Disaster recovery

The system is restored in two phases: configuration first, then data. Right after the configuration restore, the system is ready to be used if the proper packages are installed. When the machine is functional, a full data restore can be performed while the machine is already in production. You can install additional packages before or after the restore. For example, if the mail-server is installed, the system can send and receive mail.

Other restored configurations:

  • Users and groups

  • SSL certificates

Warning

Do not restore a configuration backup from an old minor version into a newer version. The backup should come from a NethServer having the same operating system version as the new installation. For example, avoid restoring a configuration backup from a 7.4.1708 installation on a new 7.6.1810 system, as it may lead to unexpected results.

Note

Third-party repositories are not restored by the disaster recovery procedure. If the original machine has some third-party repositories enabled, remember to install them before proceeding with the restore.

Note

The root password is not restored.

New Server Manager

Follow the steps below:

  1. Install the new machine (refer to the installation section), access the new Server Manager and make sure the machine is able to access the internet and resolve public names correctly.

  2. If the machine has a Community subscription entitlement, follow Subscription; otherwise you can skip this step.

  3. Install all the available core updates from the Software updates page.

  4. Access the Backup page and click on the Restore button under the Configuration Backup section, then upload the configuration backup or download it directly from an HTTP/S URL.

    For NethServer Enterprise, all cloud backups will be automatically downloaded and ready to be restored directly from the From backup field.

  5. Map network interface names from the backup to the running system. This step is required only if the Restore network configuration option is enabled.

  6. During disaster recovery, keeping the Reinstall packages option enabled is mandatory to obtain a machine identical to the original one. Disabling it could introduce unexpected behavior on the restored system.

  7. Click the Restore button to start the restore process.

    Note

    If you’re connected to a network interface whose IP address will change during the restore, you will be disconnected from the Server Manager and you will need to log in again using the new IP address.

  8. Verify the system is functional and then access the Backup page. To restore all files, click the Restore button under the Data Backup section, select the name of the backup and click the Restore button.

Please bear in mind that the restore process can last from minutes to hours depending on the storage backend speed.

If the Restore network configuration option was not enabled, further steps may be required to restore all applications. See Skip network restore for more details.

Old Server Manager

Follow the steps below:

  1. Install the new machine (refer to the installation section), access the Server Manager and complete the basic server configuration.

  2. Ensure that NethServer is able to access the internet and resolve public names correctly.

  3. Install all the available core updates in the Software Center.

  4. Restore the configuration backup using the Backup (configuration) panel.

  5. If a warning message requires it, reconfigure the network roles assignment. See Restore network roles below.

  6. Verify the system is functional.

  7. Restore the data backup by running the following command on the console:

    restore-data -b <name>
    

    where name is the name of the data backup you want to restore from.

Please note that the disaster recovery should always be performed from local media (e.g. NFS or USB) to speed up the process.

Restore network roles

If a role configuration points to a missing network interface, the Dashboard, Backup (configuration) > Restore and Network pages pop up a warning. This happens for instance in the following cases:

  • the configuration backup has been restored on new hardware

  • one or more network cards have been substituted

  • system disks are moved to a new machine

The warning message points to a page that lists the network cards present in the system, highlighting those that do not have an assigned role. Each such card has a drop-down menu from which to select one of the roles available for restoring.

For instance, if a card with the orange role has been replaced, the drop-down menu next to the new network card will list an orange element.

The same applies if the old card was a component of a logical interface, such as a bridge or bond.

By picking an element from the drop-down menu, the old role is transferred to the new physical interface.

Click the Submit button to apply the changes.

Warning

Choose the new interface assignment carefully: making a mistake here could lead to a system isolated from the network!

If the missing role is green, an automatic procedure attempts to fix the configuration at boot time, to ensure minimal network connectivity and allow logging in to the Server Manager again.

Skip network restore

Network configuration is restored by default, but sometimes it is necessary to restore an installation on different hardware without migrating the network configuration. This is a common scenario when moving a virtual machine from one VPS provider to another.

To disable the network restore, make sure to disable the Restore network configuration option from the new Server Manager.

Since some application configurations depend on network interface names, not everything can be automatically restored.

DHCP

DHCP servers on non-existing interfaces will be deleted. If needed, please reconfigure the DHCP from the Server Manager. See also DHCP and PXE server for more general information.

Samba Active Directory

Warning

Restoring a local Samba Active Directory without the Restore network configuration option enabled is highly discouraged. Read this section carefully.

Samba Active Directory requires a network bridge and an additional, free IP address in the green zone for the local running container.

If the bridge exists and the IP address suits the current network configuration, the container will continue running after the restore.

Otherwise, Samba Active Directory is forcibly stopped. To enable it again:

  • from the Network page, create the bridge, e.g. br0

  • find an unused IP address in your green network, e.g. 192.168.1.11

  • reconfigure the container from the command line:

    config setprop nsdc bridge br0 status enabled
    signal-event nethserver-dc-change-ip 192.168.1.11
    
  • fix the DC sysvol ACLs:

    /etc/e-smith/events/actions/nethserver-dc-sysvolreset
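
The requirements above (an existing bridge and an additional address in the green network) can be checked before running the commands. The following is an added example, not part of the NethServer documentation or code: a POSIX shell pre-flight that prints the three commands only when the checks pass. `SYSFS_NET`, the function names, and the sample network 192.168.1.0/24 with server address 192.168.1.10 are assumptions; `br0` and 192.168.1.11 come from the steps above.

```sh
#!/bin/sh
# Added example, not NethServer code. SYSFS_NET is a hypothetical override used
# for testing; 192.168.1.0/24 and 192.168.1.10 in the usage line are constructed.
SYSFS_NET=${SYSFS_NET:-/sys/class/net}

# Dotted-quad IPv4 -> integer; rejects malformed or zero-padded octets.
# The body runs in a subshell so the IFS change does not leak to the caller.
ip_to_int() (
    case "$1" in *[!0-9.]*|*..*|.*|*.) exit 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case "$o" in 0?*|????*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# usable_host CANDIDATE NETWORK PREFIX HOST_IP: true when CANDIDATE lies inside
# NETWORK/PREFIX and is not the network, broadcast or the server's own address.
usable_host() (
    cand=$(ip_to_int "$1") && net=$(ip_to_int "$2") && host=$(ip_to_int "$4") || exit 1
    case "$3" in ''|*[!0-9]*|0?*|???*) exit 1 ;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 30 ] || exit 1
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    net=$(( net & mask )); bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    [ $(( cand & mask )) -eq "$net" ] && [ "$cand" -ne "$net" ] &&
        [ "$cand" -ne "$bcast" ] && [ "$cand" -ne "$host" ]
)

# nsdc_plan BRIDGE CANDIDATE NETWORK PREFIX HOST_IP: print the page's commands
# only when the bridge exists and the address passes the checks above.
nsdc_plan() {
    case "$1" in ''|.*|*[!A-Za-z0-9_.-]*) echo "bad bridge name" >&2; return 1 ;; esac
    # Linux exposes a "bridge" directory in sysfs for bridge devices only.
    [ -d "$SYSFS_NET/$1/bridge" ] || { echo "no bridge named $1" >&2; return 1; }
    usable_host "$2" "$3" "$4" "$5" ||
        { echo "$2 is not a usable host address in $3/$4" >&2; return 1; }
    printf '%s\n' "config setprop nsdc bridge $1 status enabled" \
        "signal-event nethserver-dc-change-ip $2" \
        "/etc/e-smith/events/actions/nethserver-dc-sysvolreset"
}
# Usage: nsdc_plan br0 192.168.1.11 192.168.1.0 24 192.168.1.10
```

The address check is arithmetic only; it cannot tell whether another host already uses the address, so confirm that separately before applying the printed commands.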
    

More info about Samba Active Directory local provider installation.

Firewall

At the end of the restore, the firewall will:

  • delete all WAN providers

  • delete all zones connected to a non-existing network interface

  • disable all rules using a non-existing zone or a non-existing role

The administrator can access the Server Manager to create missing zones and roles. Finally, all previously disabled rules can be manually enabled again.

See Firewall.

Web proxy

Web proxy priority rules using non-existing zones will be disabled. Before re-enabling such rules, make sure the zones have been created.

More info on priority rules: Priority and divert rules.

OpenVPN tunnels

OpenVPN tunnel servers contain a field named Public address. If this field uses only public DNS names, no action is required. Otherwise, insert the new public IP address inside the field and update tunnel clients accordingly.

See also OpenVPN Tunnel (net2net).

OpenVPN roadwarrior

The OpenVPN roadwarrior server exposes a field named Contact this server on public IP / host. If this field uses only public DNS names, no action is required. Otherwise, insert the new public IP address inside the field and update roadwarrior clients accordingly.

See also OpenVPN Roadwarrior.

IPSec tunnels

Only IPSec tunnels configured with a dynamic red interface will be disabled. Access the Server Manager, edit the disabled tunnel by selecting a new red interface and enable it again.

More info at IPsec.

Dedalo hotspot

Dedalo hotspot will be disabled if the system does not have a network interface configured with the hotspot role. If Dedalo is disabled, reconfigure it following the Hotspot (Dedalo) chapter.

ntopng

ntopng must be reconfigured. Access the Bandwidth monitor page inside the old Server Manager. Then enable the service and select network interfaces to monitor.

See also Bandwidth monitor.