How to add an existing NetBackup client to another NetBackup domain, or change the default master server

Article: 100016717
Last Published: 2022-12-14
Product(s): NetBackup

Problem

This article will describe how to add an existing NetBackup client to a new NetBackup domain, or change the default master server, or remove the client from a domain in the event the NetBackup domain structure changes.

Solution

Depending on operational needs, a NetBackup client may need to be added to an additional domain, or moved to a new domain, or temporarily removed from any domains.  Use one or more of these sections below.
  • Creating a multi-domain NetBackup Client by adding it to another NetBackup domain
  • Changing the Default Primary Server for a NetBackup Client
  • Removing a NetBackup Client from a NetBackup domain
     

Creating a multi-domain NetBackup Client by adding it to another NetBackup domain

Use this procedure to establish communications between an existing NetBackup client host and the NetBackup server hosts in an additional NetBackup domain.  Make sure this is successful before removing connectivity with NetBackup servers in the current domain.

  1. On the new primary server, make sure the hostname for the client is resolvable by name services.

    bpclntcmd -hn <client>
     
  2. On the new primary server, add the client to one or more backup policies, preferably inactive until the client is operational.  The client name used in the policy is the network hostname that the NetBackup servers will use to connect to the client.
     
  3. On the new media servers, confirm there is network connectivity to the client.  TCP Port 1556 should be open and network routable to the client. 

    Make a note of the source and destination IP addresses used for the connections.  They will be verified on the client in steps 4 and 5.
     
  4. On the client host, verify hostname resolution for all local IP addresses that will be used to communicate with the NetBackup servers.  Update the hosts file if necessary, and make sure name services will read the hosts file.

    If the host has multiple network interfaces, the new domain may be using one that was previously unused.

    bpclntcmd -ip <local_ip_address>
    ... repeat for each local IP address used by NetBackup ...

     
  5. On the client host, verify the hostname resolution for all IP addresses on the new primary and media servers that will be used to connect to the client host.  Update name services for any that do not resolve.

    bpclntcmd -ip <server_ip_address>
    ... repeat for each remote IP address connecting to the client host ...


    Make a note of the resolved hostnames.  They are needed in step 7.
     
  6. On the client host, confirm there is network connectivity to the new domain.  TCP Port 1556 must be open and network routable either to the new primary server or to one of the new media servers.
     
  7. On the client host, update the servers list to include the new domain.  Do not remove any servers yet.

    From the Windows Backup, Archive and Restore (BAR GUI) interface:
    * Go to File > Specify NetBackup machines and policy type.
    * Add the primary and media servers for the new domain.

    From the Java Backup, Archive, and Restore (Java GUI) interface:
    * Go to Actions > Specify NetBackup Machines and Policy Type.
    * Edit Server List.
    * Add the primary and media servers for the new domain.

    From the command line:
    * Capture the current servers list to a file:
    * Edit the file and add a SERVER entry for the new primary server.
    * Edit the file and add MEDIA_SERVER entries for any new media servers.
    * Review the file contents to make sure it is correct.
    * Replace the current configuration with the updated file contents.

    nbgetconfig SERVER > servers-list.tmp
    nbgetconfig MEDIA_SERVER >> servers-list.tmp
    ... edit servers-list.tmp ...
    nbsetconfig < servers-list.tmp


    Note: The hostnames added to the servers list should be those to which name services on the client host resolve the source IP addresses from which the server hosts connect to the client.  These are the names by which the client O/S knows the new servers.

    Note: The servers list update could also be performed from the Host Properties of the original primary server if it has connectivity to the client host.
     
  8. On NetBackup 8.1+ client hosts, fetch needed secure comms items from the new primary server.  The target -server is the network hostname by which the client can connect to the new primary server.

    * The CA certificate for the new domain.
    * A Host ID certificate and CRL for the new domain.  A token may be needed depending on the global security level of the new domain.

    nbcertcmd -getCertificate -server <new_primary_server> [-token <tokenvalue>]
    nbcertcmd -getCACertificate -server <new_primary_server>

     
  9. Test communications from the new primary server and/or new media servers to the client.

    bptestbpcd -client <client>
     
  10. Review the section below: Changing the Default Primary Server for a NetBackup Client.
     
  11. Review the section below: Removing a NetBackup Client from a NetBackup domain.
 

Changing the Default Primary Server for a NetBackup Client

Every NetBackup client has a default primary server: the first one in the servers list.  This hostname is the default target for operations initiated from the client host when the user does not explicitly specify a target server, such as client-initiated backup, list, and restore.  The default primary server also receives discovery updates from the client.

Use this procedure if the NetBackup client host should use the new primary server as the default instead of the original primary server.  Keep in mind that any backup scripts on the client that previously specified the original primary server will also need to be updated to reference the new primary server, unless those backups should continue to go to the original primary server.

  1. From a command prompt, capture the current servers list to a file.

    nbgetconfig SERVER > servers-list.tmp
     
  2. Edit the file and move the desired primary server to the top of the file. 

    This should be the same hostname that was previously used by 'nbcertcmd -getCertificate' to fetch the Host ID certificate for that domain.  It will match the "serverName" in the appropriate stanza of the certmapinfo.json file.

    Linux/UNIX: /usr/openv/var/vxss/certmapinfo.json
    Windows: <install>\NetBackup\var\vxss\certmapinfo.json
     
  3. Review the file contents to make sure it is correct.
     
  4. Replace the current configuration with the updated file contents.

    nbsetconfig < servers-list.tmp

    Note: The servers list update could also be performed from the Host Properties of any primary server that has connectivity to the client host.
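
The "review the file contents" steps (step 7 of the multi-domain procedure and steps 2-3 above) can be scripted before running nbsetconfig. The following is an added example, not Veritas code: the function names and example.com hostnames are hypothetical, and it assumes nbgetconfig writes one "SERVER = host" or "MEDIA_SERVER = host" entry per line.

```sh
#!/bin/sh
# Added example (not Veritas code). Assumes nbgetconfig writes one
# "SERVER = host" or "MEDIA_SERVER = host" entry per line.

# Print normalized "KEY host" pairs (lowercased host) in file order.
list_entries() {
    awk -F= '{
        key = $1; host = $2
        gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", host)
        if ((key == "SERVER" || key == "MEDIA_SERVER") && host != "")
            print key, tolower(host)
    }' "$1"
}

# The default primary server is the first SERVER entry in the list.
default_primary() {
    list_entries "$1" | awk '$1 == "SERVER" { print $2; exit }'
}

# check_servers_list BEFORE AFTER EXPECTED_DEFAULT
# Returns 0 only if AFTER keeps every entry from BEFORE, has no duplicate
# entries, and lists EXPECTED_DEFAULT as its first SERVER.
check_servers_list() {
    before=$1; after=$2
    want=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    rc=0
    missing=$(list_entries "$before" | while read -r key host; do
        list_entries "$after" | grep -qxF "$key $host" || echo "$key=$host"
    done)
    dupes=$(list_entries "$after" | sort | uniq -d)
    got=$(default_primary "$after")
    [ -z "$missing" ] || { echo "removed entries:" $missing >&2; rc=1; }
    [ -z "$dupes" ] || { echo "duplicate entries: $dupes" >&2; rc=1; }
    [ "$got" = "$want" ] || { echo "default primary is '$got', expected '$want'" >&2; rc=1; }
    return $rc
}

# Constructed sample: the original capture, then the edited file with the
# new primary moved to the top and a new media server appended.
demo_dir=$(mktemp -d)
printf 'SERVER = old-primary.example.com\nMEDIA_SERVER = old-media.example.com\n' > "$demo_dir/before"
printf 'SERVER = new-primary.example.com\nSERVER = old-primary.example.com\nMEDIA_SERVER = old-media.example.com\nMEDIA_SERVER = new-media.example.com\n' > "$demo_dir/after"
check_servers_list "$demo_dir/before" "$demo_dir/after" new-primary.example.com \
    && echo "servers list OK"
rm -rf "$demo_dir"
```

Keep an untouched copy of the nbgetconfig capture as BEFORE and pass the edited servers-list.tmp as AFTER; when only adding a domain, pass the current default primary as EXPECTED_DEFAULT.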

 

Removing a NetBackup Client from a NetBackup domain

Use this procedure to remove a NetBackup client host from a NetBackup domain.  This prevents unexpected communications between the client and the server hosts, which may otherwise consume bandwidth and other resources.

Part A

Prevent the primary server from starting jobs for the client and update the certificate revocation list so that other hosts in the domain will reject communication attempts using the certificate that was previously issued to the client.

  1. On the old primary server, remove the client from all policies (backup, deployment, etc.).
     
  2. On the old primary server, revoke the certificate for the client host.

    Security Management
    Certificate Management
    ... select Host/certificate ...
    Revoke Certificate

Part B

Ensure the nbdisco and bpcd services on the client are no longer attempting to contact the previous primary server.

Part B - Option 1

If the client is no longer going to be using NetBackup, stop the NetBackup processes on the client and then uninstall the NetBackup client software.  The software can be reinstalled if the host is later added to a new NetBackup domain.

Part B - Option 2

If the client is part of another NetBackup domain, then remove the configuration settings for the old domain to prevent spurious communication attempts to those servers.

  1. On the client, prevent services from even accepting connections from the old servers by pruning the servers list.

    From the Windows Backup, Archive and Restore (BAR GUI) interface:
    * Go to File > Specify NetBackup machines and policy type.
    * Remove the primary and media servers for the old domain.

    From the Java Backup, Archive, and Restore (Java GUI) interface:
    * Go to Actions > Specify NetBackup Machines and Policy Type.
    * Edit Server List.
    * Remove the primary and media servers for the old domain.

    From the command line:
    * Capture the current servers list to a file:
    * Edit the file and delete the SERVER entry for the old primary server.
    * Edit the file and delete MEDIA_SERVER entries for any old media servers.
    * Review the file contents to make sure it is correct.
    * Replace the current configuration with the updated file contents.

    nbgetconfig SERVER > servers-list.tmp
    nbgetconfig MEDIA_SERVER >> servers-list.tmp
    ... edit servers-list.tmp ...
    nbsetconfig < servers-list.tmp


    Note: The servers list update could also be performed from the Host Properties of any/new primary server that has connectivity to the client host.
     
  2. On the client, list all Host ID certificates and note the Host ID of the one from the old primary server.

    nbcertcmd -listCertDetails
     
  3. On the client, delete the certificate for that Host ID.

    nbcertcmd -deleteCertificate -hostId <hostID>
     
  4. On the client, list all CA certificates and note the fingerprint of the one from the old primary server.

    nbcertcmd -listCACertDetails

    This information is retrieved from the local configuration on the client that needs to be pruned.  Do not use -displayCACertDetail: it requires connectivity to, and returns information only from, nbwmc on the default (or -server specified) primary server, which may or may not have a fingerprint that matches the local CA certificate to be removed.
     
  5. On the client, remove the CA certificate for that fingerprint.

    nbcertcmd -removeCACertificate -fingerPrint <fingerprint>

 
