FYI. I opened a TAC case on this, but thought I'd also post here in case someone has come across this:
I realize that in the end, I will likely have to just rename my hosts. I am, however curious about this because the character limitation impedes the ability to adhere to device naming conventions that an organization may have.
Hostnames Longer than 15 characters
I am in the process of installing and migrating to 3595’s. During the installation I mistakenly named the devices with a host name longer than 15 characters (oversight on my part). Now, due to the 15-character hostname limitation, I cannot join them to active directory (see error log below). The actual access denied message that I received was not because my account didn't have permission. It was because AD saw it as an invalid object. I tested AD Users and Computers with the account in question and was able to create accounts just fine.
At any rate, I had a couple of thoughts about a workaround for this but am unclear as to whether it is supported and what the effects may be. Curious to know if anyone else has tried this.
Prestage Computer Object in AD with a Pre-2000 Account Name
I tested this by creating a pre-windows 2000 name in Active Directory. This is a field that is available in the menu when creating and object using Active Directory Users and Computers. It still failed, but I noticed in the error log (see below) that it appears to randomize a name for the SAM Account name. I assume that ISE does this if the host name is too long so that it will avoid creating and AD object that is too long and ensure that if each host name starts the same, as is traditional with device naming conventions, that the AD SAM Account name object would be unique.
1. What is the random name that it is generating and what is the mechanism through which it is generating that name?
2. Can I take that randomly generated samName and populate that in a staged AD Computer account that has its object name reflected as the true hostname and the pre-windows 2000 accout name be the randomly generated account name as seen below in the logs. EDIT: I have tested this and you can take that sAmAccountName from below and set it as the pre-windows 2000 Account name when prestaging. It allows a successful join to Active Directory.
3. If that is possible, are there any ramifications, from an ISE perspective, in terms of User or Machine auth?
4. The log below says it found the random name below (XXX-XXX-6EL5K0B$). However, no AD object with that name actually exists. The log is a bit ambiguous as to where it actually found that object. Is this a reference to a created object in the ISE database from the first join attempt that failed?
ERROR LOG
Error Description: Access is denied
Support Details...
Error Name: ERROR_ACCESS_DENIED
Error Code: 5
Detailed Log:
Error Description :
Cannot create machine account (empty) : access denied.
Error Resolution :
Please check for sufficient permissions to create machine account object
Join steps :
06:56:40 Joining to domain mydomain.com using user iseuser
06:56:40 Searching for DC in domain mydomain.com
06:56:40 Found DC: dc.mydomain.com , client site is myDataCenter , dc site is myDataCenter
06:56:40 Checking credentials for user iseuser
06:56:40 Getting TGT for account iseuser@mydomain.com
06:56:40 TGT for account iseuser@mydomain.com was retrieved successfully
06:56:40 Credentials for user iseuser were verified
06:56:40 Searching for DC in domain mydomain.com
06:56:40 Found DC: dc.mydomain.com , client site is myDataCenter , dc site is myDataCenter
06:56:40 Generating account name for ISE machine in mydomain.com
06:56:40 Searching for an existing machine account
06:56:40 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/XXX-XXX-ise-adm1.mydomain.com))
06:56:40 Account: XXX-XXX-ise-adm1 was not found
06:56:40 Searching for an existing machine account
06:56:40 Searching object by filter : (&(objectClass=computer)(sAMAccountName=XXX-XXX-6EL5K0B$))
06:56:40 Account: XXX-XXX-6EL5K0B$ was found
06:56:40 ISE Machine account name is : XXX-XXX-6EL5K0B$
06:56:40 Creating machine account XXX-XXX-6EL5K0B$
06:56:40 Connecting to AD using DC dc.mydomain.com
06:56:40 Connection to dc.mydomain.com established
06:56:40 Opening domain MYDOMAIN
06:56:40 Domain MYDOMAIN was opened successfully
06:56:40 Creating machine account object XXX-XXX-6EL5K0B$
06:56:40 Cannot create machine account (empty) : access denied.
