01-20-2021 02:06 PM
Recently we had a major power outage that knocked out all of our domain controllers. After power was restored and all of our servers came up, we noticed that we could no longer log in to our network gear. ISE showed that it was no longer joined to the domain. We've rejoined it, but the issue continues.
We are getting a ton of
LsaDmConnectDomain: failed with error 40095
I've searched the internet for references to this error without success. I did find a reference to a bug, specifically addressing multiple DCs rebooting at the same time, and the version we are running seems to fit.
Has anyone seen this error? If so, what was done to address the issue?
Thanks
Ivan Chacon
Accepted Solutions
01-21-2021 12:13 AM
If you go to external identity sources in ISE, what is the status of your
AD servers? Also try to run a test for one of your ADs and see what errors
you get.
This error code represents LW_ERROR_RPC_NETLOGON_FAILED, which is an error
authenticating with AD. So you need to investigate your DC environment.
It's highly likely not an ISE problem.
01-21-2021 04:34 AM
Thanks for the response. After we rejoined them they both show operational, and we are able to successfully test user authentications from the External Identity test user option. I will reach out to my AD team to see if they see anything in the logs, or can schedule another reboot of the PDC.
What do you think about completely removing ISE from the domain? Initially I picked the option to leave the domain but left the computer account.
Thanks again.
01-25-2021 08:45 AM
Hi,
Could it be that ISE is trying to reach another DC that it doesn't have connectivity to? Or maybe the clock is not synchronized between your ISE and AD?
Ask your AD team to confirm if ISE is in the correct AD Site, and have a look at the following guide regarding ISE AD discovery.
I remember that I had a case where ISE was trying to reach a specific AD DC but there was no network connectivity. We forced ISE to use a specific DC under AD Advanced Tuning.
