Windows Domain/Workgroup

Transcription

1 Process Solutions Experion LX Windows Domain/Workgroup Implementation Guide EXDOC-X148-en-110A R110 February 2014 Release 110

2 Notices and Trademarks Copyright 2014 by International Sarl. Release 110 February 2014 While this information is presented in good faith and believed to be accurate, disclaims the implied warranties of merchantability and fitness for a particular purpose and makes no express warranties except as may be stated in its written agreement with and for its customers. In no event is liable to anyone for any indirect, special or consequential damages. The information and specifications in this document are subject to change without notice., PlantScape, Experion LX, and TotalPlant are registered trademarks of International Inc. Other brand or product names are trademarks of their respective owners. Process Solutions 1860 W. Rose Garden Lane Phoenix, AZ USA ii Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

3 About This Document This document describes how to implement Windows domain/workgroups in Experion LX. Release Information Document Name Document ID Release Number Publication Date Windows Domain/Workgroup Implementation Guide EXDOC-X148-en-110A R110 February 2014 Document Category Configuration References The following list identifies all documents that may be sources of reference for material discussed in this publication. Experion LX Software Installation User s Guide Experion LX Network Security and Planning Guide Experion LX R110 Software Change Notice R110 Experion LX Windows Domain/Workgroup Implementation Guide iii February 2014

4 Support and Other Contacts Support and Other Contacts People s Republic of China Contact: Phone: Mail: Global TAC China (China) Co., Ltd 33/F, Tower A, City Center, 100 Zunyi Rd. Shanghai , People s Republic of China Global-TAC-China@honeywell.com iv Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

5 Symbol Definitions Symbol Definitions The following table lists those symbols used in this document to denote certain conditions. Symbol Definition ATTENTION: Identifies information that requires special consideration. TIP: Identifies advice or hints for the user, often in terms of performing a task. REFERENCE -EXTERNAL: Identifies an additional source of information outside of the bookset. REFERENCE - INTERNAL: Identifies an additional source of information within the bookset. CAUTION Indicates a situation which, if not avoided, may result in equipment or work (data) on the system being damaged or lost, or may result in the inability to properly operate the process. CAUTION: Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury. It may also be used to alert against unsafe practices. CAUTION symbol on the equipment refers the user to the product manual for additional information. The symbol appears next to required information in the manual. WARNING: Indicates a potentially hazardous situation, which, if not avoided, could result in serious injury or death. WARNING symbol on the equipment refers the user to the product manual for additional information. The symbol appears next to required information in the manual. WARNING, Risk of electrical shock: Potential shock hazard where HAZARDOUS LIVE voltages greater than 30 Vrms, 42.4 Vpeak, or 60 VDC may be accessible. R110 Experion LX Windows Domain/Workgroup Implementation Guide v February 2014

6 Symbol Definitions Symbol Definition ESD HAZARD: Danger of an electro-static discharge to which equipment may be sensitive. Observe precautions for handling electrostatic sensitive devices. Protective Earth (PE) terminal: Provided for connection of the protective earth (green or green/yellow) supply system conductor. Functional earth terminal: Used for non-safety purposes such as noise immunity improvement. NOTE: This connection shall be bonded to Protective Earth at the source of supply in accordance with national local electrical code requirements. Earth Ground: Functional earth connection. NOTE: This connection shall be bonded to Protective Earth at the source of supply in accordance with national and local electrical code requirements. Chassis Ground: Identifies a connection to the chassis or frame of the equipment shall be bonded to Protective Earth at the source of supply in accordance with national and local electrical code requirements. vi Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

7 Contents 1. PLANNING A WINDOWS DOMAIN/WORKGROUP Overview of Windows domain Overview of a Windows Workgroup Overview of a Domain Controller System requirements for a Domain Controller Overview of a Read-only Domain Controller Choosing the right OS for a Domain Controller Software requirements for implementing a domain in Experion LX Active Directory and its components Overview of Active Directory Overview of domain trees Overview of Forests Overview of Organizational Units Considerations for using a single domain with multiple OUs TPS domains as Organizational Units Overview of sites Group Policy Overview of Group Policy Computer Configuration Settings User Configuration Settings Controlling the scope of GPOs Experion LX Group Policy descriptions Domain Users, Computers, and Groups User Account Computer Account Groups Distribution Groups Group Scope Support for DNS DNS as a name resolution service DNS deployment DNS integration with Active Directory DNS naming conventions BDNS tools Active Directory replication Multiple Domain Controllers in a domain R110 Experion LX Windows Domain/Workgroup Implementation Guide vii February 2014

