory):

[screenshot: Active Directory New Joint Point.png]

In Administration > Identity Management > Identity Source Sequences > select the Join Points (both Active Directory) to the Authentication Search List:

[screenshot: Identity Source Sequences.png]

After that in Policy > Policy Sets > you should select the new Identity Source Sequence in your Authentication Policy:

[screenshot: Policy Sets.png]

Hope this helps!!!

It is not clear what you are trying to do exactly other than migrate the AD server... but if you want a different AD server for each ISE, then it is best to keep them standalone. If you just need to sync the database (like NAS and policies etc.), you can make them a cluster and sync from primary to secondary, and then make them standalone after that, or you can take a backup from one device and restore on the other. Of course, on the 2nd ISE box, you have to delete the first AD join point, and add the 2nd AD join point only... does that help?

I don't believe you can manage that unless you break the ISE cluster into two standalone servers. The command "ip name-server" is just to define the DNS servers on ISE, however, it does decide which AD server will be elected as the primary from the ISE perspective. I'm assuming that all the old and the new AD servers are in the same forest; if so, then nothing should happen when you migrate to the new AD and you shut down the old one. For instance, you can keep working on your AD migration without touching anything on ISE, and once you finish the migration and the old AD servers are decommissioned, ISE will then find its way to the new AD servers.

victor-hugo
Level 1

Hey all, thanks for your help. I am new to ISE, so please understand my lack of experience.
For now I just want to have ISE with 2 different AD servers to test.
The end goal here is that the old ADs will be shut down as we are moving to a new data center with new AD servers.
ISE 'sees' the new AD servers in Administration > Identity Management > External Identity Sources > Active Directory > PassiveID

[screenshot: victorhugo_0-1737967011195.png]

If the old ADs are shut down, will ISE automatically switch to the AD servers that are available, the ones from the PassiveID list?

Thank you all for your input.

That will be what I expect. In fact when we join ISE to the domain we don't specify the individual AD servers, we just use the domain and then through DNS ISE finds all the involved domain controllers.

I think you can use one of the following commands on ISE CLI to get an idea of what ISE sees in terms of the AD servers in the background:

nslookup _ldap._tcp.dc._msdcs.<your-domain-name> querytype SRV
nslookup _ldap._tcp.gc._msdcs.<your-domain-name> querytype SRV

victor-hugo
Level 1

@Aref thanks for your help.
From the ISE CLI I get the new AD server IP.
Once again thank you all for your help here.

You are very welcome, Victor.