10-15-2012 09:44 AM - edited 03-10-2019 07:40 PM
Hello,
I'm trying to join ISE to my AD. I have a Linux VM as my time source for both the AD/DC (a VM) and ISE (an actual appliance); both have synced and the time is the same on ISE and AD. I've opened all the ports and removed NAT between the two.
I get a successful join message, then it says "joined to domain but not connected".
I've turned off the Windows firewall just in case.
In ISE I see:
base.bind.cache can't resolve LDAP service provider for test.com, check DNS
base.bind.healing disconnect reconnect failed
osutil module=LDAP SASL bind to ldap/ad.test.com@test.com GSSAP mechanism with LDAP error invalid credentials
network.state favorite DC marked as dead
But I see other information that is being pulled from the domain correctly.
Everything is in DNS.
Any clues?
Thanks
10-15-2012 11:33 AM
Jaray,
From ISE, can you issue "nslookup test.com" and see if the DNS records returned are accurate? Also, do you have PTR records in DNS? Issue "nslookup x.x.x.x" and see if the hostname is correct for the domain controller.
Also, what are you using for the binding account? Is it a domain admin account? If it is a new account, is the "change password at next login" flag disabled?
Thanks,
Tarik Admani
*Please rate helpful posts*
10-16-2012 04:03 AM
Tarik
nslookup test.com
status noerror query:1 answer:3 authority:0
test.com in A 192.168.3.3
NS ad.test.com
SOA ad.test.com, hostmaster.test.com
nslookup 192.168.3.3
status noerror query:1 answer:1
3.3.168.192.in-add.arpa in PTR ad.test.com
I'm using my original domain admin account to do the join; the flag is disabled.
In Wireshark I see a "bindrequest
08-04-2013 10:02 PM
I recently ran into this issue and here is what I did:
Did a "netstat -a -p tcp" on the Windows domain controller. Saw that port 389 (LDAP) wasn't enabled (not sure why this happened, however). Went into the Windows services console (services.msc), "Stopped" and "Started" the "Active Directory Service". Checked with netstat to see if the port was open now; it was. I did a test from ISE and later "Joined" the AD; it turned successful!
Other options to look for:
It's evident that this error crops up when ISE has a problem with the LDAP service. So to resolve this, here are some things to look at/do:
(1) Check connectivity between the ISE and the DC.
(2) Check if ISE can resolve the DC name (from the CLI mode).
(3) Check if NTP is set properly on ISE (Administration -> Settings -> System Time).
(4) Check if port 389 (LDAP) is open on the domain controller.
(5) See if a router/firewall is blocking the LDAP port.
The "Detailed" test under "Test Connection" from ISE gives verbose information about the failure cause.
-Hari
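The checklist above (name resolution, reachability of the LDAP and related ports, and time in sync with the DC) can be run as a small pre-flight script before attempting the join. The following is an added example for this thread, not Cisco ISE code or anything posted by the participants; it is meant to run from an admin workstation that can reach the DC, since the ISE CLI does not offer Python. The host names and addresses mirror the ones in the thread but are constructed here, and each check accepts injected resolver/connector callables so it can be exercised without a live domain controller.

```python
"""Pre-flight checks for the AD-join prerequisites discussed in the thread:
DNS forward/reverse consistency for the DC, reachability of the ports a
domain join needs, and clock skew within Kerberos tolerance.

Added example; not Cisco ISE code. Defaults use the standard library; each
check also accepts injected callables so it can be exercised offline.
"""
import socket
import time

# Well-known ports an AD join and subsequent authentication depend on.
DC_PORTS = {"kerberos": 88, "ldap": 389, "smb": 445, "kpasswd": 464, "ldaps": 636}
MAX_KERBEROS_SKEW = 300  # seconds; Kerberos' default clock-skew tolerance


def _forward(name):
    """Sorted IPv4 addresses for name; raises OSError if it does not resolve."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})


def _reverse(ip):
    """PTR hostname for ip; raises OSError when no PTR record exists."""
    return socket.gethostbyaddr(ip)[0]


def check_dns(dc_name, resolve_forward=_forward, resolve_reverse=_reverse):
    """Verify the DC name resolves and every address maps back to that name.

    Returns (ok, problems). A missing or mismatched PTR is flagged because
    Kerberos clients commonly canonicalise the host via reverse DNS before
    building the ldap/<host>@REALM service principal seen in the thread.
    """
    problems = []
    try:
        ips = resolve_forward(dc_name)
    except OSError as exc:
        return False, [f"forward lookup of {dc_name} failed: {exc}"]
    if not ips:
        return False, [f"{dc_name} has no A record"]
    want = dc_name.lower().rstrip(".")
    for ip in ips:
        try:
            ptr = resolve_reverse(ip)
        except OSError:
            problems.append(f"{ip}: no PTR record")
            continue
        if ptr.lower().rstrip(".") != want:
            problems.append(f"{ip}: PTR is {ptr}, expected {dc_name}")
    return not problems, problems


def _connect(host, port, timeout):
    """Open and immediately close a TCP connection; raises OSError on failure."""
    socket.create_connection((host, port), timeout=timeout).close()


def check_ports(host, ports=DC_PORTS, connect=_connect, timeout=3.0):
    """Return {service: reachable} for each port a domain join uses."""
    result = {}
    for service, port in ports.items():
        try:
            connect(host, port, timeout)
            result[service] = True
        except OSError:
            result[service] = False
    return result


def check_clock_skew(dc_epoch, local_epoch=None, max_skew=MAX_KERBEROS_SKEW):
    """Compare the DC's clock (seconds since epoch) with ours.

    Returns (ok, skew_seconds). Obtaining dc_epoch (e.g. from the DC's NTP
    service) is left to the caller so the comparison itself stays pure.
    """
    if local_epoch is None:
        local_epoch = time.time()
    skew = abs(dc_epoch - local_epoch)
    return skew <= max_skew, skew


def preflight(dc_name, dc_epoch, resolve_forward=_forward, resolve_reverse=_reverse,
              connect=_connect, local_epoch=None):
    """Run every check; 'ok' is True only when all of them pass."""
    dns_ok, dns_problems = check_dns(dc_name, resolve_forward, resolve_reverse)
    ports = check_ports(dc_name, connect=connect)
    skew_ok, skew = check_clock_skew(dc_epoch, local_epoch)
    return {
        "ok": dns_ok and all(ports.values()) and skew_ok,
        "dns_problems": dns_problems,
        "ports": ports,
        "clock_skew_seconds": skew,
    }


if __name__ == "__main__":
    # Constructed sample host; supply a time actually read from your DC.
    print(preflight("ad.test.com", time.time()))
```

A report with `ok` false and `ports["ldap"]` false reproduces Hari's case (DC up, LDAP listener down); a PTR pointing at a different name than the one being joined shows up under `dns_problems` before any bind is attempted, which is the condition Tarik's `nslookup x.x.x.x` question is probing for.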
08-17-2013 03:33 AM
Kindly go through the video below:
08-18-2013 07:33 PM
Please also check that your AD is not running in 2000 mixed mode. It should be in 2003 or 2008 native mode, because some parameters of AD 2000 are not supported by ISE.