Solved: NTP servers and Time Zones configuration on Cisco ISE 2.7 Large Deployment

aaggarwal23 · ‎07-20-2021

Dear Community,

I have a query here regarding Cisco ISE large setup in multi AD Forest with Time zone and NTP servers setup.

My Deployment could be like below:-

PAN/MNT - located in Czech Republic and having local NTP servers and Time Zone as Europe/Prague. This PAN/MNT is joined to local Active Directory domain which is having different Active Directory Forest. Example - abc.local. We will join this PAN to PSN AD forest as well.

PSNs - One Located in London and have local NTP server and Time zone as Europe/London. This PSN will be joined to its local office AD forest through PAN. Example xyz.local. Which is totally different AD forest compare to where PAN.MNT is joined

Secondary PSN - This PSN is located in Tokyo and have local NTP server and time zone as Asia/Tokyo. This PSN will be joined to its local office AD forest. Example xyz.local same as First PSN. Which is totally different AD forest compare to where PAN.MNT is joined.

and There are some 5-6 PSNs which is already joined to PAN/MNT and having same (Like PAN/MNT) time zone and NTP configured on it and also Joined to same active directory forest where PAN/MNT is joined.

So my query here if i create new PSN in Tokyo with its local time zone (Asia/Tokyo) and local NTP server. Will it give issue while joining this PSN to PAN which is having different time zone as Europe/Prague and local NTP server?

I heard Cisco ISE supports 50 AD forest to join. However if there is any difference with time on PAN AD server and PSN AD server what could be the impact? because PAN AD server will be be using Europe/Prague and PSN AD server will be using Asia/Tokyo time zone.

I am Sure i am clear on my query however please let me know if you need more info.

Surendra · ‎07-20-2021

Ideally.. Cisco recommends having the same timezone across the deployment. You can have your NTP servers located at various places but it does not have anything to do with the timezone.

View solution in original post

Surendra · ‎07-20-2021

Ideally.. Cisco recommends having the same timezone across the deployment. You can have your NTP servers located at various places but it does not have anything to do with the timezone.

aaggarwal23 · ‎07-23-2021

Thanks for your response and sorry about replying you bit late.

Is it fine if i change the time zone in 2.7 Patch 4 installed ISE node now which is Standalone ISE node now? This ISE Node is not part of Distributed deployment yet.

Marcelo Morais · ‎07-23-2021

Hi @aaggarwal23 ,

please take a look at: CSCvo49755 To enable CLI clock timezone command.
"This functionality has been returned in ISE 2.2 patch 17, ISE 2.4 patch 11, ISE 2.6 patch 5, and ISE 2.7 patch 1 with the note below

% On ISE Distributed Deployments, it is recommended all nodes be
% configured with the same time zone.
% Changing the time zone may result in undesired side effects
% Recommended to reimage the node after changing the time zone
Are you sure you want to proceed with time zone change? Y/N [N]: Y
System timezone was modified. You must restart ISE for change to take effect."

Take a look at the command at: ISE CLI Commands, search for clock timezone.

Hope this helps !!!