Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1362
Views
0
Helpful
7
Replies

PassiveID add Domain Controller (missing DC)

Go to solution
csco11552159
Level 5
Level 5

‎09-20-2018 12:28 PM

Recently we are trying to add new DCs into PassiveID list to use WMI monitoring.

The problems how ISE find the DCs, in our Dev environment, we found some DCs are missing from the list. and we have no way to add them.

 

when use :

nltest /dclist:dev  

We will see 4 DCs.

But from PassiveID "Add Domain Controllers" list, cannot find all of them.

Then we test our production DCs, we have same issues, some "site" DCs are totally missing.

Is some kind reasons about DC"Site" ? 

How does ISE find all DCs available  to add? 

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to csco11552159

‎09-20-2018 07:01 PM

I would suspect some issue with AD sites and services and misconfiguration of AD infrastructure since ISE cannot see them. I would open a TAC case to start and work with Microsoft as well to see where the problem lies

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎09-20-2018 01:30 PM

Hi,

 

It sounds like a configuration issue with AD. ISE gets the list of domain controllers when it joins the domain. There is no way to manually add DCs in ISE today. 

 

Regards,

Tim

0 Helpful

Go to solution
csco11552159
Level 5
Level 5
In response to Timothy Abbott

‎09-20-2018 02:36 PM

we saw the same result for other domains. it seems site impacted PassiveID DCs....

 

 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to csco11552159

‎09-20-2018 07:01 PM

I would suspect some issue with AD sites and services and misconfiguration of AD infrastructure since ISE cannot see them. I would open a TAC case to start and work with Microsoft as well to see where the problem lies
0 Helpful

Go to solution
csco11552159
Level 5
Level 5
In response to Jason Kunst

‎09-20-2018 09:20 PM

Opened a ticket with TAC wait for some updates. 

 

Psn with passive ID enabled only see the "site" DC which are auto associated with.

 

Passive wmi should see everything .. 

0 Helpful

Go to solution
csco11552159
Level 5
Level 5
In response to csco11552159

‎09-21-2018 10:44 AM

checked with our AD admin, our DNS only resolve some of DC based on domain

but ISE seems not to use API or similar cmd like" nltest /dclist:xxx.com" to resolve the DCs.

 

if this is the case, PassiveID wont work for lots cases especially when large amount DCs in the enterprise.

No one will display 100 DCs based on domain name ....

 

 

 

 

 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to csco11552159

‎09-21-2018 11:42 AM

I would think that ISE needs all domains in DNS to be able to resolve and work with them. @Timothy Abbott is our SME will await for him to confirm. Right now it sounds like as before will need to tune AD to work with ISE. 

0 Helpful

Go to solution
csco11552159
Level 5
Level 5
In response to Jason Kunst

‎09-24-2018 12:27 PM

what if we deploy PSN to each "Site", witll ISE use site based DNS resolution to find all DC? 

we do have all site based DNS resolution. If ISE is using this way, it should be able to see all DC at the "site".

0 Helpful
Customers Also Viewed These Support Documents