8 Contents 1.11 Functional levels in Active Directory Domain controllers in a Experion LX FTE network Domain controller placement Domain controller as a non-fte node in an FTE community Domain controller backup strategies Guidelines for upgrading a DC DOMAIN CONTROLLER INSTALLATION Installing the Windows Server operating system Installing Windows Server 2003, Windows Server 2008, Windows Server 2008 R Setting local administrator password Setting time and date Changing the computer name Configuring the TCP/IP settings Promoting the Windows server to root Domain Controller Installing Active Directory and DNS Adding Reverse lookup zone to DNS Installing the Domain Controller package Domain Controller Security on Windows Server 2003/ 2008/ 2008 R Install domain security, optional components on Windows server Domain Controller Security and Optional Component Installation SET UP A WINDOWS DOMAIN ENVIRONMENT Creating Active Directory users and groups Create a user Create a group Change group membership Creating Organizational Units (OUs) Create a TPS Domain OU Create a Experion LX/TPS domain OU or a console OU within a TPS domain OU Creating a Group Policy INTEGRATING COMPUTERS INTO A WINDOWS DOMAIN viii Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

9 Contents 4.1 Adding a node to a Windows domain Adding global Experion LX domain account groups to local account groups on this computer SET UP A WINDOWS WORKGROUP ENVIRONMENT Creating Windows Workgroup users and groups REVIEW HONEYWELL SECURITY TEMPLATE Reviewing security templates in domain/workgroup environment SET UP TIME SYNCHRONIZATION About time synchronization in a domain SECURING THE OPERATING SYSTEM Using login scripts Station command line options Lock Station in full screen mode and disabling menus Example script: Starting Station Assign logon scripts to domain groups and users using group policy Assign logon scripts to individual domain accounts Assign logon scripts to local accounts Removing access to Task Manager, Windows Explorer, Internet Explorer Setting up automatic logon Set up automatic logon in a domain Set up automatic logon in a workgroup Preventing operator shut down Disabling the lock computer option MANAGING DOMAINS AND WORKGROUPS Installing a peer Domain Controller Overview Considerations and Prerequisites Managing Group/domain policy R110 Experion LX Windows Domain/Workgroup Implementation Guide ix February 2014

10 Contents Overview Edit a Group Policy Copy a group policy Move a group policy from the default domain to OUs Managing Security Renaming a Domain Controller Removing a Domain Controller ADVANCED DOMAIN ADMINISTRATION Troubleshooting Group Policy Objects Overview Resultant Set of Policy Using gpupdate and gpresult gpupdate gpresult DNS Recommendations for large FTE networks Overview Recommendation APPENDIX Experion LX domain group policy settings Workstation Security Settings Security Model Specific Permissions Local Policy Settings x Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

11 Contents Figures Figure 1 Windows domain Figure 2 Domain controller Figure 3 Contiguous namespace of a tree Figure 4 Non-contiguous namespace of a forest Figure 5 Group Policy objects R110 Experion LX Windows Domain/Workgroup Implementation Guide xi February 2014

12 Contents xii Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

13 1. Planning a Windows Domain/Workgroup 1.1 Overview of Windows domain A Windows domain is a logical group of computers that are managed by a central database that is used for control user access and resource access. The central database is known as Active Directory. Active Directory uses a structured database as the basis for describing both the logical and physical design of the network in a hierarchical format. Active Directory contains information about the users and resources that are controlled in the Domain. This design allows administrators to define security permissions for users and the resources that they have access to. Each domain has at least one server running as a Domain Controller, which holds the database for the domain. The Domain Controller is used for managing all security-related aspects between users and resources, centralizing security and administration. Both windows computers and non-windows computers can be part of the domain. A Windows domain can be used by any size organization and its design allows a single domain to be used for managing multiple physical locations that could be located anywhere across the world. The following figure shows a typical Windows domain: Figure 1 Windows domain R110 Experion LX Windows Domain/Workgroup Implementation Guide 13 February 2014

14 1. Planning a Windows Domain/Workgroup 1.2. Overview of a Windows Workgroup REFERENCE - EXTERNAL For detailed description about the Windows domain concepts, refer to the following Microsoft documentation Overview of a Windows Workgroup A Windows workgroup is a group of standalone computers in a peer-to-peer network. Each computer in the workgroup uses its own local accounts database to authenticate resource access. The computers in a workgroup also do not have a common authentication process. The default-networking environment for a clean windows load is workgroup. In general, a workgroup environment is most appropriate for networks with a small number of computers (say, less than 10); all located in the same general area. The computers in a workgroup are considered peers because they are all equal and share resources among each other without requiring a server. Since the workgroup does not share a common security and resource database, users and resources must be defined on each computer. This increases administration overhead since common user accounts must be created on every computer that holds a resource that the user account requires access to. Resources can be shared across the workgroup but this requires common user accounts that have the same password. The main disadvantages of workgroups are: If a user account will be used for accessing resources on multiple machines, the user account will need to be created on those machines this requires that the same username and password be used. The low security protocol used for authentication between nodes Desktop computers have a fixed limit of 10 connections. Note that this is in reference to connections to an individual desktop. 14 Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

