03-14-2013 07:24 AM - edited 03-10-2019 08:11 PM
Hello Techies,
I am facing a challenge while configuring ISE to join AD. Domain name lookup fails. DNS is working perfectly fine;
nslookup works fine on ISE for simple domain names, but on long domain names it fails, throwing the following error:
;; Truncated, retrying in TCP mode.
;; connection timed out; no servers could be reached
Upon searching on Google, many threads discuss that it is a common issue with Linux when multiple IPs are returned for a DNS query. The solution is to make static entries in:
/etc/resolv.conf
I am not able to find it in ISE, as it does not give access to the OS. I am running it on VMware.
Looking forward to your valuable inputs to resolve this.
Thanks
03-14-2013 09:23 PM
Hi,
You will need to work this with TAC for this issue. I am not aware of any bugs regarding joining AD due to a long suffix, but it would be something to work with them on. Also, are there any ACLs or firewalls blocking TCP from ISE to the DNS environment?
Also check if you can resolve the ISE hostname and its IP address (forward and reverse).
Thanks,
Tarik Admani
*Please rate helpful posts*
03-15-2013 02:37 AM
Thanks for your response. Port 53 (TCP) was opened on the firewall & voila... nslookup was able to resolve the hostname.
Now there is another challenge because of the huge environment. The Active Directory forest contains more than 50 child domain controllers. The policy is open for one particular hostname/IP, but authentication is not successful & ISE is not able to join the domain. Cisco forums say that ports for all servers should be open for ISE on the intermediate firewall, but it is a huge challenge for testing.
When I tried to give the FQDN of the specific server (for which ports are open on the firewall), it is not getting resolved again.
Please suggest.
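The failure described in the opening post and confirmed above (UDP answer truncated, TCP/53 retry blocked by the firewall) can be reproduced outside of nslookup. The following is an added example, not code from this thread or from Cisco: it sends a minimal DNS query over UDP, checks the TC bit in the reply, and only then opens TCP/53, so a timeout on the second step points at the firewall rather than at the DNS server. The server address and the two sample replies are constructed for illustration.

```python
import socket
import struct

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
TC_FLAG = 0x0200  # "TrunCated" bit in the DNS flags word (RFC 1035, section 4.1.1)


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query (QCLASS IN, RD set) for `name`."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + question


def is_truncated(response):
    """True when the server set TC, i.e. the full answer did not fit the UDP reply."""
    if len(response) < DNS_HEADER.size:
        raise ValueError("response shorter than a DNS header")
    _, flags, *_ = DNS_HEADER.unpack_from(response)
    return bool(flags & TC_FLAG)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DNS server closed the TCP connection early")
        buf += chunk
    return buf


def resolve_with_fallback(server, name, timeout=3.0):
    """Mimic the stub resolver: UDP first, then TCP/53 only if TC was set.
    Returns (transport_used, raw_response). A socket.timeout raised from the
    TCP step is the ';; connection timed out' symptom seen in the thread."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        udp_resp, _ = udp.recvfrom(512)  # classic DNS: 512-byte UDP limit
    if not is_truncated(udp_resp):
        return "udp", udp_resp
    # TCP framing: a 2-byte length prefix precedes the message (RFC 1035, 4.2.2)
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(tcp, 2))
        return "tcp", _recv_exact(tcp, length)


# Constructed sample reply headers: flags 0x8380 = QR, TC, RD, RA (truncated);
# flags 0x8180 = QR, RD, RA with three answer records (complete).
SAMPLE_TRUNCATED = DNS_HEADER.pack(0x1234, 0x8380, 1, 0, 0, 0)
SAMPLE_COMPLETE = DNS_HEADER.pack(0x1234, 0x8180, 1, 3, 0, 0)
```

Run `resolve_with_fallback("<dns server ip>", "<long fqdn>")` from a host on the ISE side of the firewall; a UDP reply with TC set followed by a TCP timeout reproduces the exact condition fixed by opening TCP/53.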
03-15-2013 04:27 AM
If you add the ISE server's IP to a Sites and Services definition in AD, you can control which AD server it will try to join.
Sent from Cisco Technical Support Android App
03-15-2013 05:46 AM
Jan is correct,
However, if your Sites and Services do not allow this flexibility, then your best bet would be to deploy your own DNS environment. But Jan's comments are the best way, because ISE is very sensitive to DNS server changes and I don't recommend this option if you are deploying this for production eventually.
Thanks,
Tarik Admani
*Please rate helpful posts*