currently we are migrating our windows clients. We migrate our servers Windows 2008 and 20012 to Windows 2016. In the past, we made a migration to windows 2016 and I know we had problems with the token. We had to do a reissu token. Is there a way that the administrator of the Windows server can do everything without calling me. I would not want to do a reissu token with every server migration. I tried to find some documentation about this but find nothing.
AFAIK there is no way around this... because as soon as NetBackup certificate management becomes aware of a client name, then that client can never be removed from certificate management - and any and all client names that are ever "learned" are remembered forever, and can only ever be in a state of authorised, blocked, or revoked. When blocked or revoked the only way to re-authorise a client is to use a re-issue token.
I'm also hoping that I am wrong, and that someone else can explain how there is a way of making handling this process a bit easier.
if acceptable for you, use Medium Security Level instead of High (Global Security Settings). With this setting clients (even new) should not ask for tokens.
If your NetBackup master server version is 8.1.2 or greater, then you could also look into providing the Windows admins WebUI access to generate the tokens they require. With RBAC, you should be able to restrict their level of access to prevent them playing where they should not.
If this is an option - have a look at the WebUI Security admin Guide.