Recovery

In the Event of a True Disaster

Important: If this is a true disaster, and the original NMC is no longer available, proceed immediately to “Installing the Nasuni Management Console Software” on page 7.

Warning: Do not attempt to restore from a virtual machine snapshot or backup.

General Introduction

Warning: If you ever need to transition from one hypervisor platform to a different hypervisor platform, DO NOT use any of the migration tools of either hypervisor platform. Instead, perform a recovery procedure, using the new hypervisor platform as the destination.

There are a number of reasons for performing a recovery:

Hardware failures.
Software failures.
Power outages.
Human error.
Changing storage platforms.
Moving data around the world.
True natural disaster.

Performing a recovery procedure on the Nasuni Management Console does not affect any of your Nasuni Edge Appliances or access to your data.

Before Recovering the Nasuni Management Console

This section explains procedures before recovering the Nasuni Management Console. Before recovering the Nasuni Management Console, follow these steps:

Safeguard at least one of the encryption keys for the Nasuni Management Console. See “Encryption Keys” on page 26.
Obtain the serial number and authorization code for the Nasuni Management Console. You use these in step 6. If you have the credentials to log in to your Nasuni.com account (https://account.nasuni.com/account/login/), you can obtain the serial number and authorization code there. If you don’t have these credentials, obtain the serial number and authorization code from the person who has the credentials.
Important: Authorization codes (also called “Auth codes”) are intended for a single use, and are not permanent. Authorization codes change if the associated serial number is used successfully, if the authorization code is refreshed via the NMC (Account Status --> Serial Numbers, then click Refresh), and if the authorization code is regenerated via the NOC (visit https://account.nasuni.com/account/serial_numbers/, then click show, then click regen).
Important:
Note: You can perform the recovery process to the same version of the software that you were running, or to a newer version than you were running, but not to an older version.
Because Native Users and Groups are lost when recovering the NMC, Nasuni recommends using Active Directory users and groups rather than Native Users and Groups. If Native Users and Groups are used, Nasuni recommends documenting Native Users and Groups before recovering, so that they can be manually recreated after recovery.

Installing the Nasuni Management Console Software

The Nasuni Management Console runs as a virtual appliance on your network and is distributed as a downloadable image. You need to register on the Nasuni Web site for a user account and password to access the download page.

Note: You can perform the recovery process to the same version of the software that you were running, or to a newer version than you were running, but not to an older version.

Note: Downloading and executing the installation program for the virtual appliance is contingent upon the virtual platform you are using.

Important: When using virtual machine Edge Appliances or NMCs, Nasuni recommends running under a hypervisor that is still supported by its vendor. If a customer runs an Edge Appliance or NMC on an unsupported hypervisor version, a warning is logged at boot time. The warning is of the form:
“Nasuni recommends running the Management Console on ESX 7.0 or later.”

To download the Nasuni Management Console software from the Nasuni Web site, follow these steps:

