507 Views, 0 Helpful, 2 Replies

For AD to ISE integration using domain join, do we need to join all nodes or just the primary node?

fkaleem (Cisco Employee)

Hi All,

For AD to ISE integration using domain join, do we need to join all nodes or just the primary node?

We have four nodes currently in our deployment: PAN primary and PAN secondary, MnT primary and MnT secondary, and two dedicated PSNs. Thanks

Accepted Solution

Arne Bier (VIP)

It depends on what you're using AD for. If you need AD for your PSN policies, then technically speaking you only need to join your two PSN nodes to the AD domain. However, if you want your ISE node web admin logins to use AD, then you need to join all the nodes.

One bug I found in this respect is that if you selectively join only a subset of nodes to AD, ISE will complain bitterly that the remaining ISE nodes have not joined the AD domain. You can disable this, but then you will not be notified of a real issue with your PSNs if they should have AD issues.

So, my advice is to join ALL the ISE nodes because

1) Web admin to all ISE nodes with controlled AD creds is a good idea

2) Stop the stupid AD 'not-Joined' alarms from occurring

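The two cases Arne describes (AD needed only for PSN policy evaluation, versus AD also used for web admin logins) can be turned into a quick deployment audit. The script below is an added example and is not from the original post or from Cisco's ISE tooling; the node list is constructed inline to mirror the question's layout (two admin nodes carrying PAN and MnT, two dedicated PSNs, only the PSNs joined), and the hostnames, the JSON field names (`hostname`, `roles`, `ad_joined`) and the role labels are assumptions. In practice you would fill the list from your own inventory after checking join status in the ISE admin GUI. It reports which nodes must be joined for the chosen use case, which are missing, and whether the deployment is in the partially-joined state that triggers the "not joined" alarms Arne mentions.

```python
"""Audit which ISE nodes need to be joined to Active Directory.

Added example, not part of the original forum post and not Cisco code.
The deployment description below is constructed; node names, field names
and role labels are assumptions for illustration only.
"""
import json

ROLE_PSN = "PSN"

# Constructed sample deployment: PAN+MnT colocated on two admin nodes,
# two dedicated PSNs, and only the PSNs joined to AD (the "subset" case).
SAMPLE_DEPLOYMENT = json.dumps([
    {"hostname": "ise-admin1", "roles": ["PAN", "MNT"], "ad_joined": False},
    {"hostname": "ise-admin2", "roles": ["PAN", "MNT"], "ad_joined": False},
    {"hostname": "ise-psn1", "roles": ["PSN"], "ad_joined": True},
    {"hostname": "ise-psn2", "roles": ["PSN"], "ad_joined": True},
])


def required_join_set(nodes, ad_for_admin_login):
    """Hostnames that must be AD-joined for the chosen use case.

    - AD only for PSN policy: the PSNs are enough.
    - AD also for web admin logins: every node, since each node's admin
      portal authenticates locally against its own AD join.
    """
    if ad_for_admin_login:
        return {n["hostname"] for n in nodes}
    return {n["hostname"] for n in nodes if ROLE_PSN in n["roles"]}


def audit(deployment_json, ad_for_admin_login):
    """Compare actual join status against the required set.

    Returns a dict with the required hosts, the required-but-unjoined
    hosts ("missing"), every unjoined host, a flag for the partially
    joined state (some nodes joined, some not), and an overall verdict.
    """
    nodes = json.loads(deployment_json)
    for n in nodes:
        for key in ("hostname", "roles", "ad_joined"):
            if key not in n:
                raise ValueError(f"node record missing {key!r}: {n}")

    required = required_join_set(nodes, ad_for_admin_login)
    all_hosts = {n["hostname"] for n in nodes}
    joined = {n["hostname"] for n in nodes if n["ad_joined"]}

    missing = sorted(required - joined)
    unjoined = sorted(all_hosts - joined)
    # Mixed state: at least one joined and at least one unjoined node.
    partial_join = bool(joined) and bool(all_hosts - joined)

    return {
        "required": sorted(required),
        "missing": missing,
        "unjoined": unjoined,
        "partial_join": partial_join,
        "ok": not missing,
    }


def main():
    for admin_login in (False, True):
        report = audit(SAMPLE_DEPLOYMENT, ad_for_admin_login=admin_login)
        label = "AD for admin login + policy" if admin_login else "AD for PSN policy only"
        print(f"[{label}] ok={report['ok']} missing={report['missing']} "
              f"unjoined={report['unjoined']} partial_join={report['partial_join']}")


if __name__ == "__main__":
    main()
```

With the constructed sample, the policy-only case passes (both PSNs are joined) but still flags `partial_join`, which is exactly the situation where the unjoined PAN/MnT nodes would raise alarms; the admin-login case lists both admin nodes as missing. Joining all nodes clears both findings, which is the recommendation in the answer above.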

2 Replies


Many thanks, Arne, for your excellent and timely assistance.
