Our ISE admin servers were inadvertently built with 16-character hostnames. Active Directory has a 15-character limit for hostnames. This causes the 16th character to be truncated. The secondary admin server fails to connect to AD because the hostname no longer looks unique. Is there a workaround for this other than rebuilding the ISE servers?
It is important to limit Cisco ISE hostnames to 15 characters or fewer in length if you use Active Directory on your network. Active Directory does not validate hostnames longer than 15 characters. This can cause a problem if you have multiple ISE hosts in your deployment whose hostnames are identical through the first 15 characters and are only distinguishable by the characters that follow.
Check the link: Cisco ISE Hostname Character Length Limitation with Active Directory
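The limitation described in the answer above is easy to check before a node is joined to AD. The following script is an added example, not part of the original thread or of Cisco's documentation: it takes a list of ISE node FQDNs (the sample list is constructed), extracts the host label, flags any label longer than 15 characters, and reports which nodes would collapse onto the same AD computer name once the label is cut to 15 characters and upper-cased, which is how the truncated name is compared. The DNS-label validation regex is an assumption based on RFC 1123 and is not something the thread discusses.

```python
import re
from collections import defaultdict

# Active Directory stores a NetBIOS-style computer name of at most 15 characters;
# anything longer is cut to its first 15 characters when the host joins the domain.
# Two ISE nodes whose hostnames differ only after the 15th character therefore
# end up with the same AD computer name.
NETBIOS_MAX = 15

# Assumed DNS label rule (RFC 1123): letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def hostname_label(fqdn):
    """Return the host part (first label) of an FQDN, e.g. 'ise01' from 'ise01.example.com'."""
    label = fqdn.strip().rstrip(".").split(".")[0]
    if not _LABEL_RE.match(label):
        raise ValueError(f"invalid hostname label: {label!r}")
    return label


def netbios_name(fqdn):
    """Name AD will keep for the machine: host label, upper-cased, cut at 15 characters."""
    return hostname_label(fqdn)[:NETBIOS_MAX].upper()


def check_deployment(fqdns):
    """Validate a set of ISE node FQDNs against the AD 15-character limit.

    Returns (too_long, collisions):
      too_long   - list of (fqdn, label_length) for labels longer than 15 characters
      collisions - dict truncated_name -> list of FQDNs sharing that AD computer name
    """
    too_long = []
    by_truncated = defaultdict(list)
    for fqdn in fqdns:
        label = hostname_label(fqdn)
        if len(label) > NETBIOS_MAX:
            too_long.append((fqdn, len(label)))
        by_truncated[netbios_name(fqdn)].append(fqdn)
    collisions = {name: hosts for name, hosts in by_truncated.items() if len(hosts) > 1}
    return too_long, collisions


# Constructed sample deployment: the two admin nodes have 16-character hostnames
# that differ only in the 16th character, exactly the situation in the question.
SAMPLE_NODES = [
    "ise-admin-node01.example.com",
    "ise-admin-node02.example.com",
    "ise-psn01.example.com",
    "ise-psn02.example.com",
]

if __name__ == "__main__":
    too_long, collisions = check_deployment(SAMPLE_NODES)
    for fqdn, n in too_long:
        print(f"TOO LONG ({n} chars): {fqdn}")
    for name, hosts in collisions.items():
        print(f"AD computer name collision on {name!r}: {', '.join(hosts)}")
    if not too_long and not collisions:
        print("All hostnames are 15 characters or fewer and unique after truncation.")
```

Run it against the hostnames you intend to use before joining the nodes to the domain; a non-empty `collisions` result means the second node will fail to join or will overwrite the first node's computer account, so rename before proceeding.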
You can change the hostname in the CLI, and then you'd probably need to remove your ISE nodes from the domain, delete the host in AD, and then re-add the name. This is a guess more than me knowing it will work for sure.
You need not rebuild your entire ISE nodes. You have to follow the steps below.
You can change the hostname, IP address, or domain name of standalone Cisco ISE nodes. You cannot use “localhost” as the hostname for a node.
Before You Begin
If the Cisco ISE node is part of a distributed deployment, you must remove it from the deployment and ensure that it is a standalone node.
Step 1 Change the hostname or IP address of the Cisco ISE node using the hostname, ip address, or ip domain-name command from the Cisco ISE CLI.
Step 2 Restart the Cisco ISE application configuration using the application stop ise command from the Cisco ISE CLI to restart all the services.
Step 3 Register the Cisco ISE node to the primary Administration node if it is part of a distributed deployment.
Note If you are using the hostname while registering the Cisco ISE node, the fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, abc.xyz.com must be DNS-resolvable from the primary Administration node. Otherwise, node registration fails. You must enter the IP addresses and FQDNs of the Cisco ISE nodes that are part of your distributed deployment in the DNS server.
After you register the Cisco ISE node as a secondary node, the primary Administration node replicates the change in the IP address, hostname, or domain name to the other Cisco ISE nodes in your deployment.
Make sure that you also update the DNS record with the new hostname and replace the certificate unless you are using a wildcard cert.
Unfortunately there isn't a workaround. I had the same issue happen with one of my deployments and I had to have the customer change the hostnames.
Thank you for rating helpful posts!