08-28-2024 11:41 AM
Hey guys,
I needed to create the ISE secondary node again; however, I am unable to insert it into our domain.
The ISE log reports the message below and the ISE TCP DUMP capture.
ISE version: 3.3.0.181
Do you have any suggestions for testing or troubleshooting?
08-28-2024 01:32 PM
Not sure of the exact mechanism ISE uses to join the Domain, but you could try to delete the existing AD machine account for the domain (if it was previously joined?) and then try the join again. I have never had an issue with joining ISE nodes to an AD domain as the Domain Admin. That user might be total overkill, but in the absence of Cisco documenting this in more detail (that a non-Windows admin like myself can understand), I just take the big hammer to solve this problem.
08-28-2024 03:09 PM
See the following document for permissions required for the various Join/Leave functions. If the computer account is being created ahead of time, ensure it has the necessary permissions. If the computer account is being created at the time of the Join operation, ensure the admin account doing the join has the necessary permissions.
08-28-2024 03:26 PM
@Greg Gibbs thanks for that link - one of these days I plan to have a look at Windows Server Users and Computers to see what this looks like for a user account - the tables in the Cisco document are very wordy and I wasn't 100% confident I would know what to look for in the Windows user interface to comply with those rules.