Joining Cisco ISE Node with RODC Active Directory Issue

Andryan Viryadi Tanamir · ‎02-28-2017

Hello guys,

I am trying to join my CIsco ISE Nodes to RODC Active Directory and there's an issue when joining.

Are there any limitations when joining Cisco ISE to RODC Active Directory?

Does Cisco ISE needs to join to RWDC Active Directory not RODC?

*Attached is the log produced when trying to join domain.

Ps: Customer didnt permit any communication directly to RWDC.

Hope to hear your response.

shah.vinit · ‎11-08-2021

Hello,

Did you able to solve this issue, i have to implement ISE PSN node with RODC, will it work?

thomas · ‎12-04-2021

Active Directory Account Permissions Required to Perform Various Operations

Join Operations

Cisco Machine Accounts

The join operation requires the following account permissions:

Search Active Directory (to see if a Cisco machine account exists)
Create Cisco machine account to domain (if the machine account does not already exist)
Set attributes on the new machine account (for example, Cisco machine account password, SPN, dnsHostname)

The machine account that communicates to the Active Directory connection requires the following permissions:

Change password
Read the user and machine objects corresponding to users and machines that are
Query Active Directory to get information (for example, trusted domains, alternative UPN suffixes, and so on)
Read the tokenGroups attribute

You can precreate the machine account in Active Directory. If the SAM name matches the Cisco appliance hostname, it is located during the join operation and re-used.

If there are multiple join operations, multiple machine accounts are maintained inside Cisco , one for each join.