15 1. Planning a Windows Domain/Workgroup 1.3. Overview of a Domain Controller 1.3 Overview of a Domain Controller The Domain Controller for Experion LX is a server machine that: Runs on a Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 operating system Stores the read-write copy of the Active Directory database Manages the following user and domain interactions: User account control Resource control You must setup at least one Domain Controller in every Windows domain. The following figure shows the Domain Controller in a Windows domain: Figure 2 Domain controller REFERENCE - EXTERNAL For more information about implementing a Windows Domain Controller, refer to the following Microsoft documentation: R110 Experion LX Windows Domain/Workgroup Implementation Guide 15 February 2014

16 1. Planning a Windows Domain/Workgroup 1.4. System requirements for a Domain Controller 1.4 System requirements for a Domain Controller The following is a list of minimum system requirements for a basic Domain Controller in Experion LX. Component Windows Server bit Windows Server bit Windows Server 2008 R2 64-bit Computer and processor Server Computer with a 133-MHz processor Server Computer with a Minimum 1GHz processor x64, 1.4 GHz if single core, 1.3GHz if multi core Memory 128 MB RAM 512 MB RAM 512 MB RAM Hard disk 1.5 GB available hard-disk space 20 GB available hard-disk space 32 GB available hard-disk space ATTENTION qualified this document with the Standard Editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. Although, Windows Server 2003 R2 may work as a Domain Controller in Experion LX, has not explicitly qualified the configuration. qualified this document with the following operating systems. Windows Server bit Windows Server bit Windows Server 2008 R2 64-bit The following versions of Windows are qualified for use as Domain Controllers. Windows Server bit Windows Server bit Windows Server 2008 R2 64-bit Refer to Microsoft documentation if you want requirements from a performance perspective. For a Windows Server 2008/Windows Server 2008 R2 Domain Controller system requirements, refer to 16 Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

17 1. Planning a Windows Domain/Workgroup 1.4. System requirements for a Domain Controller Overview of a Read-only Domain Controller With Windows Server 2008, Microsoft introduced the concept of a Read-only Domain Controller (RODC). An RODC is a server that performs most of the functions of a normal Domain Controller, except that, it forwards Active Directory updates to a writable Domain Controller. This is well suited in sites where the organization requires the Domain Controller to reside in levels above the process control network for security and/or administrative purposes. Adding an RODC to the PCN can preserve these purposes while providing a local source of authentication for performance and reliability reasons: With the RODC local to the PCN, link speeds and firewall traversals to remote Domain Controllers do not affect performance. If the PCN becomes isolated from the IT network where the normal Domain Controller resides, access to the PCN is not impacted. Choosing the right OS for a Domain Controller Choosing the OS for a Domain Controller depends on your organization requirements. Experion LX R110 supports Domain Controllers running Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. However, if you are installing a new Domain Controller, choose Windows Server 2008, as it is the current supported version. If you already have a Windows Server 2003 DC, you can continue to use that, or choose to upgrade to Windows Server There are some limitations when selecting the OS for the Domain Controller. Windows Server 2008 can host the Experion LX R110 Domain Controller Security Package, optionally FTE. Windows Server 2003 or Windows Server 2008 R2 domain controllers can host the Experion LX R110 Domain Controller Security Package. However, they cannot host FTE. REFERENCE - EXTERNAL To understand the changes in functionality for Windows Server 2008 and Windows Server 2008 R2, refer to the following Microsoft documentation: Software requirements for implementing a domain in Experion LX To implement a domain in Experion LX, you need the following media/software: Operating System media (Windows Server 2003 or Windows Server 2008 or Windows Server 2008 R2) R110 Experion LX Windows Domain/Workgroup Implementation Guide 17 February 2014

18 1. Planning a Windows Domain/Workgroup 1.4. System requirements for a Domain Controller Experion LX Installation media Domain Controller Package FTE (optional) 18 Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

19 1. Planning a Windows Domain/Workgroup 1.5. Active Directory and its components 1.5 Active Directory and its components Overview of Active Directory The Active Directory directory service is a distributed database that stores and manages information about network resources and application-specific data from directoryenabled applications. Active Directory allows administrators to organize objects of a network (such as users, computers, and devices) into a hierarchical collection of containers known as the logical structure. The following are the logical components of an Active Directory: Domain trees Forests Domains Organizational Units (OUs) Site Objects REFERENCE - INTERNAL Refer to the following Microsoft documentation: For information on Active Directory structure and its components For information on Active Directory Domain Services server role in Windows Server 2008 and Windows Server 2008 R2 Overview of domain trees A domain tree is a collection of domains that share a contiguous namespace. The tree structure starts with a single root domain and branches out into child domains. The first Active Directory domain created becomes the root of the domain tree structure. The other domains created later become the child domains. The name of the tree is always the DNS name of the root domain. The child domains are always in the same DNS name space as the root domain. Note that the Domain Controllers in the child domains are not peer Domain Controllers of the Domain Controllers in the root domain. R110 Experion LX Windows Domain/Workgroup Implementation Guide 19 February 2014

