Ahh I see that now. Is ISE going through the skip unusable domains logic every time something authenticates? It appears in the step data each time.

I had the same issue.  I only whitelist the Domains I want but ISE is too clever sometimes and tries to connect with domain controllers that I am not even interested in.  And to make matters worse, we have a massive forest with domain controllers that I should/must not try to contact (hence, I don't whitelist them) and ISE tries anyway.  It can't establish a TCP connection and fails miserably all day long.  Filling up logs etc.  I have had to turn the syslog down from INFO to ERROR to stop the  Splunk sales guy from grinning so much

If you have a TAC case open on this, please ask TAC to log a bug.

Otherwise, please email me a copy of some sample logs with such issue.

Thanks.

I found those are logged at INFO level:

1. DCPriorityList::updatePriorityListDC: update score of existing entry,updatePriorityListDC(),lwadvapi/threaded/dc_pri_list.cpp:319
2. LWNetSrvSelectDCInfoByScore: selected DC name=...
3. MemDbExportToFileThread: Exporting registry to save file completed....
4. Skipping forest name discovery for external trust at someDomainName

Are you suggesting not to log any of these or only some specific ones?

I've discussed this with our engineering team so am getting ready to log a bug once the specifics provided.

I recently read ISE requires a two-way trust between the domains. Does it not support the authentication in a domain where a one-way trust exists? Maybe the book I am reading is outdated and changes have been made? I am referring to the ability of the authentication server to query a domain with a one-way trust rather than a two way. Looking at implementing 802.1x which requires authentication into a domain I do not have access. Allowing a one-way trust should fix this but, it doesn't seem to be supported. Anyone have a work around?

Book I read requirement

CCNP-Security

SISAS 300-208

Aaron T. Woland

Kevin Redmond