Exam 300-715 topic 1 question 108 discussion

Actual exam question from Cisco's 300-715
Question #: 108
Topic #: 1

Users in an organization report issues about having to remember multiple usernames and passwords. The network administrator wants the existing Cisco ISE deployment to utilize an external identity source to alleviate this issue.
Which two requirements must be met to implement this change? (Choose two.)

  • A. Establish access to one Global Catalog server
  • B. Ensure that the NAT address is properly configured
  • C. Provide domain administrator access to Active Directory
  • D. Configure a secure LDAP connection
  • E. Enable IPC access over port 80
Suggested Answer: AC

Comments

327c7c8
4 days ago
Selected Answer: AD
Global Catalog is automatically established when you join the Active Directory join point. Another alternative as an external identity source is LDAP. The correct answer is A, D.
upvoted 1 times
XBfoundX
8 months ago
Here the administrator will use AD as the third-party identity source. Here are the prerequisites asked for this:
Join ISE to AD
Prerequisites for Active Directory and ISE integration
  • Verify that you have the privileges of a Super Admin or System Admin in ISE.
  • Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco server and Active Directory. The maximum allowed time difference between ISE and AD is 5 minutes.
  • The configured DNS on ISE must be able to answer SRV queries for DCs, GCs, and KDCs with or without additional Site information.
  • Ensure that all the DNS servers can answer forward and reverse DNS queries for any possible Active Directory DNS domain.
  • AD must have at least one global catalog server operational and accessible by Cisco, in the domain to which you join Cisco.
Link below: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215233-identity-service-engine-ise-and-active.html
upvoted 2 times
XBfoundX
8 months ago
For me, A and C are correct, because your AD needs at least one global catalog server operational and accessible by Cisco ISE. The second thing is that when you join an AD, Cisco ISE needs at least one user with administrator privileges, because ISE directly interacts with the AD.
upvoted 2 times
Nonce
11 months, 1 week ago
Selected Answer: AC
A&C https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_8DC463597A644A5C9CF5D582B77BB24F
upvoted 2 times
ElCobra90
11 months, 3 weeks ago
Selected Answer: AC
I will go with A and C. Another BAD question from SISE Dump. A is the only 100% correct answer, then we have two possible choices:
C: It is not necessary to have domain administrator access (we need only a user that could create an ISE machine account inside the AD), as in rhylos's response; not the best in terms of security but OK.
D: Is not mandatory (but of course more secure). Also, if you configure LDAPS you also need to trust the certificate or each other's certificate CAs.
upvoted 3 times
denverfly
1 year, 1 month ago
Selected Answer: AD
The other options are not required to implement this change. Ensure that the NAT address is properly configured is not required because Cisco ISE can communicate with Active Directory directly. Provide domain administrator access to Active Directory is not required because the network administrator only needs access to the Global Catalog server. Enable IPC access over port 80 is not required because Cisco ISE does not use IPC to communicate with Active Directory.
upvoted 1 times
denverfly
1 year, 1 month ago
Selected Answer: AD
The correct answers are - Establish access to one Global Catalog server and - Configure a secure LDAP connection. To implement this change, the network administrator must first establish access to one Global Catalog server. This is because Active Directory uses Global Catalog servers to store information about users and groups from all domains in the forest. Once access to a Global Catalog server has been established, the network administrator must then configure a secure LDAP connection. This is because LDAP is a protocol that is used to access directory services, such as Active Directory. A secure LDAP connection ensures that the traffic between Cisco ISE and Active Directory is encrypted.
upvoted 3 times
NikoTomas
5 months ago
We need AD access, not LDAP. Even though AD is actually an LDAP server, ISE treats LDAP as a separate Identity Source along with AD. The correct answer is Global Catalog and AD according to me.
upvoted 1 times
rhylos
1 year, 1 month ago
Selected Answer: AC
Poorly worded question.
  • A. Establish access to one Global Catalog server: YES.
  • B. Ensure that the NAT address is properly configured: NO. Can't be behind NAT.
  • C. Provide domain administrator access to Active Directory: YES. Domain Admin not required as long as it can create Computer Objects. OK but not great answer.
  • D. Configure a secure LDAP connection: NO. This is AD, not an LDAP server.
  • E. Enable IPC access over port 80: No. Huh? Use for what?
upvoted 4 times
JimboOh
1 year, 3 months ago
Selected Answer: AB
I think AB, look at prerequisites 2 and 5 below. Only need admin access for ISE, not AD.
Join ISE to AD
1) Verify that you have the privileges of a Super Admin or System Admin in ISE.
2) Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco server and Active Directory. The maximum allowed time difference between ISE and AD is 5 minutes.
3) The configured DNS on ISE must be able to answer SRV queries for DCs, GCs, and KDCs with or without additional Site information.
4) Ensure that all the DNS servers can answer forward and reverse DNS queries for any possible Active Directory DNS domain.
5) AD must have at least one global catalog server operational and accessible by Cisco, in the domain to which you join Cisco.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215233-identity-service-engine-ise-and-active.html
upvoted 1 times
JimboOh
1 year, 3 months ago
I misread the info (I read NTP for NAT), I think the answer is AC
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other