Changing the DNS domain of an existing deployment

Arne Bier
VIP

Hi

Now that my fully distributed ISE 2.2 deployment is working quite nicely, my customer has decided that the DNS domain has to be changed.

I am slightly dreading this because, as I understand, it will involve the de-registration of all joined nodes, and a few application restarts.  Has anyone in this forum done this before?

The Admin certs will be re-issued from the same PKI - so I won't need to install a different chain of trust.

The only service being offered thus far is Sponsored Guest and some TACACS+.  I can afford to be somewhat disruptive (i.e. down time).

Here are the steps as I currently see them:

  1. Create the new DNS domain (at least create the nodes' A records - not sure if PTR records can be done since there would be ambiguity with existing PTR records)
  2. Disable PAN failover
  3. De-register all the nodes until each one is STANDALONE (except Primary PAN)
  4. On the CLI configure new ip domain-name (I assume node will either want a reboot or application restart)
  5. Delete old PTR records and create new PTR records
  6. On each node, import/install the new Admin role cert (node will restart again)
  7. When all nodes stable, then on Primary PAN register the secondary PAN
  8. Register MnT nodes (Primary PAN will yet again restart because it was the Primary MnT) ... coffee break
  9. Register PSN nodes into their respective Node Groups
  10. Delete any old self-signed certs lying around with the old domain name
  11. Enable PAN failover again

Open questions:

  1. I have one AD join point - do I need to do anything here or will the config stay in place?  I don't mind if I need to re-join the AD, but I can't afford to delete that join point because of all the dependencies involved in doing that.
  2. Is there a smarter way of doing this?  What would happen if I simply changed the domain on each node's CLI - will it break the registration?  I know I would have to reissue the Admin cert anyway, but perhaps this would be a smoother approach, rather than de-registering everything.

thanks for any pearls of wisdom

Arne

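Steps 1 and 5 above depend on the new A records and the re-created PTR records agreeing for every node before anything is re-registered. The following pre-flight check is an added example (not from the thread or from Cisco): the node names, the `old.example`/`new.example` domains and the record tables are constructed, and the resolver is injectable so the check runs offline.

```python
import socket
from typing import Callable, Dict, List, Tuple
# Added example, not from the thread: names, domains and record tables are constructed.
Resolver = Tuple[Callable[[str], str], Callable[[str], str]]  # (fqdn -> ip, ip -> fqdn)

def table_resolver(a_records: Dict[str, str], ptr_records: Dict[str, str]) -> Resolver:
    """Offline resolver backed by dicts standing in for the forward/reverse zones."""
    def forward(fqdn: str) -> str:
        if fqdn not in a_records:
            raise socket.gaierror(f"no A record for {fqdn}")
        return a_records[fqdn]
    def reverse(ip: str) -> str:
        if ip not in ptr_records:
            raise socket.herror(f"no PTR record for {ip}")
        return ptr_records[ip]
    return forward, reverse

def check_nodes(nodes: List[str], old_domain: str, new_domain: str,
                resolver: Resolver) -> List[str]:
    """One finding per node that is not ready for registration: its new FQDN
    needs an A record and the PTR for that address must be forward-confirmed."""
    forward, reverse = resolver
    findings: List[str] = []
    for node in nodes:
        new_fqdn = f"{node}.{new_domain}"
        try:
            ip = forward(new_fqdn)
        except OSError:  # socket.gaierror is an OSError subclass
            findings.append(f"{new_fqdn}: missing A record")
            continue
        try:
            ptr_name = reverse(ip).lower()
        except OSError:  # socket.herror is an OSError subclass
            findings.append(f"{new_fqdn}: no PTR record for {ip}")
            continue
        if ptr_name == f"{node}.{old_domain}".lower():
            findings.append(f"{new_fqdn}: PTR for {ip} still points at old domain")
        elif ptr_name != new_fqdn.lower():
            findings.append(f"{new_fqdn}: PTR for {ip} is {ptr_name}, not forward-confirmed")
    return findings

# Constructed sample zones: PSN1 still has its old PTR, MNT1 has no A record yet.
OLD, NEW = "old.example", "new.example"
NODES = ["ise-pan1", "ise-pan2", "ise-psn1", "ise-mnt1"]
A_RECORDS = {"ise-pan1.new.example": "10.0.0.11", "ise-pan2.new.example": "10.0.0.12",
             "ise-psn1.new.example": "10.0.0.21"}
PTR_RECORDS = {"10.0.0.11": "ise-pan1.new.example", "10.0.0.12": "ise-pan2.new.example",
               "10.0.0.21": "ise-psn1.old.example"}
def sample_findings() -> List[str]:
    return check_nodes(NODES, OLD, NEW, table_resolver(A_RECORDS, PTR_RECORDS))
```

Passing `(socket.gethostbyname, lambda ip: socket.gethostbyaddr(ip)[0])` as the resolver runs the same check against live DNS from the admin workstation.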

3 Replies

hslai
Cisco Employee

The AD domain name of the existing join point cannot be changed. If the DNS change also impacts the AD domain, then you will need to create a new join point.

Unfortunately, there is no short-cut. The CLI should prevent you from updating the domain name, if not standalone.

In case the new domains are mainly for guest services, then it's possible to keep the existing domain and add a static hostname for guest redirects.

Thanks for the feedback.

I have two DCs and I am thinking of doing a smooth migration.  See the diagram below.

After I have created my new deployment in DC2 as shown below, will I lose all the Endpoints in the Endpoint Identity Groups?

Essentially, this is where all my authenticated Guest users' MAC addresses are kept. I would like to save and restore this.  Can I import/export Endpoint Identities?

[Diagram: DNS Domain change on ISE - migration steps v0.1]

If all nodes in DC2 are currently in the same deployment as those in DC1, then the configuration is there after de-registration.

If using export/import endpoints, not all attributes are preserved and neither are the guest accounts. Please ensure good backups and insert testing along the way.