Thanks for your reply.

I want to change dns from 10.0.10.200 to 10.0.10.233, The below is how I did. Looks like I need to remove the original dns before adding new dns. so even I used the second command "no ip name-server 10.0.100.200", and restart, I still have the problem when I use the first command "ip name-server 10.0.10.233"

ISE2/admin(config)# ip name-server 10.0.10.233
% duplicate name-server found
ISE2/admin(config)# no ip name-server 10.0.10.200
DNS Server was modified. If you modified this setting for AD connectivity, you must restart ISE for the change to take effect. Also note for ISE connectivity to AD, ensure all configured DNS servers can resolve all relevant AD DNS records. If this is not the case and current AD join points may not resolve under new DNS settings then it is recommended to manually perform leave and rejoin.
Do you want to restart ISE now? (yes/no)

I let the two dns working(DC1 is old and DC3 is new one). and the IES2 still cannot join. Please the below:

Error Description: Join failed, reached the maximum number of failover attempts

Support Details...
Error Name: LW_ERROR_JOIN_FAILED_REACHED_MAX_RETRIES
Error Code: 60113

Detailed Log:

Error Description :
Join to ABC.LOCAL failed : reached maximum number of failovers

Error Resolution :
Please check for domain controllers connectivity replication problems in domain ABC.LOCAL

Join steps :
09:19:27 Joining to domain ABC.LOCAL using user administrator
09:19:27 Searching for DC in domain ABC.LOCAL
09:19:27 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:27 Checking credentials for user administrator
09:19:27 Getting TGT for account administrator@ABC.LOCAL
09:19:27 TGT for account administrator@ABC.LOCAL was retrieved successfully
09:19:27 Credentials for user administrator were verified
09:19:27 Searching for DC in domain ABC.LOCAL
09:19:27 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:27 Generating account name for ISE machine in ABC.LOCAL
09:19:27 Searching for an existing machine account
09:19:27 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/ise2.ABC.local))
09:19:27 Account: ise2 was not found
09:19:27 Searching for an existing machine account
09:19:27 Searching object by filter : (&(objectClass=computer)(sAMAccountName=ISE2$))
09:19:27 Account: ISE2$ was found
09:19:27 ISE Machine account name is : ISE2$
09:19:27 Creating machine account ISE2$
09:19:27 Connecting to AD using DC DC3.ABC.local
09:19:27 Connection to DC3.ABC.local established
09:19:27 Opening domain ABC
09:19:27 Domain ABC was opened successfully
09:19:27 Creating machine account object ISE2$
09:19:27 Cannot Join with DC DC3.ABC.local , searching another DC to join with
09:19:27 Searching for DC in domain ABC.LOCAL
09:19:27 Found DC: DC1.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Cannot Join with DC DC1.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Generating account name for ISE machine in ABC.LOCAL
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/ise2.ABC.local))
09:19:28 Account: ise2 was not found
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectClass=computer)(sAMAccountName=ISE2$))
09:19:28 Account: ISE2$ was found
09:19:28 ISE Machine account name is : ISE2$
09:19:28 Creating machine account ISE2$
09:19:28 Connecting to AD using DC DC3.ABC.local
09:19:28 Connection to DC3.ABC.local established
09:19:28 Opening domain ABC
09:19:28 Domain ABC was opened successfully
09:19:28 Creating machine account object ISE2$
09:19:28 Cannot Join with DC DC3.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC1.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Cannot Join with DC DC1.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Generating account name for ISE machine in ABC.LOCAL
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/ise2.ABC.local))
09:19:28 Account: ise2 was not found
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectClass=computer)(sAMAccountName=ISE2$))
09:19:28 Account: ISE2$ was found
09:19:28 ISE Machine account name is : ISE2$
09:19:28 Creating machine account ISE2$
09:19:28 Connecting to AD using DC DC3.ABC.local
09:19:28 Connection to DC3.ABC.local established
09:19:28 Opening domain ABC
09:19:28 Domain ABC was opened successfully
09:19:28 Creating machine account object ISE2$
09:19:28 Cannot Join with DC DC3.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC1.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Cannot Join with DC DC1.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Generating account name for ISE machine in ABC.LOCAL
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/ise2.ABC.local))
09:19:28 Account: ise2 was not found
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectClass=computer)(sAMAccountName=ISE2$))
09:19:28 Account: ISE2$ was found
09:19:28 ISE Machine account name is : ISE2$
09:19:28 Creating machine account ISE2$
09:19:28 Connecting to AD using DC DC3.ABC.local
09:19:28 Connection to DC3.ABC.local established
09:19:28 Opening domain ABC
09:19:28 Domain ABC was opened successfully
09:19:28 Creating machine account object ISE2$
09:19:28 Cannot Join with DC DC3.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC1.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Cannot Join with DC DC1.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Generating account name for ISE machine in ABC.LOCAL
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/ise2.ABC.local))
09:19:28 Account: ise2 was not found
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectClass=computer)(sAMAccountName=ISE2$))
09:19:28 Account: ISE2$ was found
09:19:28 ISE Machine account name is : ISE2$
09:19:28 Creating machine account ISE2$
09:19:28 Connecting to AD using DC DC3.ABC.local
09:19:28 Connection to DC3.ABC.local established
09:19:28 Opening domain ABC
09:19:28 Domain ABC was opened successfully
09:19:28 Creating machine account object ISE2$
09:19:28 Cannot Join with DC DC3.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC1.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Cannot Join with DC DC1.ABC.local , searching another DC to join with
09:19:28 Join to ABC.LOCAL failed : reached maximum number of failovers

Can you please run "show run | in name-server" and check the exact servers configured ?

Negate that command that you see from the above output under configure terminal (skip the ISE restart this time) and then configure the command again i.e.

ip name-server 10.0.10.233

ISE2/admin# show running-config | i name-server
ip name-server 10.0.10.233

Looks like ISE already use the new dns, but it still cannot join. I run test based on the Diagnostic Tool. Two of them failed: "Kerberos check SASL connectivity to AD"

and "Kerberos test obtaining join point TGT" the detail messages are as below respectively

"Could not get Machine account info : Machine is not joined to AD. PBIS error code: NERR_SetupNotJoined. Check Kerberos configuration and network settings"

"Could not get Machine account info : Machine is not joined to AD. PBIS error code: NERR_SetupNotJoined. Check Kerberos related AD configuration"

I found a link as below, it has the similar situation with me. I checked and did something based on the article, but still not resolve it

https://community.cisco.com/t5/network-access-control/kerberos-check-sasl-connectivity-to-ad/td-p/2785648

Its server issue. Once replacing the server, it can work well. Thank you!

Glad to hear, David!

Hey @eigrpy,
I am facing this same error in my environment.
Could you please share the issue that server had and resolution join ISE back in AD?