Honeywell Process Solutions
Experion LX
Windows Domain/Workgroup
Implementation Guide
EXDOC-X148-en-110A
R110
February 2014
Release 110
Honeywell
Notices and Trademarks
Copyright 2014 by Honeywell International Sarl.
Release 110 February 2014
While this information is presented in good faith and believed to be accurate, Honeywell disclaims
the implied warranties of merchantability and fitness for a particular purpose and makes no
express warranties except as may be stated in its written agreement with and for its customers.
In no event is Honeywell liable to anyone for any indirect, special or consequential damages. The
information and specifications in this document are subject to change without notice.
Honeywell, PlantScape, Experion LX, and TotalPlant are registered trademarks of Honeywell
International Inc.
Other brand or product names are trademarks of their respective owners.
Honeywell Process Solutions
1860 W. Rose Garden Lane
Phoenix, AZ 85027 USA
About This Document
This document describes how to implement Windows domain/workgroups in Experion LX.
Release Information
Document Name: Windows Domain/Workgroup Implementation Guide
Document ID: EXDOC-X148-en-110A
Release Number: R110
Publication Date: February 2014
Document Category: Configuration
References
The following list identifies all documents that may be sources of reference for material discussed in this publication.
• Experion LX Software Installation User’s Guide
• Experion LX Network Security and Planning Guide
• Experion LX R110 Software Change Notice
Support and Other Contacts
People’s Republic of China
Contact: Honeywell Global TAC – China
Phone: +86-21-5257-4568
Mail: Honeywell (China) Co., Ltd, 33/F, Tower A, City Center, 100 Zunyi Rd., Shanghai 200051, People’s Republic of China
Email: [email protected]
Symbol Definitions
The following table lists those symbols used in this document to denote certain conditions.
ATTENTION: Identifies information that requires special
consideration.
TIP: Identifies advice or hints for the user, often in terms of
performing a task.
REFERENCE -EXTERNAL: Identifies an additional source of
information outside of the bookset.
REFERENCE - INTERNAL: Identifies an additional source of
information within the bookset.
CAUTION
Indicates a situation which, if not avoided, may result in equipment
or work (data) on the system being damaged or lost, or may result in
the inability to properly operate the process.
CAUTION: Indicates a potentially hazardous situation which, if not
avoided, may result in minor or moderate injury. It may also be used
to alert against unsafe practices.
CAUTION symbol on the equipment refers the user to the product
manual for additional information. The symbol appears next to
required information in the manual.
WARNING: Indicates a potentially hazardous situation, which, if not
avoided, could result in serious injury or death.
WARNING symbol on the equipment refers the user to the product
manual for additional information. The symbol appears next to
required information in the manual.
WARNING, Risk of electrical shock: Potential shock hazard where
HAZARDOUS LIVE voltages greater than 30 Vrms, 42.4 Vpeak, or
60 VDC may be accessible.
ESD HAZARD: Danger of an electro-static discharge to which
equipment may be sensitive. Observe precautions for handling
electrostatic sensitive devices.
Protective Earth (PE) terminal: Provided for connection of the
protective earth (green or green/yellow) supply system conductor.
Functional earth terminal: Used for non-safety purposes such as
noise immunity improvement. NOTE: This connection shall be
bonded to Protective Earth at the source of supply in accordance
with national local electrical code requirements.
Earth Ground: Functional earth connection. NOTE: This
connection shall be bonded to Protective Earth at the source of
supply in accordance with national and local electrical code
requirements.
Chassis Ground: Identifies a connection to the chassis or frame of
the equipment shall be bonded to Protective Earth at the source of
supply in accordance with national and local electrical code
requirements.
Contents
1. PLANNING A WINDOWS DOMAIN/WORKGROUP ... 13
1.1 Overview of Windows domain ... 13
1.2 Overview of a Windows Workgroup ... 14
1.3 Overview of a Domain Controller ... 15
1.4 System requirements for a Domain Controller ... 16
    Overview of a Read-only Domain Controller ... 17
    Choosing the right OS for a Domain Controller ... 17
    Software requirements for implementing a domain in Experion LX ... 17
1.5 Active Directory and its components ... 19
    Overview of Active Directory ... 19
    Overview of domain trees ... 19
    Overview of Forests ... 21
    Overview of Organizational Units ... 21
    Considerations for using a single domain with multiple OUs ... 22
    TPS domains as Organizational Units ... 22
    Overview of sites ... 22
1.6 Group Policy ... 24
    Overview of Group Policy ... 24
    Computer Configuration Settings ... 25
    User Configuration Settings ... 26
    Controlling the scope of GPOs ... 26
    Experion LX Group Policy descriptions ... 27
1.7 Domain Users, Computers, and Groups ... 28
    User Account ... 28
    Computer Account ... 28
    Groups ... 28
    Distribution Groups ... 28
    Group Scope ... 29
1.8 Support for DNS ... 30
    DNS as a name resolution service ... 30
    DNS deployment ... 30
    DNS integration with Active Directory ... 30
    DNS naming conventions ... 31
    DNS tools ... 31
1.9 Active Directory replication ... 31
1.11 Functional levels in Active Directory ... 33
1.12 Domain controllers in an Experion LX FTE network ... 34
    Domain controller placement ... 34
    Domain controller as a non-FTE node in an FTE community ... 34
1.13 Domain controller backup strategies ... 34
1.14 Guidelines for upgrading a DC ... 34
2. DOMAIN CONTROLLER INSTALLATION ... 37
2.1 Installing the Windows Server operating system ... 37
    Installing Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 ... 37
2.2 Setting local administrator password ... 37
2.3 Setting time and date ... 37
2.4 Changing the computer name ... 38
2.5 Configuring the TCP/IP settings ... 39
2.6 Promoting the Windows server to root Domain Controller ... 42
2.7 Installing Active Directory and DNS ... 42
2.8 Adding Reverse lookup zone to DNS ... 43
2.9 Installing the Honeywell Domain Controller package ... 43
    Domain Controller Security on Windows Server 2003/2008/2008 R2 ... 43
    Install domain security, optional components on Windows Server 2008 ... 45
    Domain Controller Security and Optional Component Installation ... 46
3. SET UP A WINDOWS DOMAIN ENVIRONMENT ... 49
3.1 Creating Active Directory users and groups ... 49
    Create a user ... 49
    Create a group ... 50
    Change group membership ... 50
3.2 Creating Organizational Units (OUs) ... 51
    Create a TPS Domain OU ... 51
    Create an Experion LX/TPS domain OU or a console OU within a TPS domain OU ... 52
3.3 Creating a Group Policy ... 52
4.1 Adding a node to a Windows domain ... 55
4.2 Adding global Experion LX domain account groups to local account groups on this computer ... 56
5. SET UP A WINDOWS WORKGROUP ENVIRONMENT ... 59
5.1 Creating Windows Workgroup users and groups ... 59
6. REVIEW HONEYWELL SECURITY TEMPLATE ... 61
6.1 Reviewing security templates in domain/workgroup environment ... 61
7. SET UP TIME SYNCHRONIZATION ... 63
7.1 About time synchronization in a domain ... 63
8. SECURING THE OPERATING SYSTEM ... 65
8.1 Using login scripts ... 65
    Station command line options ... 65
    Lock Station in full screen mode and disabling menus ... 65
    Example script: Starting Station ... 65
    Assign logon scripts to domain groups and users using group policy ... 67
    Assign logon scripts to individual domain accounts ... 68
    Assign logon scripts to local accounts ... 69
8.2 Removing access to Task Manager, Windows Explorer, Internet Explorer ... 70
8.3 Setting up automatic logon ... 72
    Set up automatic logon in a domain ... 72
    Set up automatic logon in a workgroup ... 73
8.4 Preventing operator shut down ... 74
8.5 Disabling the lock computer option ... 75
9. MANAGING DOMAINS AND WORKGROUPS ... 77
9.1 Installing a peer Domain Controller ... 77
    Overview ... 77
    Considerations and Prerequisites ... 77
    Overview ... 79
    Edit a Group Policy ... 79
    Copy a group policy ... 79
    Move a group policy from the default domain to OUs ... 80
9.3 Managing Security ... 81
9.4 Renaming a Domain Controller ... 81
9.5 Removing a Domain Controller ... 81
10. ADVANCED DOMAIN ADMINISTRATION ... 83
10.1 Troubleshooting Group Policy Objects ... 83
    Overview ... 83
    Resultant Set of Policy ... 83
    Using gpupdate and gpresult ... 84
    gpupdate ... 84
    gpresult ... 85
10.2 DNS Recommendations for large FTE networks ... 86
    Overview ... 86
    Recommendation ... 86
11. APPENDIX ... 89
11.1 Experion LX domain group policy settings ... 89
11.2 Workstation Security Settings ... 179
    Security Model Specific Permissions ... 179
Figures
Figure 1 Windows domain ... 13
Figure 2 Domain controller ... 15
Figure 3 Contiguous namespace of a tree ... 20
Figure 4 Non-contiguous namespace of a forest ... 21
1. Planning a Windows Domain/Workgroup
1.1 Overview of Windows domain
A Windows domain is a logical group of computers that are managed through a central
database used to control user access and resource access. The central database is
known as Active Directory. Active Directory uses a structured database to describe
both the logical and physical design of the network in a hierarchical format. It contains
information about the users and resources that are controlled in the domain. This design
allows administrators to define security permissions for users and for the resources they
have access to.
Each domain has at least one server running as a Domain Controller, which holds the
database for the domain. The Domain Controller manages all security-related
interaction between users and resources, centralizing security and administration. Both
Windows computers and non-Windows computers can be part of the domain.
A Windows domain can be used by any size organization and its design allows a single
domain to be used for managing multiple physical locations that could be located
anywhere across the world.
The following figure shows a typical Windows domain:
REFERENCE - EXTERNAL
For a detailed description of Windows domain concepts, refer to the following
Microsoft® documentation.
• http://www.microsoft.com/windowsserver2008/en/us/ad-main.aspx
• http://technet.microsoft.com/en-us/library/cc780336(WS.10).aspx
1.2 Overview of a Windows Workgroup
A Windows workgroup is a group of standalone computers in a peer-to-peer network.
Each computer in the workgroup uses its own local accounts database to authenticate
resource access, so the computers in a workgroup do not share a common
authentication process. Workgroup is the default networking environment for a clean
Windows installation.
In general, a workgroup environment is most appropriate for networks with a small
number of computers (say, fewer than 10), all located in the same general area. The
computers in a workgroup are considered peers because they are all equal and share
resources with each other without requiring a server. Since the workgroup does not
share a common security and resource database, users and resources must be defined on
each computer. This increases administration overhead, because a matching user account
must be created on every computer that holds a resource the user needs to access.
Resources can be shared across the workgroup, but only through matching accounts that
have the same user name and the same password on each computer.
The main disadvantages of workgroups are:
• If a user account is used to access resources on multiple machines, the account must
be created on each of those machines with the same user name and password, and
every password change must be repeated on each machine.
• The authentication protocol used between nodes is weaker. Without a domain there is
no Kerberos, so all network authentication between nodes uses NTLM challenge/response,
which is exposed to relay and offline hash-cracking attacks.
• Desktop (client) editions of Windows have a fixed limit of 10 concurrent inbound
connections. Note that this limit applies to connections to an individual desktop, not to
the workgroup as a whole.
1.3 Overview of a Domain Controller
The Domain Controller for Experion LX is a server machine that:
• Runs on a Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 operating system
• Stores the read-write copy of the Active Directory database
• Manages the following user and domain interactions:
  − User account control
  − Resource control
You must set up at least one Domain Controller in every Windows domain. The following
figure shows the Domain Controller in a Windows domain:
Figure 2 Domain controller
REFERENCE - EXTERNAL
For more information about implementing a Windows Domain Controller,
refer to the following Microsoft documentation:
1.4 System requirements for a Domain Controller
The following is a list of minimum system requirements for a basic Domain Controller in
Experion LX.

Component               | Windows Server 2003 32-bit               | Windows Server 2008 32-bit                     | Windows Server 2008 R2 64-bit
Computer and processor  | Server computer with a 133 MHz processor | Server computer with a minimum 1 GHz processor | x64, 1.4 GHz if single core, 1.3 GHz if multi core
Memory                  | 128 MB RAM                               | 512 MB RAM                                     | 512 MB RAM
Hard disk               | 1.5 GB available hard-disk space         | 20 GB available hard-disk space                | 32 GB available hard-disk space
ATTENTION
• Honeywell qualified this document with the Standard Editions of Windows Server 2003,
Windows Server 2008, and Windows Server 2008 R2. Although Windows Server 2003 R2 may
work as a Domain Controller in Experion LX, Honeywell has not explicitly qualified that
configuration.
• Honeywell qualified this document with the following operating systems, which are also
the versions of Windows qualified for use as Domain Controllers:
  − Windows Server 2003 32-bit
  − Windows Server 2008 32-bit
  − Windows Server 2008 R2 64-bit
• Refer to Microsoft documentation for requirements from a performance perspective. For
Windows Server 2008/Windows Server 2008 R2 Domain Controller system requirements, refer to
http://www.microsoft.com/windowsserver2008/en/us/WS08-system-requirements.aspx
Overview of a Read-only Domain Controller
With Windows Server 2008, Microsoft introduced the Read-only Domain Controller (RODC).
An RODC performs most of the functions of a normal Domain Controller, but it holds a
read-only copy of the Active Directory database and refers any update to a writable
Domain Controller. This is well suited to sites where the organization requires the
writable Domain Controller to reside at levels above the process control network (PCN)
for security and/or administrative purposes. Adding an RODC to the PCN preserves that
arrangement while providing a local source of authentication for performance and
reliability reasons:
• With the RODC local to the PCN, link speeds and firewall traversals to remote
Domain Controllers do not affect performance.
• If the PCN becomes isolated from the IT network where the writable Domain
Controller resides, logons to the PCN continue for accounts whose credentials the RODC
has cached.
Note that an RODC caches no account passwords by default. Its Password Replication
Policy must explicitly allow the PCN user and computer accounts, and each account must
have authenticated through the RODC once (or been pre-populated) before the second
benefit holds. Privileged accounts such as Domain Admins are denied caching by default
and should stay that way, so that a compromised RODC on the PCN does not yield
domain-wide credentials.
Choosing the right OS for a Domain Controller
Choosing the OS for a Domain Controller depends on your organization requirements.
Experion LX R110 supports Domain Controllers running Windows Server 2003,
Windows Server 2008, and Windows Server 2008 R2.
However, if you are installing a new Domain Controller, choose Windows Server 2008,
as it is the currently supported version. If you already have a Windows Server 2003 DC,
you can continue to use it, or choose to upgrade to Windows Server 2008.
There are some limitations when selecting the OS for the Domain Controller. Windows
Server 2008 can host the Experion LX R110 Domain Controller Security Package and,
optionally, FTE.
Windows Server 2003 or Windows Server 2008 R2 Domain Controllers can host the
Experion LX R110 Domain Controller Security Package. However, they cannot host
FTE.
REFERENCE - EXTERNAL
To understand the changes in functionality for Windows Server 2008 and
Windows Server 2008 R2, refer to the following Microsoft documentation:
http://technet.microsoft.com/en-us/library/cc753208(WS.10).aspx
Software requirements for implementing a domain in Experion LX
To implement a domain in Experion LX, you need the following media/software:
•Operating System media (Windows Server 2003 or Windows Server 2008 or
• Experion LX Installation media
  − Honeywell Domain Controller Package
  − FTE (optional)
1.5 Active Directory and its components
Overview of Active Directory
The Active Directory directory service is a distributed database that stores and manages
information about network resources and application-specific data from
directory-enabled applications. Active Directory allows administrators to organize objects of a
network (such as users, computers, and devices) into a hierarchical collection of
containers known as the logical structure. The following are the logical components of an
Active Directory:
• Domain trees
• Forests
• Domains
• Organizational Units (OUs)
• Site objects
REFERENCE - EXTERNAL
Refer to the following Microsoft documentation:
• For information on Active Directory structure and its components –
http://technet.microsoft.com/en-us/library/cc759073(WS.10).aspx#w2k3tr_logic_what_feaw
• For information on the Active Directory Domain Services server role in
Windows Server 2008 and Windows Server 2008 R2 –
http://technet.microsoft.com/en-us/library/cc731053.aspx
Overview of domain trees
A domain tree is a collection of domains that share a contiguous namespace. The tree
structure starts with a single root domain and branches out into child domains. The first
Active Directory domain created becomes the root of the domain tree structure. The other
domains created later become the child domains.
The name of the tree is always the DNS name of the root domain. The child domains are
always in the same DNS name space as the root domain. Note that the Domain
Controllers in the child domains are not peer Domain Controllers of the Domain
Controllers in the root domain.
The following figure shows the contiguous namespace of a tree structure:
Figure 3 Contiguous namespace of a tree
The main reason for creating multiple domains is management of the domain
structure. Account policy settings (password policy, account lockout policy, Kerberos
policy) are scoped to the domain, so two populations of users that must have different
password policies need separate domains (or, from the Windows Server 2008 domain
functional level onward, fine-grained password policies within one domain). In addition,
all child domains have transitive trusts with the other domains in the same tree.
The following are additional reasons for creating multiple domains in a network:
• To manage different organizations or to provide unit identities
• To enforce different security settings and password policies
• To control Active Directory replication
Overview of Forests
The first domain created in a forest is the forest root domain. A forest does not require
multiple trees, but it can contain additional trees with a non-contiguous namespace.
Forests act independently of each other but can trust each other.
Forests are defined as:
• Collections of domains that trust each other (every domain in a forest has a two-way
transitive trust with every other domain in the forest)
• Units of replication (the schema and configuration partitions are replicated to every
Domain Controller in the forest)
• Security boundaries
• Units of delegation
REFERENCE - EXTERNAL
For information, see “What are forests?” in the following Microsoft
documentation –
http://technet.microsoft.com/en-us/library/cc759073(WS.10).aspx#w2k3tr_logic_what_ovkc
The following are the characteristics of a domain in a second tree of the forest:
• Its namespace is non-contiguous with that of the forest root domain
• Each domain tree operates independently
• All trees belong to the same forest and share one schema, one configuration
partition, and one global catalog
The following figure shows the non-contiguous namespace of a forest structure:
Figure 4 Non-contiguous namespace of a forest
Overview of Organizational Units
An OU is an Active Directory container. You can place domain objects like users,
groups, computers, and other OUs in an OU. An OU cannot contain objects from other
Using OUs, you can break down a very large domain into smaller units to ease
management.
You can arrange OUs hierarchically in a tree-like structure. An organization can
divide a large domain into OUs based on department. For example, within
business.com, an OU can be created for each of Sales, Support, Marketing, Development,
and Q/A. An organization can extend the hierarchy of OUs as required by the
organization’s own hierarchy within a domain. The OUs created in a domain help to reduce
the number of domains required for a network.
OUs can be used to delegate administrative control over the objects they contain to a
subset of users in Active Directory. For instance, the domain administrator may
designate one person in each department as the official Password Change Administrator.
This reduces the administrative load: the domain administrator delegates the
authority to reset user passwords to each designated person over only their respective
OU, and nothing more. OUs can also simplify administration by grouping like objects
together, which can then be used for applying security settings contained in Group
Policy Objects.
REFERENCE - EXTERNAL
For more information about OUs, refer the following Microsoft documentation
– http://technet.microsoft.com/en-us/library/cc759073(WS.10).aspx
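The Password Change Administrator delegation described above, as an added example that is not part of the Honeywell guide. It grants a per-department group only the rights needed to reset passwords on user objects inside one OU, then reviews the resulting ACL. The domain (pcn.example, NetBIOS name PCN), the OU (Sales) and the group (Sales_PwdAdmins) are assumed names; dsacls ships with the Windows Server 2003/2008 AD DS tools.

```powershell
# Added example (not from the Honeywell guide): delegate "reset password" on the user
# objects of one OU to a department group. Assumed names: domain pcn.example (NetBIOS PCN),
# OU "Sales", existing global group "Sales_PwdAdmins".
$ouDn  = 'OU=Sales,DC=pcn,DC=example'     # assumption
$group = 'PCN\Sales_PwdAdmins'             # assumption: existing global security group

# Two rights are needed for a usable reset: the "Reset Password" control access right, and
# read/write on pwdLastSet so the delegate can tick "User must change password at next logon".
# /I:S = inherit to sub-objects only, and ";user" scopes the entry to objectClass user, so the
# group gains nothing on groups, computers, or the OU object itself.
dsacls $ouDn /I:S /G "${group}:CA;Reset Password;user"
dsacls $ouDn /I:S /G "${group}:RPWP;pwdLastSet;user"

# Review what was granted. Anything beyond these two entries for the group means the
# delegation is wider than intended (e.g. Full Control granted through the wizard by mistake).
dsacls $ouDn | Select-String 'Sales_PwdAdmins'

# Negative check, run as a member of the delegated group: a reset on an account in a
# different OU must fail with "Access is denied". Identity below is an assumed object.
#   Set-ADAccountPassword -Identity 'CN=Jane Doe,OU=Operators,DC=pcn,DC=example' -Reset
```

The delegation is placed on the OU rather than on the individual users so that accounts created later in the OU inherit it; conversely, moving a user out of the OU silently removes the delegate's rights over that account, which is the behaviour you want for a departmental helper.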
Considerations for using a single domain with multiple OUs
Honeywell recommends that you use a single domain with multiple OUs. The OUs
created in the domain are visible to the Experion LX Network Tree. OUs provide a
means for logical grouping of domain objects that have a similar function.
TPS domains as Organizational Units
TPS domains are created as Windows Server 2003/2008 Organizational Units (OUs).
The Active Directory Users and Computers snap-in in Windows Server 2003, Windows
Server 2008, Windows Server 2008 R2, which is used for administering domains, can be
modified to designate an OU as a TPS domain.
Overview of sites
Sites represent the physical structure of your network, while domains represent the
logical structure of your organization.
In Active Directory, a site is a set of computers that are well connected by a high-speed
network, such as a local area network (LAN). All computers within the same site
typically reside in the same building, or on the same campus network. A single site
consists of one or more Internet Protocol (IP) subnets.
Subnets are subdivisions of an IP network, with each subnet possessing its own unique
network address. Use of sites allows administrators greater control of domain replication
traffic across the entire domain. In addition, Group Policy Objects can also be applied to
the site.
Refer to the following Microsoft documentation for more information:
1.6 Group Policy
Overview of Group Policy
Group Policy is an infrastructure used for delivering and applying one or more
configurations/policy settings to the users and the computers within an Active Directory
environment. The Group Policy Objects (GPOs) contain the Group Policy settings. You
can link GPOs in a domain to sites, domains, or OUs.
An organization can have different types of users. For example, you may want to deliver
and maintain a customized desktop configuration for different types of users: operators
who do not require access to Internet Explorer, while engineers and administrators need
it. Group Policy applies a customized configuration to a group of users.
The following figure shows the customized group policies assigned to the OUs within a
domain:
Figure 5 Group Policy objects
You can infer the following from the preceding figure:
• The Admin Policy is applied to the Administration OU.
• The Engineering Policy is applied to the Engineering OU.
• The Operations Policy is applied to the Operations OU.
• The Hardware Engineering Policy and the Engineering Policy are applied to the
Hardware Engineering OU.
When you link GPOs to sites, domains, or OUs, the GPO links affect users and
computers in the following ways:
• GPOs are processed in the order Site > Domain > OU (parent OU before child OU), and
a setting applied later overrides the same setting applied earlier. A domain object
therefore takes its effective setting from the closest linked GPO in the hierarchy: if
GPOs linked at each level conflict, the setting from the GPO linked at the OU level wins.
The exception is a link marked Enforced at a higher level, which overrides lower-level
links and cannot be blocked by Block Inheritance on the OU.
• A GPO linked to a domain applies to all users and computers in the domain. By
default, any domain object in an OU has the domain GPO applied.
  − Policies linked at the domain level do not apply to child domains.
• The scope of a GPO can also be controlled. Refer to the topic “Controlling the scope
of GPOs” for more information.
Group Policy includes the following types of policy settings:
• Computer Configuration Settings
• User Configuration Settings
Computer Configuration Settings
The Computer Configuration Settings contain policy settings that affect computers,
regardless of who logs on to the computers.
The following are the computer-related policies specified in the Computer Configuration
settings:
• Operating system behavior
• Desktop behavior
• Application settings
• Security settings
• Assigned software applications
• Computer startup and shutdown scripts
Computer-related policy settings are applied:
• when the machine is restarted
• during a periodic refresh of the Group Policy
User Configuration Settings
The User Configuration Settings contain policy settings that affect users, regardless of
which computer they log on to.
The following are the user-related policies specified in the User Configuration settings:
• Operating system related settings
• Desktop settings
• Application settings
• Security settings
• Assigned and published software applications
• User logon and logoff scripts
• Folder redirection options
User-related policy settings are applied:
• when the user logs on to the computer
• during the periodic refresh of the Group Policy
Note: The Administrator can also apply the user-related policy settings manually.
The Group Policy Management Console is used for viewing and editing the Group Policy
Settings. The settings under ‘Computer Configuration’ are applied to all computers that
have this Group Policy enforced on them. The settings under ‘User Configuration’ are
applied to all users that have this Group Policy enforced on them.
ATTENTION
• A GPO with settings limited to Computer Configuration has no effect when it is
applied to a user.
• A GPO with settings limited to User Configuration has no effect when it is
applied to a computer.
Controlling the scope of GPOs
GPOs are applied to users and computers. To apply a GPO to a user or computer, you
must first link the GPO to a domain, an OU, or a site. You can control the scope of
GPOs in the following ways:
• Change the default order in which GPOs are processed (by changing the GPO link
order)
• Security and WMI filtering (for applying greater precision)
• Loopback processing (applying a consistent set of policies to any user logging on to a
computer)
For more information, refer to the following Microsoft documentation:
http://technet.microsoft.com/en-us/library/cc786768(WS.10).aspx
Experion LX Group Policy descriptions
The following table lists the Group Policy Objects (GPOs) that the Experion LX PKS –
High Security Domain Controller package creates in Active Directory, and the
corresponding Global Group that is used to filter the scope of each GPO.

Group Policy Name: Honeywell Product Administrator Role
Filter (Global Group): DCS Administrators
Description: A minimally restricted user environment. This account is typically used for
day-to-day DCS administrative tasks for Windows 7/2008.

Group Policy Name: Honeywell Engineering Role
Filter (Global Group): Engineers
Description: A restricted user environment that allows members to perform relevant
process control activities. Administrative actions in the Windows 7/2008 environment are
limited.

Group Policy Name: Honeywell Operational Roles
Filter (Global Group): Operators, Supervisors, View only users, ACK view only users
Description: A very restricted user environment that permits members of this group to run
only allowed applications. Typically, members of this group have a specified logon script
that automatically starts relevant applications. Usage of the Microsoft Internet Explorer
browser is limited to intranet or local applications.

For more information on Group Policy, refer to “Creating a Group Policy” and “Managing
Group/domain policy” in this guide.
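The scope controls described in “Controlling the scope of GPOs” and the global-group filtering used by the role GPOs in the table above, as an added example that is not part of the Honeywell guide: it creates a GPO, links it to an OU with a chosen link order, restricts it to one global group by security filtering, and then reports the effective links on the OU including any Enforced link from a higher level. The domain (pcn.example), OU (Operators), group (Operators) and GPO name are assumed; the GroupPolicy and ActiveDirectory modules come with GPMC on Windows Server 2008 R2 or RSAT on Windows 7.

```powershell
# Added example (not the Honeywell package's own scripts): create, link, and security-filter
# a GPO, then verify its scope. Assumed names: domain pcn.example, OU "Operators",
# global security group "Operators", GPO "PCN Operations Policy".
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = 'DC=pcn,DC=example'          # assumption
$ouDn     = "OU=Operators,$domainDn"     # assumption: OU holding the operator user accounts
$gpoName  = 'PCN Operations Policy'      # assumption
$group    = 'Operators'                  # assumption: existing global security group

# 1. Create the GPO, or reuse it if it already exists (keeps the script re-runnable).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Restricted operator desktop' }

# 2. Link it to the OU. Link order 1 is processed last among GPOs linked at this OU, so its
#    settings win over the other OU-level GPOs when they conflict.
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -Order 1 -ErrorAction SilentlyContinue | Out-Null

# 3. Security filtering: only members of the global group get "Apply Group Policy".
#    Authenticated Users is downgraded from Apply to Read rather than removed, because the
#    computer account still has to read the GPO during policy processing.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 4. Verify the effective links on the OU: order, enabled, and whether any link inherited from
#    the domain or site is Enforced (an Enforced higher-level link overrides this GPO and
#    cannot be blocked at the OU).
(Get-GPInheritance -Target $ouDn).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# 5. Verify the filter: exactly one trustee should hold GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

Loopback processing, the third scope control in the list, is a Computer Configuration setting (Administrative Templates > System > Group Policy > User Group Policy loopback processing mode) and belongs in a GPO that applies to the console computer accounts, not to the user OU shown here; it makes the User Configuration of the GPOs that apply to the console take effect for whoever logs on at it.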
1.7 Domain Users, Computers, and Groups
User Account
An Active Directory user account is used to authenticate to the domain, which then
allows access to domain resources. This account provides an identity on the network for
the user. The operating system uses this identity for the following purposes:
• To authenticate the user
• To grant access privileges to specific domain resources
To enable user authentication and authorization features, perform the following:
• Create an individual user account for each user on the network.
• Assign appropriate group membership to the user.
• Assign appropriate rights and permissions to each group.
TIP
Although rights and permissions can be assigned directly to user accounts, it
is a best practice to assign rights and permissions to groups and put
individual user accounts in those groups.
Computer Account
Every computer that is part of the domain has a specific computer account. This account
is created automatically when a computer is added to the domain. However, this account
can also be created before the computer joins the domain. The computer account
provides the following:
• Authenticates the computer to access the network
• Audits the computer’s access to the network and the domain resources
Groups
A Group is an Active Directory container object. A Group can contain users, contacts,
computers, and other groups. There are two types of Groups:
• Distribution Groups
• Security Groups
Distribution Groups
Distribution Groups have only one function: creating e-mail distribution lists.
Distribution Groups can be used with e-mail applications (like Microsoft Exchange) to
send e-mail to the members of the group. Changing group membership follows the same
process as for Security Groups. Distribution Groups cannot be used to apply security.
ATTENTION
Honeywell does not recommend the usage of e-mail on the Process Control
Domain used by Experion LX and TPS.
Security Groups
Security Groups are an essential component of the relationship between users and
resources. Security Groups perform the following functions:
•
Manages user and computer access to the shared resources on the domain
•Filters Group Policy settings
Security groups can contain users, computers, and other groups. Using Security Groups
simplifies security administration by letting you assign permissions to the group rather
than assigning permissions to the individual users. When you add a new user to the
group, the user receives all access permissions assigned to the security group.
Group Scope
Every security group or distribution group has a defined scope, which determines to what
extent the group is applied. The following are the different scopes that can be applied to a
group:
• Universal – indicates that a group can be assigned permissions in any domain or any trusted forest.
• Global – indicates that a group can be assigned permissions in any domain.
• Domain local – indicates that a group can be assigned permissions within the same domain.
For more information on Group Scope, refer to the following Microsoft documentation:
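The following PowerShell script is an added example, not part of this guide or of the Experion LX product, showing the practice described above: rights go to Security groups, user accounts go into those groups, and group scope is chosen deliberately (user accounts in a Global group, the Global group nested in a Domain local group that receives the permission). It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT); the OU path, group names and account names are placeholders for illustration.

```powershell
# Added example (not from the Honeywell guide). Requires the ActiveDirectory
# PowerShell module. The OU path, group names and sAMAccountNames are assumptions.
Import-Module ActiveDirectory

$ou = "OU=Experion,DC=pcn,DC=local"   # assumed OU for the process control domain

# Global scope: holds the user accounts (can be assigned permissions in any domain).
New-ADGroup -Name "Experion Operators" -GroupScope Global `
    -GroupCategory Security -Path $ou -ErrorAction Stop

# Domain local scope: the group that actually receives the permission on a resource.
New-ADGroup -Name "Experion Share Readers" -GroupScope DomainLocal `
    -GroupCategory Security -Path $ou -ErrorAction Stop

# Nest Global in Domain local: users -> Global group -> Domain local group -> permission.
Add-ADGroupMember -Identity "Experion Share Readers" -Members "Experion Operators"

# Put individual accounts in the group instead of granting them rights one by one.
Add-ADGroupMember -Identity "Experion Operators" -Members "oper01", "oper02"   # assumed accounts

# Guard: only Security groups can be used to apply security; a Distribution group
# assigned to an ACL would silently grant nothing.
$g = Get-ADGroup -Identity "Experion Share Readers"
if ($g.GroupCategory -ne "Security") {
    throw "Group used for permissions must be a Security group, found $($g.GroupCategory)"
}

# Effective membership as the resource will see it (recursive through the nesting).
Get-ADGroupMember -Identity "Experion Share Readers" -Recursive |
    Select-Object Name, SamAccountName
```

Adding a new operator is then a single Add-ADGroupMember call on the Global group; no ACL on any resource has to change, which is the administrative simplification section 1.7 describes.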
1.8 Support for DNS
DNS as a name resolution service
Domain Name System (DNS) is the default name resolution service in a Windows Server
2003/2008 network. It is part of the TCP/IP protocol suite and, by default, all TCP/IP
network connections are configured with the IP address of one or more DNS servers.
For more information on DNS, refer to the following Microsoft documentation:
What is DNS? – http://technet.microsoft.com/en-us/library/cc787921(WS.10).aspx
DNS deployment
DNS can be deployed in two ways – with Active Directory support and without Active
Directory support. It is deployed without Active Directory support if you want to host
information outside of the domain environment. For domains in Experion LX, DNS must
be deployed with Active Directory support. When deployed with Active Directory, the
Active Directory service uses DNS as its Domain Controller location mechanism. For
example, when an Active Directory user logs in to a domain, the user’s computer uses
DNS to locate a Domain Controller in the Active Directory domain.
For more information on how DNS works, refer to the following Microsoft
documentation:
http://technet.microsoft.com/en-us/library/cc772774(WS.10).aspx
DNS integration with Active Directory
Active Directory uses DNS as a Domain Controller locator and uses DNS domain
naming system in the architecture of Active Directory domains. Active Directory
depends on the following components of DNS:
• Domain controller locator (Locator)
• Active Directory domain names in DNS
• Active Directory DNS objects
For more information on DNS integration with Active Directory, refer to the following
Microsoft documentation:
• How DNS support for Active Directory works: http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx
DNS naming conventions
The following are some of the DNS requirements for Active Directory hierarchy:
• A node in the DNS hierarchy must be a domain or a computer
• A child domain cannot have more than one parent domain
• Two child domains of a parent domain cannot have identical names
For more information on DNS naming conventions, refer to the following Microsoft
documentation:
http://technet.microsoft.com/en-us/library/cc978006.aspx
ATTENTION
Domain names must have a domain designator like .com, .org, or .local.
Domain names without domain designators will cause name resolution issues
on the network.
DNS tools
A variety of tools are associated with DNS for use with Active Directory; the DNS
management application and the command line utilities nslookup and ipconfig are
some examples. For more information, refer to the following Microsoft
documentation:
• DNS tools and settings – http://technet.microsoft.com/en-us/library/cc775464(WS.10).aspx
• DNS support for Active Directory tools and settings – http://technet.microsoft.com/en-us/library/cc738266(WS.10).aspx
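The following PowerShell script is an added example, not from this guide, that turns the two requirements of section 1.8 into a check: the domain name must carry a domain designator, and Active Directory's Locator must be able to find Domain Controllers through the SRV records that DNS integration with Active Directory provides. The domain name is an assumption; the script uses Resolve-DnsName where it exists (Windows Server 2012 and later) and otherwise parses the nslookup utility named above, which is present on Windows Server 2003/2008.

```powershell
# Added example (not from the Honeywell guide). The domain name is an assumption.
$domain = "pcn.local"

# Single-label names (no .com/.org/.local) cause name resolution problems (see ATTENTION above).
if ($domain -notmatch '\.') { throw "Domain name '$domain' has no domain designator" }

# The Locator queries _ldap._tcp.dc._msdcs.<domain>; every DC registers an SRV record there.
$srvName = "_ldap._tcp.dc._msdcs.$domain"

if (Get-Command Resolve-DnsName -ErrorAction SilentlyContinue) {
    # Windows Server 2012 and later (DnsClient module).
    $dcs = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget }
} else {
    # Windows Server 2003/2008: parse the "svr hostname = <dc>" lines printed by nslookup.
    $dcs = nslookup -type=SRV $srvName 2>$null |
        Select-String 'svr hostname\s*=\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

if (-not $dcs) {
    throw "No Domain Controller SRV records found for $domain; DNS is not AD-integrated or records were not registered"
}

# Each DC name handed out by the Locator must itself resolve to an address.
foreach ($dc in $dcs) {
    $addr = [System.Net.Dns]::GetHostAddresses($dc) | ForEach-Object { $_.IPAddressToString }
    "{0} -> {1}" -f $dc, ($addr -join ', ')
}
```

An empty SRV result on a node that can otherwise reach the Domain Controller usually means the DC's records were never registered; running ipconfig /registerdns on the DC, as section 2.8 requires, is the first thing to try.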
1.9 Active Directory replication
Active Directory replication is the means by which changes to directory data are
transferred between Domain Controllers in an Active Directory forest. The Active
Directory replication model defines mechanisms to transfer directory updates
automatically between Domain Controllers, thereby providing a seamless replication
solution for the Active Directory database.
For more information, refer to the following Microsoft documentation:
Active Directory Replication Model Technical Reference –
1.10 Multiple Domain Controllers in a domain
A domain can have multiple Domain Controllers. Multiple Domain Controllers in a
domain provide the following benefits:
• Improves availability and reliability of the domain by allowing the domain to continue operation if at least one Domain Controller is operational and available to the process control network
• Improves the performance by sharing the load across multiple Domain Controllers
When there are multiple Domain Controllers in a domain, all Domain Controllers are
peers. All Domain Controllers in a domain have read/write copies of the domain
database. You can set up an additional Domain Controller (Peer Domain Controller)
through the Active Directory installation wizard in one of the following ways:
• Over the network
• By restoring an existing Domain Controller backup
Although all Domain Controllers in a domain are peers, some domain operations require
a single Domain Controller to perform a specific function. To perform these specific
functions, Domain Controllers are assigned specialized roles known as Flexible Single
Master Operations (FSMO) roles.
The Domain Controller Flexible Single Master Operation roles are:
• Schema master
• Domain naming master
• Primary Domain Controller (PDC) emulator
• Infrastructure master
• Relative ID (RID) master
Another Domain Controller role is “Global Catalog Server.” This role can be run on
multiple Domain Controllers in a domain. There is at least one Global Catalog Server per
domain.
The first Domain Controller in the forest automatically holds all five FSMO roles and is a
Global Catalog Server. When peer Domain Controllers are introduced into the domain,
the FSMO roles can be redistributed to different Domain Controllers.
Refer to the following Microsoft documentation for more information on Domain
Controller roles:
1.11 Functional levels in Active Directory
Functional level is defined as the set of advanced Active Directory features and Windows
operating systems that can run on Domain Controllers in a domain or a forest. This is
essential for efficient Active Directory replication and domain renaming activities.
The Windows Server 2003 Active Directory service enables you to introduce advanced
features into your environment by raising the domain or forest functional level. You can
raise the functional level when all Domain Controllers in the domain or forest are
running an appropriate version of Windows. Raising the functional level allows you to
introduce new features but also limits the versions of Windows that can run on Domain
Controllers in your environment.
ATTENTION
Experion requires functional level Windows Server 2003/2008 or higher.
For more information about functional levels in a forest or a domain, refer to the
following Microsoft documentation:
http://technet.microsoft.com/en-us/library/cc738038(WS.10).aspx
For information on how to raise functional levels in a forest or a domain, refer to the
following Microsoft documentation:
http://technet.microsoft.com/en-us/library/cc787290(WS.10).aspx
ATTENTION
• Functional levels define a set of operating systems only for the Domain Controllers in a domain or a forest. They do not define the client operating systems in a domain or a forest.
• Before raising the functional level for a domain or a forest, assess your requirements appropriately. Once raised, you cannot lower the functional level for a domain or a forest.
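The following PowerShell script is an added example, not from this guide, that reports the state sections 1.10 and 1.11 describe: which Domain Controller holds each of the five FSMO roles, which Domain Controllers are Global Catalog servers, and the current domain and forest functional levels, with a warning if the domain level is below the Windows Server 2003 level Experion requires. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and runs on a domain member; on Windows Server 2003, the same role information comes from the netdom query fsmo command.

```powershell
# Added example (not from the Honeywell guide). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide single-master roles: exactly one holder each in the whole forest.
"Schema master:         $($forest.SchemaMaster)"
"Domain naming master:  $($forest.DomainNamingMaster)"

# Domain-wide single-master roles: one holder each per domain.
"PDC emulator:          $($domain.PDCEmulator)"
"RID master:            $($domain.RIDMaster)"
"Infrastructure master: $($domain.InfrastructureMaster)"

# Global Catalog is not a single-master role; list every DC with its GC status and roles.
Get-ADDomainController -Filter * |
    Select-Object HostName, IsGlobalCatalog, OperationMasterRoles, OperatingSystem

# Functional levels: raising them is one-way (see ATTENTION above), so record them first.
"Domain functional level: $($domain.DomainMode)"
"Forest functional level: $($forest.ForestMode)"

# Experion requires Windows Server 2003 level or higher; flag the levels below that.
$belowRequired = @('Windows2000Domain', 'Windows2003InterimDomain')
if ($belowRequired -contains [string]$domain.DomainMode) {
    Write-Warning "Domain functional level $($domain.DomainMode) is below Windows Server 2003"
}
```

Running this before and after the role transfer in step 4 of the upgrade guideline (section 1.14) confirms that every role has a holder and that the Global Catalog survives the demotion of the old Domain Controller.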
1.12 Domain controllers in an Experion LX FTE network
Domain controller placement
REFERENCE - INTERNAL
• For a basic overview of FTE, refer to the Experion LX FTE Overview and Implementation Guide.
• For Domain Controller topology diagrams, refer to the Network and Security Planning Guide.
In an Experion LX FTE network, the Domain Controller can be an FTE node or a
non-FTE node. A Domain Controller can be placed on level 2 or on level 3 depending on
your site network requirements. For example, if you have PHD integrated with Experion
LX, you can have one Domain Controller as an FTE node at level 2 and another Domain
Controller as a non-FTE node at level 3.
Domain controller as a non-FTE node in an FTE community
When connecting multiple non-FTE Domain Controllers in the same FTE community,
the Domain Controllers themselves must be connected to different legs of the FTE
network tree. For example, connect one non-FTE Domain Controller to the yellow
network and another non-FTE Domain Controller to the green network.
1.13 Domain controller backup strategies
REFERENCE - EXTERNAL
Honeywell does not have any specific recommendations for Domain
Controller backup. Refer to Microsoft documentation.
http://technet.microsoft.com/en-us/library/aa997537(EXCHG.65).aspx
1.14 Guidelines for upgrading a DC
REFERENCE - EXTERNAL
Refer to the following Microsoft documentation:
http://technet.microsoft.com/en-us/library/cc731188(WS.10).aspx
1. Prepare the domain for Windows Server 2008 and Windows Server 2008 R2 Active
Directory –
http://technet.microsoft.com/en-us/library/cc771461(WS.10).aspx
2. Introduce a Windows Server 2008 computer as a member server in the domain.
3. Install Windows Server 2008 or Windows Server 2008 R2 Domain Controller on the
member server.
4. Move required roles from the old (Windows Server 2003) Domain Controller to the
new Domain Controller.
5. On the old Domain Controller, perform the following tasks:
a) Demote the Domain Controller
b) Reload (not upgrade) Windows Server 2008 / Windows Server 2008 R2 OS
c) Promote as peer Domain Controller
2. Domain Controller Installation
2.1 Installing the Windows Server operating system
Installing Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
If the operating system is not installed already, install the operating system. Install
service packs and Windows updates as recommended for Experion LX. Refer to the
Experion LX R110 Software Change Notice.
2.2 Setting local administrator password
For Windows Server 2003, you are prompted to enter the local administrator account and
password when installing the OS.
For Windows Server 2008 /Windows Server 2008 R2, you are prompted to enter the
local administrator account and password during the first log on to Windows after the OS
installation.
To change the password, perform the following steps.
Step 1: Log on to the server as the local Administrator.
Step 2: Press <Ctrl> <Alt> <Delete> and change the password, if necessary.
CAUTION
Record and store the domain Administrator password in a secure place. If
you forget the password, you have to reinstall the OS to recover.
Note: When a member server is promoted to a Domain Controller, the local
accounts database is removed. The local admin account and password
become the domain admin account. In addition, any local accounts on the
server are changed to domain accounts. However, this is only true for the first
Domain Controller in a domain.
2.3 Setting time and date
This is generally done as part of the OS installation. Time is crucial to the domain and
hence, the time and the time zone must be verified before promoting a server to a
Domain Controller.
2.4 Changing the computer name
ATTENTION
This procedure MUST be completed BEFORE promoting the computer to a
Domain Controller, as it would be difficult to do so afterwards.
This is normally done as part of the OS installation. If necessary, you can change the
computer name by performing the following steps:
Step 1
  Windows Server 2003: Log on to the server as the local administrator.
  Windows Server 2008/2008 R2: Log on to the server as the local administrator.
Step 2
  Windows Server 2003: Right-click the My Computer icon on the Start menu and select Properties.
  Windows Server 2008/2008 R2: Choose Start > Administrative Tools > Server Manager.
Step 3
  Windows Server 2003: Select the Computer Name tab and click Change.
  Windows Server 2008/2008 R2: Under Computer Information in the Server Summary, click the Change System Properties link. The System Properties dialog box appears.
Step 4
  Windows Server 2003: Change the computer name of the server.
  Windows Server 2008/2008 R2: Click the Change button. The Computer Name/Domain Changes dialog box appears.
Step 5
  Windows Server 2003: Restart the node.
  Windows Server 2008/2008 R2: In the Computer name box, type the new computer name and then click OK.
Step 6
  Windows Server 2008/2008 R2: If a restart your computer message dialog box appears, click OK.
Step 7
  Windows Server 2008/2008 R2: Click OK in the System Properties
Step 8
  Windows Server 2008/2008 R2: In the restart your computer message dialog box, click Yes to restart the computer. After the computer restarts, an “unable to locate dll” event message may be displayed. This message can be ignored. Click OK to continue.
ATTENTION
It is important to restart the server after changing the name and before
promoting the server to a Domain Controller.
2.5 Configuring the TCP/IP settings
For the actual data that needs to be entered, refer to your Domain Controller
Configuration Data Sheet. Note that Domain Controllers must use static IP addresses.
Step 1
  Windows Server 2003: Log on to the server as the local administrator.
  Windows Server 2008/2008 R2: Log on to the server as the local administrator.
Step 2
  Windows Server 2003: Right-click My Network Places from the Start menu and select Properties.
  Windows Server 2008/2008 R2: Choose Start > Control Panel.
Step 3
  Windows Server 2003: Right-click Local Area Connection and select Properties.
  Windows Server 2008/2008 R2: Do one of the following: If you use the Control Panel Home view, under the Network and Internet section, click View network status and tasks. If you use the Classic View, click Network and Sharing Center.
Step 4
  Windows Server 2003: Double-click Internet Protocol.
  Windows Server 2008/2008 R2: In the Tasks section, click Manage Network Connections.
Step 5
  Windows Server 2003: Select Use the following IP address.
  Windows Server 2008/2008 R2: Right-click Local Area Connection and select Properties.
Step 6
  Windows Server 2003: Enter the IP address.
  Windows Server 2008/2008 R2: Select Internet Protocol Version 4 (TCP/IPv4) and click Properties. Note: Leave the IPv6 address empty.
Step 7
  Windows Server 2003: Enter the Subnet mask.
  Windows Server 2008/2008 R2: Select Use the following IP address.
Step 8
  Windows Server 2003: Enter the Default gateway.
  Windows Server 2008/2008 R2: Enter the IP address.
Step 9
  Windows Server 2003: Select Use the following DNS Server addresses.
  Windows Server 2008/2008 R2: Enter the Subnet mask.
Step 10
  Windows Server 2003: Enter the IP address of the Preferred DNS server (this must be the local address).
  Windows Server 2008/2008 R2: Enter the Default gateway.
Step 11
  Windows Server 2003: Enter the IP address of the Alternate DNS server. Note: If you are installing the first Domain Controller, when using Active Directory integrated DNS, the alternate DNS server must be left blank. Once a Peer Domain Controller running DNS is added to the domain, the alternate DNS server address can be entered. If you are installing a peer Domain Controller running DNS, the Alternate DNS server must be the root Domain Controller that runs DNS.
  Windows Server 2008/2008 R2: Select Use the following DNS Server addresses.
Step 12
  Windows Server 2003: Click OK.
  Windows Server 2008/2008 R2: Enter the IP address of the Preferred DNS server (this must be the local address).
Step 13
  Windows Server 2003: Click OK on the Local Area Connection Properties dialog box.
  Windows Server 2008/2008 R2: Enter the IP address of the Alternate DNS server. Note: If you are installing the first Domain Controller, when using Active Directory integrated DNS, the alternate DNS server must be left blank. Once a Peer Domain Controller running DNS is added to the domain, the alternate DNS server address can be entered. If you are installing a peer Domain Controller running DNS, the Alternate DNS server must be the root Domain Controller that runs DNS.
Step 14
  Windows Server 2003: Physically connect the network (Ethernet) cable(s), if not already connected.
  Windows Server 2008/2008 R2: Click OK.
Step 15
  Windows Server 2008/2008 R2: Click OK on the Local Area Connection Properties dialog box.
Step 16
  Windows Server 2008/2008 R2: Physically connect the network (Ethernet)
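The following PowerShell script is an added example, not from this guide, that checks a server's TCP/IP configuration against the rules in section 2.5 after the steps above have been carried out: the address must be static, the preferred DNS server must be the server's own address, and on the first Domain Controller the alternate DNS server must be left blank. It uses WMI, which is available on Windows Server 2003/2008 without additional modules; the $firstDC flag is an assumption you set for the server being configured.

```powershell
# Added example (not from the Honeywell guide). Uses WMI only; no AD module needed.
# $firstDC is an assumption: $true for the root DC, $false for a peer DC whose
# alternate DNS server should point at the root DC running DNS.
$firstDC = $true

$nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($nic in $nics) {
    # Keep IPv4 only; section 2.5 leaves IPv6 unconfigured.
    $ipv4 = @($nic.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
    # Drop a $null search order so an empty list counts as zero entries.
    $dns  = @($nic.DNSServerSearchOrder | Where-Object { $_ })

    "Adapter: $($nic.Description)"
    "  IPv4: $($ipv4 -join ', ')   DNS servers: $($dns -join ', ')"

    # Domain Controllers must use static IP addresses.
    if ($nic.DHCPEnabled) {
        Write-Warning "  DHCP is enabled on this adapter; a Domain Controller requires a static address"
    }

    # Preferred DNS server (first in the search order) must be the local address.
    if ($dns.Count -eq 0 -or $ipv4 -notcontains $dns[0]) {
        Write-Warning "  Preferred DNS server is not this server's own IPv4 address"
    }

    # First DC with AD-integrated DNS: alternate DNS stays blank until a peer DC runs DNS.
    if ($firstDC -and $dns.Count -gt 1) {
        Write-Warning "  Alternate DNS server is set on the first DC; leave it blank until a peer DC running DNS exists"
    }
}
```

Run it before promoting the server (section 2.6): a DC whose preferred DNS server points elsewhere, or whose address comes from DHCP, is the usual cause of the Locator failures described in section 1.8.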
2.6 Promoting the Windows server to root Domain
Controller
Step 1: Log on to the server as local administrator.
Step 2: To begin the promotion of the standalone Windows Server 2003/2008 server machine to a root or peer Domain Controller, run the Microsoft application dcpromo.exe: Start > Run, type dcpromo, and click OK.
RESULT: The dcpromo application initiates the Active Directory Installation Wizard.
2.7 Installing Active Directory and DNS
At the Active Directory installation wizard, enter the appropriate configuration to install
the Active Directory for a Root Domain Controller and install DNS, if necessary.
Regarding domain naming, refer to the section Support for DNS of this guide.
When installing DNS on a Windows Server 2008/Windows Server 2008 R2, the
installation wizard may display a warning stating that one of the network adapters is not
set to a static IP address. This message can be ignored as long as you have verified the
IPv4 IP address information as mentioned in the section Configuring the TCP/IP settings.
The error message in this situation is based on the IPv6 IP address that is neither
configured nor required to be configured.
ATTENTION
Record and store the Directory Services Restore Mode Administrator
password in a secure place. If you forget the password, authoritative restores
on the domain will not be possible. This is not the same account as the
Domain Administrator.
Refer to the following Microsoft documentation for detailed instructions to Install Active
Directory and DNS:
• Using the Active Directory installation wizard (Windows Server 2003) – http://technet.microsoft.com/en-us/library/cc785263(WS.10).aspx
• Using the Active Directory installation wizard (Windows Server 2008) – WS2008
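The following PowerShell script is an added example, not from this guide, of the same promotion performed by sections 2.6 and 2.7 but driven by a dcpromo answer file (the unattended syntax of Windows Server 2008/2008 R2), so the configuration can be reviewed before it is applied. The domain name, NetBIOS name, functional level and paths are assumptions; take the real values from your Domain Controller Configuration Data Sheet. The Directory Services Restore Mode password is prompted for rather than stored in the script, and the answer file, which must contain it in clear text, is deleted as soon as dcpromo has read it.

```powershell
# Added example (not from the Honeywell guide). All values in the answer file are
# assumptions for illustration; ForestLevel/DomainLevel 3 = Windows Server 2008.
$answerFile = Join-Path $env:TEMP "dcpromo-root.txt"

# DSRM Administrator password: prompt securely, then unwrap it for the answer file only.
$secure = Read-Host -Prompt "Directory Services Restore Mode Administrator password" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=pcn.local
DomainNetbiosName=PCN
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    # dcpromo reads the answer file; RebootOnCompletion=No lets the file be removed first.
    & "$env:SystemRoot\System32\dcpromo.exe" "/unattend:$answerFile"
}
finally {
    # The file holds the DSRM password in clear text: remove it regardless of the outcome.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}

# The promotion takes effect after a restart (section 2.4's "restart before promoting"
# has already been done; this restart completes the promotion itself).
Restart-Computer -Confirm
```

Keeping a reviewed copy of the answer file without the SafeModeAdminPassword line documents exactly how the root Domain Controller was built, which is otherwise hard to reconstruct from a wizard run.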
2.8 Adding Reverse lookup zone to DNS
Using the DNS management application, add a Reverse Lookup Zone:
Start > Administrative Tools > DNS.
Note: The reverse lookup zone for the domain must be a primary zone with “Store
the zone in Active Directory” selected. In addition, once this is complete, the following
command must be executed from the Command prompt on each node in the domain,
including the Domain Controller.
ipconfig /registerdns
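The following PowerShell script is an added example, not from this guide, that performs the same two steps from the command line: it creates the reverse lookup zone as an Active Directory-integrated primary zone with dnscmd (installed with the DNS Server role on Windows Server 2003/2008), verifies it, and then re-registers the node's records with ipconfig /registerdns. The subnet is an assumption; the zone name is derived from it.

```powershell
# Added example (not from the Honeywell guide). The subnet is an assumption.
$subnet = "10.0.0"   # assumed /24 used by the process control network

# Reverse zone name is the subnet octets in reverse order: 10.0.0 -> 0.0.10.in-addr.arpa
$zone = ($subnet.Split('.')[2..0] -join '.') + ".in-addr.arpa"

# /DsPrimary creates a primary zone stored in Active Directory, as the Note above requires
# (the GUI equivalent is the "Store the zone in Active Directory" check box).
& dnscmd.exe /ZoneAdd $zone /DsPrimary

# Confirm the zone exists and is AD-integrated before asking nodes to register in it.
& dnscmd.exe /ZoneInfo $zone

# Re-register this node's A and PTR records; run on every node in the domain,
# the Domain Controller included.
ipconfig /registerdns
```

On Windows Server 2012 and later the DnsServer module offers Add-DnsServerPrimaryZone -NetworkId "10.0.0.0/24" -ReplicationScope Domain for the same zone creation; the ipconfig step is unchanged.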
Refer to Microsoft documentation for detailed instructions to add a reverse lookup zone
to DNS –
• Windows Server 2003 – http://technet.microsoft.com/en-us/library/cc783250(WS.10).aspx
•