cancel
Showing results for 
Search instead for 
Did you mean: 

How to make 100% sure that hostname of NBU server wasn't changed

quebek
Moderator
Moderator
   VIP    Certified

Hello

I am about to inherit some NBU domains and wanted to make sure no one was playing around with hostname change on these NBU master servers.

I will for sure check the nbemmcmd -listhosts -verbose 

but is there anything else I can check to make sure this was not tampered - without VRTS consultancy services?? Please advise.

13 REPLIES 13

sdo
Moderator
Moderator
Partner    VIP    Certified

For any clients which leverage accelerator which may have also experienced a change in name of master server, then old "track" folders of the old / previous master server name may still exist on such clients - unless such folders have since been manually removed.

quebek
Moderator
Moderator
   VIP    Certified

Good point! But cannot be used - unfortunatelly all clients are being backed up to tape... :(

Anythnig else?

Marianne
Moderator
Moderator
Partner    VIP    Accredited Certified

@quebek 

If everything is working fine and NBU on the master server can be restarted without any issues, I won't even look further. 
If EMM_SERVER, and master name in NBU config matches local hostname, all should be fine.

You could possibly check server.log on the master (not sure how far back logging goes for this one). Check if hostname is the same right through. 

nbsu output on all servers may also help to perform your own health check on the system.

Another option could be to request NBAT assessment from you local Veritas SE. 

quebek
Moderator
Moderator
   VIP    Certified

Thank you @Marianne !

The problem is I know that this company was changing domain name and I do have feeling some of their master servers were affected due to that - and they did never done this using VRTS consultancy services - they were not aware that hostname change is not supported.... Now I am wondering if current NBU admins are not cheating, manipulating registry on these systems. So I came with an idea to audit this prior hand over - but I am not sure if nbemmcmd is the only thing I should have checked as I am not 100% positive this is enough. I would like to check whatever is possible to make sure that server hostname on NBU end was not tampered.

You could perform a DB unload to examine how the NBDB understands the master server hostname.

Also depending on version, looking at the host certificates and CA certificate may indicate the original hostname used to configure them.

quebek
Moderator
Moderator
   VIP    Certified

Hello

About certificates I did that yesterday -> nbcertcmd -listCACertDetails

there was one more to check the tomact Subject Alternative Names or so... Can you please remind me this cmd? it was vxsslcmd or something....

About db unload... good one will test it out.

For the tomcat - I never recall all the individual commands and just use the "nbcertcmd -listallcertificates" and look for the tomcat one.

quebek
Moderator
Moderator
   VIP    Certified

Hey

So I did unload and have now plenty of files... which one do show master server details?

root on hostname:/inst/dbunload $ ls
738.dat 749.dat 760.dat 771.dat 782.dat 793.dat 809.dat 820.dat 831.dat 842.dat 853.dat 865.dat 876.dat 887.dat 920.dat 931.dat 942.dat 953.dat 964.dat 992.dat
739.dat 750.dat 761.dat 772.dat 783.dat 794.dat 810.dat 821.dat 832.dat 843.dat 854.dat 866.dat 877.dat 888.dat 921.dat 932.dat 943.dat 954.dat 965.dat reload.sql
740.dat 751.dat 762.dat 773.dat 784.dat 795.dat 811.dat 822.dat 833.dat 844.dat 855.dat 867.dat 878.dat 889.dat 922.dat 933.dat 944.dat 955.dat 966.dat unload.log
741.dat 752.dat 763.dat 774.dat 785.dat 796.dat 812.dat 823.dat 834.dat 845.dat 856.dat 868.dat 879.dat 890.dat 923.dat 934.dat 945.dat 956.dat 967.dat
742.dat 753.dat 764.dat 775.dat 786.dat 797.dat 813.dat 824.dat 835.dat 846.dat 857.dat 869.dat 880.dat 891.dat 924.dat 935.dat 946.dat 957.dat 968.dat
743.dat 754.dat 765.dat 776.dat 787.dat 798.dat 814.dat 825.dat 836.dat 847.dat 858.dat 870.dat 881.dat 892.dat 925.dat 936.dat 947.dat 958.dat 969.dat
744.dat 755.dat 766.dat 777.dat 788.dat 799.dat 815.dat 826.dat 837.dat 848.dat 860.dat 871.dat 882.dat 915.dat 926.dat 937.dat 948.dat 959.dat 973.dat
745.dat 756.dat 767.dat 778.dat 789.dat 805.dat 816.dat 827.dat 838.dat 849.dat 861.dat 872.dat 883.dat 916.dat 927.dat 938.dat 949.dat 960.dat 974.dat
746.dat 757.dat 768.dat 779.dat 790.dat 806.dat 817.dat 828.dat 839.dat 850.dat 862.dat 873.dat 884.dat 917.dat 928.dat 939.dat 950.dat 961.dat 976.dat
747.dat 758.dat 769.dat 780.dat 791.dat 807.dat 818.dat 829.dat 840.dat 851.dat 863.dat 874.dat 885.dat 918.dat 929.dat 940.dat 951.dat 962.dat 977.dat
748.dat 759.dat 770.dat 781.dat 792.dat 808.dat 819.dat 830.dat 841.dat 852.dat 864.dat 875.dat 886.dat 919.dat 930.dat 941.dat 952.dat 963.dat 978.dat

You will need to look at the reload.sql file to see which file is used to load particular tables. I'd start by looking for the files that load these tables:
"EMM_MAIN"."EMM_Machine"
"EMM_MAIN"."EMM_Host" 

But in general search for the master server name (short) and see what FQDN's appear. 

quebek
Moderator
Moderator
   VIP    Certified

About CERTS I was reffering to these commands...

Windows:
"C:\Program Files\Veritas\NetBackup\jre\bin\keytool.exe" -list -v -keystore "C:\Program Files\Veritas\NetBackup\var\global\vxss\tomcatcreds\nbwebservice.jks" < "C:\Program Files\Veritas\NetBackup\var\global\jkskey" | findstr "until Owner"
"C:\Program Files\Veritas\NetBackup\jre\bin\keytool.exe" -list -v -keystore "C:\Program Files\Veritas\NetBackup\var\global\wsl\credentials\nbwebservice.jks" < "C:\Program Files\Veritas\NetBackup\var\global\jkskey" | findstr "until Owner"

UNIX/Linux:
/usr/openv/java/jre/bin/keytool -list -v -keystore /usr/openv/var/global/vxss/tomcatcreds/nbwebservice.jks < /usr/openv/var/global/jkskey | grep -e until -e Owner
/usr/openv/java/jre/bin/keytool -list -v -keystore /usr/openv/var/global/wsl/credentials/nbwebservice.jks < /usr/openv/var/global/jkskey | grep -e until -e Owner

taken from https://www.veritas.com/support/en_US/article.100043900

Mike_Gavrilov
Moderator
Moderator
Partner    VIP    Accredited Certified

If master server was installed using short name and admins are smart enough it isn't possible to get this information

quebek
Moderator
Moderator
   VIP    Certified

Hello Mike

But shortname is not an issue as the domain name change will not affect NBU, right? So I am only looking for NBU machines installed via FQDN and than this server changed AD domain (windows based OS)

Nonetheless thank you!

mph999
Level 6
Employee Accredited

You could install as shortname and then later add FQDN without an issue.

If the machine was installed as FQDN and then the domanin changed, NBU will now not be working - or put another way, if you change the hostname of the master, NBU will for 100% certain not work (with the exceprion of adding the FQDN to a shortname).

If NBU is working, the hostname didn't change ...   (unless it was done viia consulting/ catman tool).