I'm trying to join ISE to my AD. I have a Linux VM as my time source for both AD/DC (a VM) and ISE (actual appliance); both have synced and the time is the same on ISE and AD. I've opened all the ports and took off NAT between the two.
I get a successful join message, then it says "joined to domain but not connected".
I've turned off the Windows firewall just in case.
In ISE I see:
base.bind.cache can't resolve LDAP service provider for test.com, check DNS
base.bind.healing disconnect reconnect failed
osutil module=LDAP SASL bind to firstname.lastname@example.org GSSAP mechanism with LDAP error invalid credentials
network.state favorite DC marked as dead
But I see other information that is being pulled from the domain correctly.
Everything is in DNS.
From ISE, can you issue "nslookup test.com" and see if the DNS records returned are accurate? Also, do you have PTR records in DNS? Issue "nslookup x.x.x.x" and see if the hostname is correct for the domain controller.
Also, what are you using for the binding account? Is it a domain admin account? If it is a new account, is the flag to change password at next login disabled?
*Please rate helpful posts*
status noerror query:1 answer:3 authority:0
test.com in A 192.168.3.3
SOA ad.test.com, hostmaster.test.com
status noerror query:1 answer:1
184.108.40.206.in-add.arpa in PTR ad.test.com
I'm using my original domain admin account to do the join; the flag is disabled.
In Wireshark I see a "bindrequest
I recently ran into this issue and here is what I did:
Did a "netstat -a -p tcp" on the Windows domain controller. Saw that port 389 (LDAP) wasn't enabled (not sure why this happened, however). Got into the Windows services console (services.msc), "Stopped" and "Started" the "Active Directory Service". Checked with netstat to see if the port was open now; it was. I did a test from ISE and later "Joined" the AD, and it turned out successful!
Other options to look for:
It's evident that this error crops up when ISE has a problem with the LDAP service. So to resolve this, here are some things to look at/do:
(1) Check connectivity between the ISE and the DC.
(2) Check if ISE can resolve the DC name (from the CLI mode)
(3) Check if the NTP is set properly on ISE (Administration -> Settings -> System Time)
(4) Check if port 389 (LDAP) is open on the domain controller.
(5) See if a router/firewall is blocking the LDAP port.
The "Detailed" test under "Test Connection" from ISE gives verbose information about the failure cause.
Please also check that your AD is not running in 2000 mixed mode. It should be in 2003 or 2008 native mode, because some parameters of AD 2000 are not supported by ISE.
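A scripted version of the checklist above and of the nslookup/PTR check from the first reply, as an added example that is not from the thread or from Cisco: it resolves the DC name forward and reverse, tests the TCP ports ISE needs on the DC, and maps the findings back to the symptoms quoted at the top. The DC name ad.test.com is taken from the nslookup output; the port list and the message wording are assumptions, and the NTP check (step 3) is left to the ISE GUI.

```python
"""Pre-join DNS and port checklist for an ISE -> AD join (added example, not Cisco's code)."""
import socket

DC_PORTS = {"kerberos": 88, "ldap": 389, "ldaps": 636, "smb": 445}  # assumed TCP ports ISE needs on the DC

def resolve_forward(hostname):
    """Step 2: A records for the DC name, or [] if DNS cannot resolve it."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def resolve_reverse(ip):
    """PTR name for the DC address (the 'nslookup x.x.x.x' check), or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def tcp_port_open(ip, port, timeout=2.0):
    """Steps 1, 4, 5: True if a TCP connect to ip:port succeeds, False on refusal/timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_dc(hostname, ports=DC_PORTS):
    """Collect findings for one DC: forward lookup, PTR per address, port reachability."""
    findings = {"forward": resolve_forward(hostname), "reverse": {}, "ports": {}}
    for ip in findings["forward"]:
        findings["reverse"][ip] = resolve_reverse(ip)
        for port in ports.values():
            findings["ports"][(ip, port)] = tcp_port_open(ip, port)
    return findings

def diagnose(findings, hostname):
    """Turn findings into the problems behind the symptoms quoted in the thread."""
    problems = []
    if not findings["forward"]:
        problems.append(f"{hostname} does not resolve (ISE: can't resolve LDAP service provider, check DNS)")
    for ip, ptr in findings["reverse"].items():
        if ptr is None or ptr.rstrip(".").lower() != hostname.rstrip(".").lower():
            problems.append(f"PTR for {ip} is {ptr!r}, expected {hostname}")
    for (ip, port), ok in findings["ports"].items():
        if not ok:
            problems.append(f"TCP {port} closed on {ip}: check the DC service and any firewall in the path")
    return problems

if __name__ == "__main__":  # DC name taken from the nslookup output in the thread
    print("\n".join(diagnose(check_dc("ad.test.com"), "ad.test.com") or ["all checks passed"]))
```

An empty list from diagnose means DNS and ports look right and the remaining suspects are time skew and the binding account.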