20 1. Planning a Windows Domain/Workgroup 1.5. Active Directory and its components The following figure shows the contiguous namespace of a tree structure: Figure 3 Contiguous namespace of a tree The main reason for creating multiple domains is the management of the domain structure. Most settings are bound by the domain security boundary like password policies. In addition, all child domains have transitive trusts with other domains in the same tree. The following are additional reasons for creating multiple domains in a network: To manage different organizations or to provide unit identities To enforce different security settings and password policies To control Active Directory replication To de-centralize administration 20 Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

21 1. Planning a Windows Domain/Workgroup 1.5. Active Directory and its components Overview of Forests By strict definition, the first Domain Controller in a domain is the forest root. A forest does not require multiple trees, but can have other trees with a non-contiguous name space. Forests act independently of each other but can trust each other. Forests are defined as: Collections of domain containers that trust each other Units of replication Security boundaries Units of delegation REFERENCE - INTERNAL For information, see What are forests? in the following Microsoft documentation The following are the characteristics of a child domain in a forest structure. Can have a non-contiguous with the root domain Each domain tree operates independently belongs to the same network The following figure shows the non-contiguous namespace of a forest structure: Figure 4 Non-contiguous namespace of a forest Overview of Organizational Units An OU is an Active Directory container. You can place domain objects like users, groups, computers, and other OUs in an OU. An OU cannot contain objects from other domains. The domain for any organization can enlarge and becomes difficult to manage. R110 Experion LX Windows Domain/Workgroup Implementation Guide 21 February 2014

22 1. Planning a Windows Domain/Workgroup 1.5. Active Directory and its components Using OUs, you can breakdown a very large domain into smaller units to ease management. You can arrange the OUs hierarchically in a tree-like structure. An organization can divide a large domain into OUs based on their department. For example, within business.com, an OU can be created each for Sales, Support, Marketing, Development, and Q/A. An organization can extend the hierarchy of OUs, as required by the organization s hierarchy within a domain. The OUs created in a domain helps to reduce the number of domains required for a network. OUs can be used for delegating administrative control over objects contained in them to a subset of users in Active Directory. For instance, the domain administrator needs to designate one person in each department as the official Password Change Administrator. This reduces the administrative load. The domain administrator can delegate the authority to modify users' passwords to each user over only their respective OU. OUs can also be used for easy administration by grouping like objects together, which can then be used for applying security settings contained in Group Policy Objects. REFERENCE - EXTERNAL For more information about OUs, refer the following Microsoft documentation Considerations for using a single domain with multiple OUs recommends that you use a single domain with multiple OUs. The OUs created in the domain are visible to the Experion LX Network Tree. OUs provide a means for logical grouping of domain objects that have a similar function. TPS domains as Organizational Units TPS domains are created as Windows Server 2003/2008 Organizational Units (OUs). The Active Directory Users and Computers snap-in in Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, which is used for administering domains, can be modified to designate an OU as a TPS domain. Overview of sites Sites represent the physical structure of your network, while domains represent the logical structure of your organization. In Active Directory, a site is a set of computers that are well connected by a high-speed network, such as a local area network (LAN). All computers within the same site typically reside in the same building, or on the same campus network. A single site consists of one or more Internet Protocol (IP) subnets. 22 Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

23 1. Planning a Windows Domain/Workgroup 1.5. Active Directory and its components Subnets are subdivisions of an IP network, with each subnet possessing its own unique network address. Use of sites allows administrators greater control of domain replication traffic across the entire domain. In addition, Group Policy Objects can also be applied to the site. Refer to the following Microsoft documentation for more information: R110 Experion LX Windows Domain/Workgroup Implementation Guide 23 February 2014

24 1. Planning a Windows Domain/Workgroup 1.6. Group Policy 1.6 Group Policy Overview of Group Policy Group Policy is an infrastructure used for delivering and applying one or more configurations/policy settings to the users and the computers within an Active Directory environment. The Group Policy Objects (GPOs) contain the Group Policy settings. You can link GPOs in a domain to sites, domains, or OUs. An organization can have different types of users. For example, you want to deliver and maintain a customized desktop configuration for different types of users, such as operators who do not require access to Internet Explorer, but Engineers and Administrators need access to Internet Explorer. Group Policy helps in applying a customized configuration to a group of users. The following figure shows the customized group policies assigned to the OUs within a domain: Figure 5 Group Policy objects You can infer the following from the preceding figure: The Admin Policy is applied to the Administration OU. The Engineering Policy is applied to the Engineering OU. The Operations Policy is applied to the Operations OU. The Hardware Engineering Policy and the Engineering Policy are applied to the Hardware Engineering OU. The members in each OU receive the Group Policy assigned to their respective OU. 24 Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

