03-19-2019 03:07 PM
Hello, I am working to deploy the ISE-PIC agent. I installed the ISE agent on a Server 2012 box (non-DC) and pointed the agent to a 2012 DC box. When I add the ISE-PIC service account to the DC admin group I am able to send IDs from DC ---> AGENT BOX ---> ISE. However, when I pull DC admin rights from the user I am unable to pull context.
I have a few questions...
1. What operation takes place between the DC agent and the member DCs?
Are the events shared via API, WMI, etc. from DC ---> AGENT?
2. What rights do we need to provide to a non-domain-admin user?
I am pretty sure I applied all the non-DC-admin rules highlighted in this document.
Error logs from the ISE-PIC agent:
2019-03-19 14:57:34,421 ERROR - Domain Controller 192.168.100.15, Error qureing events, Waiting one minute before trying again : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
2019-03-19 14:58:34,438 ERROR - Domain Controller 192.168.100.15, Error occurred while reading events : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
2019-03-19 14:58:34,438 ERROR - Domain Controller 192.168.100.15, Error qureing events, Waiting one minute before trying again : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
2019-03-19 14:59:34,455 ERROR - Domain Controller 192.168.100.15, Error occurred while reading events : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
2019-03-19 14:59:34,455 ERROR - Domain Controller 192.168.100.15, Error qureing events, Waiting one minute before trying again : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
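The E_ACCESSDENIED in the log above is the DC refusing a remote read of its Security event log. An added example (not part of the original post, and not Cisco's documented ISE-PIC permission set) that reproduces that read with the service account's own credentials, so the failure can be isolated from the agent, and then checks the two things that normally decide it: the Security channel's access list on the DC and whether the account sits in the DC's Event Log Readers group. The DC address is taken from the log lines; the account name CORP\svc-isepic and the admin account CORP\admin are placeholders.

```powershell
# Added example, not from the thread. Run on a domain-joined box with RSAT
# (ActiveDirectory module) installed. Placeholders: CORP\svc-isepic, CORP\admin.
param(
    [string]$DomainController = '192.168.100.15',  # DC from the thread's log lines
    [string]$ServiceAccount   = 'CORP\svc-isepic', # hypothetical ISE-PIC service account
    [string]$AdminAccount     = 'CORP\admin'       # hypothetical account allowed to read the log config
)

$svcCred   = Get-Credential -UserName $ServiceAccount -Message "Password for $ServiceAccount"
$adminCred = Get-Credential -UserName $AdminAccount   -Message "Password for $AdminAccount"

# 1. Reproduce what the agent does: read one logon event (4624) from the DC's Security log
#    as the service account. Access denied here is the same HRESULT 0x80070005 the agent logs.
try {
    $evt = Get-WinEvent -ComputerName $DomainController -Credential $svcCred `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1 -ErrorAction Stop
    Write-Host "OK: $ServiceAccount read event $($evt.Id) at $($evt.TimeCreated) from $DomainController"
} catch {
    Write-Host "FAIL: $ServiceAccount cannot read the Security log on $DomainController"
    Write-Host "      $($_.Exception.Message)"
}

# 2. Inspect the Security channel ACL (SDDL) on the DC. Reading the log needs either
#    the 'Manage auditing and security log' right (SeSecurityPrivilege) or an ACE in this
#    descriptor; the built-in Event Log Readers group (SID S-1-5-32-573) is granted one.
$logCfg = Get-WinEvent -ListLog Security -ComputerName $DomainController -Credential $adminCred
$sddl   = $logCfg.SecurityDescriptor
Write-Host "Security channel SDDL on $DomainController`n  $sddl"
if ($sddl -match 'S-1-5-32-573') {
    Write-Host "  Event Log Readers is present in the channel ACL."
} else {
    Write-Host "  Event Log Readers is NOT in the channel ACL (non-default; check GPO 'Configure log access')."
}

# 3. On a DC the builtin groups live in AD, so membership can be checked with the AD module.
#    Event Log Readers gives Security-log read access without Domain Admins.
Import-Module ActiveDirectory -ErrorAction Stop
$samName = $ServiceAccount.Split('\')[-1]
$members = Get-ADGroupMember -Identity 'Event Log Readers' -Recursive -Credential $adminCred `
    -Server $DomainController | Select-Object -ExpandProperty SamAccountName
if ($members -contains $samName) {
    Write-Host "$samName is a member of Event Log Readers on the domain."
} else {
    Write-Host "$samName is NOT a member of Event Log Readers; add it with:"
    Write-Host "  Add-ADGroupMember -Identity 'Event Log Readers' -Members $samName -Server $DomainController"
}
```

If step 1 succeeds under the service account but the agent still logs Access Denied, the agent's remaining requirements lie outside plain event-log reads (for example DCOM/WMI or remote registry access, which the replies below discuss), and adding the account to Domain Admins, as the thread notes, is the blunt way to cover all of them at once.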
03-19-2019 03:58 PM
When I have asked Cisco this in the past they said they have really only tested with Domain Admin-level privileges. There is really no difference between installing the DC agent on a member server and just doing WMI queries from ISE. They both need highly elevated privileges to do their job. If you want to avoid having to use a service account altogether, manually install the DC agent on the domain controllers and then point them at the ISE nodes.
03-20-2019 01:09 PM
Thanks Paul, so it appears it's WMI communication between the member server (agent) and the DCs?
thanks,
Tim
03-20-2019 08:26 PM
It is supposed to use some Windows API calls, I believe, instead of WMI, but it still needs to authenticate to the DCs. So in my mind I am not really sure what running the DC agent on a member server buys you. I usually tell customers to either do WMI calls from ISE PSNs or install the DC agent on the DCs.