Way to latch the ISE to a specific domain controller.

shubham patki · ‎04-25-2023

We have ISE 2.6 in our environment and are testing some stuff with AD connection.

Is there a way to connect to a specific AD Domain controller?

TIA

Shubham

Nancy Saini · ‎04-25-2023

You can leverage the feature of Whitelisted Domains in Active Directory page of ISE.

ahollifield · ‎04-25-2023

If I understand your question correctly. AD Sites and Services is what you are looking for.https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2503911.html

shubham patki · ‎04-25-2023

I think so too. I read somewhere that using AD Sites and services can be helpful. But that's it, no more details on how can we leverage that to force ISE/PSN to connect to a specific Domain Controller.

Greg Gibbs · ‎04-25-2023

See a similar discussion here:

https://community.cisco.com/t5/network-access-control/ise-ad-sites-and-services/td-p/3335406

ISE joins the domain as a computer account, so it leverages standard AD functions for determining which Domain Controller(s) it should communicate with and in which order. With properly configured AD Sites and the IP/subnet of the ISE node(s) mapped to the correct Site in AD, the ISE nodes will automatically communicate with the DC associated with that Site.

You can read more about AD Sites here:

https://www.windows-active-directory.com/active-directory-sites.html

poongarg · ‎04-26-2023

Agree with Greg. Use the AD Sites and Services. However, If there is very specific requirement to connect to specific DC in a domain, then open a TAC case. TAC may help with Advanced Tuning of Active Directory Connection.