25 1. Planning a Windows Domain/Workgroup 1.6. Group Policy When you link GPOs to sites, domains, or OUs, the GPO links affect users and computers in the following ways: GPOs are applied to the domain object by the closest linked GPO in the domain hierarchy. Site>Domain>OU>Domain Object, meaning if there were linked GPOs that conflicted with each other at each level, the GPO applied is at the OU level. A GPO linked to a domain applies to all users and computers in the domain. By default, any domain object in an OU will have the domain GPO applied. The policies linked at the domain level are not applicable to child domains. The scope of a GPO can also be controlled. Refer to the topic Controlling the scope of GPOs for more information. Group Policy includes the following types of policy settings: Computer Configuration Settings User Configuration Settings Computer Configuration Settings The Computer Configuration Settings contain policy settings that affect computers, regardless of who logs on to the computers. The following are the computer-related policies specified in the Computer Configuration settings: Operating system behavior Desktop behavior Application settings Security settings Assigned software applications Computer startup and shutdown scripts Computer-related policy settings are applied: when the machine is restarted during a periodic refresh of the Group Policy Note: The Administrator can also apply the computer-related policy settings manually. R110 Experion LX Windows Domain/Workgroup Implementation Guide 25 February 2014

26 1. Planning a Windows Domain/Workgroup 1.6. Group Policy User Configuration Settings The User Configuration Settings contain policy settings that affect users, regardless of which computer they log on to. The following are the user-related policies specified in the User Configuration settings: Operating system related settings Desktop settings Application settings Security settings Assigned and published software applications User logon and logoff scripts Folder redirection options User-related policy settings are applied: when the users log on to the computer during the periodic refresh of the Group Policy Note: The Administrator can also apply the user-related policy settings manually. The Group Policy Management Console is used for viewing and editing the Group Policy Settings. The settings under Computer Configuration are applied to all computers that have this Group Policy enforced on them. The settings under User Configuration are applied to all users that have this Group Policy enforced on them. ATTENTION A GPO with settings limited to computer configuration does not have any effect when it is applied to a user. A GPO with settings limited to user configuration does not have any effect when it is applied to a computer. Controlling the scope of GPOs GPOs are applied to users and computers. To apply a GPO to a user or computer, you must first link the GPO with a domain, an OU, or a site. You can control the scope of GPOs in the following ways Change the default order in which GPOs are processed (by changing the GPO link order) Block a GPO inheritance (by disabling a GPO link or by enforcing (previously known as no override) a GPO) 26 Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

27 1. Planning a Windows Domain/Workgroup 1.7. Domain Users, Computers, and Groups Security and WMI filtering (for applying greater precision) Loopback processing (applying a consistent set of policies to any user logging on to a computer) For more information, refer to the following Microsoft documentation: Experion LX Group Policy descriptions The following table lists the Group Policy Objects (GPOs) that the Experion LX PKS High Security Domain Controller package creates in Active Directory, and the corresponding Global Group that is used for "filter" the scope of the group object. Group Policy Name Product Administrator Role Engineering Role Operational Roles Filter (Global Group) DCS Administrators Engineers Operators, Supervisors, View only users, ACK view only users Description A minimally restricted user environment. This account is typically used for day-to-day DCS administrative tasks for Windows 7/2008. A restricted user environment that allows members to perform relevant process control activities. Administrative actions in the Windows 7/2008 environment are limited. A very restricted user environment that permits members of this group to run only allowed applications. Typically, members of this group have a specified logon script that automatically starts relevant applications. Usage of the Microsoft Internet Explorer browser is limited to intranet or local applications. For more information on Group Policy, refer to Creating a Group Policy and Managing Group/domain policy in this guide. R110 Experion LX Windows Domain/Workgroup Implementation Guide 27 February 2014