Using your Web browser, log in to your Nasuni account at https://account.nasuni.com/account/ Click Downloads. The Downloads page appears.
Figure 4-1: Downloads page.
Select the appropriate format for your virtual environment from these choices:
- AMAZON EC2: Scroll down to the “Appliance AMIs on EC2” area, and follow the instructions to continue installation using appliance AMIs.
- AZURE FORMAT: A .vhd file, appropriate for Microsoft Azure environments.
- GOOGLE CLOUD FORMAT: A disk.raw file contained in a .tar.gz file, appropriate for Google Cloud environments.
- HYPER-V FORMAT: Hyper-V format is appropriate for Microsoft Hyper-V environments: versions 2019 and later.
- NUTANIX FORMAT: A .qcow2 file appropriate for Nutanix AHV environments.
- SCALE FORMAT: A file appropriate for Scale HyperCore environments.
- OVF FORMAT: OVF format is appropriate for VMware ESXi 7.0 and above environments.
From the drop-down list, select an available release for the Nasuni Management Console. The list of available releases can change.
Figure 4-2: Sample release drop-down list.
Important: When performing a recovery procedure, unsupported upgrade paths are blocked. If so, the error message displayed during the procedure might incorrectly state that you are attempting to update to an older version. To avoid this issue, before beginning the recovery process, deploy a Nasuni version that corresponds to the major version of the source appliance.
For all supported update paths, see Compatibility and Support. In summary:
- Edge Appliance update paths:
  9.12.x → 9.15.4 → 10.0
- NMC update paths:
  23.1.2 → 23.2.x → 24.1.6 → 25.1
Note: If you are running a recovery procedure, select the same version family as your existing Nasuni Management Console to ensure software compatibility. For example, if the existing Nasuni Management Console is running version 21.1, you could select version 21.2 (which is in the same 21.1.x version family), but not version 22.1 (which is in a different version family). If you need to use a different version than those offered, contact Nasuni Customer Support.”
Tip: For update paths, see Compatibility and Support.
Note: You can perform the Recovery process to the same version of the software that you were running, or to a newer version than you were running, but not to an older version.
Note: If you already have the software installation file, you do not have to download it again.
However, the software installation file must not be older than the version you are recovering.
Unzip the Nasuni Management Console software .zip file.
To install the Nasuni Management Console into VMware ESXi, use the vSphere Client to deploy the NasuniNMC.ovf OVF template file. Power on the new Nasuni Management Console virtual machine. Click the Console tab.
Alternatively, to install the Nasuni Management Console into Microsoft Hyper-V, use the Hyper- V Manager to import the virtual machine. Start the new Nasuni Management Console virtual machine. Right-click the Nasuni Management Console virtual machine, and select Connect from the drop-down menu.
Alternatively, to install the Nasuni Management Console into Nutanix AHV, use the Prism Web Console to import the virtual machine. Start the new Nasuni Management Console virtual machine. Right-click the Nasuni Management Console virtual machine, and select Power On from the drop-down menu. Unlike the installation of the Nasuni Edge Appliance, the installation of the Nasuni Management Console requires only one virtual disk.
The Nasuni Management Console screen appears with a plain white bar on the bottom that indicates the progress of the installation.
Figure 4-3: Nasuni Management Console installation progress screen.
After a few moments, the Nasuni Management Console console screen appears.
Figure 4-4: Nasuni Management Console console screen.
If DHCP is available on the network, make note of the IP address that appears on the console screen.
If DHCP is not available, log into the console service screen by pressing Enter and signing in. The default login username is service, and the default password is service. Enter editnetwork. Enter the command: setall static. Enter a new IP address. Note the IP address.
Note: For security, use the changepassword command to change the password for the service console.
Note: For more information on console commands, see the Nasuni Edge Appliance Initial Configuration Guide.
Make note of the initial IP address of your Nasuni Management Console.

Recovering the Nasuni Management Console

This section explains how to recover the Nasuni Management Console in the event of a disaster or planned transition.

Important: Edge Appliances and the NMC must be configured with operational DNS servers and a time server (internal or external) within your environment.

Important: The following settings, if configured, are not retained after the NMC Recovery procedure. You should record your settings so that you can reconfigure these settings after the NMC Recovery procedure.
Escrow passphrase.
Automatic Software Updates.
Time Zone settings.
NTP Time Server settings.

Tip: To access the NEA or NMC appliance using the serial console, instead of using the IP address obtained when installing the appliance, follow one of these procedures:
If the appliance is running on Amazon EC2, see instructions in EC2 Serial Console for Linux instances.
If the appliance is running on Google Cloud, see instructions in Troubleshooting using the serial console.
If the appliance is running on Microsoft Azure, see instructions in Azure Serial Console.
All supported hypervisors include a serial console that works with Nasuni. For other hypervisors, consult your vendor’s documentation for connection instructions.

To recover the Nasuni Management Console, follow these steps:

