Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
364
Views
0
Helpful
1
Replies

ISE nodes - AD join question

miclacs13
Level 1
Level 1

‎05-15-2017 11:57 AM - edited ‎03-11-2019 12:43 AM

We have a distributed deployment and each ISE node is joined to different Domain Controllers. Some of these Domain Controllers are going away and new DCs will be built to replace the old ones. How do I remove the ISE nodes from the old DCs and join to the new DC with zero-downtime?

Labels:
0 Helpful
1 Reply 1

agrissimanis
Level 1
Level 1

‎05-16-2017 12:47 AM

The failover will be handled automatically by ISE, but you must have at least one of the name servers available (specified with ip name-server x.x.x.x from ISE cli)

As long as there is at least one other DC available for ISE to join to when the old ones are switched off, you should be fine.

The success of this operation depends on the health of your AD (SRV records, etc). One way to check is to run the AD diagnostics tool from ISE.

Best to do this during off-peak hours or maintenance window of course...

0 Helpful
Customers Also Viewed These Support Documents