28 1. Planning a Windows Domain/Workgroup 1.7. Domain Users, Computers, and Groups 1.7 Domain Users, Computers, and Groups User Account An Active Directory user account is used for authenticating the domain, which then allows access to domain resources. This account provides an identity on the network for the user. The operating system uses this identity for the following purposes: To authenticate the user To grant access privileges to specific domain resources To enable user authentication and authorization features, perform the following: Create an individual user account for each user on the network. Assign appropriate group membership to the user. Assign appropriate rights and permissions to each group. TIP Although rights and permissions can be assigned directly to user accounts, it is a best practice to assign rights and permissions to groups and put individual user accounts in those groups. Computer Account Every computer that is part of the domain has a specific computer account. This account is created automatically when a computer is added to the domain. However, this account can also be created before the computer joins the domain. The computer account provides the following: Authenticates the computer to access the network Audits the computer s access to the network and the domain resources Groups A Group is an Active Directory container object. The Group can contain users, contacts, computers, and other groups. The following are the two different types of Groups: Distribution Groups Security Groups Distribution Groups Distribution Groups have only one function that is creating distribution lists. Distribution Groups can be used with applications (like Microsoft Exchange) to send to the members of the group. Changing group membership follows the same process as Security Groups. Distribution groups cannot be used to apply security. 28 Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

29 1. Planning a Windows Domain/Workgroup 1.7. Domain Users, Computers, and Groups ATTENTION does not recommend the usage of on the Process Control Domain used by Experion LX and TPS. Security Groups Security Groups are an essential component of the relationship between users and resources. Security Groups perform the following functions: Manages user and computer access to the shared resources on the domain Filters Group Policy settings Security groups can contain users, computers, and other groups. Using Security Groups simplifies security administration by letting you assign permissions to the group rather than assigning permissions to the individual users. When you add a new user to the group, the user receives all access permissions assigned to the security group. Group Scope Every security group or distribution group has a defined scope, which determines to what extent the group is applied. The following are the different scopes that can be applied to a group: Universal indicates that a group can be assigned permissions in any domain or any trusted forest. Global indicates that a group can be assigned permissions in any domain. Domain local indicates that a group can be assigned permissions within the same domain. For more information on Group Scope, refer to the following Microsoft documentation: R110 Experion LX Windows Domain/Workgroup Implementation Guide 29 February 2014

30 1. Planning a Windows Domain/Workgroup 1.8. Support for DNS 1.8 Support for DNS DNS as a name resolution service Domain Name System (DNS) is the default name resolution service in a Windows Server 2003/2008 network. It is part of the TCP/IP protocol suite and all TCP/IP network connections by default, are configured with the IP address of one or more DNS Servers. For more information on DNS, refer to the following Microsoft documentation: What is DNS? DNS deployment DNS can be deployed in two ways with Active Directory support and without Active Directory support. It is deployed without Active Directory support if you want to host information outside of the domain environment. For domains in Experion LX, DNS must be deployed with Active Directory support. When deployed with Active Directory, the Active Directory service uses DNS as its Domain Controller location mechanism. For example, when an Active Directory user logs in to a domain, the user s computer uses DNS to locate a Domain Controller in the Active Directory domain. For more information on how DNS works, refer to the following Microsoft documentation: DNS integration with Active Directory Active Directory uses DNS as a Domain Controller locator and uses DNS domain naming system in the architecture of Active Directory domains. Active Directory depends on the following components of DNS: Domain controller locator (Locator) Active Directory domain names in DNS Active Directory DNS objects For more information on DNS integration with Active Directory, refer to the following Microsoft documentation: How DNS support for Active Directory works: DNS integration: 30 Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

31 1. Planning a Windows Domain/Workgroup 1.9. Active Directory replication DNS naming conventions The following are some of the DNS requirements for Active Directory hierarchy: A node in the DNS hierarchy must be a domain or a computer A child domain cannot have more than one parent domain Two child domains of a parent domain cannot have identical names For more information on DNS naming conventions, refer to the following Microsoft documentation: ATTENTION Domain names must have a domain designator like.com,.org, or.local. Domain names without domain designators will cause name resolution issues on the network. BDNS tools A variety of tools is associated with DNS for use with Active Directory. The DNS management application and the command line utilities nslookup and ipconfig are some of the examples. For more information, refer to the following Microsoft documentation: DNS tools and settings DNS support for Active Directory tools and settings Active Directory replication Active Directory replication is the means by which changes to directory data are transferred between Domain Controllers in an Active Directory forest. The Active Directory replication model defines mechanisms to transfer directory updates automatically between Domain Controllers, thereby providing a seamless replication solution for the Active Directory database. For more information, refer to the following Microsoft documentation: Active Directory Replication Model Technical Reference R110 Experion LX Windows Domain/Workgroup Implementation Guide 31 February 2014

