08-25-2016 01:30 PM - edited 03-11-2019 12:01 AM
Is there a way to change the fqdn w/o needing to re-configure ISE from scratch?
I have a 2-node deployment. The domain is changing - so I have a new wildcard cert for the new domain, but the server's current fqdn won't work w/ the new cert.
08-26-2016 02:58 PM
Hi Moody,
Domain name can be changed using the command below.
ISE3395/admin(config)# ip domain-name ?
<WORD> DNS search domain name (Max Size - 64)
If you update the domain name for the Cisco ISE server with this command, it displays the following warning message:
Warning: Updating the domain name will cause any certificate using the old domain name to become invalid. Therefore, a new self-signed certificate using the new domain name will be generated now for use with HTTPs/EAP. If CA-signed certificates were used on this node, please import them with the correct domain name. In addition, if this ISE node will be joining a new Active Directory domain, please leave your current Active Directory domain before proceeding.
http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/cli_ref_guide/b_ise_CLIReferenceGuide_21/b_ise_CLIReferenceGuide_21_chapter_011.html#ID-1364-0000064d
Prior to this change:
1. Disjoin the ISE nodes from the domain
2. Ensure that their computer name is removed from AD
3. Update DNS records
4. Ensure that DNS records have replicated
5. Change names on ISE
6. Join nodes to the new domain.
Hope this helps!!!!
Regards
Gagan
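Added example (not part of the original thread and not Cisco code): a pre-change check of which node FQDNs the new wildcard certificate covers, using the RFC 6125 rule that a wildcard stands for exactly one left-most label. The hostnames, SAN list and function names are constructed placeholders; substitute the SAN entries read from your own certificate.

```python
# Added example: check which node FQDNs a certificate's DNS SAN entries cover.
# All hostnames and SAN values below are constructed placeholders.

def san_matches(san: str, fqdn: str) -> bool:
    """Match one DNS SAN entry against an FQDN, RFC 6125 style.

    A wildcard is honoured only as the entire left-most label and
    stands for exactly one label, so *.new.example does not cover
    new.example itself or a.b.new.example.
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = fqdn.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        # Require two fixed labels after the wildcard and a non-empty host label.
        return (len(san_labels) >= 3
                and host_labels[0] != ""
                and san_labels[1:] == host_labels[1:])
    return san_labels == host_labels


def coverage(sans, fqdns):
    """Return {fqdn: first SAN entry that covers it, or None}."""
    return {f: next((s for s in sans if san_matches(s, f)), None) for f in fqdns}


# Constructed sample data: a two-node deployment moving between domains.
NEW_CERT_SANS = ["*.new.example"]
OLD_FQDNS = ["ise01.old.example", "ise02.old.example"]
NEW_FQDNS = ["ise01.new.example", "ise02.new.example"]

if __name__ == "__main__":
    report = coverage(NEW_CERT_SANS, OLD_FQDNS + NEW_FQDNS)
    for fqdn, san in report.items():
        status = f"covered by {san}" if san else "NOT covered"
        print(f"{fqdn:22} {status}")
```

The old FQDNs come back as not covered, which is the mismatch described in the question; the new FQDNs are covered only once the nodes actually carry names one label below the wildcard's domain.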
09-08-2016 11:43 AM
Hi Moody,
Any queries!!!
Regards
Gagan
PS: please rate if it helps
09-08-2016 01:52 PM
Thanks Gagan -
You were right w/ your steps to make the change. I guess the real hurdle for us was getting the certificate changed.
Thanks again - huge help!