Fix Cisco ISE Alert “SRV record found. Not all SRV records have IP.”

If you have Cisco ISE 2.4 integrated with Active Directory in a Windows DNS Server environment you may run into the following error if you’ve made any major changes to your Domain Controllers (such as replacing or renaming them):

Warning: SRV record found. Not all SRV records have IP.

Screenshot showing cisco ise dns error not all srv records have ip

In our case the cause was that someone had renamed and replaced a domain controller, and SRV records referencing the old Domain Controller’s name had never been cleaned up.

We were able to confirm this by running the following commands in an elevated command prompt on one of our Domain Controllers:

nslookup
set type=all
_ldap._tcp.dc._msdcs.mydomain.com

Which resulted in the following output:

Screenshot showing cisco ise dns error not all srv records have ip nslookup

You can see there are four addresses listed at the bottom, yet there are five SRV records. The fifth record (the one whose hostname ends in R3) is the stale record: it points at a name that no longer has an A record.

There were extra SRV records for _kerberos._tcp.dc._msdcs.mydomain.com as well.

Browsing DNS we can see evidence of these extra records:

Screenshot showing cisco ise dns error not all srv records have ip records

Browsing through all the _* folders in the DNS zone (_msdcs, _sites, _tcp, _udp) revealed several records for that “3” Domain Controller, which no longer existed.
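The nslookup check above only covers one SRV name at a time. The following PowerShell script is an added example (not code from the original post): it queries the _msdcs and _tcp SRV names that domain members use to locate Domain Controllers, tries to resolve each record's target host to an A record, and flags any target that does not resolve, which is exactly the condition behind the “Not all SRV records have IP” warning. It assumes an elevated PowerShell session on a domain-joined Windows host with the built-in DnsClient module (Resolve-DnsName), and uses the post's placeholder domain name mydomain.com; replace it with your own.

```powershell
# Added example, not part of the original post.
# Lists the SRV records a domain member (including Cisco ISE) uses to find
# Domain Controllers and flags any whose target host has no A record.
# Assumptions: elevated PowerShell on a domain-joined Windows host; the
# DnsClient module (Resolve-DnsName) is present; "mydomain.com" is the
# placeholder domain used in the post.
param(
    [string]$Domain = "mydomain.com"
)

# SRV names covered by the post (_ldap, _kerberos) plus the other locator
# records that live under the _* folders of the zone.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_gc._tcp.$Domain",
    "_kpasswd._tcp.$Domain"
)

$results = foreach ($name in $srvNames) {
    # Resolve-DnsName returns the SRV answers plus any additional A records;
    # keep only the SRV answers here.
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        Write-Warning "No SRV records returned for $name"
        continue
    }
    foreach ($rec in $srv) {
        # A stale record points at a DC name that no longer has an A record.
        $addr = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }
        [pscustomobject]@{
            SrvName = $name
            Target  = $rec.NameTarget
            Port    = $rec.Port
            IP      = if ($addr) { $addr.IPAddress -join ', ' } else { $null }
            Stale   = -not $addr
        }
    }
}

# Stale entries first so they are visible at the top of the table.
$results | Sort-Object Stale -Descending | Format-Table -AutoSize

$stale = @($results | Where-Object { $_.Stale })
if ($stale.Count -gt 0) {
    Write-Host ""
    Write-Host "$($stale.Count) SRV record(s) reference a host with no A record:" -ForegroundColor Yellow
    $stale | ForEach-Object { Write-Host "  $($_.SrvName) -> $($_.Target)" }
    Write-Host "Delete these on the DNS server (DNS Manager, or Remove-DnsServerResourceRecord from the DnsServer module), then re-run the ISE AD tests."
} else {
    Write-Host "All SRV targets resolve to an A record; the ISE SRV check should pass."
}
```

Run it on a Domain Controller or any domain-joined admin workstation. A record listed with Stale = True is the same thing the post found by counting nslookup output: an SRV entry for a decommissioned DC. The script only reports; removing the records is still a deliberate step on the DNS server, as shown in the post.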

The fix is to delete all these erroneous SRV records, which you can see I did here (right click, delete):

Screenshot showing cisco ise dns error not all srv records have ip records cleanedup

You can see that we now only have SRV records left for the IPs that were returned by the nslookup command run earlier.

Going back to Cisco ISE 2.4 and re-running the AD tests results in a pass this time:

Screenshot showing cisco ise dns all srv records found

If you receive errors relating to AD within Cisco ISE after making changes to Domain Controllers (such as renaming and replacing) you either need to correct something on your domain or re-join ISE to your domain.

It’s generally recommended to just rejoin ISE to your domain after replacing domain controllers. Doing this is simple and may save you headaches with other errors.

To leave a domain and rejoin it:

  1. Navigate to the Administration -> Identity Management -> External Identity Sources page.
  2. Expand Active Directory and click on your domain.
  3. Check the box next to your ISE node and click Leave.
Screenshot showing cisco ise rejoin domain
  4. To rejoin, check the box next to your ISE node and click Join. That’s it!

Related: Cisco ISE 2.4 Active Directory Admin Login Configuration


One Comment

  1. Thanks a lot!! This is a great document!!
