ISE (Identity Services Engine) FQDN Change

wmiketyson
Level 1

I would like to change our ISE FQDN. What issue could arise by changing the ISE FQDN? Say from Host.A to Host.B. I would like to do this in order to apply a certificate we now have.

2 Replies

marce1000
Hall of Fame

  - ISE requires that PTR records for all nodes point to the correct FQDN.

  M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Arne Bier
VIP

I haven't done this procedure in a while, but if I recall, changing the domain has the following effect:

rnolabise02/admin#configure t
Entering configuration mode terminal
rnolabise02/admin(config)#ip domain-name newdomain.local
% Warning: Updating the domain name will cause any certificate using the old
% domain name to become invalid. Therefore, a new self-signed
% certificate using the new domain name will be generated now for
% use with HTTPs/EAP. If CA-signed certs were used on this node,
% please import them with the correct domain name. If Internal-CA
% signed certs are being used, please regenerate ISE Root CA certificate.
% In addition, if this ISE node will be joining a new Active Directory
% domain, please leave your current Active Directory domain before
% proceeding.
% Changing the IP domain-name will cause ise services to restart
Proceed? [yes,no]

If you don't need the self-signed certs for anything, then you can ignore the message above about certificate re-generation.

And you'd need to do this on every node. One at a time, waiting for services to restart. 

Ensure that the nodes are all still registered to one another during this process - that's the part I would test in the lab (unless someone can confirm).  From memory, I think I de-registered all the nodes, did the domain name change on each one, created new Admin certs for all, and then registered them all back again. A lot of work, but it felt like the right thing to do. And it succeeded.
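Two things in this thread are easy to get wrong and cheap to check before touching any node: marce1000's point that every node's PTR record must resolve back to the correct FQDN, and the CLI warning above that a certificate issued for the old name will be invalid for the new one. The script below is an added example written for this thread, not code from Cisco or from either poster. It takes the list of new node FQDNs, confirms that each address in the forward lookup has a PTR pointing back at that same FQDN, and checks whether the DNS names in the new certificate's SAN list cover every node. The node names, addresses and SAN entries are constructed sample data so the script runs offline; `live_forward` and `live_reverse` are the stdlib resolvers you would pass instead when running it for real.

```python
"""Pre-flight checks before renaming ISE nodes: forward/reverse DNS agreement
and whether the new certificate's SAN list covers every node's new FQDN.
Added example for this thread; node names and addresses below are constructed."""
import json
import socket
from typing import Callable, Dict, Iterable, List


def live_forward(fqdn: str) -> List[str]:
    """All IPv4 addresses that fqdn resolves to (real DNS lookup)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None, socket.AF_INET)})


def live_reverse(ip: str) -> str:
    """PTR name for ip (real DNS lookup); empty string when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return ""


def _norm(name: str) -> str:
    """DNS names are case-insensitive; a trailing dot is just the root label."""
    return name.rstrip(".").lower()


def find_ptr_mismatches(nodes: Iterable[str],
                        forward: Callable[[str], List[str]],
                        reverse: Callable[[str], str]) -> List[dict]:
    """Return one entry per (node, address) whose PTR does not name the node."""
    problems = []
    for fqdn in nodes:
        try:
            ips = forward(fqdn)
        except OSError:
            ips = []
        if not ips:
            problems.append({"node": fqdn, "ip": None, "ptr": None, "reason": "no A record"})
            continue
        for ip in ips:
            ptr = reverse(ip)
            if _norm(ptr) != _norm(fqdn):
                problems.append({"node": fqdn, "ip": ip, "ptr": ptr or None,
                                 "reason": "PTR does not match FQDN"})
    return problems


def cert_covers_fqdn(san_dns_names: Iterable[str], fqdn: str) -> bool:
    """True if fqdn matches a SAN dNSName exactly or via a leftmost-label
    wildcard (RFC 6125 style: '*' must be the whole leftmost label and
    matches exactly one label, so *.example.local never covers a.b.example.local)."""
    host = _norm(fqdn).split(".")
    for san in san_dns_names:
        pattern = _norm(san).split(".")
        if len(pattern) != len(host):
            continue
        if pattern == host:
            return True
        if pattern[0] == "*" and len(pattern) >= 3 and pattern[1:] == host[1:]:
            return True
    return False


def preflight(nodes: List[str], san_dns_names: List[str],
              forward: Callable[[str], List[str]],
              reverse: Callable[[str], str]) -> Dict[str, list]:
    """Everything that should be empty before you run 'ip domain-name' anywhere."""
    return {
        "ptr_mismatches": find_ptr_mismatches(nodes, forward, reverse),
        "uncovered_by_cert": [n for n in nodes if not cert_covers_fqdn(san_dns_names, n)],
    }


# Constructed sample deployment (hypothetical names/addresses, not from the thread).
SAMPLE_NODES = ["ise-pan-1.newdomain.local",
                "ise-psn-1.newdomain.local",
                "ise-psn-2.newdomain.local"]
SAMPLE_A = {"ise-pan-1.newdomain.local": ["192.0.2.11"],
            "ise-psn-1.newdomain.local": ["192.0.2.21"],
            "ise-psn-2.newdomain.local": ["192.0.2.22"]}
SAMPLE_PTR = {"192.0.2.11": "ise-pan-1.newdomain.local.",
              "192.0.2.21": "ise-psn-1.olddomain.local.",   # stale PTR from the old domain
              "192.0.2.22": ""}                              # PTR never created
# New certificate's SAN list: psn-2 was forgotten when the CSR was built.
SAMPLE_SAN = ["ise-pan-1.newdomain.local", "ise-psn-1.newdomain.local"]


def sample_forward(fqdn: str) -> List[str]:
    return SAMPLE_A[fqdn]


def sample_reverse(ip: str) -> str:
    return SAMPLE_PTR.get(ip, "")


if __name__ == "__main__":
    # Swap sample_forward/sample_reverse for live_forward/live_reverse on a real run.
    print(json.dumps(preflight(SAMPLE_NODES, SAMPLE_SAN, sample_forward, sample_reverse), indent=2))
```

Run it once per deployment before the first `ip domain-name` change and again after every node has been renamed and re-registered; an empty `ptr_mismatches` and `uncovered_by_cert` is the state you want before importing the CA-signed certificate on each node.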