ISE 2.1 FULL domain name change

Is there a way to change the complete domain name without having to reconfigure ISE from scratch?

I have a 2-node deployment.  The domain is changing - so I have a new wildcard cert for the new domain, but the FQDN of the server classes won't work w/ the new cert.

Hey Moody,

The domain name can be changed using the command below.

ISE3395/admin(config)# ip domain-name ?
DNS domain name search (Max Size - 64)

If you update the domain name for the Cisco ISE server with this command, it displays the following warning message:

Warning: Updating the domain name will cause any certificate using the old
domain name to become invalid. Therefore, a new self-signed certificate using the new domain
name will be generated now for use with HTTPs/EAP.  If CA-signed certificates were used on this
node, please import them with the correct domain name. In addition, if this ISE node will be
joining a new Active Directory domain, please leave your current Active Directory domain before
proceeding.

Prior to this change:

1. Disjoin ISE from the domain
2. Ensure that the computer name is removed from AD
3. Update the DNS records
4. Ensure that the DNS records have been replicated
5. Change the names on ISE
6. Join nodes to the new domain

Hope this helps!

Cordially,
Gagan

Tags: Cisco Security

Similar Questions

  • ISE profiling - matching with endpoint of FULL domain name

    I am trying to achieve a condition of profiling to match the FULL domain name.  In this example all ministerial posts have the following common FQDN:

    ABCD -

    I would like to match on everything except the machine name, which can be a wildcard.  The profiling condition I tried to configure is

    IP:FQDN CONTAINS ^(abcd)*(\.xyz\.com)$

    I never get any matches on this page or any variation I've tried.  When I look at endpoint in the identity, I see the entire FQDN as an attribute.

    Can someone help me with the correct syntax to match to a FULL domain in this way?

    Thank you


    Hello Brian,

    The forthcoming ISE 1.2, to be released soon, has additional "begins with" and "ends with" operators that will be useful.

    For the DHCP host name, you can use begins with


    Domain name ends with

  • Operations Manager 6.1 5.5 Web client on vSphere link refer to the IP address instead of the FULL domain name


    We have a new environment vROps 6.1. Everything works like a charm, except when I get the Web Client vSphere. Hosts and Clusters - monitor - health, I try to click on the "see details in vCenter Operations Manager" and I get sent to the IP address to one of the nodes in the cluster vROps. This translates into a certificate error. We have signed all the certificates for the solution of vROps, but that doesn't help us when the link refers to one IP address. Any way to change the behavior of the link to go instead of the full domain name?

    Thanks in advance for your comments.



    Yes, here is a PowerCLI code snippet to do it:

    # Connect to the vCenter Server (prompts for the server name)
    Connect-VIServer

    # Find the vROps extension registered in vCenter
    $extMgr = Get-View ExtensionManager
    $vRops = $extMgr.ExtensionList | ? {$_.Key -eq "com.vmware.vcops"}

    # Point the extension link at the FQDN instead of the node IP address
    $vRops.Server[0].Url = "https://vrops-fqdn/"

    $ExtExtendedProductInfo = New-Object VMware.Vim.ExtExtendedProductInfo
    $ExtSolutionManagerInfo = New-Object VMware.Vim.ExtSolutionManagerInfo
    $vRops.ExtendedProductInfo = $ExtExtendedProductInfo
    $vRops.SolutionManagerInfo = $ExtSolutionManagerInfo

    # Write the updated extension back to vCenter
    $extMgr.UpdateExtension($vRops)


  • VimService returns localhost instead of the FULL domain name?

    Hi all

    I'm looking to automate the deployment of virtual machines under vSphere 4 Update 1 via the SOAP using PHP service.  When I ask the vimService.wsdl file, I see the following XML:

    <?xml version="1.0" encoding="UTF-8" ?>
       <!-- Copyright 2005-2009 VMware, Inc.  All rights reserved. -->
    <definitions targetNamespace="urn:vim25Service"
       <import location="vim.wsdl" namespace="urn:vim25"></import>
       <service name="VimService">
          <port binding="interface:VimBinding" name="VimPort">
             <soap:address location="https://localhost/sdk/vimService"></soap:address>

    Why is the referenced host here 'localhost '?  Should not the XML continue my code of points my vCenter Server's FULL domain name?  It's throwing me for a loop, because when I try for any transaction on the service established by PHP SoapClient instance, my code expires because it tries to connect to localhost instead of the actual address of my Server vCenter.

    Any ideas would be greatly appreciated.  Even more useful would be a code example using PHP 5.3 SoapClient class (as opposed to nusoap, that I've seen it used, because it is not fully functional under PHP 5.3).  Thank you!


    <soap:address location="https://localhost/sdk/vimService"/> in the vimService.wsdl specifies localhost in the address location because the WSDL is generated from the server, and the server is localhost to itself. However, the address location can be changed. When we establish a connection to a particular server (vCenter or host) at run time, the address location is replaced with the URL that we pass to the VimServiceLocator method getVimPort. In this way, the connection to a particular server is established at run time.

  • Network error mystery - Windows cannot access \\server\users when you use the netbios name, but works fine when you use the full domain name.

    Hi all:

    Mystery - I have a Win 7 workstation that cannot access a particular share.  I get the following error - "You are not allowed to access \\server\users.  Contact your network administrator to request access."  However, these users can access these files successfully on other computers, and also if I use the FQDN or the IP instead of the NetBIOS name of the server, it connects successfully.


    -Workstation and server at the same time in the same AD Windows 2008 r2 domain.

    -All users, admin and non admin, cannot access this share when connecting to this computer only.

    -ACCESS to the other shares on the same server, as well as shares on other servers.

    -The biggest mystery to me - if I type the FQDN, \\server.domain.local\users, it works!  What the?

    I tried:

    -Deletion of the domain and add it again, no improvement.

    -Check Event Viewer, nothing jumps (not red or yellow).

    -Enabled auditing for access to objects on the server, it does not show a failure in the security event log.

    -Turn off the firewall of my computer.

    -Un-share and re-share the directory.

    -Give everyone full control (the fact that it works well with de facto authorities a little full domain name, a candidate little likely, but I have an open mind).

    For anyone wishing to offer their 'help' by asking me to make some sort of workaround such as re-installing Windows or turning off NetBIOS or using only the full domain name from here on out or whatever, please don't bother.  I appreciate your help, but I am quite able to reinstall and I'm not interested in one-off hacks that affect this otherwise well-managed network. I'm looking for a solution that will allow me to save time and is a long-term solution.

    In my view, a key point here may be that I can connect successfully using \\server.domain.local\users, but not \\server\users.  Does anyone have any thoughts?

    On your DNS server, go to the zone in question and, on the WINS tab, select "Use WINS forward lookup" and enter the address of your WINS server if you have one. If not, install one.

  • Customer view Windows - FULL domain name question

    I was wondering if someone had met before?

    I have a small Horizon View 5.3.1 test network running. I have 1 connection server and 1 paired security server. I have no problem with my security server sitting in my DMZ for use with remote access. The problems begin when I try to connect to the connection server when I'm on the internal network. When using the latest version of the Windows View client (running on Windows 8.1 x64) and typing in the FQDN of the connection server, I just get an error that immediately says "unable to connect to the server". If I use the IP address then it works fine, but obviously that is of no use, because I can't verify the cert.

    I had problems in the past when using short DNS names (which do not work), but I am not concerned, as I want to use full domain names in any case.

    I checked the DNS and everything seems fine. If I ping domain name FULL of the connection to the server, I get a reply, all other servers are accessible by their FULL domain name and access HTML works fine using the FULL domain name and my certs check out OK.

    It sounds like a problem in the Windows Vista client. If anyone has any ideas, I would be very grateful.

    Thank you


    It really depends on the whole upward. But we use the same URL for both. Ours are the same.

    Example of


    And we even put Blast Gateway for HTTPS for security servers and the connection.

    then when you pull up to your customer. To connect to the server, simply type in and it should work if you have DNS entries on the DNS server for your domain.

  • Health HQ-&gt; Agents tab issue with FULL domain name

    When I go to the HQ health-> Agents tab, I see some of my platforms have the FULL domain name noted quite rightly (or other). However, some of them only the IP address of the list and have no FULL domain name. I checked and these IP addresses do not have matching PTR DNS records, so I don't know why this should happen.

    Can someone tell me why this is happening?

    Hyperic entering these data? It does not appear to conduct research at the time the listing agent is created. Maybe when the platform is created? If so, how I would solve this? Can I just update a column in the database with the correct information?

    Thank you

    Oops, I forgot a

    Platform.Name =
    Platform.FQDN =

    Unfortunately, I don't remember if the agent should be reconfigured (data directory cleared and agent restarted) or not.

  • The vCenter server's FULL domain name.


    Using the vSphere Web Services SDK, is it possible to get the FULL domain name of the vCenter server that I have connected to? For example, foo - is the FULL domain name of my VC, but I can connect to the VC with the SDK giving the name as foo-test. Once connected, is there any property by which I can get the FQDN of my VC, i.e. like foo -

    Help in this regard is highly appreciated.

    Many thanks in advance,


    (1) this property reflects maybe just how the guestOS has been set up if she had the FULL domain name or not, I'm not 100% sure but I always put my host names a FQDN. You can watch the underlying guestOS to see how it is set up compared to others which show the COMPLETE domain name

    (2) your original question was on the vCenter FQDN; this property, as mentioned, is only for vCenter and not for ESX(i). If you need to search for this information, you must look at the HostSystem that represents your ESX or ESXi host. You'll want to take a look at the HostDnsConfig property to find the short hostname under the host name and the domain under the domain name, and that will provide the COMPLETE domain name.

    I think the best way to interrogate this information actually uses your DNS infrastructure, it is what it is. Looks like not all your environments are configured using domain name FULL which in my books, is not a best practice. If this is the case, what data are only as good as the original configuration in order to make virtual infrastructure out of the image and simply use DNS to query for it. It is trivial to extract the IP addresses of your vCenter and the host ESX (i), so you can use it as a base to make your look up.

    I also recommend to take a look at the API reference documentation, it is the best place to find this information and using the search feature is also very useful to fine-tune the properties that interest you -

    I hope this makes sense


    William Lam

    VMware vExpert 2009,2010

    VMware VCP3, 4

    VMware VCAP-DCA4

    VMware scripts and resources at:

    Twitter: @lamw

    repository scripts vGhetto

    Introduction to the vMA (tips/tricks)

    Getting started with vSphere SDK for Perl

    VMware Code Central - Scripts/code samples for developers and administrators

    VMware developer community

    If you find this information useful, please give points to "correct" or "useful".

  • Cann add host with FULL domain name

    Hi guys

    I removed a host esx cluster 1 and he added in another but the esx host name does not appear as a FULL domain name. I enter the FULL domain name. I also checked (ESX), network (ESX) host and to host files to the server VC 2.5, have all FULL domain name.

    Somehow it is not showing the FULL domain name. Now, some administrators are complaining about an error when they open the console of a virtual machine that is on the host in question: "address host for server search failed".

    Any help will be appreciated

    Thank you


    You can remove the ESX host to vCenter?  Once removed, connect you to the service console and update the host name?

    [root@server root]# hostname newname

    Say your ESX host FQDN is (below would be the command)

    [root@server root]# hostname

    Once that is done, try to add it to vCenter as FULL domain name.  You are also, that there is no entry of host file on your host, which can be listed with vCenter shortname?

  • FULL domain name v IP to install &amp; matching site

    During the installation of SRM, the local VC is specified. Either FQDN or IP can be used, but FQDN is recommended. At the time of site pairing, the remote VC is specified, and once again it can be FQDN or IP, with the FULL domain name as best practice. But what is important is that, whichever method is used at install, the same method should be used when pairing.

    My question is: what if you do not? In other words, what happens if you use opposing methods (FQDN and IP or vice versa) for installation and then pairing? What breaks?

    The documentation is strict for the sake of simplicity.  Basically, the need for the match has to do with SSL and server certificate verification.  By default, when SRM connects to the VC server, it expects the DNS assertion made in the subject alternative name of the VC certificate to be an exact match of the IP/FULL domain name used to access this VC.  If the local SRM uses the IP address to reach a given VC and the remote SRM uses the FQDN to reach this same VC, for example, the assertion in the certificate cannot match both values.

    An exception to this is the case where, during installation, the user chooses to accept the VC certificate based on its thumbprint.  In this case the VC certificate gets checked on each SSL connection based only on the thumbprint, and the DNS assertion is not required to match.  I guess that's the case you are seeing here.
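The matching rule in the answer above, sketched as an added example (not part of the original thread and not SRM's code): a name check against the certificate's subjectAltName entries, with an accepted thumbprint replacing the name check. The host names, the certificate bytes and the choice of SHA-256 for the thumbprint are constructed assumptions.

```python
import hashlib
import ipaddress

# Constructed sample: subjectAltName entries in the shape ssl.getpeercert() returns.
VC_CERT_SAN = (("DNS", "vc01.corp.example"), ("DNS", "*.newdomain.example"))
# Constructed stand-in for the certificate's DER bytes (only hashed, never parsed).
VC_CERT_DER = b"constructed-der-bytes-for-vc01"


def _dns_match(pattern, host):
    """Match one dNSName entry; '*' may only stand for the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def san_matches(target, san):
    """True if the name typed into the client is asserted by the certificate."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: compare against dNSName entries only.
        return any(kind == "DNS" and _dns_match(value, target)
                   for kind, value in san)
    # An IP target is compared only with iPAddress entries, never with DNS ones.
    return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
               for kind, value in san)


def thumbprint(der):
    """Hex SHA-256 digest of the encoded certificate (assumed thumbprint hash)."""
    return hashlib.sha256(der).hexdigest()


def accept(target, san, der, pinned=None):
    """Name check by default; an accepted thumbprint replaces the name check."""
    if pinned is not None:
        return "pinned" if thumbprint(der) == pinned else "reject"
    return "name" if san_matches(target, san) else "reject"


if __name__ == "__main__":
    for name in ("vc01.corp.example", "10.0.0.5", "vc01",
                 "ise01.newdomain.example", "ise01.olddomain.example"):
        print(f"{name:28} {accept(name, VC_CERT_SAN, VC_CERT_DER)}")
    pin = thumbprint(VC_CERT_DER)
    print("10.0.0.5 with accepted thumbprint:",
          accept("10.0.0.5", VC_CERT_SAN, VC_CERT_DER, pinned=pin))
```

The same check explains the other threads on this page: a link that uses a node's IP address fails against a certificate that only asserts DNS names, and a wildcard for the new domain does not cover a host name under the old one.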

  • How can I know the FULL domain name &amp; names for the installation of a digital certificate Public in ISE?

    We are implemented a project with Cisco ISE; but comments Portal appears to users as a "untrusted site". For problems, a public digital certificate must be installed in Cisco ISE, so he can send it to users who enter the comments Web portal.

    Now... to sell me the certificate, VERISIGN needs to know settings ISE of the certificate, such as name of area COMPLETE, names subnames, etc... How can these parameters of ISE?

    Thanks a lot!

    This isn't an easy question to answer, there are a ton of variables to include

    Local web site Central Web Auth or Auth

    LWA, the WLC is the "man in the Middle" to the request of the customer for PSN (server nodes), the WLC takes the request webauth and resembles webauth then the redirect URL that you put in the WLC

    If the redirect webauth URL is, the WLC is a redirect but the virtual IP address comes in, who was as trustworthy or redirection complains, then you may have to get the public certificate for the fqdn of, and the comment server. You can create a CSR using openssl or you can just go into ISE and create a CSR, but there you can only set CN = and nothing else. As long as you have a single PSN that is fine, but if you have several PSNs, you need to change your CSR, so you have to use openssl to create the CSR using an openssl.cnf file, and then with openssl you do the following:

    openssl req -new -nodes -out omf-01-ise04.csr -config openssl.cnf

    You must do it the way I said above regardless of CWA or LWA, if you have more than one PSN, you must point to a FULL VIP domain name and then configure your DNS to answer for these host names. With LWA, you get virtual IP WLC involved, so you don't have to worry about getting a certificate for this, it is a cleaner installation, but you must always do all the rest. It must ensure that users of your guests have the opportunity to join the portal comments and be able to solve the given DNS the dns server that they have been configured with.

    Content of the file openssl.cnf:

    [ req ]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    default_bits = 2048

    # Prompts shown when the CSR is generated
    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_default = en
    localityName = Locality Name (eg, city)
    organizationalUnitName = Organizational Unit Name (eg, section)
    commonName = Common Name (eg, YOUR name)
    commonName_max = 64
    emailAddress = Email Address
    emailAddress_max = 40

    # Extensions requested in the CSR
    [ v3_req ]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = clientAuth, serverAuth
    subjectAltName = @alt_names

    # One entry per FQDN the certificate must cover
    [ alt_names ]
    DNS.1 =
    DNS.2 =
    DNS.3 =

  • Configuration remote access VPN (IPSec) using FULL domain name

    Hi friends of Cisco,

    We have the DNS (only the internal IP) within our network, right now that we have configured VPN for remote access using public IP address and connect us with the same public IP address. I need help to use the domain name FULL rather than use public IP.

    Can you please provide the configuration for this.

    Feature: ASA 5520

    Type of configuration: IPSec

    Thank you


    Hi Philippe,

    You can use one of the free Web of DNS dynamic sites and configure ASA to dynamic DNS.

    Reference -



  • Help with a script. Need to host name, not the FULL domain name

    I'm trying to gather a workflow that will create a user in Active directory and then install SQL server using this account for the service.

    the format of the username I want is SQL_servername

    I use ' hostname = vm.guest.guestId; ' to remove the host name of the virtual machine, but it returns the domain (i.e. FULL name

    I tried various methods (rtrim, trim, righttrim, etc.) to remove the domain name to leave me with only the name server, but not appear to work.

    Is there a way of Orchestrator to delete the domain name, or is there another function, I should use to get the short server name.

    Thank you

    server = hostname.substring(0, hostname.indexOf("."));
  • How can I get the full domain name host name

    I don't know that it should be easy enough, however I have not had much chance to figure it out myself.

    Basically, I have a simple script that gets all hosts in a cluster and renames the first datastore to ServerName_Boot; however, when I do this, I just can't find a way to truncate the FQDN to just the hostname. In this case my hostname IS exactly 14 characters, if it helps.

    Thanks in advance!

    You try to run the split on the host object, not the name itself.

    Just update it to: $Shortname = $VMHostname.Name.Split('.')[0]

  • Get the FULL domain name host name

    I'm trying to use Split() to reduce the FQDN down to the host name.

    For example:

    Get-VM | Select Name, @{N='ESXi host name'; E={$_.VMHost.Split(".")[0]}}

    For some reason my split function returns a blank instead of just the host name.

    Any ideas?

    Thank you!

    VMHost is an object, not a string. You must use:

    Get-VM | Select Name, @{N='ESXi host name'; E={$_.VMHost.Name.Split(".")[0]}}
