Cisco Cisco Identity Services Engine 1.3
Step 4
Check the check box next to the new Active Directory join point that you created and click Edit, or click on the new Active
Directory join point from the navigation pane on the left. The deployment join/leave table is displayed with all the Cisco
ISE nodes, the node roles, and their status.
Directory join point from the navigation pane on the left. The deployment join/leave table is displayed with all the Cisco
ISE nodes, the node roles, and their status.
Step 5
Check the check box next to the relevant Cisco ISE nodes and click Join to join the Cisco ISE node to the Active Directory
domain.
You must do this explicitly even though you saved the configuration. To join multiple Cisco ISE nodes to a domain in a
single operation, the username and password of the account to be used must be the same for all join operations. If different
username and passwords are required to join each Cisco ISE node, the join operation should be performed individually
for each Cisco ISE node.
domain.
You must do this explicitly even though you saved the configuration. To join multiple Cisco ISE nodes to a domain in a
single operation, the username and password of the account to be used must be the same for all join operations. If different
username and passwords are required to join each Cisco ISE node, the join operation should be performed individually
for each Cisco ISE node.
Step 6
Enter the Active Directory username and password.
The user used for the join operation should exist in the domain itself. If it exists in a different domain or subdomain, the
username should be noted in a UPN notation, such as jdoe@acme.com.
The user used for the join operation should exist in the domain itself. If it exists in a different domain or subdomain, the
username should be noted in a UPN notation, such as jdoe@acme.com.
Step 7
(Optional) Check the Specify Organizational Unit check box.
You should check this check box in case the Cisco ISE node machine account is to be located in a specific Organizational
Unit other than CN=Computers,DC=someDomain,DC=someTLD. Cisco ISE creates the machine account under the
specified organizational unit or moves it to this location if the machine account already exists. If the organizational unit
is not specified, Cisco ISE uses the default location. The value should be specified in ful distinguished name (DN) format.
The syntax must conform to the Microsoft guidelines. Special reserved characters, such as /'+,;=<> line feed, space, and
carriage return must be escaped by a backslash (\). For example, OU=Cisco ISE\,US,OU=IT Servers,OU=Servers\, and
Workstations,DC=someDomain,DC=someTLD. If the machine account is already created, you need not check this check
box. You can also change the location of the machine account after you join to the Active Directory domain.
You should check this check box in case the Cisco ISE node machine account is to be located in a specific Organizational
Unit other than CN=Computers,DC=someDomain,DC=someTLD. Cisco ISE creates the machine account under the
specified organizational unit or moves it to this location if the machine account already exists. If the organizational unit
is not specified, Cisco ISE uses the default location. The value should be specified in ful distinguished name (DN) format.
The syntax must conform to the Microsoft guidelines. Special reserved characters, such as /'+,;=<> line feed, space, and
carriage return must be escaped by a backslash (\). For example, OU=Cisco ISE\,US,OU=IT Servers,OU=Servers\, and
Workstations,DC=someDomain,DC=someTLD. If the machine account is already created, you need not check this check
box. You can also change the location of the machine account after you join to the Active Directory domain.
Step 8
Click OK.
You can select more than one node to join to the Active Directory domain.
You can select more than one node to join to the Active Directory domain.
If the join operation is not successful, a failure message appears. Click the failure message for each node to view detailed
logs for that node.
logs for that node.
When the join is complete, Cisco ISE checks whether any group SIDS are still in the old format. If so, Cisco ISE
automatically starts the SID update process. You must ensure that this process is allowed to complete.
automatically starts the SID update process. You must ensure that this process is allowed to complete.
Note
You might not be able to join Cisco ISE with an Active Directory domain if the DNS SRV records are missing
(the domain controllers are not advertising their SRV records for the domain that you are trying to join to). Refer
to the following Microsoft Active Directory documentation for troubleshooting information:
(the domain controllers are not advertising their SRV records for the domain that you are trying to join to). Refer
to the following Microsoft Active Directory documentation for troubleshooting information:
Note
•
•
What to Do Next
Configure authentication domains.
Related Topics
Configure Authentication Domains, on page 8
Leave the Active Directory Domain
If you no longer need to authenticate users or machines from an Active Directory domain or from this join point, you can leave the
Active Directory domain.
Active Directory domain.
7