02-06-2020 04:48 AM - edited 02-09-2020 10:52 PM
Hi all, I need to ask you one thing about External Identity Source:
In my deployment I joined Cisco ISE to my main Domain Controller, with my own domain. Now I need to add the other Domain Controllers, but ISE says that the domain for which I want to use the new DCs is already in use with the first DC.
If I need redundancy between ISE and all my DCs, do I have to use LDAP Identity Source instead?
If I add more DCs as LDAP Id Source, what will happen to the first DC added with AD Join?
Thank you very much
02-06-2020 04:54 AM
Better to re-post in the Identity Services Engine (ISE) group.
M.
02-06-2020 06:18 AM
Hi
At our client's site, we are using a Samba OpenLDAP server. There are 5 Domain Controllers in the forest. There is a DNS record in our DNS server which points to all 5 DCs. I used this DNS entry in the hostname field of the Primary LDAP Server field. Test binding was successful and ISE was able to fetch all the user entities.
To cross check, I verified the following.
nslookup from the ISE CLI, to verify that ISE is able to resolve this canonical DNS entry as well as resolve the individual DCs using their host names.
Binding using the DNS entry and using the individual DCs - which was successful and returned the same number of objects.
Before this, I had pointed to only 1 DC IP and we used to have frequent AD connectivity issues. However, after adding this new DNS entry, the number of such connection errors has come down drastically. Maybe LDAP load balancing has caused this improvement.
Not sure, if this was what you were asking for. Hopefully this will help.
Regards,
Indranil.
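The two cross-checks in the reply above (the round-robin DNS name resolves to every DC, and a bind against each DC returns the same object count) can be scripted so they are repeated whenever a DC is added or retired. The following is an added example, not code from the thread or from Cisco ISE; the hostnames, IP addresses and object counts are constructed stand-ins for the poster's environment, and the DNS answers are injected through a `resolver` callable so the checks run offline (drop the argument to use the live system resolver).

```python
import socket
from collections import Counter

# Constructed sample environment (hypothetical names and RFC 1918 addresses).
ROUND_ROBIN_NAME = "ldap.example.corp"
DC_HOSTNAMES = [f"dc{i}.example.corp" for i in range(1, 6)]

# Constructed DNS answers standing in for a real zone: the round-robin
# record lists all five DCs, and each DC name resolves to one address.
FAKE_DNS = {ROUND_ROBIN_NAME: [f"10.0.0.{10 + i}" for i in range(1, 6)]}
FAKE_DNS.update({dc: [f"10.0.0.{10 + i}"] for i, dc in enumerate(DC_HOSTNAMES, 1)})


def resolve_all(name, resolver=None):
    """Return the de-duplicated, sorted list of IPv4 addresses for name.

    resolver(name) -> list of address strings. The default queries the
    system resolver, which is what the ISE CLI nslookup check exercises.
    """
    if resolver is None:
        resolver = lambda n: socket.gethostbyname_ex(n)[2]
    return sorted(set(resolver(name)))


def check_round_robin(rr_name, dc_names, resolver=None):
    """Check that the round-robin record covers every DC and nothing else.

    Returns (ok, missing, extra): 'missing' are DC addresses absent from the
    round-robin answer (that DC never receives ISE binds); 'extra' are
    addresses in the round-robin answer that belong to no known DC (a stale
    or unexpected host that ISE would happily bind to).
    """
    rr_addrs = set(resolve_all(rr_name, resolver))
    dc_addrs = set()
    for dc in dc_names:
        dc_addrs.update(resolve_all(dc, resolver))
    missing = sorted(dc_addrs - rr_addrs)
    extra = sorted(rr_addrs - dc_addrs)
    return (not missing and not extra, missing, extra)


def check_bind_counts(counts):
    """Flag DCs whose bind/search returned a different object count.

    counts maps DC name -> number of objects returned by a test bind and
    search against that DC (collected with whatever LDAP tool you use).
    A DC that disagrees with the majority is a replication or staleness
    problem that a round-robin name would otherwise hide.
    """
    majority = Counter(counts.values()).most_common(1)[0][0]
    return sorted(dc for dc, n in counts.items() if n != majority)


if __name__ == "__main__":
    ok, missing, extra = check_round_robin(ROUND_ROBIN_NAME, DC_HOSTNAMES,
                                           resolver=FAKE_DNS.__getitem__)
    print(f"round-robin covers all DCs: {ok} missing={missing} extra={extra}")
    # Constructed counts: dc4 lags behind the others.
    sample = {"dc1": 1200, "dc2": 1200, "dc3": 1200, "dc4": 1180, "dc5": 1200}
    print("DCs with divergent object counts:", check_bind_counts(sample))
```

Run against the live resolver (no `resolver` argument) from a host that uses the same DNS as ISE, since a split-horizon zone can make the record look complete from an admin workstation while ISE sees a shorter answer.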