11-29-2021 08:33 AM
We have AD-joined ISE servers and 3 Domain Controllers. One of them is an old 2008 which we are trying to get rid of.
As soon as I block the traffic on the intermediate firewall, all authentications start failing. All traffic is confirmed allowed to the new 2016 DCs. Why is ISE not moving to the new DCs, and what can I do to make it work with the new DCs?
Solved! Go to Solution.
12-01-2021 07:12 AM
@Greg Gibbs and @marce1000 Thanks for your suggestions. We don't have Default-First-Site and all DCs show under their relative site names. I however looked into SRV records and all our DCs for this site were set to default priority and weight. I lowered the priority of the 2008 server and now I see LDAP and Kerberos going to our preferred DCs. I then blocked all traffic to our DCs and everything still works. Yay.
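The fix above works because of how an AD client orders SRV answers. The following is an added example, not code from the thread or from Cisco ISE: it models RFC 2782 selection over constructed SRV records (the domain and host names are placeholders) and shows why, with every DC at the Windows default of priority 0 / weight 100, a firewall-blocked DC is still the first host tried in about a third of resolutions, whereas once that DC's record carries a numerically higher priority value (in SRV semantics the lowest number is tried first; weight only balances among equal-priority records) it is never tried while a preferred DC answers.

```python
import random
from collections import defaultdict

# Constructed SRV records in the shape of the site-specific LDAP record an AD
# client queries (_ldap._tcp.<site>._sites.dc._msdcs.<domain>). Domain and host
# names are placeholders; the thread names no hosts. Each tuple is
# (priority, weight, port, target). The Windows DNS defaults are priority 0,
# weight 100, which is the state the thread describes before the change.
SRV_DEFAULT = [
    (0, 100, 389, "dc2008.example.com"),
    (0, 100, 389, "dc2016a.example.com"),
    (0, 100, 389, "dc2016b.example.com"),
]

# Same records after de-preferring the 2008 DC: the record with the lowest
# priority number is tried first, so the 2008 host gets a numerically higher
# value. Weight only balances among records that share a priority.
SRV_DEPREFERRED = [
    (10, 100, 389, "dc2008.example.com"),
    (0, 100, 389, "dc2016a.example.com"),
    (0, 100, 389, "dc2016b.example.com"),
]


def order_srv(records, rng=None):
    """Return target hostnames in RFC 2782 try-order: ascending priority,
    weighted-random order within each priority group."""
    rng = rng or random.Random()
    groups = defaultdict(list)
    for priority, weight, _port, target in records:
        groups[priority].append((weight, target))
    ordered = []
    for priority in sorted(groups):
        pending = list(groups[priority])
        while pending:
            weights = [w for w, _ in pending]
            if sum(weights) == 0:
                idx = 0  # all zero-weight: any order within the group is fine
            else:
                idx = rng.choices(range(len(pending)), weights=weights)[0]
            ordered.append(pending.pop(idx)[1])
    return ordered


def select_dc(records, unreachable, rng=None):
    """Walk the SRV try-order and return (chosen_target, attempts_wasted).
    attempts_wasted counts hosts tried before a reachable one; each of those
    costs the client a connect timeout when a firewall silently drops traffic."""
    wasted = 0
    for target in order_srv(records, rng):
        if target in unreachable:
            wasted += 1
            continue
        return target, wasted
    return None, wasted


def blocked_first_share(records, blocked, trials=3000, seed=1):
    """Fraction of resolutions in which the first host tried is a blocked one."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials) if order_srv(records, rng)[0] in blocked)
    return hits / trials


if __name__ == "__main__":
    blocked = {"dc2008.example.com"}
    print("default SRV: blocked DC tried first in",
          f"{blocked_first_share(SRV_DEFAULT, blocked):.0%} of resolutions")
    print("de-preferred SRV: blocked DC tried first in",
          f"{blocked_first_share(SRV_DEPREFERRED, blocked):.0%} of resolutions")
    print("de-preferred pick:", select_dc(SRV_DEPREFERRED, blocked, random.Random(7)))
```

The `attempts_wasted` counter is the practical point for a firewall block as opposed to powering the DC off: a dropped SYN only fails after a timeout, so with the default records every resolution that lands on the blocked DC first stalls before the client moves on, which is consistent with authentications failing rather than simply shifting to the other DCs.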
11-29-2021 08:44 AM
- Not sure how traffic blocking is experienced by ISE when trying to connect to the old DC; perhaps turn it off and keep it reachable. Sometimes there is a subtle difference between lost, unreachable or rejected connections? FYI: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_42F562CACEA745348AE47B601A29E151 but it does not immediately clear up the subject.
M.
11-29-2021 03:23 PM
The Primary DC that the ISE nodes communicate with is controlled by the configuration in AD Sites and Services. If the Site showing in the ISE AD section says 'Default-First-Site' then you have not configured Sites correctly. You should have a Site that represents the physical/logical location(s) of the ISE nodes. The closest Domain Controller should be associated with that Site, as should the IP address or subnet for the respective ISE nodes. After updating Sites, ISE will automatically begin communication with the relevant (non-2008) DC.