[cisco-voip] CUCM DNS/CTL configuration - follow-up

Jason Burns burns.jason at gmail.com
Mon May 18 10:21:45 EDT 2015


Ed.

All changes that cause an ITL file to update, such as regenerating
certain certificates or changing host or domain names (which cause cert
regens themselves), cause an "Enterprise Phone Reset". Changing names
(certs) on multiple CUCM servers causes multiple enterprise resets. This
is by design to stop people from locking themselves out of their ITL.
The enterprise phone resets cause the phones to go get the new ITL file
and new certificates when there is a change, preventing the accidental
case where all valid certs in the ITL on the phone no longer exist on
the servers. I think this was an 8.6 enhancement.

Second, yeah - the certs have been shipped around by the Certificate
Replication service or a similarly named service for quite some time. Run
"utils service list" and you'll see it in there. This makes sure all
nodes in the cluster share their trust certs with each other.

--
Burns


On 05/17/2015 10:06 AM, Ed Leatherman wrote:
> Good morning,
> 
> This morning I enabled DNS servers, domain name on our CUCM Cluster,
> which involved regenerating all the certs on the cluster. Note I have
> cluster mixed mode. Everything appears to have gone smoothly, but I had
> 2 odd things happen that I did not expect... tossing them out here in
> case it helps someone else, or if someone has commentary on "why" :)
> 
> Reference: CUCM v9.1, mixed mode, never had DNS servers or domain set
> before.
> 
> - After setting primary, secondary DNS and domain name, and the
> subsequent reboot on each node ALL my phones on the cluster restarted or
> at least re-registered each time, even for phones that do not use that
> node as a CM. Is this CM process restarting everywhere each time or ? I
> didn't think to check runtime on the CM process while I was working.
> 
> - I expected to have to import tomcat certificates back and forth to the
> publisher at each node once the certs were regenerated, as this was
> necessary in the past. Apparently now they automagically download them
> from each other? I went in to do it and the tomcat-trust was already
> there with the new domain name.
> 
> Cheers!
> 
> Ed
> 
> -- 
> Ed Leatherman