After you obtain the initial IP address, open the specific URL to continue. The Install Wizard — Network Configuration page appears.
Figure 4-5: Install Wizard — Network Configuration page.
1. In the Hostname box, a default hostname for the Nasuni Management Console appears. You can accept the default hostname or change it to a customized hostname. The name that you enter is the name you provide to users so they can access the Nasuni Management Console. You can use ASCII letters a through z, digits 0 through 9, and hyphens.
  Note: The Nasuni Management Console attempts to register the hostname in the DNS server, so that users can access this host by name.
  To change this name later, see the Nasuni Management Console Guide.
2. From the Network Type drop-down list, select either Static or DHCP.
  Important: Edge Appliances and the NMC must be configured with operational DNS servers and a time server (internal or external) within your environment.
  If you select DHCP (Dynamic Host Configuration Protocol), the IP Address, Netmask, Default Gateway, and MTU Value fields become unavailable.
  If you select Static, you must provide Network Device Settings and System Settings. See your IT administrator for assistance.
  If you select Static as a source, enter the following information:
  - Enter the static IP address in the IP Address text box.
  - Enter a netmask address in the Netmask text box.
  - Enter a default gateway address in the Default Gateway text box. The gateway address must match a subnet of a defined static network.
  - Enter the MTU value in the MTU Value text box. MTU settings above 1500 are supported.
  The maximum transmission unit (MTU) is the size (in bytes) of the largest protocol data unit that the layer can pass onwards. A larger MTU brings greater efficiency, because each packet carries more user data while protocol overheads, such as headers, remain fixed; the resulting higher efficiency means a slight improvement in the bulk protocol throughput. A larger MTU also means processing fewer packets for the same amount of data. However, large packets can occupy a slow link for some time, causing greater delays to following packets, and increasing lag and minimum latency.
3. In the System Settings area:
  If you selected DHCP (Dynamic Host Configuration Protocol), the Search Domain, Primary DNS Server, and Secondary DNS Server fields become unavailable.
  If you select Static as a source, enter the following information:
  - Enter one or more local search domains in the Search Domain text box. If you enter multiple search domains, make sure you include a space between each entry. You must enter valid hostnames.
    You can use search domains to avoid typing the complete address of domains that you use frequently. The search domains that you enter are automatically appended to names that you specify for purposes such as Active Directory configuration, data migration sources, HTTPS proxy, and NTP server. For example, if you specify the search domain “mycompany.com”, then typing “server1” for one of these purposes would connect to “server1.mycompany.com”.
    Note: There are no search domains for LDAP.
  - Enter the IP address for your primary DNS server in the Primary DNS server text box. You must enter a valid hostname or IP address.
  - Enter the IP address for your secondary DNS server in the Secondary DNS server text box (if applicable). You must enter a valid hostname or IP address.
4. Click Continue to proceed.
The Install Wizard — Proxy Network Configuration page appears.
Figure 4-6: Install Wizard — Proxy Network Configuration page.
1. To enable proxy support, click Proxy Support: On (enabled) or Off (disabled).
2. In the Proxy Server text box, enter the hostname or IP address of a host running an HTTPS proxy.
3. In the Port text box, enter the port number used by the HTTPS proxy server.
4. Optionally, enter a valid username (case-sensitive) as configured by the proxy server in the
  User Name text box and the password (case-sensitive) in the Password text box.
  Caution: The Password cannot include the symbols “/” (slash) and “#” (pound sign).
5. Optionally, in the Do Not Proxy text box, enter a list of hostnames or IP addresses not to proxy (one per line).
6. Click Continue. To return to the previous page to change parameters, click Back.
The Install Wizard — Review Network Settings page appears.
Figure 4-7: Install Wizard — Review Network Settings page.
To accept the network settings, click Continue. return to the previous page to change parameters, click Back.
The Reconfiguring Network Settings page appears.
Figure 4-8: Configuring Network Settings page.
The “Terms of Service and License Agreement” page appears.
Figure 4-9: “Terms of Service and License Agreement” page.
You can print or download a copy of the Terms of Service and License Agreement by clicking the appropriate icon.
Select “I accept the Terms of Service”, then click Continue.
The Install Wizard — Authorization page appears.
Figure 4-10: Install Wizard — Authorization page.
Enter the NMC Serial Number and Authorization code, found under the Account section of ww w.nasuni.com. Click Continue to proceed.
Important: Authorization codes (also called “Auth codes”) are intended for a single use, and are not permanent. Authorization codes change if the associated serial number is used successfully, if the authorization code is refreshed via the NMC (Account Status --> Serial Numbers, then click Refresh), and if the authorization code is regenerated via the NOC (visit https://account.nasuni.com/account/serial_numbers/, then click show, then click regen).
Important:
The Install Wizard — Confirm NMC Recovery page appears.
Figure 4-11: Install Wizard — Confirm NMC Recovery page.
Note: If the “Confirm New NMC” page appears instead of the “Confirm NMC Recovery” page, contact Nasuni Technical Support.
Enter “Perform Disaster Recovery” in the Confirmation text box, then click Continue to proceed.
The Install Wizard — Disaster Recovery page appears.
Figure 4-12: Install Wizard — Disaster Recovery page.
Note: Only one of the NMC encryption keys is necessary for this step.
