- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-27-2018 11:59 PM
I have implement Cisco ISE as TACACS server, I configured NTP point to my AD server for time synchronization. Unfortunately ISE always select LOCAL(*127.127.1.0) as a time source. Does we have any configuration to force the ISE to sync time with AD? Thank for your kindly support.
Solved! Go to Solution.
- Labels:
-
Identity Services Engine (ISE)
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-28-2018 10:51 PM
It seems to me the main issue is that your AD servers are both of Stratum 16. Clock_strata explains that
... The upper limit for stratum is 15; stratum 16 is used to indicate that a device is unsynchronized. ...
Please check on support documents on Microsoft servers for troubleshooting. For example,
- How to configure an authoritative time server in Windows Server
- Support boundary to configure the Windows Time service for high-accuracy environments
[2018-Mar-29] Looking at it again, I think your AD servers are not responding to NTP requests from ISE, because the column "reach" showing 0. Please troubleshoot that issue first.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-28-2018 12:26 AM
Hi,
Below Technote should help you.
Troubleshoot ISE and NTP Server Synchronization Failures on Microsoft Windows - Cisco
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-28-2018 12:40 AM
Hi bbharathan,
How can I get into Cisco ISE root level?
Thanks.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-28-2018 05:19 AM
We don’t let you into root level.
I would recommend making sure your NTP source is a good one per the document
Tac can assist in troubleshooting
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-28-2018 10:51 PM
It seems to me the main issue is that your AD servers are both of Stratum 16. Clock_strata explains that
... The upper limit for stratum is 15; stratum 16 is used to indicate that a device is unsynchronized. ...
Please check on support documents on Microsoft servers for troubleshooting. For example,
- How to configure an authoritative time server in Windows Server
- Support boundary to configure the Windows Time service for high-accuracy environments
[2018-Mar-29] Looking at it again, I think your AD servers are not responding to NTP requests from ISE, because the column "reach" showing 0. Please troubleshoot that issue first.
