Fix Cisco ISE Alert “SRV record found. Not all SRV records have IP.”

If you have Cisco ISE 2.4 integrated with Active Directory in a Windows DNS Server environment, you may run into the following error if you’ve made any major changes to your Domain Controllers (such as replacing or renaming them):

Warning: SRV record found. Not all SRV records have IP.

In our case this error was because someone had renamed and replaced a domain controller and there were still SRV records referencing the old Domain Controller’s name that they didn’t clean up.

We were able to confirm this by running the following commands in an elevated command prompt on one of our Domain Controllers:

nslookup
set type=all
_ldap._tcp.dc._msdcs.mydomain.com

Which resulted in the following output:

You can see there are four addresses listed at the bottom, yet there are five SRV records. The fifth record (the one whose target name ends in R3) is the erroneous record: it points at a host name that no longer resolves to an IP.

There were extra SRV records for _kerberos._tcp.dc._msdcs.mydomain.com as well.

Browsing DNS we can see evidence of these extra records:

Browsing through all the _* folders in AD revealed several records from that “3” Domain Controller that no longer existed.

The fix is to delete all these erroneous SRV records, which you can see I did here (right click, delete):

You can see that we now only have SRV records left for the IPs that were returned in the nslookup command run earlier.
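The same check can be scripted instead of eyeballing nslookup output. The PowerShell below is an added example (not from the original post): it queries the same SRV names, flags any record whose target has no A record, and previews the matching deletions with -WhatIf. It assumes the DnsServer module (RSAT or a DNS server), that _msdcs.mydomain.com is its own AD-integrated zone (the default layout), and uses mydomain.com as a placeholder domain.

```powershell
# Added example, not from the original post. Placeholder domain; change it.
$Domain = 'mydomain.com'
# In a default AD forest _msdcs.<domain> is a separate zone, so the
# record names are relative to that zone.
$Zone     = "_msdcs.$Domain"
$RelNames = '_ldap._tcp.dc', '_kerberos._tcp.dc'

function Get-SrvTargetStatus {
    param([string]$Zone, [string[]]$RelNames)
    foreach ($rel in $RelNames) {
        $fqdn = "$rel.$Zone"
        # Keep only the SRV answers; Resolve-DnsName also returns glue A records.
        $srv = Resolve-DnsName -Name $fqdn -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $srv) {
            $target = $r.NameTarget.TrimEnd('.')
            # A target with no A record is exactly the "SRV record without IP"
            # that ISE complains about.
            $a = Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' }
            [pscustomobject]@{
                RelativeName = $rel
                Target       = $target
                HasIP        = [bool]$a
                IP           = ($a.IPAddress -join ',')
            }
        }
    }
}

$status = Get-SrvTargetStatus -Zone $Zone -RelNames $RelNames
$status | Format-Table -AutoSize

# Preview removal of the stale records; drop -WhatIf after reviewing the list.
foreach ($s in ($status | Where-Object { -not $_.HasIP })) {
    Get-DnsServerResourceRecord -ZoneName $Zone -Name $s.RelativeName -RRType Srv |
        Where-Object { $_.RecordData.DomainName.TrimEnd('.') -eq $s.Target } |
        Remove-DnsServerResourceRecord -ZoneName $Zone -Force -WhatIf
}
```

Run it on a Domain Controller or a host with the DNS Server tools installed; if your forest keeps the _msdcs records inside the parent zone instead, set $Zone to the parent zone and prefix the relative names with _msdcs.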

Going back to Cisco ISE 2.4 and re-running the AD tests results in a pass this time:

If you receive errors relating to AD within Cisco ISE after making changes to Domain Controllers (such as renaming and replacing) you either need to correct something on your domain or re-join ISE to your domain.

It’s generally recommended to just rejoin ISE to your domain after replacing domain controllers. Doing this is simple and may save you headaches with other errors.

To leave a domain and rejoin it:

    1. Navigate to the Administration -> Identity Management -> External Identity Sources page.
    2. Expand Active Directory and click on your domain.
    3. Check the box next to your ISE node and click Leave.
    4. To rejoin, check the box next to your ISE node and click Join. That’s it!
