cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1995
Views
10
Helpful
3
Replies

ISE 2.7 AD join - remove 2008 DC

rajitoor55
Level 1
Level 1

We have AD joined ISE servers and 3 Doman Controllers. One of them is an old 2008 which we are trying to get rid of.

As soon as I block the traffic on the intermediate firewall, all authentications start failing. All traffic is confirmed allowed to new 2016 DC's. Why ISE is not moving to the new DC's and what can I do to make it work with new DC's.

1 Accepted Solution

Accepted Solutions

@Greg Gibbs and @marce1000 Thanks for your suggestions. We don't have Default-First-Site and all DC's show under there relative site names. I however looked into SRV records and all our DC's for this site were set to default priority and weight. I lowered the priority of 2008 server and now I see ldap and kerberos going to our preferred DC's. I then blocked all traffic to our DC's and everything still works. yay..

View solution in original post

3 Replies 3

marce1000
VIP
VIP

 

 - Not sure how traffic blocking is experienced by ISE when trying to connect to the  old-DC , perhaps turn it off and keep it reachable. Sometimes there is a subtle difference between lost . unreachable or rejected connections. ? FYI : https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_42F562CACEA745348AE47B601A29E151 but it does not immediately clear-up the subject.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Greg Gibbs
Cisco Employee
Cisco Employee

The Primary DC that the ISE nodes communicate with is controlled by the configuration in AD Sites and Services. If the Site showing in the ISE AD section says 'Default-First-Site' then you have not configured Sites correctly. You should have a Site that represents the physical/logical location(s) of the ISE nodes. The closet Domain Controller should be associated with that Site as should the IP address or subnet for the respective ISE nodes. After updating Sites, ISE will automatically begin communication with the relevant (non-2008) DC.

@Greg Gibbs and @marce1000 Thanks for your suggestions. We don't have Default-First-Site and all DC's show under there relative site names. I however looked into SRV records and all our DC's for this site were set to default priority and weight. I lowered the priority of 2008 server and now I see ldap and kerberos going to our preferred DC's. I then blocked all traffic to our DC's and everything still works. yay..