07-03-2016 02:46 PM - edited 03-10-2019 11:54 PM
Dears,
I am trying to join the ISE with our AD with no success, below the error logged in the ISE:
Error Description: Failed to find domain controller, please check network connectivity
Support Details...
Error Name: LW_ERROR_FAILED_FIND_DC
Error Code: 40049
Detailed Log:
Error Description :
Failed to find domain controller in domain 10.10.10.10 : domain does not exists in DNS
Error Resolution :
Please make sure that your DNS contains records for domain : 10.10.10.10, For further information please refer to the AD DNS diagnostic tools
Join steps :
13:51:40 Joining to domain 10.10.10.10 using user ise
13:51:40 Searching for DC in domain 10.10.10.10
13:51:40 Failed to find domain controller in domain 10.10.10.10 : domain does not exists in DNS
Although we have valid records for both AD and ISE in the DNS, and I am able to resolve the DNS of our AD when running nslookup in the ISE.
I am not sure what the issue is.
Looking forward to hearing from you.
Regards,
Muhannad
05-17-2017 08:25 PM
Hi
Is the ISE on the same network as your AD server, or is there an ACL or firewall in between?
If not on the same network, have you opened dns port? (UDP 53)
Have you configured the right dns server?
Can you do the following command from your windows machine (not from the AD)?
First be sure that your machine has the same DNS server as your ISE.
From a command line, type nslookup, then type set type=all, and finally type _ldap._tcp.dc._msdcs.YOURDOMAIN
Could you please paste the output of the result?
Thanks
PS: please don't forget to rate and mark as correct answer if this answered your question
05-18-2017 05:04 AM
Hi again,
The ISE and the AD are on the same network, and yes everything is correctly configured I checked more than once every detail.
It turned out to be a problem within the AD, we are working in a new environment with a brand new AD, so the sys admin recreated a new one and then everything went great and it instantly joined the ISE and I retrieved the groups, so "smooth" :p
I still haven't figured out the origin of the problem, however everything is working.
I really appreciate your help thanks ;)
05-18-2017 05:06 AM
Ok well done!
You're welcome
05-22-2017 06:13 PM
Hi Francesco,
I'm facing the same problem.
And here is the output from the windows machine
C:\Users\Administrator>nslookup
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
primary name server = 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0
0.0.0.0.0.0.0.ip6.arpa
responsible mail addr = (root)
serial = 0
refresh = 28800 (8 hours)
retry = 7200 (2 hours)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
Default Server: UnKnown
Address: ::1
> set type=all
> type_ldap._tcp.dc._msdcs.ualab.com
Server: UnKnown
Address: ::1
*** UnKnown can't find type_ldap._tcp.dc._msdcs.ualab.com: Non-existent domain
Could you please help on this issue.
05-23-2017 04:56 AM
Hi
You need to recreate all servers records in AD.
Here are 2 sites I used when I faced the same issue. Sorry I'm not an AD expert but this worked for me:
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/AQuickTipToFixDCSRVsinActiveDirectoryDomain.html
https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/
Thanks
PS: please don't forget to rate and mark as correct answer if this answered your question
05-23-2017 09:23 AM
Hi Francesco,
Thank you so much for the prompt reply.
I looked into the below link,
Could you please help me how to do this first step:
Highly appreciate the help.
Thanks,
Hema
05-25-2017 01:31 PM
Hi
This file is used when you're using a third party dns server.
You need to focus on creating all the entries yourself or doing a netdiag fix command, if I remember.
I'm sorry for not being able to help you more, but in that case I'll follow the Microsoft technote.
Thanks
05-26-2021 02:47 AM
Hi Francesco,
I have a similar problem; my AD and ISE are on the same network and there is no firewall rule created.
This is the output of the command executed on ISE:
nslookup _ldap._tcp.dc._msdcs.(Mydomain)1 querytype srv
Trying "_ldap._tcp.dc._msdcs.Mydomain"
Received 126 bytes from 10.1.51.41#53 in 0 ms
Trying "_ldap._tcp.dc._msdcs.Mydomain"
Host _ldap._tcp.dc._msdcs.Mydomain not found: 3(NXDOMAIN)
Received 139 bytes from 10.1.51.41#53 in 0 ms
attached diagnostic tool results
12-06-2017 07:31 PM
03-28-2020 12:38 PM
Hi Francesco,
Thank you for your reply.
For NTP: the time for ISE and AD is the same without an NTP server.
ISE version is : 2.6
AD : windows server 2012 r2
nslookup _ldap._tcp.dc._msdcs.abdo.com querytype srv :
ise/admin# nslookup _ldap._tcp.dc._msdcs.abdo.com querytype srv
Trying "_ldap._tcp.dc._msdcs.abdo.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45453
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.abdo.com. IN SRV
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.abdo.com. 600 IN SRV 0 100 389 abdo123.abdo.com.
;; ADDITIONAL SECTION:
abdo123.abdo.com. 3600 IN A 10.1.1.253
Received 99 bytes from 10.1.1.253#53 in 0 ms
Can you please give me some traces on ISE to do ?
Thank you.
11-21-2018 02:00 AM
I know this is an old thread, but I'm still replying so that anyone facing this problem can be helped.
This problem arises when the windows server fails to create SRV records for the domain controller.
I faced this problem too, and the issue got resolved after I re-installed AD services on the Windows server without installing the DNS server, which led to an automatic creation of the DNS server along with the required records.
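An added example, not part of any post in this thread: a small Python checker that classifies a DC locator lookup transcript in the format of the ISE CLI output quoted above, separating "the SRV record is missing" from "the wrong name was queried". The function names, `example.test` and `192.0.2.10` are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed samples in the format of the ISE CLI output quoted in this
# thread; example.test and 192.0.2.10 are placeholder values.
SAMPLE_FOUND = """\
Trying "_ldap._tcp.dc._msdcs.example.test"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.example.test. 600 IN SRV 0 100 389 dc1.example.test.
;; ADDITIONAL SECTION:
dc1.example.test. 3600 IN A 192.0.2.10
"""
SAMPLE_MISSING = """\
Trying "_ldap._tcp.dc._msdcs.example.test"
Host _ldap._tcp.dc._msdcs.example.test not found: 3(NXDOMAIN)
"""

SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)$")
A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)$")

def locator_name(domain):
    """Build the DC locator SRV name; an IP address is not a DNS domain."""
    try:
        ipaddress.ip_address(domain)
    except ValueError:
        return "_ldap._tcp.dc._msdcs." + domain.strip(".").lower() + "."
    raise ValueError("use the AD DNS domain name, not an IP address")

def check_dc_locator(domain, output):
    """Classify one lookup transcript for the given AD domain."""
    want = locator_name(domain)
    lines = [l.strip() for l in output.splitlines()]
    asked = re.search(r'Trying "([^"]+)"', output)
    # A mistyped query name proves nothing about the real SRV record.
    if asked and asked.group(1).strip(".").lower() + "." != want:
        return {"ok": False, "reason": "queried " + asked.group(1), "dcs": []}
    if "NXDOMAIN" in output:
        return {"ok": False, "reason": "no SRV record " + want, "dcs": []}
    # A records from the additional section, keyed by host name.
    glue = dict(m.groups() for l in lines if (m := A_RE.match(l)))
    # (target, port, address or None) for each SRV answer of the wanted name.
    dcs = [(m.group(3), int(m.group(2)), glue.get(m.group(3)))
           for l in lines
           if (m := SRV_RE.match(l)) and m.group(1).lower() == want]
    if not dcs:
        return {"ok": False, "reason": "no SRV answer for " + want, "dcs": []}
    return {"ok": True, "reason": "found", "dcs": dcs}
```

An address of `None` in the result only means the reply carried no A record for that target in its additional section, so the target needs its own lookup.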