02-10-2021 09:01 PM
ISE cannot join AD. I got the error messages below. One of them mentions "Unreachable Server List:"; that's right, the DNS IP address has already changed, but I do not know where I can change the IP address in ISE accordingly. If this is the case, can you show me where to change the IP address in ISE? Thank you
Detailed Log:
Error Description :
Cannot retrieve TGT for account administrator@ABC.LOCAL , Invalid username or password
Error Resolution :
please check machine account : administrator@ABC.LOCAL password in dc DC3.ABC.local , this error might occur due to replication errors
Join steps :
23:36:35 Joining to domain ABC.LOCAL using user administrator
23:36:35 Searching for DC in domain ABC.LOCAL
23:36:35 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
23:36:35 Checking credentials for user administrator
23:36:35 Getting TGT for account administrator@ABC.LOCAL
23:36:36 Cannot retrieve TGT for account administrator@ABC.LOCAL , Invalid username or password
-------------------------------
Result And Remedy...
The Following Servers Could Not Be Reached, Please Check DNS And Network Configuration. Unreachable Server List:
10.0.10.200
---------------------------------
Test Name :Kerberos check SASL connectivity to AD
Description :Checks secure connectivity to AD (using SASL mechanism)
Instance :DC3
Status :Failed
Start Time :23:54:01 10.02.2021 EST
End Time :23:54:01 10.02.2021 EST
Duration :<1 sec
Result and Remedy...
Could not get Machine account info : Machine is not joined to AD. PBIS error code: NERR_SetupNotJoined. Check Kerberos configuration and network settings
Solved!
02-11-2021 09:22 AM
You might want to make sure you have correct DNS record created on AD for ISE.
Once done, make sure you are able to nslookup AD from ISE and vice versa.
You might not be able to join Cisco ISE with an Active Directory domain if the DNS SRV records are missing (the domain controllers are not advertising their SRV records for the domain that you are trying to join to).
Please review this doc to make sure you have the prerequisites: https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html
If that doesn't help, please put the following components on trace and debug respectively:
1. Active Directory on trace
2. identity-store-AD on debug
Path for this: System > Logging > Debug Log Configuration > choose the ISE node
Run the following commands on ISE CLI
terminal length 0
show logging application ad_agent.log tail
and attempt to join the AD again.
02-10-2021 10:55 PM
Hi David,
Please make sure the AD join credentials are correct and clock is in sync between AD and ISE.
To change DNS server IP, you can use
ise/admin# config t
ise/admin(config)# ip name-server
OR
To do manual mapping of AD IP to name, you may use the following
ise/admin# config t
ise/admin(config)# ip host 1.1.1.1 abc.cisco.com
Thank you,
Dinesh Moudgil
P.S. Please rate helpful posts.
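The two replies above ask for the same prerequisites: a DNS record for ISE, working name resolution in both directions, SRV records advertised by the domain controllers, correct join credentials and clocks in sync. The script below is an added example, not part of the original thread or any Cisco tool, and bundles those checks so they can be run from a Windows host that uses the same DNS server ISE now points at. The domain name ABC.LOCAL, the DNS server 10.0.10.233 and the ISE hostname ise2.ABC.local are taken from the thread and are placeholders for your environment; the port list (88, 389, 445) is my assumption of the ports the join exercises.

```powershell
# Added example (not from the thread): pre-join checks for the DNS, port and
# clock prerequisites named in the replies above. Run from a domain-joined
# Windows host with the DnsClient and NetTCPIP modules (Windows 8/2012+).
# Domain, DNS server and ISE hostname are placeholders taken from the thread.
param(
    [string]$Domain    = 'ABC.LOCAL',
    [string]$DnsServer = '10.0.10.233',     # the server ISE now points at
    [string]$IseHost   = 'ise2.ABC.local'
)

$failures = @()

# 1. SRV records an AD client uses to locate DCs, KDCs and the global catalog.
$srvNames = @(
    "_ldap._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_kpasswd._tcp.$Domain",
    "_gc._tcp.$Domain"
)
$dcTargets = @{}
foreach ($name in $srvNames) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) { $failures += "no SRV answers for $name"; continue }
        foreach ($r in $srv) { $dcTargets[$r.NameTarget] = $r.Port }
        Write-Host ("OK   {0,-45} -> {1}" -f $name, (($srv | ForEach-Object NameTarget) -join ', '))
    } catch {
        $failures += "SRV lookup failed for $name : $($_.Exception.Message)"
    }
}

# 2. Every advertised DC must have an A record on this DNS server and answer on
#    the ports the join uses (assumed: Kerberos 88, LDAP 389, SMB 445).
foreach ($dc in $dcTargets.Keys) {
    $a = Resolve-DnsName -Name $dc -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) { $failures += "$dc has no A record on $DnsServer"; continue }
    foreach ($port in 88, 389, 445) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        if (-not $t.TcpTestSucceeded) { $failures += "$dc : TCP/$port closed or unreachable" }
    }
    # Kerberos tolerates only a few minutes of skew; print this host's offset to each DC.
    $offset = w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>$null | Select-Object -Last 1
    Write-Host "TIME $dc : $offset"
}

# 3. Forward and reverse records for the ISE node itself (nslookup both ways).
$iseA = Resolve-DnsName -Name $IseHost -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }
if (-not $iseA) {
    $failures += "no A record for $IseHost on $DnsServer"
} else {
    $ptr = Resolve-DnsName -Name $iseA[0].IPAddress -Type PTR -Server $DnsServer -ErrorAction SilentlyContinue
    if (-not $ptr) { $failures += "no PTR record for $($iseA[0].IPAddress)" }
}

if ($failures) { $failures | ForEach-Object { Write-Warning $_ } }
else          { Write-Host 'All pre-join checks passed.' }
```

Run it once against the old DNS server and once against the new one; a DC that appears in the SRV answers of one server but not the other is exactly the situation the ISE CLI warns about when it says all configured DNS servers must resolve all relevant AD records.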
02-11-2021 06:04 AM - edited 02-11-2021 06:07 AM
Thanks for your reply.
I want to change DNS from 10.0.10.200 to 10.0.10.233. Below is how I did it. It looks like I need to remove the original DNS before adding the new DNS, so even though I used the second command "no ip name-server 10.0.100.200" and restarted, I still have the problem when I use the first command "ip name-server 10.0.10.233".
ISE2/admin(config)# ip name-server 10.0.10.233
% duplicate name-server found
ISE2/admin(config)# no ip name-server 10.0.10.200
DNS Server was modified. If you modified this setting for AD connectivity, you must restart ISE for the change to take effect. Also note for ISE connectivity to AD, ensure all configured DNS servers can resolve all relevant AD DNS records. If this is not the case and current AD join points may not resolve under new DNS settings then it is recommended to manually perform leave and rejoin.
Do you want to restart ISE now? (yes/no)
02-11-2021 06:31 AM
I left both DNS servers working (DC1 is the old one and DC3 is the new one), and ISE2 still cannot join. Please see below:
Error Description: Join failed, reached the maximum number of failover attempts
Support Details...
Error Name: LW_ERROR_JOIN_FAILED_REACHED_MAX_RETRIES
Error Code: 60113
Detailed Log:
Error Description :
Join to ABC.LOCAL failed : reached maximum number of failovers
Error Resolution :
Please check for domain controllers connectivity replication problems in domain ABC.LOCAL
Join steps :
09:19:27 Joining to domain ABC.LOCAL using user administrator
09:19:27 Searching for DC in domain ABC.LOCAL
09:19:27 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:27 Checking credentials for user administrator
09:19:27 Getting TGT for account administrator@ABC.LOCAL
09:19:27 TGT for account administrator@ABC.LOCAL was retrieved successfully
09:19:27 Credentials for user administrator were verified
09:19:27 Searching for DC in domain ABC.LOCAL
09:19:27 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:27 Generating account name for ISE machine in ABC.LOCAL
09:19:27 Searching for an existing machine account
09:19:27 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/ise2.ABC.local))
09:19:27 Account: ise2 was not found
09:19:27 Searching for an existing machine account
09:19:27 Searching object by filter : (&(objectClass=computer)(sAMAccountName=ISE2$))
09:19:27 Account: ISE2$ was found
09:19:27 ISE Machine account name is : ISE2$
09:19:27 Creating machine account ISE2$
09:19:27 Connecting to AD using DC DC3.ABC.local
09:19:27 Connection to DC3.ABC.local established
09:19:27 Opening domain ABC
09:19:27 Domain ABC was opened successfully
09:19:27 Creating machine account object ISE2$
09:19:27 Cannot Join with DC DC3.ABC.local , searching another DC to join with
09:19:27 Searching for DC in domain ABC.LOCAL
09:19:27 Found DC: DC1.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Cannot Join with DC DC1.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Generating account name for ISE machine in ABC.LOCAL
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/ise2.ABC.local))
09:19:28 Account: ise2 was not found
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectClass=computer)(sAMAccountName=ISE2$))
09:19:28 Account: ISE2$ was found
09:19:28 ISE Machine account name is : ISE2$
09:19:28 Creating machine account ISE2$
09:19:28 Connecting to AD using DC DC3.ABC.local
09:19:28 Connection to DC3.ABC.local established
09:19:28 Opening domain ABC
09:19:28 Domain ABC was opened successfully
09:19:28 Creating machine account object ISE2$
09:19:28 Cannot Join with DC DC3.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC1.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Cannot Join with DC DC1.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Generating account name for ISE machine in ABC.LOCAL
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/ise2.ABC.local))
09:19:28 Account: ise2 was not found
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectClass=computer)(sAMAccountName=ISE2$))
09:19:28 Account: ISE2$ was found
09:19:28 ISE Machine account name is : ISE2$
09:19:28 Creating machine account ISE2$
09:19:28 Connecting to AD using DC DC3.ABC.local
09:19:28 Connection to DC3.ABC.local established
09:19:28 Opening domain ABC
09:19:28 Domain ABC was opened successfully
09:19:28 Creating machine account object ISE2$
09:19:28 Cannot Join with DC DC3.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC1.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Cannot Join with DC DC1.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Generating account name for ISE machine in ABC.LOCAL
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/ise2.ABC.local))
09:19:28 Account: ise2 was not found
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectClass=computer)(sAMAccountName=ISE2$))
09:19:28 Account: ISE2$ was found
09:19:28 ISE Machine account name is : ISE2$
09:19:28 Creating machine account ISE2$
09:19:28 Connecting to AD using DC DC3.ABC.local
09:19:28 Connection to DC3.ABC.local established
09:19:28 Opening domain ABC
09:19:28 Domain ABC was opened successfully
09:19:28 Creating machine account object ISE2$
09:19:28 Cannot Join with DC DC3.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC1.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Cannot Join with DC DC1.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Generating account name for ISE machine in ABC.LOCAL
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/ise2.ABC.local))
09:19:28 Account: ise2 was not found
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectClass=computer)(sAMAccountName=ISE2$))
09:19:28 Account: ISE2$ was found
09:19:28 ISE Machine account name is : ISE2$
09:19:28 Creating machine account ISE2$
09:19:28 Connecting to AD using DC DC3.ABC.local
09:19:28 Connection to DC3.ABC.local established
09:19:28 Opening domain ABC
09:19:28 Domain ABC was opened successfully
09:19:28 Creating machine account object ISE2$
09:19:28 Cannot Join with DC DC3.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC1.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Cannot Join with DC DC1.ABC.local , searching another DC to join with
09:19:28 Join to ABC.LOCAL failed : reached maximum number of failovers
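The join steps above show the credential check succeeding, then a search by SPN host/ise2.ABC.local finding nothing, a search by sAMAccountName finding ISE2$, and "Creating machine account object ISE2$" failing on DC3 and DC1 in turn until the failover limit is hit; the error text asks to check connectivity and replication between the domain controllers. The script below is an added example, not from the thread or from Cisco, that looks at the AD side of that: it reads the ISE2$ object from each DC named in the log so that differences between them (or a missing host/ SPN) are visible, and then runs repadmin for the replication check the error text suggests. It assumes a domain-joined Windows host with RSAT (ActiveDirectory module and repadmin.exe); the names ABC.LOCAL, DC1, DC3 and ISE2 are the thread's.

```powershell
# Added example (not from the thread): AD-side checks for the failover log above.
# Requires RSAT: the ActiveDirectory module and repadmin.exe. Names are the
# thread's placeholders; replace them with your own.
Import-Module ActiveDirectory

$Account = 'ISE2'                                   # sAMAccountName ISE2$ in the log
$IseSpn  = 'host/ise2.ABC.local'                    # SPN the first search looked for
$DCs     = 'DC3.ABC.local', 'DC1.ABC.local'         # DCs the join failed over between

# 1. Read the machine account from each DC directly (-Server), not via the
#    locator, so a replication difference between DC3 and DC1 shows up here.
$seen = @{}
foreach ($dc in $DCs) {
    $c = Get-ADComputer -Server $dc -LDAPFilter "(sAMAccountName=$Account`$)" `
            -Properties servicePrincipalName, whenChanged, pwdLastSet, userAccountControl `
            -ErrorAction SilentlyContinue
    if (-not $c) { Write-Warning "$dc : computer object $Account`$ not found"; continue }
    $seen[$dc] = $c
    "{0}: {1}" -f $dc, $c.DistinguishedName
    "    whenChanged={0}  pwdLastSet={1}  userAccountControl=0x{2:X}" -f `
        $c.whenChanged, [DateTime]::FromFileTime($c.pwdLastSet), $c.userAccountControl
    "    SPNs: " + (($c.servicePrincipalName) -join ', ')
    # The log searched by this SPN and found nothing, so report whether it is set.
    if ($c.servicePrincipalName -notcontains $IseSpn) {
        Write-Warning "$dc : $Account`$ exists but has no SPN $IseSpn"
    }
}

# 2. If the two DCs return different DNs or timestamps, the object has not
#    replicated consistently, which is the condition the error text points at.
if ($seen.Count -eq 2) {
    $a, $b = $seen[$DCs[0]], $seen[$DCs[1]]
    if ($a.DistinguishedName -ne $b.DistinguishedName -or $a.whenChanged -ne $b.whenChanged) {
        Write-Warning "ISE2`$ differs between $($DCs[0]) and $($DCs[1]); check replication"
    }
}

# 3. Replication health, as the Error Resolution asks for.
repadmin /replsummary
foreach ($dc in $DCs) { repadmin /showrepl $dc }
```

Read the output together with the ISE log: the log line "Creating machine account object ISE2$" is reached only after the existing object is found by sAMAccountName, so whatever the script shows about that object on each DC is what the join is working against.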
02-11-2021 06:32 AM
Can you please run "show run | in name-server" and check the exact servers configured ?
Negate that command that you see from the above output under configure terminal (skip the ISE restart this time) and then configure the command again i.e.
ip name-server 10.0.10.233
02-11-2021 07:18 AM - edited 02-11-2021 07:19 AM
ISE2/admin# show running-config | i name-server
ip name-server 10.0.10.233
It looks like ISE already uses the new DNS, but it still cannot join. I ran the tests in the Diagnostic Tool. Two of them failed: "Kerberos check SASL connectivity to AD"
and "Kerberos test obtaining join point TGT" the detail messages are as below respectively
"Could not get Machine account info : Machine is not joined to AD. PBIS error code: NERR_SetupNotJoined. Check Kerberos configuration and network settings"
"Could not get Machine account info : Machine is not joined to AD. PBIS error code: NERR_SetupNotJoined. Check Kerberos related AD configuration"
I found a link as below; it describes a situation similar to mine. I checked and did some things based on the article, but it still did not resolve the issue.
02-12-2021 10:26 AM - edited 02-14-2021 10:01 AM
It's a server issue. Once the server was replaced, it works well. Thank you!
02-14-2021 09:52 PM
Glad to hear, David!
10-06-2022 12:25 AM
Hey @eigrpy,
I am facing this same error in my environment.
Could you please share the issue that server had and the resolution to join ISE back to AD?