Fix Cisco ISE Alert “SRV record found. Not all SRV records have IP.”

If you have Cisco ISE 2.4 integrated with Active Directory in a Windows DNS Server environment, you may run into the following error after making major changes to your Domain Controllers (such as replacing or renaming them):

Warning: SRV record found. Not all SRV records have IP.

In our case the error was caused by someone renaming and replacing a domain controller without cleaning up the SRV records that still referenced the old Domain Controller’s name.

We were able to confirm this by running the following commands in an elevated command prompt on one of our Domain Controllers:

nslookup
set type=all
_ldap._tcp.dc._msdcs.mydomain.com

Which resulted in the following output:

You can see there are four addresses listed at the bottom, yet there are five SRV records. The fifth record (whose target name ends in R3) is the erroneous one: it points at a host name that no longer resolves to an address.

There were extra SRV records for _kerberos._tcp.dc._msdcs.mydomain.com as well.

Browsing DNS we can see evidence of these extra records:

Browsing through all the _* folders in AD revealed several records from that “3” Domain Controller that no longer existed.

The fix is to delete all these erroneous SRV records, which you can see I did here (right click, delete):

You can see that we now only have SRV records left for the IPs that were returned by the nslookup command run earlier.
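The nslookup check above and the manual deletion in the DNS console can be done in one pass from PowerShell. The script below is an added example and is not part of the original post: it resolves the same SRV names (the _ldap and _kerberos records under _msdcs), flags every SRV target that has no A record, which is exactly the “not all SRV records have IP” condition, and then lists (or, with -Remove, deletes) every SRV record in the _msdcs zone that points at one of those stale hosts. It assumes the post’s placeholder domain mydomain.com, that the _msdcs records live in a zone named _msdcs.mydomain.com (some forests keep them under the forest root zone instead), and that the DnsServer module is available (run it on a DNS server or a machine with RSAT).

```powershell
<#
  Added example (not from the original post): audit the SRV records Cisco ISE
  uses to find domain controllers, flag targets with no A record, and
  optionally remove the stale records. Domain and zone names are assumptions.
#>
param(
    [string]$Domain = 'mydomain.com',
    # Zone that holds the _msdcs records; adjust if your forest keeps them
    # under the forest root zone rather than a separate _msdcs zone.
    [string]$MsdcsZone = "_msdcs.$Domain",
    [string]$DnsServer = 'localhost',
    # Only delete when -Remove is given; otherwise report only.
    [switch]$Remove
)

# The names the post checks with nslookup, plus the Kerberos record it mentions.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain"
)

function Get-StaleSrvTargets {
    param([string[]]$Names)
    $stale = @()
    foreach ($name in $Names) {
        # Resolve-DnsName also returns the A records from the additional
        # section (the "addresses" nslookup lists); keep only the SRV answers.
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $srv) {
            $a = Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' }
            if (-not $a) {
                # A DC name is advertised but nothing resolves for it: this is
                # the record ISE complains about.
                $stale += [pscustomobject]@{ Record = $name; Target = $r.NameTarget }
            }
        }
    }
    return $stale
}

$stale = Get-StaleSrvTargets -Names $srvNames
if (-not $stale) {
    Write-Host "All SRV targets resolve to an address; nothing to clean up."
    return
}
$stale | Format-Table -AutoSize

# Every SRV record in the _msdcs zone (all the _* folders the post browsed)
# whose target is one of the stale hosts is a deletion candidate.
Import-Module DnsServer -ErrorAction Stop
$staleHosts = $stale.Target | Sort-Object -Unique
$candidates = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $MsdcsZone -RRType Srv |
    Where-Object { $staleHosts -contains $_.RecordData.DomainName.TrimEnd('.') }

foreach ($rec in $candidates) {
    Write-Host ("{0}.{1} -> {2}" -f $rec.HostName, $MsdcsZone, $rec.RecordData.DomainName)
    if ($Remove) {
        $rec | Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $MsdcsZone -Force
    }
}
if (-not $Remove) { Write-Host "Re-run with -Remove to delete the records listed above." }
```

Run it once without -Remove and compare the listed records with what you see in the DNS console before deleting anything; the RecordData.DomainName values carry a trailing dot, which is why the comparison trims it. After the cleanup, AD replication has to carry the change to the other DCs’ DNS before ISE’s test will pass everywhere.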

Going back to Cisco ISE 2.4 and re-running the AD tests results in a pass this time:

If you receive AD-related errors within Cisco ISE after making changes to Domain Controllers (such as renaming and replacing them), you either need to correct something on your domain or re-join ISE to your domain.

It’s generally recommended to just rejoin ISE to your domain after replacing domain controllers. Doing this is simple and may save you headaches with other errors.

To leave a domain and rejoin it:

  1. Navigate to the Administration -> Identity Management -> External Identity Sources page.
  2. Expand Active Directory and click on your domain.
  3. Check the box next to your ISE node and click Leave.
  4. To rejoin, check the box next to your ISE node and click Join. That’s it!


Chase Smith, CCNP

Chase Smith, CCNP is a Network Engineer III who has spent the last decade elbow deep in enterprise system administration and networking. He can usually be found trying to warm up behind the storage in the datacenter.
