<div dir="ltr"><div>Phone config files are signed by the CallManager.pem from the node serving up the files.</div><div><br></div>Phones with SBD using ITLs will be able to authenticate the new certificates right away using TVS. I would just make sure the phones get the new ITL before moving on to the next node.<div><br></div><div>For phones only using CTLs, they are not going to trust config files until the CTL client is re-run, TFTP service restarted, and new CTL downloaded. The phones are probably fine to use the cached configs for a little bit until you finish the whole cluster and run the CTL client once assuming you're doing it all in one window.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 26, 2015 at 11:34 AM, Ed Leatherman <span dir="ltr">&lt;<a href="mailto:ealeatherman@gmail.com" target="_blank">ealeatherman@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Sorry for resurrecting this old thread, now that I have some spare cycles to devote to this I wanted to follow up about it.<div><br></div><div>- The node names are not changing, just adding DNS servers and domain name to each node</div><div><br></div><div>- Call Manager servers are defined by IP address, and IPs are also not changing.</div><div><br></div><div>- With respect to database replication, it seems configuring DNS and setting a domain name should take care of itself just with rebooting each node one at a time</div><div><br></div><div>- Production cluster is mixed-mode security. Currently no domain name is set up, and in the certificates this is reflected in the CN.
On my test cluster, which already has DNS and a domain name configured, I see that the CN has the domain as part of it - so when I add a domain name to my production cluster all the certs will need to be regenerated, requiring a CTL update</div><div><br></div><div>My initial thoughts on this were just to update the DNS info and reboot one at a time on each node (pub first), letting dbrep settle down between reboots, and then run the CTL client to update that, then restart CM and TFTP services on each node.</div><div><br></div><div>So, do I just need to do one CTL update after I have made the change and rebooted all my nodes, or will I have to update the CTL after each reboot? I'm picturing in my head getting halfway into the process and having phones unable to pull config files until I update the CTL at the end, but does TVS take care of this interim case?</div><div><br></div><div>Thanks!!</div><div>Ed</div><div><br></div><div><br></div><div><br><div><br></div></div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Mon, Aug 11, 2014 at 9:43 AM, Ryan Ratliff (rratliff) <span dir="ltr">&lt;<a href="mailto:rratliff@cisco.com" target="_blank">rratliff@cisco.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><span>
<blockquote type="cite">Kind of makes me want to enable mixed-mode on the 2nd cluster.</blockquote>
<br></span>
If you've got the eTokens handy then it will certainly make your life a lot easier when it comes to SBD and endpoints.
<div><br>
<div>-Ryan </div>
<br>
<div><span>
<div>On Aug 11, 2014, at 8:41 AM, Ed Leatherman &lt;<a href="mailto:ealeatherman@gmail.com" target="_blank">ealeatherman@gmail.com</a>&gt; wrote:</div>
<br>
</span><div><span>
<div dir="ltr">Thanks Matt,
<div><br>
</div>
<div>So it sounds like purely from a database replication perspective enabling DNS by itself isn't an issue.</div>
<div><br>
</div>
<div>If I do need to change the domain or hostnames on the cluster then it becomes a certificate operation of some variety depending on the security state of the particular cluster - in addition to minding replication. Kind of makes me want to enable mixed-mode
on the 2nd cluster.</div>
<div><br>
</div>
<div>Thanks!</div>
<div><br>
Ed</div>
</div>
</span><div class="gmail_extra"><br>
<br>
<div class="gmail_quote"><span>On Mon, Aug 11, 2014 at 8:19 AM, Matthew Loraditch <span dir="ltr">
&lt;<a href="mailto:MLoraditch@heliontechnologies.com" target="_blank">MLoraditch@heliontechnologies.com</a>&gt;</span> wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div><span>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="https://supportforums.cisco.com/document/68701/communications-manager-security-default-and-itl-operation-and-troubleshooting#Changing_Host_Names_or_Domain_Names" target="_blank">https://supportforums.cisco.com/document/68701/communications-manager-security-default-and-itl-operation-and-troubleshooting#Changing_Host_Names_or_Domain_Names</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Take a look there, pretty much covers every scenario, I just did a multi-node with ITL only for the same reasons as you and it worked like a charm.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Rebuild definitely not necessary.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
</span><span>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA<u></u><u></u></span></p>
</span><span>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> cisco-voip [mailto:<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>]
<b>On Behalf Of </b>Ed Leatherman<br>
<b>Sent:</b> Monday, August 11, 2014 8:00 AM<br>
<b>To:</b> Cisco VOIP<br>
<b>Subject:</b> [cisco-voip] Question about enabling DNS on CUCM cluster(s)<u></u><u></u></span></p>
<div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Good morning!<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Was hoping someone with a little more experience on the jabber/collab edge side could point me in the right direction here.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I have 2 CUCM clusters that I am researching configuring jabber and/or collab edge for. Up till now I've never had a need for DNS resolution on either. One of them has been operational since version 3 dot something and back then it
seemed the recommendation to stay away from DNS in general on CUCM unless there was a good reason otherwise.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I see there are just a few commands to enable it and set up servers etc - are there any gotchas with database replication or security that I need to be aware of? I don't plan on changing the hostname of the servers themselves or their IP
addresses.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">The old cluster has CTLs/USB tokens. The "slightly" newer cluster is just running in security-by-default mode. Both clusters are @ version 9.1.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">My research thus far seems to say turning DNS up on earlier versions of CUCM required rebuilds but seems to not be the case now, but I haven't turned up anything in the official docs. I have a TAC case open to ask about it but I'm still
at the explain DNS and what my business case is stage ;)<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Appreciate any tips!<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Ed<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">-- <br>
Ed Leatherman<u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</span></div><span><font color="#888888">
</font></span></div><span><font color="#888888">
</font></span></blockquote><span><font color="#888888">
</font></span></div><span><font color="#888888">
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Ed Leatherman<br>
</font></span></div><span><font color="#888888">
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
</font></span></div>
</div>
<br>
</div>
</div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br><div>Ed Leatherman<br></div>
</font></span></div>
<br></blockquote></div><br></div>