Cisco ISE 2.0 - Removing References to Old AD after a Domain Name Change and AD Admin Access

Matthew Martin
Level 5

Hello All,

Cisco ISE v2.0 (*on VMWare)

We recently did a Domain Name change within our organization and I am in the process of trying to remove all references to the old Domain within ISE (and replacing them with the new AD's data). I believe I got all references to it from the Policy Sets, and now I am trying to get rid of the Admin Group which contains an AD "Admin Group" from: External Identity Sources > Active Directory > [old_domain_name] > Groups. So first, I wanted to create a new Admin Group containing the new Active Directory's Admin Group from the Domain. But when I go to create a new Admin Group and I check the checkbox for "Type [ ] External", the only option I am given is the OLD Active Directory name. How come it doesn't show the new one here?

My goal here is to delete the OLD Active Directory still saved in: Administration > Identities > External Identity Sources > Active Directory...

But, when I try to delete I am still getting the message:

"Referential Integrity error: This item is referred to by another object."


I did a Policy Export from the Backup and Restore page and did a text search through that, and was able to find one or two references to the Old Domain, so I removed those and replaced them with the new Domain's data. Then I exported the Policy again and did another search for the old Domain, and it found nothing this time. So I'm thinking the Admin Group referencing the "Admin Group" of the old Domain might be all that's left, but I'm not sure...

Any thoughts or suggestions would be greatly appreciated!


Thanks in Advance,
Matt

4 Replies

nspasov
Cisco Employee

Hey Matt, I had to do this once before and it was not an easy task. I wish ISE had an "Integrity/Reference" checker for objects like Call Manager does so you can actually see what is referencing the old domain. 

I know you listed policy sets but there are other places that you need to check:

- Identity Store Sequences

- Guest portals

- Client Provisioning and Posture Policies

- ISE Admin Management via AD

I hope this helps!

Thank you for rating helpful posts!
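Matt's approach above (export the policy, text-search it for the old domain) and Neno's list of other places to check both come down to the same hunt: find every object in the exported configuration that still carries the old domain name. The script below is an added example, not code from this thread or from Cisco. Given an XML export, it walks every element and attribute and reports the path of each occurrence of the old domain, so a hit can be mapped to the object holding it (an identity store sequence, an admin group, a posture profile, and so on). The sample export embedded in it is constructed for the example in a made-up layout; it is not the real ISE policy-export schema, and the element names in it are assumptions. The walker itself does not depend on any element names, so it runs unchanged on whatever XML the export actually contains.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample export. The element and attribute names are invented
# for this example and are NOT the real Cisco ISE export schema; the search
# below only looks at text and attribute values, not at tag names.
SAMPLE_EXPORT = """<?xml version="1.0"?>
<iseConfig>
  <adJoinPoint name="OLDCORP.LOCAL"/>
  <adJoinPoint name="newcorp.example"/>
  <identitySourceSequence name="Corp_Sequence">
    <store>oldcorp.local</store>
    <store>Internal Users</store>
  </identitySourceSequence>
  <adminGroup name="ISE_Admins" type="External" source="OLDCORP.LOCAL">
    <externalGroup>oldcorp.local/Users/Domain Admins</externalGroup>
  </adminGroup>
  <authorizationProfile name="Employee">
    <attribute>newcorp.example:ExternalGroups</attribute>
  </authorizationProfile>
  <posturePolicy name="AnyConnect_Posture">
    <allowedDomains>oldcorp.local,newcorp.example</allowedDomains>
  </posturePolicy>
</iseConfig>
"""


def find_references(xml_text, domain):
    """Return a list of (location, value) pairs for every element text or
    attribute value in which `domain` appears as a whole DNS label.

    Matching is case-insensitive because AD domain names are; the lookaround
    boundaries stop 'corp.local' from matching inside 'oldcorp.local'.
    """
    pattern = re.compile(
        r"(?<![\w.-])" + re.escape(domain) + r"(?![\w.-])", re.IGNORECASE
    )
    root = ET.fromstring(xml_text)
    hits = []

    def walk(elem, path):
        # Label each element with its name attribute when it has one, so the
        # report reads like "adminGroup[@name='ISE_Admins']" instead of a bare tag.
        label = elem.tag
        if elem.get("name"):
            label += "[@name='%s']" % elem.get("name")
        here = "%s/%s" % (path, label)
        # Attribute values first, then the element's own text, then children.
        for attr, val in elem.attrib.items():
            if pattern.search(val):
                hits.append(("%s/@%s" % (here, attr), val))
        if elem.text and pattern.search(elem.text):
            hits.append((here, elem.text.strip()))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return hits


if __name__ == "__main__":
    # Stand-alone run: list everything still pointing at the old domain.
    for location, value in find_references(SAMPLE_EXPORT, "oldcorp.local"):
        print("%s: %s" % (location, value))
```

Run it against a real export with the old join-point name and work through the hits object by object; a hit under an admin group is the one fixed on the Administration > System > Administrators > Admin Groups page, a hit in an identity source sequence is fixed in the sequence itself, and the join point's own definition is the last thing you delete once no other hit remains. Note that a plain substring match would also flag the new domain if it shares a suffix with the old one, which is why the pattern insists on whole-label boundaries.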

Hey Neno, thanks for the reply!

Yeah, that would be pretty nice if they had that, or even a way to save the configuration of the entire server to a text file so it can be searched through, almost like a router's running-config....

But anyway, we had our ASA/ISE contractor come by today to help us with something, and we had him help us look around and find the last few missing bits and pieces referencing the old Domain... Some of them were in a Guest Portal config, an Auth Profile somewhere, the Admin Access Group for the ISE server, and a few others... Not to mention the ones NOT referenced by the External ID Source, like the allowed domains in the AnyConnect ISE Posture Profile, which we discovered a little later.

But we finally got it to where we were able to delete the OLD domain... Whew, that was a pain!

Thanks again for your reply, very much appreciated!

-Matt

Fantastic! Glad that you were able to solve the problem!

Best regards!

Neno

_|brt.drml|_
Level 1

Old issue. Solved this by:

removing all references in policy (write down what you have changed!)

removing references in admin accounts (Administration > System > Administrators > Admin Groups)

Then it was all OK to remove the old groups and import them.