32 1. Planning a Windows Domain/Workgroup Multiple Domain Controllers in a domain 1.10 Multiple Domain Controllers in a domain A domain can have multiple Domain Controllers. Multiple Domain Controllers in a domain provide the following benefits: Improves availability and reliability of the domain by allowing the domain to continue operation if at least one Domain Controller is operational and available to the process control network Improves the performance by sharing the load across multiple Domain Controllers When there are multiple Domain Controllers in a domain, all Domain Controllers are peers. All Domain Controllers in a domain have read/write copies of the domain database. You can setup an additional Domain Controller (Peer Domain Controller) through the Active Directory installation wizard in one of the following ways: Over the network By restoring an existing Domain Controller backup Although all Domain Controllers in a domain are peers, some domain operations require a single Domain Controller to perform a specific function. To perform these specific functions, Domain Controllers are assigned specialized roles known as Flexible Single Master Operations (FSMO) roles. The Domain Controller Flexible Single Master Operation roles are: Schema master Domain naming master Primary Domain Controller (PDC) emulator Infrastructure master Relative ID (RID) master Another Domain Controller role is Global Catalog Server. This role can be run on multiple Domain Controllers in a domain. There is at least one Global Catalog Server per domain. The first Domain Controller in the forest automatically holds all five FSMO roles and is a Global Catalog Server. When peer Domain Controllers are introduced into the domain, the FSMO roles can be redistributed to different Domain Controllers. Refer to the following Microsoft documentation for more information on Domain Controller roles: 32 Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

33 1. Planning a Windows Domain/Workgroup Functional levels in Active Directory 1.11 Functional levels in Active Directory Functional level is defined as the set of advanced Active Directory features and Windows operating systems that can run on Domain Controllers in a domain or a forest. This is essential for efficient Active Directory replication and domain renaming activities. The Windows Server 2003 Active Directory service enables you to introduce advanced features into your environment by raising the domain or forest functional level. You can raise the functional level when all Domain Controllers in the domain or forest are running an appropriate version of Windows. Raising the functional level allows you to introduce new features but also limits the versions of Windows that can run on Domain Controllers in your environment. ATTENTION Experion requires functional level Windows Server 2003/2008 or higher. For more information about functional levels in a forest or a domain, refer to the following Microsoft documentation: For information on how to raise functional levels in a forest or a domain, refer to the following Microsoft documentation: ATTENTION Functional levels define a set of operating systems only for the Domain Controllers in a domain or a forest. It does not define the client operating systems in a domain or a forest. Before raising the functional level for a domain, or a forest, assess your requirements appropriately. Once raised, you cannot lower the functional level for a domain or a forest. R110 Experion LX Windows Domain/Workgroup Implementation Guide 33 February 2014

34 1. Planning a Windows Domain/Workgroup Domain controllers in a Experion LX FTE network 1.12 Domain controllers in a Experion LX FTE network Domain controller placement REFERENCE - INTERNAL For a basic overview of FTE, refer to the Experion LX FTE Overview and Implementation Guide. For Domain Controller topology diagrams, refer to the Network and Security Planning Guide. In a Experion LX FTE network, the Domain Controller can be an FTE node or a non- FTE node. A Domain Controller can be placed on level 2 or on level 3 depending on your site network requirements. For example, if you have PHD integrated with Experion LX, you can have one Domain Controller as an FTE node at level 2 and another Domain Controller as a non-fte node at level 3. Domain controller as a non-fte node in an FTE community When connecting multiple non-fte Domain Controllers in the same FTE community, the Domain Controllers themselves must be connected to different legs of the FTE network tree. An example of this is, connecting one non-fte Domain Controller to the yellow network and another non-fte Domain Controller to the green network Domain controller backup strategies REFERENCE - EXTERNAL does not have any specific recommendations for Domain Controller backup. Refer to Microsoft documentation Guidelines for upgrading a DC REFERENCE - EXTERNAL Refer to the following Microsoft documentation: This activity requires sufficient planning before execution. The following is a summary of tasks that need to be performed for upgrading a Windows Server 2003 Domain Controller to a Windows Server 2008 and Windows Server 2008 R2 Domain Controller. 34 Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

35 1. Planning a Windows Domain/Workgroup Guidelines for upgrading a DC 1. Prepare the domain for Windows Server 2008 and Windows Server 2008 R2 Active Directory 2. Introduce a Windows Server 2008 computer as a member server in the domain. 3. Install Windows Server 2008 or Windows Server 2008 R2 Domain Controller on the member server. 4. Move required roles from the old (Windows Server 2003) Domain Controller to the new Domain Controller. 5. On the old Domain Controller, perform the following tasks: a) Demote the Domain Controller b) Reload (not upgrade) Windows Server 2008 / Windows Server 2008 R2 OS c) Promote as peer Domain Controller d) Move back any of the required roles R110 Experion LX Windows Domain/Workgroup Implementation Guide 35 February 2014

36 1. Planning a Windows Domain/Workgroup Guidelines for upgrading a DC 36 Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