- If you escrowed any of your encryption keys (including the backup key) with Nasuni, and you intend to use your escrow passphrase to de-escrow your escrowed encryption keys, perform the following steps:
  1. Select “Yes - Escrow Passphrase” from the drop-down list.
    Tip: You can select Yes even if you also have non-escrowed encryption keys, which you provide separately.
    Tip: For details about the escrow passphrase, see “NMC Escrow Passphrase” on page 32.
  2. The Escrow Passphrase text box becomes available.
    Figure 4-13 : Escrow Passphrase text box.
  3. If you set an encryption key escrow passphrase and you have the passphrase, enter the passphrase.
    Alternatively, if you do not have an encryption key escrow passphrase available: Contact Nasuni Support to verify your identity and obtain your one-time-use recovery key. Then perform step 8 on page 18 again.
  4. Click Continue.
  5. Continue with step 10 on page 21.
    Important: If you have previously escrowed your encryption keys with Nasuni, and you use these escrowed encryption keys as part of the recovery process, you MUST re-escrow those encryption keys with Nasuni if you want those encryption keys to continue to be escrowed with Nasuni. After the recovery is complete, the Nasuni Edge Appliance treats all encryption keys as if they were not created by this Nasuni Edge Appliance. For details, see “Escrowing encryption keys with Nasuni” on page 30.
- If you escrowed any of your encryption keys (including the backup key) with Nasuni, and you intend to have Nasuni de-escrow your escrowed encryption keys, perform the following steps:
  1. Select “Yes - Recovery Key” from the drop-down list.
    Tip: You can select Yes even if you also have non-escrowed encryption keys, which you provide separately.
  2. The Recovery Key text box becomes available.
    Figure 4-14: Recovery Key text box.
  3. Contact Nasuni Support to verify your identity and obtain your one-time-use recovery key. Then enter the recovery key.
  4. Read the text and then click the Acknowledgement box.
  5. Click Continue.
  6. Continue with step 10 on page 21.
    Important: If you have previously escrowed your encryption keys with Nasuni, and you use these escrowed encryption keys as part of the recovery process, you MUST re-escrow those encryption keys with Nasuni if you want those encryption keys to continue to be escrowed with Nasuni. After the recovery is complete, the Nasuni Edge Appliance treats all encryption keys as if they were not created by this Nasuni Edge Appliance. For details, see “Escrowing encryption keys with Nasuni” on page 30.
- Otherwise, select No from the drop-down list, then click Continue.
  This means that either you do not have any encryption keys escrowed with Nasuni at all, or that you do have encryption keys escrowed with Nasuni, but you intend to provide your escrowed encryption keys yourself.
If you selected No, the Install Wizard — Upload Encryption Keys page appears.
Figure 4-15: Install Wi zard — Upload Encryption Keys page.
Click Choose File to navigate to your encryption key file, enter the Key Passphrase if necessary, then click Upload Key(s). All uploaded encryption keys must be at least 2048 bits long.
The maximum length of a file name is 255 bytes.
In addition, the length of a path, including the file name, must be less than 4,000 bytes.
Since the UTF-8 representation of characters from some character sets can occupy several bytes, the maximum number of characters that a file path or a file name might contain can vary. If a particular client has other limits, the smaller of the two limits applies.
Important: For security reasons, encryption keys that you upload cannot be downloaded from the system.
Important: It is possible that not all encryption keys are uploaded as part of the recovery. After the recovery process is complete, the Encryption Keys page indicates
which encryption keys were not uploaded. Uploading these encryption keys is optional.
Figure 4-16: Encryption Keys page.
The Install Wizard - About to Recover page appears.
Figure 4-17: Install Wizard - About to Recover page.
Click Continue. Recovery of the Nasuni Management Console begins.
After recovery, the Install Wizard - Recovery Complete page appears.
Figure 4-18: Install Wizard - Recovery Complete page.
The Install Wizard — Create Admin User page appears.
Figure 4-19: Install Wizar d — Create Admin User page.
Create a Username (case-sensitive) and a Password (case-sensitive) for the administration of this Nasuni Management Console. An indicator of password strength appears. Although password strength is not enforced, you should use strong passwords. Click Continue.
The Rebooting page appears.
Figure 4-20: Rebooting page.
It can take several minutes for this process to complete.
The Login page appears.
Figure 4-21: Login page.
Log in to the Nasuni Management Console with your Username (case-sensitive) and Password (case-sensitive). Click Log in.
The Nasuni Management Console Home page appears.
Figure 4-22: Nasuni Management Console Home page.
A message appears confirming that the recovery process is complete.
Important: The following settings, if configured, are not retained after the NMC Recovery procedure. You should record your settings so that you can reconfigure these settings after the NMC Recovery procedure.
- Escrow passphrase.
- Automatic Software Updates.
- Time Zone settings.
- NTP Time Server settings.
Tip: A best practice is to join an Active Directory or LDAP domain as soon as recovery is complete.
If the previous NMC was in Active Directory or LDAP mode, re-join Active Directory or LDAP. Before rejoining the Active Directory domain, delete the original Active Directory computer object. Deleting the computer object requires a Domain Administrator account with Full Control permissions.
If the previous NMC has not previously joined any domain, see the Nasuni Management Console Guide.
Important: After the recovery, it might be necessary to recreate Native Users and Groups, because they are lost when recovering the NMC. Nasuni recommends using Active Directory users and groups rather than Native Users and Groups. If you have documented the Native Users and Groups, you can recreate them now. See the Nasuni Management Console Guide.