Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Security and Encryption Guide
  3. Section II. Encryption of data-in-transit
  4. NetBackup CA and NetBackup certificates
  5. About host management
  6. Decommission a client
NetBackup™ Security and Encryption Guide

Decommission a client

This operation is applicable only for NetBackup clients.

To decommission a host with special roles like media server, remote primary server, or Flex WORM storage server, you should first downgrade its role and then decommission the host.

When you decommission a client, NetBackup removes the client from the domain by revoking its identity. It resets the host's communication status and other attributes like Operating System version, NetBackup machine type and so on for that client. Primary servers and media servers from the same domain cannot communicate with the decommissioned client.

Review the following notes before decommissioning a client host:

  • If the specified client is configured with NetBackup certificate, the associated certificates are revoked.

  • If the specified client is configured with external certificate, its enrollment is removed.

  • You should remove the client that needs to be decommissioned from the policies and protection plan, and expire the associated images of that client.

  • Alternatively, you can use the -force option to decommission the client irrespective of the associated policies or images. With the -force option, you do not need to delete the data.

A user with the following RBAC roles can decommission a host:

  • NetBackup Administrator

  • Default Security Administrator

  • A custom role with the 'Decommission host' permission

To decommission a client using the NetBackup web UI

  1. On the left, select Security > Host mappings.
  2. Locate the host and click Actions > Decommission client.
  3. Enter the reason to decommission the client.
Decommission a client using RESTful APIs

To decommission a client, use the following API: POST - /config/hosts/{hostId}/decommission

To list decommissioned clients, use the following API: GET - /config/hosts

Use the filter 'decommissionedDateTime'

Decommission a client using the command-line interface

To decommission a client using command-line interface

  • Run the following command:

    nbhostmgmt {{-dh | -decommissionhost} {{-i | -hostid} <hostid> | {-n | -host} <host>} {{-r | -reason} "<reason>"} [-f | -force] [{-j | -json} | { -jc | -json_compact}]

Recommission a client

If you want to recommission a previously decommissioned client with host ID-based (NBCA) certificate, provision a new certificate on that client host.

To recommission a client with NetBackup certificate

  • Run the following command on the client:

    Install_Path/bin/nbcertcmd -getCertificate -reissue -token value -force

To recommission a client with external certificate

  • Run the following command on the client:

    Install_Path/bin/nbcertcmd -enrollCertificate -force

After a client is recommissioned, restart the NetBackup services on the client host or run the following command:

Install_Path/bin/nbhostdbcmd -update -force

Feedback

Was this page helpful?
Previous

Resetting NetBackup host attributes

Next

Allowing or disallowing automatic certificate reissue

Feedback

Was this page helpful?