We have chosen UCS as our AD infrastructure, which has worked out fine for us for about a year now. Now we will have to integrate Cisco ISE with AD. The consultants setting up ISE are very sceptical of our setup, as they are having problems authenticating users using password, and they demand that we provide a proper Windows DC for ISE to authenticate with.
Could you please tell me whether it is possible to integrate a Windows 2016 server as a DC with UCS? It would be a shame having to scrap the UCS entirely.
Well, from a support standpoint Cisco supports Active Directory - as in MS AD. If you want guaranteed support from Cisco if you get into issues, you’ll have to provide an MS AD to ISE. That’s part of the “blame game”, even if I dislike writing this.
Joining a Windows system as member server isn’t an issue, the issue would be promoting that system to a DC. In short: Don’t do that. There are things where Samba AD and Windows AD differ internally and where you shouldn’t mix them. (i.e. the SYSVOL replication on Windows is using DFS-R while on UCS it’s using rsync)
If you absolutely need a Windows DC, consider creating a separate domain (i.e. if your UCS domain is ucs.your.tld, create ad.your.tld) and then configure synchronization using the UCS AD connector. If you go that route I’d recommend creating a test setup so you can tune and test the configuration of the AD connector. You may not want to synchronize all of UCS AD to Windows AD and you have to decide how and if groups are synchronized etc.
If they don’t require very specific things from your UCS S4 AD, then chances are it might work with some time invested in debugging. You’ll have to decide if you want to invest time into debugging what ISE is doing which makes it fail against UCS S4 AD services or if you bite the bullet and synchronize UCS to an AD domain and join ISE to the AD domain.
Keep in mind what I initially wrote. Cisco expects AD to behave like MS AD. Any deviation between Samba AD and MS AD causing issues in ISE will eventually be blamed on you and Samba AD not being MS AD.