cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6510
Views
0
Helpful
6
Replies

ISE Multiple domain join issue

ymadheka
Level 4
Level 4

Hi Team,

In one of the ISE deployments we have facing issue with integration of the node with two AD domains, although one has been integrated the second one is still under process of integrating with ISE node. The issue is briefed as below:

ISE (Primary and Secondary) have been deployed in the management network of primary domain (xyx.com as a example) that is shared by all the Network Devices across all the companies with the gateway of the management subnet is configured on the firewall for the organization with the above domain. Both the ISE Nodes are added in the WLC as the RADIUS Servers. Domain Server Configured on both the ISE Nodes is pointed towards xyz.com DNS Server. The issue faced is when the ISE is added to one more domain (abc.com as an example) we are getting the attached error. Please note that ABC and XYZ (as quoted example above) are two separate entities of the same group. They are having multiple AD domains but are using same WLC controller. ABC AD is not getting integrated with main XYZ without configuring two-way trust, although this scenario is supported by ISE. The TAC (SR 683511589) has already conveyed that the issue is with availability of AD services from ISE and has asked to check AD logs, check the firewall rules, fix revers DNS issue.

Do we have a clear prerequisites specific to DNS records (creating A record, PTR record, SRV record etc) for integrating with multiple domains? Not much specific is available in the configuration guide specific to multiple domain integration.

Kindly help.

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee
Cisco Employee

As you already have a case open, please continue working with Cisco TAC.

In essence, all those Microsoft AD integrated records need to be resolvable. It's easier to either make the configured DNS servers as slave for the AD DNS for ABC, or using conditional forwarding, or using stub zone.

View solution in original post

6 Replies 6

hslai
Cisco Employee
Cisco Employee

As you already have a case open, please continue working with Cisco TAC.

In essence, all those Microsoft AD integrated records need to be resolvable. It's easier to either make the configured DNS servers as slave for the AD DNS for ABC, or using conditional forwarding, or using stub zone.

Thanks for the quick revert.

Although the TAC has correctly narrowed down the issue, the concern is do we have a ready documentation for the DNS requirements in terms of multiple domain scenarios?

This would really be helpful for deployments with multiple domain environments to be shared as a prerequisites.

we rely on sites and services working correctly to resolve DNS. I would recommend working through the TAC to get a deeper analysis

The info is documented in Active Directory Integration with Cisco ISE 2.x and ISE admin guides.

Once DNS resolution is met, you should be able to join to the 2nd domain.

The customer has the WLC common for both the domains, will having a separate PSN nodes for each domain resolve the issue.

Do we have any specific recommendations for the multiple domain scenario for ISE deployments like here with no two-way trust between these domains?

Each AD domain/controller which PSN must auth and perform lookups should be able to resolve all forward and reverse (A and PTR) records. 

The best detailed overview on large scale AD integration can be found in this Cisco Live session (BRKSEC-2134  What's New in ISE Active Directory Connector) by the author himself.   Content is available on CiscoLive.com.

Craig