
ISE Migration To New AD Domain

ChuckMcF
Level 1

(Names have been changed for anonymity.)

Background: We have been taken over by a new organization and are in the process of migrating domains in a rather complex SDA deployment. The first planned phase is to migrate all users to the new domain and phase two will be to create a new Fabric in that domain (new DNAC & ISE clusters) then migrate the network and connected users during a scheduled outage to that Fabric. SDA is, and will only be, deployed for devices at our subdomain level. We have full control of ISE, DNAC, the previous domain and the new subdomain. The new organization controls the new forest.

Current domain: original.OldDomain.com

New subdomain (what we control): SiteA.main.newdomain.com

New domain (what we do not control): main.newdomain.com

Issue: I have modified our 802.1x policy sets to include AD groups from "original.OldDomain.com" OR "SiteA.main.newdomain.com". When testing a user against all join points, I enter a known good user ID and password from SiteA.main.newdomain.com and here are the results:
Resolving identity - <known good user>
Search for matching accounts at join point - original.OldDomain.com
No matching account found in forest - original.OldDomain.com
Search for matching accounts at join point - SiteA.main.newdomain.com
Skipping unavailable forest - main.newdomain.com
Identity resolution detected no matching account
Identity resolution failed - ERROR_NO_SUCH_USER_SOME_DOMAINS_NOT_AVAILABLE

ISE has been joined to SiteA.main.newdomain.com with a service account that has full permission to AD at that level. ISE is also joined to original.OldDomain.com with a different AD account with appropriate permissions. I am confused why it is "skipping the unavailable forest" since we only want ISE to authenticate to the subdomain. Is it possible to authenticate ONLY to the subdomain or does ISE require a service account at the forest level as well? It is going to be extremely difficult to get the forest owners to give us a service account with that level of access so any way around this would be appreciated.

TIA

ChuckMcF

3 Replies

marce1000
VIP


- What ISE version is being used?
- Examine the content of: show logging application ad_agent.log
- Check DNS; make sure that the new AD servers are known by PTR records on the ISE environment (too)

M.



-- "Good body every evening": this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

Apologies - ISE version is 3.2P4. Parsing the log files that you recommended at the moment. Troubleshooting is slower due to working with an outside entity. Will update this thread as it progresses. The log is currently showing "domain marked as offline", which is odd because Admin-->id mgmt-->ext id sources-->AD--><new domain>-->Diagnostic Tools shows all tests as green.

Found the solution to get ISE to authenticate to the subdomain:

Administration-->Identity Management-->External Identity Sources-->Active Directory-->SiteA.main-->Advanced Settings-->Identity Rewrite--><choose>Apply the Rewrite Rules Below to modify username:
If Identity Matches [IDENTITY] Rewrite as [IDENTITY]@SiteA.main.newdomain.com

We are now able to resolve to the new subdomain that we control.
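The following is an added example, not code from this thread, from Cisco, or from ISE itself: a small Python simulation of why the Identity Rewrite rule changes the outcome of the "Test User" run shown above. The resolution model is an assumption made for illustration (a bare sAMAccountName triggers a forest-wide search that needs the forest root, while a user@domain identity is looked up only at the join point whose domain the suffix names); the domain names are the thread's anonymised ones, and the account names are constructed.

```python
"""Added example (not from the thread, Cisco, or ISE): simulate how an
ISE Identity Rewrite rule on one join point changes identity resolution.
Resolution model, account names and rule semantics are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class JoinPoint:
    name: str                      # AD domain ISE is joined to
    forest: str                    # forest root a bare-name search depends on (assumed)
    forest_reachable: bool         # can ISE reach that forest root?
    accounts: Set[str] = field(default_factory=set)   # sAMAccountNames (constructed)
    rewrite_suffix: Optional[str] = None              # Identity Rewrite rule, if set

    def has(self, user: str) -> bool:
        return user.lower() in {a.lower() for a in self.accounts}


def rewrite_identity(identity: str, suffix: str) -> str:
    """ISE rule 'If Identity Matches [IDENTITY] Rewrite as [IDENTITY]@<suffix>'.
    Assumption: only a bare name is rewritten; an identity that already
    carries a UPN suffix or a NetBIOS prefix (DOMAIN\\user) is left alone."""
    if "@" in identity or "\\" in identity:
        return identity
    return f"{identity}@{suffix}"


def split_identity(identity: str) -> Tuple[str, Optional[str]]:
    """Return (user, domain); domain is None for a bare sAMAccountName.
    NetBIOS-prefixed names are out of scope for this simulation."""
    if "@" in identity:
        user, domain = identity.rsplit("@", 1)
        return user, domain
    return identity, None


def resolve(identity: str, join_points: List[JoinPoint]):
    """Walk the join points in order, producing a trace shaped like the
    'Test User' output. Returns (join_point_name_or_None, status, trace)."""
    trace = [f"Resolving identity - {identity}"]
    some_unavailable = False
    for jp in join_points:
        # ISE applies a rewrite rule per join point, so rewrite only here
        candidate = rewrite_identity(identity, jp.rewrite_suffix) if jp.rewrite_suffix else identity
        user, domain = split_identity(candidate)
        trace.append(f"Search for matching accounts at join point - {jp.name}")
        if domain is not None:
            # UPN form: the suffix names the domain, so only that domain is asked
            if domain.lower() != jp.name.lower():
                trace.append(f"Domain {domain} is not served by join point - {jp.name}")
                continue
            if jp.has(user):
                trace.append(f"Identity resolved at join point - {jp.name}")
                return jp.name, "OK", trace
            trace.append(f"No matching account found in domain - {jp.name}")
            continue
        # Bare name: assumed to need a forest-wide search via the forest root
        if not jp.forest_reachable:
            trace.append(f"Skipping unavailable forest - {jp.forest}")
            some_unavailable = True
            continue
        if jp.has(user):
            trace.append(f"Identity resolved at join point - {jp.name}")
            return jp.name, "OK", trace
        trace.append(f"No matching account found in forest - {jp.forest}")
    trace.append("Identity resolution detected no matching account")
    status = ("ERROR_NO_SUCH_USER_SOME_DOMAINS_NOT_AVAILABLE" if some_unavailable
              else "ERROR_NO_SUCH_USER")
    trace.append(f"Identity resolution failed - {status}")
    return None, status, trace


def build_join_points(with_rewrite: bool) -> List[JoinPoint]:
    """Constructed scenario mirroring the thread: the old forest is reachable,
    the new forest root is not, and only the SiteA subdomain is under our control."""
    suffix = "SiteA.main.newdomain.com" if with_rewrite else None
    return [
        JoinPoint("original.OldDomain.com", "original.OldDomain.com", True, {"alice"}),
        JoinPoint("SiteA.main.newdomain.com", "main.newdomain.com", False, {"bob"},
                  rewrite_suffix=suffix),
    ]


if __name__ == "__main__":
    for with_rewrite in (False, True):
        jp, status, trace = resolve("bob", build_join_points(with_rewrite))
        print(f"--- rewrite rule {'on' if with_rewrite else 'off'}: {status} ({jp})")
        print("\n".join(trace))
```

Two things the simulation makes visible that the thread only implies: the rule only touches bare identities, so a user who types bob@SiteA.main.newdomain.com resolves even without it, and a user who types a NetBIOS-prefixed name is not rewritten at all; and an unknown user now fails with plain ERROR_NO_SUCH_USER rather than SOME_DOMAINS_NOT_AVAILABLE, because the unreachable forest root is never consulted for that join point.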