Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1994
Views
0
Helpful
7
Replies

Trouble setting up AD integration with ISE

brianjthornton
Level 1
Level 1

‎07-31-2016 06:30 PM - edited ‎03-10-2019 11:57 PM

We setup a service account to use with ISE for AD integration...however when I try and go through the steps to join:

Join Operation Failed: The account's computer join limit has been exceeded.

If I use a domain admin account...it works...BUT...that's not ideal.  Domain users have a default 10 adds per day...not sure why it's failing?

Any thoughts?

Labels:
0 Helpful
7 Replies 7

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-31-2016 07:32 PM

In a couple of dozen deployments, I've never had a problem using a dedicated service account to join ISE to AD.

At first glance it sounds like an AD issue. Are you using a new service account dedicated to ISE?

Are you using a recent ISE version?

0 Helpful

brianjthornton
Level 1
Level 1
In response to Marvin Rhoads

‎07-31-2016 08:42 PM

ISE 2.0

New Service Account created just for this.

I've reached out to the sysadmins to see what they say...it's just weird

0 Helpful

wenqianyu
Level 3
Level 3
In response to brianjthornton

‎05-08-2017 10:50 PM

Hi Brian,

I have exactly the same problem when testing ISE 2.2. How did you get around this?

Thanks,

Wenqian Yu

0 Helpful

agrissimanis
Level 1
Level 1
In response to wenqianyu

‎05-10-2017 04:00 AM

Not sure why a newly created account would have the join limit exceeded, but is there a particular reason why you would want to use a dedicated account or service account to join the ISE nodes to AD (AD permissions I guess)?

That account is used only once, for the join operation. It is not used at all for any of the other ISE authentication operations/group lookups, the ISE node computer account does that.

0 Helpful

wenqianyu
Level 3
Level 3
In response to agrissimanis

‎05-10-2017 04:57 PM

We use an existing Service Account for our ISE system to get newly added nodes join Domain. I do think there is a limit for this type of account to get servers join Domain. Will find this out from Domain Admin.

0 Helpful

ajc
Level 7
Level 7
In response to wenqianyu

‎05-11-2017 10:52 AM

When you test the service account (using ISE option) before trying to join it to AD, what is the error you are getting?. Using our AD service account I was able to join our distributed environment with 4 Admin Nodes + 10 PSN's.

0 Helpful

wenqianyu
Level 3
Level 3
In response to ajc

‎05-11-2017 05:26 PM

We experience issues when adding new ISE nodes to Active Directory. If the server name was already in Active Directory, link ISE node to Active Directory was successful. If the ISE node was not in Active Directory, the process should create an computer account for this server in Active Directory and then do the link. The error we got indicating that the service account reached to a limit creating an account in AD.

Workaround: I asked our system admin to create computer accounts in AD. Then link ISE Nodes to AD was successful.

Thanks

0 Helpful
Customers Also Viewed These Support Documents