Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
416
Views
3
Helpful
7
Replies

ISE server will not join AD

kyle311
Level 1
Level 1

‎08-27-2024 09:10 AM

I have a client who has 2 cisco ise 3.2 servers.  When we try to join the first server to AD, it will fail out halfway through.  There is connectivity between the ISE server and AD, as the network object will be created.  However, the process dies out.

 

Any suggestions on what may be causing this?

1 person had this problem
7 Replies 7

Rob Ingram
VIP
VIP

‎08-27-2024 09:16 AM

@kyle311 is ISE and Active Directory time in sync, the maximum time difference between AD and ISE can be is 5 minutes. https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215233-identity-service-engine-ise-and-active.html

Does ISE provide an error?

Can ISE resolve the AD DNS names?

 

0 Helpful

kyle311
Level 1
Level 1
In response to Rob Ingram

‎08-27-2024 12:51 PM

Also, yes, ISE can resolve DNS names.  devices can resolve the servers by FQDN, also

kyle311
Level 1
Level 1

‎08-27-2024 12:35 PM

Thanks for the response, Rob!  the DC's and ISE servers are all in sync timewise.  It will go through the point of creating an object in AD>  It will then give an error "Cannot Join with DC (name of device), searching for another DC"  

 

The Creds are valid and the user appears to have access if it is creating the object.  

 

Any Idea what is causing this? I cannot create the Dot1x policies without this

Abdullah@LTI
Level 1
Level 1

‎08-28-2024 02:10 AM

Hi Kyle311,

I once ran into this issue as well. Is there a firewall between the ISE servers and AD? If so, make sure that all mentioned ports are allowed in the firewall. Besides that, you mentioned that there are DNS entries created, did you also created the pointer records?

 

Best of luck.

0 Helpful

kyle311
Level 1
Level 1
In response to Abdullah@LTI

‎08-28-2024 06:38 AM

Hey Abdullah!

Thank you for your response.  Unfortunately, there doesn't appar to be a firewall between the ISE Servers and the AD servers.  The DNS and pointers are in place.  I can ping the DC's fqdn from the servers command line.  I can ping the ise server from the dc by fqdn. It makes absolutely no sense to me

0 Helpful

Abdullah@LTI
Level 1
Level 1
In response to kyle311

‎08-28-2024 07:08 AM

Can you share some screenshots and maybe the errors?

0 Helpful
Customers Also Viewed These Support Documents