When troubleshooting issues with users, specifically those where their Active Directory Account may be locked, our Windows teams will check the AD security logs. However, they see the attempted login as though it has come from the ISE devices (as expected), however, the server name that they see in their logs is not the same as the hostnames configured on the ISE devices?
As an example - they may see the entry as below for the server -
Where the 'AAADC01' is an expected and recognised part of the name (only the first few characters) but the rest '-983EZXB' is unknown... Apparently the Windows logs don't record the source IP of the request, only the name sent so it's impossible to work out which of the nodes in the ISE clusters this is coming from...
Does anyone know how I can relate the above back to the real hostname/identify the source within the ISE cluster?
Unless the ISE nodes have long hostnames that are longer than 15 characters, I could not think of a reason for such hostname character substitutions. If the hostnames are indeed more than 15 characters, check the NetBIOS names of the computer accounts for these ISE nodes.
If that is not it, please contact Cisco TAC for further troubleshooting.