49936 Views · 61 Helpful · 25 Replies

ISE integration with AD fails

Dears,

I am trying to join the ISE to our AD with no success; below is the error logged in the ISE:

Error Description: Failed to find domain controller, please check network connectivity

Support Details...

Error Name: LW_ERROR_FAILED_FIND_DC

Error Code: 40049

 

Detailed Log:

 

Error Description :

Failed to find domain controller in domain 10.10.10.10 : domain does not exists in DNS

 

Error Resolution :

Please make sure that your DNS contains records for domain : 10.10.10.10, For further information please refer to the AD DNS diagnostic tools

 

Join steps :

13:51:40 Joining to domain 10.10.10.10 using user ise

13:51:40   Searching for DC in domain 10.10.10.10

13:51:40   Failed to find domain controller in domain 10.10.10.10 : domain does not exists in DNS

We have valid records for both AD and ISE in the DNS, and I am able to resolve the DNS name of our AD when doing an nslookup from the ISE.

I am not sure what the issue is.

Looking forward to hearing from you.

Regards,

Muhannad

25 Replies

Hi 

Is the ISE on the same network as your AD server, or is there an ACL or firewall in between?

If not on the same network, have you opened the DNS port (UDP 53)?

Have you configured the right DNS server?

Can you run the following command from your Windows machine (not from the AD)?

First, be sure that your machine has the same DNS server as your ISE.

From a command line, type nslookup, then type set type=all, and finally type _ldap._tcp.dc._msdcs.YOURDOMAIN

Could you please paste the output of the result? 

Thanks 

PS: please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi again, 

The ISE and the AD are on the same network, and yes, everything is correctly configured; I checked every detail more than once.

It turned out to be a problem within the AD. We are working in a new environment with a brand new AD, so the sysadmin recreated a new one, and then everything went great: it instantly joined the ISE and I retrieved the groups, so "smooth" :p

I still haven't figured out the origin of the problem, however everything is working.

I really appreciate your help thanks ;)

Ok well done! 

You're welcome

Francesco

Hi Francesco,

I'm facing the same problem.

And here is the output from the Windows machine:

C:\Users\Administrator>nslookup
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
primary name server = 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0
0.0.0.0.0.0.0.ip6.arpa
responsible mail addr = (root)
serial = 0
refresh = 28800 (8 hours)
retry = 7200 (2 hours)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
Default Server: UnKnown
Address: ::1

> set type=all
> type_ldap._tcp.dc._msdcs.ualab.com
Server: UnKnown
Address: ::1

*** UnKnown can't find type_ldap._tcp.dc._msdcs.ualab.com: Non-existent domain

Could you please help with this issue?

Hi

You need to recreate all server records in AD.

Here are 2 sites I used when I faced the same issue. Sorry, I'm not an AD expert, but this worked for me:

http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/AQuickTipToFixDCSRVsinActiveDirectoryDomain.html

https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/

Thanks 

Francesco

Hi Francesco,

Thank you so much for the prompt reply.

I looked into the below link,

http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/AQuickTipToFixDCSRVsinActiveDirectoryDomain.html

Could you please help me with how to do this first step:

  • Import SRV records from C:\SystemRoot\Config\NetLogon.dns file.

Highly appreciate the help.

Thanks,

Hema

Hi 

This file is used when you're using a third-party DNS server.

You need to focus on creating all the entries yourself, or on running a netdiag fix command, if I remember correctly.

I'm sorry not to be able to help you more, but in that case I'd follow the Microsoft technote.

Thanks

Francesco

Hi Francesco,

I have a similar problem: my AD and ISE are on the same network and there is no firewall rule created.

This is the output of the command executed on the ISE:

nslookup _ldap._tcp.dc._msdcs.(Mydomain)1 querytype srv
Trying "_ldap._tcp.dc._msdcs.Mydomain"
Received 126 bytes from 10.1.51.41#53 in 0 ms
Trying "_ldap._tcp.dc._msdcs.Mydomain"
Host _ldap._tcp.dc._msdcs.Mydomain not found: 3(NXDOMAIN)
Received 139 bytes from 10.1.51.41#53 in 0 ms

Attached: diagnostic tool results (image.png)

Hi Francesco,

thank you for your reply.

 

For the NTP: the time on the ISE and the AD is the same, without an NTP server.

ISE version: 2.6

AD: Windows Server 2012 R2

nslookup _ldap._tcp.dc._msdcs.abdo.com querytype srv :

ise/admin# nslookup _ldap._tcp.dc._msdcs.abdo.com querytype srv
Trying "_ldap._tcp.dc._msdcs.abdo.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45453
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.abdo.com. IN SRV

;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.abdo.com. 600 IN SRV 0 100 389 abdo123.abdo.com.

;; ADDITIONAL SECTION:
abdo123.abdo.com. 3600 IN A 10.1.1.253

Received 99 bytes from 10.1.1.253#53 in 0 ms

 

Can you please tell me which traces to run on the ISE?

 

Thank you.
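The two ISE-side lookups pasted in this thread show the two outcomes a DC-locator SRV query can have: NXDOMAIN (the record was never registered, which is what Francesco's and araviku2's replies point at) and NOERROR with an SRV answer naming the domain controller and its LDAP port (the abdo.com output above, where DNS is evidently not the problem). The following is an added example, not code from the thread, from Cisco ISE, or from Microsoft: it lists the locator SRV names a domain should publish (the set Microsoft documents in the blog post linked earlier), parses dig-style output of the shape the ISE CLI `nslookup <name> querytype srv` prints into a verdict, and sanity-checks a query name so that a value glued onto `_ldap` (as in `type_ldap._tcp...`) or an IP address used in place of the DNS domain name is caught before anyone blames the network. The domain `example.com`, the host names and the 192.0.2.x addresses are constructed.

```python
"""DC-locator DNS SRV checks (added example; not code from the thread, Cisco ISE
or Microsoft). Assumptions: the dig-style text below matches what the ISE CLI
`nslookup <name> querytype srv` prints (it mirrors the thread's pasted output);
the domain example.com, host names and 192.0.2.x addresses are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


# Locator SRV names a domain controller registers in DNS (Microsoft's documented set).
DC_LOCATOR_SERVICES = (
    "_ldap._tcp.dc._msdcs.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
    "_ldap._tcp.{d}",
    "_kerberos._tcp.{d}",
    "_kpasswd._tcp.{d}",
    "_gc._tcp.{d}",  # published under the forest root domain
)

HEADER_RE = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+)")
NXDOMAIN_RE = re.compile(r"not found: \d+\(NXDOMAIN\)")
SRV_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\.$")
LOCATOR_RE = re.compile(r"^_(ldap|kerberos|kpasswd|gc)\._tcp\.[\w.-]+$", re.I)


def expected_dc_srv_names(domain: str) -> List[str]:
    """Locator names the DNS zone must hold for clients to find a DC in `domain`."""
    d = domain.strip().rstrip(".").lower()
    # An IP address is not a DNS domain: there is no zone to look the SRV records up in.
    if not d or d.replace(".", "").isdigit():
        raise ValueError(f"{domain!r} is not a DNS domain name")
    return [s.format(d=d) for s in DC_LOCATOR_SERVICES]


def check_query_name(name: str) -> Optional[str]:
    """Return None if `name` is a well-formed locator query, else what is wrong with it."""
    n = name.strip().rstrip(".")
    if LOCATOR_RE.match(n):
        return None
    if "_ldap._tcp" in n and not n.startswith("_"):
        return f"{name!r} has text glued in front of '_ldap'; the query must start with '_ldap._tcp'"
    return f"{name!r} is not a DC-locator SRV name (expected _<service>._tcp.<domain>)"


def parse_dig_srv(output: str) -> Tuple[str, List[SrvRecord]]:
    """Parse dig-style SRV output into (status, records found in the ANSWER SECTION)."""
    status, records, in_answer = "UNKNOWN", [], False
    for raw in output.splitlines():
        line = raw.strip()
        if m := HEADER_RE.search(line):
            status = m.group(1)
        elif NXDOMAIN_RE.search(line):  # short form printed when the name does not exist
            status = "NXDOMAIN"
        elif line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";;"):  # any other section header ends the answer block
            in_answer = False
        elif in_answer and (m := SRV_RE.match(line)):
            records.append(SrvRecord(m.group(1), int(m.group(2)), int(m.group(3)),
                                     int(m.group(4)), m.group(5)))
    return status, records


def diagnose(output: str) -> str:
    """One-line verdict in the terms the thread uses."""
    status, recs = parse_dig_srv(output)
    if status == "NXDOMAIN":
        return "NXDOMAIN: locator record missing; the DC's SRV records need to be (re)registered"
    if status == "NOERROR" and recs:
        return "OK: " + ", ".join(f"{r.target}:{r.port}" for r in recs)
    if status == "NOERROR":
        return "NOERROR but no SRV answer: the name exists but holds no SRV record"
    return f"unexpected status {status}"


# Constructed samples shaped like the two outputs pasted in the thread.
SAMPLE_OK = """\
Trying "_ldap._tcp.dc._msdcs.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.example.com. IN SRV

;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.

;; ADDITIONAL SECTION:
dc1.example.com. 3600 IN A 192.0.2.10

Received 99 bytes from 192.0.2.10#53 in 0 ms
"""
SAMPLE_MISSING = """\
Trying "_ldap._tcp.dc._msdcs.example.com"
Host _ldap._tcp.dc._msdcs.example.com not found: 3(NXDOMAIN)
Received 139 bytes from 192.0.2.10#53 in 0 ms
"""

if __name__ == "__main__":
    for n in expected_dc_srv_names("example.com"):
        print("expect:", n)
    print(check_query_name("type_ldap._tcp.dc._msdcs.example.com"))
    print(diagnose(SAMPLE_OK))
    print(diagnose(SAMPLE_MISSING))
```

The name check is deliberately done before any lookup: a query that never started with `_ldap._tcp` will always come back NXDOMAIN, and a domain given as an IP address has no zone for the locator records to live in, so in both cases the DNS server is answering correctly and chasing connectivity or firewall rules would be wasted effort.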

araviku2 (Cisco Employee)

I know this is an old thread, but I'm still replying so that anyone facing this problem can be helped.

This problem arises when the Windows server fails to create the SRV records for the domain controller.

I faced this problem too, and the issue got resolved after I re-installed AD services on the Windows server without installing the DNS server, which led to the automatic creation of the DNS server along with the required records.
