ISE integration with AD fails

Dears,

I am trying to join the ISE to our AD with no success; below is the error logged in the ISE:

Error Description: Failed to find domain controller, please check network connectivity

Support Details...

Error Name: LW_ERROR_FAILED_FIND_DC

Error Code: 40049

 

Detailed Log:

 

Error Description :

Failed to find domain controller in domain 10.10.10.10 : domain does not exists in DNS

 

Error Resolution :

Please make sure that your DNS contains records for domain : 10.10.10.10, For further information please refer to the AD DNS diagnostic tools

 

Join steps :

13:51:40 Joining to domain 10.10.10.10 using user ise

13:51:40   Searching for DC in domain 10.10.10.10

13:51:40   Failed to find domain controller in domain 10.10.10.10 : domain does not exists in DNS

Although we have valid records for both AD and ISE in the DNS, and I am able to resolve the DNS name of our AD when doing an nslookup from the ISE.

I am not sure what the issue is.

Looking forward to hearing from you.

Regards,

Muhannad

Accepted Solution

Francesco Molino
VIP Alumni

Hi 

First of all, can your DNS answer SRV requests by returning the AD IP address? Have you set NTP on AD and ISE?

Which version of ISE are you using? Have you applied the latest patches?

When all these steps have been done, did you take some traces on ISE?

On ISE, to check your DNS server you can run the command below:

nslookup _ldap._tcp.dc._msdcs.AD.DOMAIN querytype srv

Replace AD.DOMAIN with your real AD domain name and paste your result.

After getting this information, if it is still not working, you need to take some traces on ISE. If you don't know how, let me know and I will try to take some screenshots in my lab to give you guidance.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


25 Replies

Dears,

The issue was in the domain name we entered when configuring the external identity source; once it was fixed, the integration worked fine.

Regards,
Muhannad

Nice to hear that.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

I have the same problem; can you help me please?

Status: Join Operation Failed: Failed to find domain controller, please check network connectivity

Hi,

First of all, could you check your NTP configuration. AD and ISE must have the same clock to be able to join your AD infrastructure.

On the ISE CLI, could you run this nslookup command and paste the output into a txt file:

nslookup _ldap._tcp.dc._msdcs.DOMAIN.SUFFIX querytype srv

--> Example: nslookup _ldap._tcp.dc._msdcs.MYCOMPANY.COM querytype srv 

Please check out that link (http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_20.html#reference_8DC463597A644A5C9CF5D582B77BB24F). All AD and DNS requirements must be set up.

If it is still not working, please activate some debugs and attach the log file to this post:

1. Activate traces for the Active Directory component:

2. Try to join your ISE to your AD.

3. Collect the logs from the debug traces:

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
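As an added example (not from this thread, Cisco or the Likewise agent), the Python below automates the two checks that resolve every case in this thread: it validates the value typed into the ISE join point (catching an IP address entered as the domain, and the ISE host name prepended to the domain), builds the SRV names to look up, and classifies the nslookup output Francesco asks for. It assumes the host/dig-style verbose output format shown later in the thread; the healthy-zone sample, the dc1/dc2 names and the use of pfe.local in it are constructed for illustration.

```python
"""Pre-checks for an ISE -> AD join point (added example, not from the thread)."""
import ipaddress
import re

# SRV names an AD zone publishes for DC location. The first is the one the
# nslookup command in this thread checks; the others are the standard AD
# service records (assumption: a healthy zone publishes all four).
SRV_TEMPLATES = (
    "_ldap._tcp.dc._msdcs.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
    "_ldap._tcp.{d}",
    "_kerberos._tcp.{d}",
)

# "<name> <ttl> IN SRV <prio> <weight> <port> <target>" as printed in an ANSWER SECTION
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+)$",
    re.IGNORECASE,
)
TRYING_RE = re.compile(r'^Trying "(?P<q>[^"]+)"$')
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_join_domain(domain, ise_hostname=None):
    """Sanity-check the domain entered on the join point. Returns (ok, reason)."""
    name = domain.strip().rstrip(".")
    if not name:
        return False, "empty domain name"
    try:
        ipaddress.ip_address(name)  # the first poster entered 10.10.10.10 here
    except ValueError:
        pass
    else:
        return False, "an IP address is not a DNS domain; enter the AD DNS name (e.g. pfe.local)"
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(lbl) for lbl in labels):
        return False, "not a fully qualified DNS domain name"
    if ise_hostname and labels[0].lower() == ise_hostname.lower():
        return False, "domain begins with the ISE host name; enter only the AD domain"
    return True, "ok"


def srv_names(domain):
    """Names to query on the ISE CLI with: nslookup <name> querytype srv"""
    d = domain.strip().rstrip(".").lower()
    return [t.format(d=d) for t in SRV_TEMPLATES]


def parse_srv_lookup(output):
    """Classify host/dig-style verbose output as ok / nxdomain / nodata and list the DCs."""
    records, queried, search_retry, nxdomain = [], None, False, False
    for raw in output.splitlines():
        line = raw.strip()
        m = TRYING_RE.match(line)
        if m:
            q = m.group("q").lower()
            if queried is None:
                queried = q
            elif q.startswith(queried + "."):
                search_retry = True  # resolver appended its search suffix: first answer was negative
            continue
        if "NXDOMAIN" in line.upper():
            nxdomain = True
            continue
        m = SRV_RE.match(line)
        if m:
            records.append({
                "priority": int(m.group("prio")),
                "weight": int(m.group("weight")),
                "port": int(m.group("port")),
                "target": m.group("target").rstrip(".").lower(),
            })
    # DC locator preference: lowest priority first, then highest weight
    records.sort(key=lambda r: (r["priority"], -r["weight"]))
    status = "ok" if records else ("nxdomain" if nxdomain else "nodata")
    return {"status": status, "records": records, "search_list_retry": search_retry}


# Output pasted in this thread (the poster replaced the real domain with MY.DOMAIN)
THREAD_OUTPUT = """\
Trying "_ldap._tcp.dc._msdcs.MY.DOMAIN"
Received 102 bytes from 172.20.127.1#53 in 0 ms
Trying "_ldap._tcp.dc._msdcs.MY.DOMAIN.MY.DOMAIN"
Host _ldap._tcp.dc._msdcs.MY.DOMAIN not found: 3(NXDOMAIN)
Received 109 bytes from 172.20.127.1#53 in 0 ms
"""

# Constructed sample of what a working zone returns (not from the thread)
HEALTHY_OUTPUT = """\
Trying "_ldap._tcp.dc._msdcs.pfe.local"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.pfe.local.\tIN\tSRV
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.pfe.local.\t600\tIN\tSRV\t0 100 389 dc1.pfe.local.
_ldap._tcp.dc._msdcs.pfe.local.\t600\tIN\tSRV\t0 50 389 dc2.pfe.local.
Received 174 bytes from 10.10.10.10#53 in 1 ms
"""

if __name__ == "__main__":
    for dom in ("10.10.10.10", "ise.pfe.local", "PFE.LOCAL"):
        print(dom, "->", validate_join_domain(dom, ise_hostname="ise"))
    print(srv_names("PFE.LOCAL"))
    print(parse_srv_lookup(THREAD_OUTPUT)["status"], parse_srv_lookup(HEALTHY_OUTPUT))
```

Run the nslookup from the ISE CLI and feed its output to parse_srv_lookup: a status of nxdomain or nodata with search_list_retry set means the resolver never got SRV records for the name you typed, which is exactly the LW_ERROR_FAILED_FIND_DC symptom even when plain A-record lookups of the DC succeed.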

Hi, thanks for the answer,

but I did not find how to "Activate traces for Active Directory component"!!

Sorry,

how can I do that please?

thanks

Hi

Did you go into this menu:  Administration > System > Logging > Debug Log Configuration

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

The domain name was not correct.

Well, now I want to know how to assign an unknown MAC address to a VLAN?

thx

This has been solved. I was prepending the hostname to the AD domain name. It should only be the AD domain at the join point.

I hope you have forward and reverse entries for the ISE node in the DNS server.

Can you do an nslookup on the ISE IP and ISE hostname and share the output here?

Solved!

Good to know that. Thank you for the update.

Hi

I have the same problem :

"Error Description: Failed to find domain controller, please check network connectivity
 
Support Details...
Error Name: LW_ERROR_FAILED_FIND_DC
Error Code: 40049

Detailed Log:

Error Description :
Failed to find domain controller in domain PFE.LOCAL : domain does not exists in DNS

Error Resolution :
Please make sure that your DNS contains records for domain : PFE.LOCAL, For further information please refer to the AD DNS diagnostic tools

Join steps :
14:26:46 Joining to domain PFE.LOCAL using user bougamra
14:26:46   Searching for DC in domain PFE.LOCAL
14:26:46   Failed to find domain controller in domain PFE.LOCAL : domain does not exists in DNS "

Can you help me please ?

Hi Francesco,

Thanks, you've already been helpful.

I am facing the same problem; the AD and ISE have the same clock, along with an NTP server.

Please find below :

- the operation detail

- the result of the command

- The ad_agent.log file

PS: I replaced the real domain with MY.DOMAIN :p

### the operation detail ###

Error Description :
Failed To Find Domain Controller In Domain MY.DOMAIN : Domain Does Not Exists In DNS

Error Resolution :
Please Make Sure That Your DNS Contains Records For Domain : MY.DOMAIN, For Further Information Please Refer To The AD DNS Diagnostic Tools

Join Steps :
12:55:20 Joining To Domain MY.DOMAIN Using User Administrator
12:55:20 Searching For DC In Domain MY.DOMAIN
12:55:20 Failed To Find Domain Controller In Domain MY.DOMAIN : Domain Does Not Exists In DNS

### Result of nslookup _ldap._tcp.dc._msdcs.MY.DOMAIN querytype srv ###

Trying "_ldap._tcp.dc._msdcs.MY.DOMAIN"
Received 102 bytes from 172.20.127.1#53 in 0 ms
Trying "_ldap._tcp.dc._msdcs.MY.DOMAIN.MY.DOMAIN"
Host _ldap._tcp.dc._msdcs.MY.DOMAIN not found: 3(NXDOMAIN)
Received 109 bytes from 172.20.127.1#53 in 0 ms

Thank you very much! 
