
LDAP search in forest failed

antonioyan99
Level 1

Hi Cisco ISE guru,

I am deploying a medium ISE solution; however, I have run into an AD issue. Here is the detail.

ISE joined AD domain abcd.com under forest abcd.com, and there is a trusted domain ef.abcd.net under forest abcd.net.

When a computer host/PC1234.ef.abcd.net is trying to authenticate, ISE tried to search ALL_AD_Join_Points and returned the error message:

24321 LDAP search in forest failed - abcd.net,ERROR_NO_SUCH_DOMAIN

24352 Identity resolution failed - ERROR_NO_SUCH_USER_SOME_DOMAINS_NOT_AVAILABLE

However, when I check the joined AD, I can retrieve groups from domain ef.abcd.net. Can you please advise what could have caused this issue?

The trusted domain seemed to be working before; the ISE was restored from a backup, and then patch 4 was installed.

The AD were re-joined after the restore, and the joined domain abcd.com has no issue.

Thanks.

Accepted Solutions

Damien Miller
VIP Alumni

There is an AD bug in 2.4 patch 4 that was resolved in patch 5. It was a regression in patch 4, so p1, p2 and p3 were unaffected.

I suspect you are hitting this and applying patch 5 would fix it. You can work with TAC if you want to confirm you are hitting this or not.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm93698


2 Replies

Yes, this issue has been resolved.
Thanks.