I am a bit annoyed that ISE doesn't report what is wrong when it is unable to retrieve an AD group.
I have different branches in my AD tree, but ISE is only able to retrieve groups from one of them.
For example it can find groups under domain/company/abc/123 but not domain/company/xyz/987
That is probably a permission problem on the ISE-object in AD. I will have the AD ppl look in to that.
What annoys me is that ISE doesn't give an error. It just say "0 Groups Retrieved" when I do the search and the AD connector Operations report say that everything is fine and successfull.
Is there a way to get ISE to report something like "The group you are searching for doesn't exist" or "you dont have permission to search in domain/company/xyz/987"?
This subject is not my strong suite, but I would argue that the user account that was used when you joined the AD (to create the ISE machine account in AD) should have sufficient privileges to search the entire domain. This is where I usually default to using a domain admin service account when joining my ISE nodes and I have never had an issue.
Yes that is when joining the AD. After the join ISE will use it's computer object (that we created in AD) to do the search for AD-groups. So the problem has probably to do with that objects permission.
However, my issue is that when ISE don't have permission to do a search in AD I don't get an error when I try to retrieve a group under the AD-settings.
The answer to the question is no.
Really this is a feature request - "please add better error / reporting feedback to ISE when AD searches result in a failure"
I believe it's likely a security thing that MS AD side giving vague responses so that ISE is unable to inform more specifically. This usually takes to enable auditing in MS AD and check on the audit log there.