
Replacing AD servers in a network with ISE

BoomShakaLak (Level 1)

The server team will be replacing the existing AD servers with new ones shortly. The new servers have been added to the network using new hostnames and IPs and will live side by side with the old servers until everything else is confirmed OK, at which point the old servers will be turned off. The new servers will then have their IPs updated to those of the old servers. These servers are also the DNS servers for the network.

I currently do not see these new AD servers in the External Identity Sources list, which leads me to believe that the AD controller discovery only happens upon joining the ISE to the AD domain. Is this true? And since these servers will inherit the old server IPs eventually, will there be a need to actually do anything on the ISE side?

Would I have to leave the AD domain and join the ISE back to it? If so, what are the consequences of doing so? Will all rules that reference AD groups need to be recreated?

Any other gotchas?

Accepted Solution

Milos_Jovanovic (VIP Alumni)

Hi @BoomShakaLak,

ISE relies on AD Sites and Services and standard AD integration, the same as (or quite similar to) any other domain-joined PC. This means that ISE is capable of discovering DC servers simply based on the domain name and whatever magic happens in the backend. You don't have any specific IPs because you used only the domain name during integration, and ISE discovered the DC servers automatically based on DNS entries.

As long as the server team do their part OK and inherit everything, there is nothing you need to do. ISE will discover those servers and will continue talking to them. No AD leave/join action should be required, as ISE creates a machine account in AD upon join and uses the machine credentials to communicate with AD afterwards. This account should be unaffected by the migration, so there is no need to do anything from your end.

Kind regards,

Milos

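The accepted answer says ISE locates domain controllers from DNS rather than from configured IPs, so the useful pre-cutover check is whether the domain's DC locator SRV records (`_ldap._tcp.dc._msdcs.<domain>`) already advertise the new controllers, whether the old ones are still advertised, and whether every advertised target resolves to an address. The script below is an added example, not Cisco's code or the poster's: it parses dig-style SRV and A answer lines and reports those three things. The `SAMPLE_DIG` records, the host names and the `example.com` domain are constructed, and the dig line format is an assumption.

```python
"""Check which domain controllers a DNS-driven client such as ISE would
discover for a domain, from SRV and A records.  Added example, not Cisco's or
the forum author's code.  Input format is dig-style answer lines (an
assumption); the records below are constructed for a fictional domain."""
import re
from typing import NamedTuple


class SrvRecord(NamedTuple):
    name: str
    priority: int
    weight: int
    port: int
    target: str


# One SRV answer line as dig prints it (assumed format).
_SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<priority>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)
# One A answer line as dig prints it (assumed format).
_A_LINE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+A\s+(?P<addr>[\d.]+)$")


def _fqdn(name: str) -> str:
    """Normalise a DNS name: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def parse_dig(text: str):
    """Return (srv_records, a_records) parsed from dig-style output.
    Comment lines (';') and anything unrecognised are ignored."""
    srv, addrs = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SRV_LINE.match(line)
        if m:
            srv.append(SrvRecord(_fqdn(m["name"]), int(m["priority"]),
                                 int(m["weight"]), int(m["port"]), _fqdn(m["target"])))
            continue
        m = _A_LINE.match(line)
        if m:
            addrs.setdefault(_fqdn(m["name"]), []).append(m["addr"])
    return srv, addrs


def order_targets(srv):
    """Order DC targets as RFC 2782 clients do: lowest priority first.  Within a
    priority, clients choose randomly in proportion to weight; here the higher
    weight is listed first so the result is deterministic."""
    return [r.target for r in sorted(srv, key=lambda r: (r.priority, -r.weight, r.target))]


def check_migration(srv, addrs, new_dcs, old_dcs):
    """Summarise whether DNS already advertises the new DCs, still advertises
    the old ones, and whether every advertised target resolves to an address."""
    advertised = {r.target for r in srv}
    new_set = {_fqdn(h) for h in new_dcs}
    old_set = {_fqdn(h) for h in old_dcs}
    unresolved = sorted(t for t in advertised if t not in addrs)
    stale = sorted(old_set & advertised)
    missing = sorted(new_set - advertised)
    return {
        "advertised": order_targets(srv),
        "missing_new": missing,
        "stale_old": stale,
        "unresolved": unresolved,
        "ready": not missing and not stale and not unresolved,
    }


# Constructed sample: old and new DCs side by side, plus a branch DC with no A record.
SAMPLE_DIG = """\
;; ANSWER SECTION (constructed sample, fictional domain example.com):
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc-new1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc-new2.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc-old1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 50 389 dc-branch.example.com.
;; ADDITIONAL SECTION:
dc-new1.example.com. 3600 IN A 10.0.0.21
dc-new2.example.com. 3600 IN A 10.0.0.22
dc-old1.example.com. 3600 IN A 10.0.0.11
"""


def sample_report():
    """Run the check over the constructed sample (both old DC names are listed
    even though only dc-old1 is still advertised)."""
    srv, addrs = parse_dig(SAMPLE_DIG)
    return check_migration(srv, addrs,
                           new_dcs=["dc-new1.example.com", "dc-new2.example.com"],
                           old_dcs=["dc-old1.example.com", "dc-old2.example.com"])


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

On the sample, `ready` is False because dc-old1 is still advertised and dc-branch has no A record; once the old controllers are retired and every target resolves, the report turns green. To run it against a live domain, paste the output of `dig _ldap._tcp.dc._msdcs.<domain> SRV` (with its additional section) into `parse_dig`.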