37 2. Domain Controller Installation 2.1 Installing the Windows Server operating system Installing Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 If the operating system is not installed already, install the operating system. Install service packs and Windows updates as recommended for Experion LX. Refer to the Experion LX R110 Software Change Notice. 2.2 Setting local administrator password For Windows Server 2003, you are prompted to enter the local administrator account and password when installing the OS. For Windows Server 2008 /Windows Server 2008 R2, you are prompted to enter the local administrator account and password during the first log on to Windows after the OS installation. To change the password, perform the following steps. Step Action 1 Log on to the server as the local Administrator. 2 Press <Ctrl> <Alt> <Delete> and change the password, if necessary. CAUTION Record and store the domain Administrator password in a secure place. If you forget the password, you have to reinstall the OS to recover. Note: When a member server is promoted to a Domain Controller, the local accounts database is removed. The local admin account and password become the domain admin account. In addition, any local accounts on the server are changed to domain accounts. However, this is only true for the first Domain Controller in a domain. 2.3 Setting time and date This is generally done as part of the OS installation. Time is crucial to the domain and hence, the time and the time zone must be verified before promoting a server to a Domain Controller. R110 Experion LX Windows Domain/Workgroup Implementation Guide 37 February 2014

38 2. Domain Controller Installation 2.4. Changing the computer name 2.4 Changing the computer name ATTENTION This procedure MUST be completed BEFORE promoting the computer to a Domain Controller, as it would be difficult to do so afterwards. This is normally done as part of the OS installation. If necessary, you can change the computer name by performing the following steps: Step Windows Server 2003 Windows Server 2008/Windows Server 2008 R2 1 Log on to the server as the local administrator. 2 Right-click the My Computer icon on Start menu and select Properties. 3 Select the Computer Name tab and click Change. 4 Change the computer name of the server. Log on to the server as local administrator. Choose Start > Administrative Tools > Server Manager. Under Computer Information in the Server Summary, click the Change System Properties link. The System Properties dialog box appears. Click the Change button. The Computer Name/Domain Changes dialog box appears. 5 Restart the node. In the Computer name box, type the new computer and then click OK. 6 If a restart your computer message dialog box appears, click OK. 7 Click OK in the System Properties dialog box. 38 Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014

39 2. Domain Controller Installation 2.5. Configuring the TCP/IP settings Step Windows Server 2003 Windows Server 2008/Windows Server 2008 R2 8 In the restart your computer message dialog box, click Yes to restart the computer. After the computer restarts, an unable to locate dll event message may be displayed. This message can be ignored. Click OK to continue. ATTENTION It is important to restart the server after changing the name and before promoting the server to a Domain Controller. 2.5 Configuring the TCP/IP settings For the actual data that needs to be entered, refer to your Domain Controller Configuration Data Sheet. Note that Domain Controllers must use static IP addresses. Step Windows Server 2003 Windows Server 2008/Windows Server 2008 R2 1 Log on to the server as the local administrator. 2 Right-click My Network Places from the Start menu and select Properties. 3 Right-click Local Area Connection and select Properties. Log on to the server as the local administrator. Choose Start > Control Panel. Do one of the following: If you use the Control Panel Home view, under the Network and Internet section, click View network status and tasks. If you use the Classic View, click Network and Sharing Center. 4 Double-click Internet Protocol. In the Tasks section, click Manage Network Connections. 5 Select Use the following IP address. Right-click Local Area Connection and select Properties. R110 Experion LX Windows Domain/Workgroup Implementation Guide 39 February 2014

40 2. Domain Controller Installation 2.5. Configuring the TCP/IP settings Step Windows Server 2003 Windows Server 2008/Windows Server 2008 R2 6 Enter the IP address. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties. Note: Leave the IPv6 address empty. 7 Enter the Subnet mask. Select Use the following IP address. 8 Enter the Default gateway. Enter the IP address. 9 Select the Use the following DNS Server addresses. 10 Enter the IP address of the Preferred DNS server (this must be local address). 11 Enter the IP address of the Alternate DNS server. Note: If you are installing the first Domain Controller, when using Active Directory integrated DNS, the alternate DNS server must be left blank. Once a Peer Domain Controller running DNS is added to the domain, the alternate DNS server address can be entered. If you are installing a peer Domain Controller running DNS, the Alternate DNS server must be the root Domain Controller that runs DNS. Enter the Subnet mask. Enter the Default gateway. Select the Use the following DNS Server addresses. 12 Click OK. Enter the IP address of the Preferred DNS server (this must be local address). 13 Click OK on the Local Area Connection Properties dialog box. Enter the IP address of the Alternate DNS server. Note: If you are installing the first Domain Controller, when using Active Directory integrated DNS, the alternate DNS server must be left blank. Once a Peer Domain Controller running DNS is added to the domain, the alternate DNS server address can be entered. If you are installing a peer Domain 40 Experion LX Windows Domain/Workgroup Implementation Guide R110 February 2014