Is there any reason why an ISE node in my cluster would suddenly have the AD join point domain controller no longer showing listed? You can see in the image ise4 has a blank entry in Domain Controller column, however the status is operational.

Diagnostic tool test comes back with the following failed tests:

• Kerberos test obtaining join point TGT on instance
• Kerberos check SASL connectivity to AD on instance

The reason being "The password is incorrect for the given account".

In the test LDAP test DCs response time - I can see the correct domain controller was the first to respond. So ISE should use this domain controller, but the entry is blank in the table.

Only thing I can think of is the account that ISE node did the domain join has had it's password changed. Is my thinking correct and would doing a new domain join for this node resolve the issue?