Halfway through our ISE pre-production testing, it was decided to move all of the nodes into a new sub-domain. Moving the PSN and secondary Administration node was simply a case of de-registering and re-adding the nodes.
From notes I had read online, it was not possible to do the same with the Primary Administration node, and it was not recommended by Cisco. See below for how to do it.
Excuse the License Violation warning; I had dabbled with some ‘My Devices’ config. It was removed long ago, but ISE has never forgotten and moans at me on a daily basis!
1. Log into the current secondary (ise-adm2): System → Deployment → General Settings → ‘Promote to Primary’
2. Confirm the dialog box warning about the Administration node reboot
3. Log into the current Primary Administration node just to sanity-check the pre-reboot statuses of the nodes.
4. 10 minutes later, log into the new Primary Administration node and confirm status:
5. Select the old Primary Administration node and click ‘Deregister’. This will allow us to change the domain name via the CLI.
6. Log onto the old Primary Administration node once it has rebooted. It will start moaning about a licence violation and that you are running an evaluation licence. Confirm that it has a Standalone role:
7. Now log onto the old Primary, change its domain name and let services restart:
8. Take the public SSL certificate from the Primary Administration node and install it on the Secondary Administration node
9. Remove the previously installed ise-adm1 SSL certificates from ise-adm2. Take the Primary Administration node SSL certificate and install it as a Trusted Certificate on the Secondary Administration node, ensuring that ‘Trust for authentication within ISE’ is checked:
10. Now, from the new Primary Administration node (ise-adm2), register the old Primary Administration node (ise-adm1):
    Looking good. Make sure to un-check the ‘Policy Service’ check box:
11. ise-adm1: Node Status ‘In progress…’
12. As a final courtesy, select ise-adm1 and click the ‘Syncup’ button:
13. Once ise-adm1 has rebooted, it is time to make it the Primary Administration node:
14. ise-adm1 is now the Primary Administration node using the new sub-domain.