Installation and Upgrade. Guide. For PI Asset Framework included with PI Server 2014 R2

Transcription

1 Installation and Upgrade Guide For PI Asset Framework included with PI Server 2014 R2

2 OSIsoft, LLC 777 Davis St., Suite 250 San Leandro, CA USA Tel: (01) Fax: (01) Web: PI Asset Framework Installation and Upgrade Guide by OSIsoft, LLC. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, mechanical, photocopying, recording, or otherwise, without the prior written permission of OSIsoft, LLC. OSIsoft, the OSIsoft logo and logotype, PI Analytics, PI ProcessBook, PI DataLink, ProcessPoint, PI Asset Framework (PI AF), IT Monitor, MCN Health Monitor, PI System, PI ActiveView, PI ACE, PI AlarmView, PI BatchView, PI Coresight, PI Data Services, PI Event Frames, PI Manual Logger, PI ProfileView, PI Web API, PI WebParts, ProTRAQ, RLINK, RtAnalytics, RtBaseline, RtPortal, RtPM, RtReports and RtWebParts are all trademarks of OSIsoft, LLC. All other trademarks or trade names used herein are the property of their respective owners. U.S. GOVERNMENT RIGHTS Use, duplication or disclosure by the U.S. Government is subject to restrictions set forth in the OSIsoft, LLC license agreement and as provided in DFARS , DFARS , FAR , FAR , as applicable. OSIsoft, LLC. Version: Published: July 2014

3 Contents PI Asset Framework deployment...1 PI System components... 1 PI Server and PI Asset Framework (PI AF)... 2 PI AF architecture... 3 PI Server, PI AF server, and SQL Server configuration options... 3 Small system, single PI Server... 4 Larger, higher performance PI System... 4 Distributed, highly available PI System... 5 PI AF deployment options... 5 Simple PI AF deployment... 6 PI AF on a mirrored SQL Server...7 PI AF server in a failover cluster...7 PI AF collectives... 8 Deployment considerations for PI AF...10 Frequently asked questions about PI AF deployment PI AF high availability solutions...12 Microsoft SQL Server-based high-availability solutions...12 PI AF-based high availability solutions...13 PI System installation order PI AF server pre-installation tasks...17 System requirements...17 Hardware requirements Windows requirements for AF Server and AF Client SQL Server requirements...18 Synchronization of time settings on PI System computers Download the PI AF setup kit...19 Install Microsoft SQL Server SQL Server considerations SQL Server installation guidelines SQL Server roles and permissions for use with PI AF PI AF installation and upgrade on a single computer or separate computers Install or upgrade PI AF server on a single computer Run the PI AF server setup kit for new installation Run the PI AF setup program for upgrade Install or upgrade PI AF server components on separate computers Select features for installation Create or upgrade the PI AF SQL database manually Create the AFServers local group on the PI AF SQL database computer Execute the SQL scripts to create and populate the PI AF SQL database Modify the PI AF application service connect string Direct PI AF application service to a different PI AF SQL database PI AF Client installation and upgrade Install PI AF Client PI Asset Framework Installation and Upgrade Guide iii

4 Contents Connect to a PI AF server...34 Add a PI AF server to the connection list Fill in the Account field Configure Active Directory access for contacts Upgrade PI AF Client Enable multiple languages for PI AF Client...38 Analysis Management plug-in for PI System Explorer Where to install the Analysis Management plug-in PI AF installation in a mirrored SQL Server session Pre-installation tasks for PI AF in a mirrored SQL Server session Install PI AF SQL database on principal and mirror servers Set PIFD database recovery model on principal and mirror servers Configure domain group for the PI AF application service in a mirrored SQL Server session Install the PI AF application service in a mirrored SQL Server session Create and map login and user accounts in a mirrored SQL Server system Delete local logins and user...47 Configure PIFD database backups and restoration in a mirrored SQL Server session Create a mirrored SQL Server session on the principal server PI AF upgrade in a mirrored SQL Server session Before you upgrade PI AF in a mirrored SQL Server session...51 Prepare principal server for PI AF upgrade in a mirrored SQL Server session Prepare mirror server for PI AF upgrade in a mirrored SQL Server session...51 Upgrade machines for PI AF in a mirrored SQL Server session Verify PI AF upgrade in a mirrored SQL Server session...53 PI AF installation in a failover cluster Architecture for PI AF in a failover cluster Pre-installation tasks for PI AF in a failover cluster...56 Security considerations for PI AF application service on a failover cluster Security considerations for the AF Link to PI feature in failover clusters Configure a domain group for the PI AF application service account in a failover cluster PI AF SQL database installation in a failover cluster...59 Install PI AF SQL database feature on each SQL Server failover cluster machine Execute SQL scripts in a failover cluster Create and map a SQL Server login Delete local logins and user Verify SQL Server service in a failover cluster...63 PI AF application service installation in a failover cluster...64 Install the PI AF application service in the failover cluster Configure PI AF application service on Windows Server 2008 R2 in a failover cluster Modify the default number of failovers on Windows Server Configure PI AF application service on Windows Server 2012 in a failover cluster...68 Verify PI AF application service after failover cluster installation...69 Configure certificates for PI AF high availability in a failover cluster PI AF upgrade in a failover cluster Take PI AF server offline before failover cluster upgrade...73 Upgrade the PI AF SQL database in a failover cluster...74 Upgrade the PI AF SQL database on non-active nodes in a SQL Server Cluster iv PI Asset Framework Installation and Upgrade Guide

5 Contents Upgrade the PI AF SQL database on active node in a SQL Server Cluster Upgrade the PI AF application service in a failover cluster Upgrade PI AF application service on active node in a failover cluster...77 Upgrade PI AF application service on non-active nodes in a failover cluster...78 Verify PI AF application service after cluster upgrade...79 PI AF installation and upgrade in a SQL Server availability group...81 PI AF installation in a SQL Server availability group Pre-installation requirements for PI AF in a SQL Server availability group...81 Install PI AF on the primary replica machine in the SQL Server availability group...82 Install PI AF in a SQL Server availability group Install PI AF on the secondary replica machines in the SQL Server availability group...83 Install PI AF application service for use with a SQL Server availability group Create a SQL login for the primary replica machine in the SQL Server availability group Back up the PIFD database for a SQL Server availability group Create SQL logins for the secondary replica machines in a SQL Server availability group Create a network share for a SQL Server availability group...84 Create a SQL Server availability group for use with PI AF...85 Configure the PI AF connection string for use with a SQL Server availability group Add a PI AF database to an existing SQL Server availability group Upgrade a PI AF database that is in a SQL Server availability group member PI AF collective setup and configuration Prepare to create a PI AF collective...91 Configuration requirements for PI AF collectives SQL Server requirements for PI AF collectives Security requirements for PI AF collectives Create a PI AF collective Configure distributor database security Configure PI AF collective properties...99 Check PI AF collective status PI AF collective status details Add a secondary server to a PI AF collective Connect or switch to a specific member of a PI AF collective Remove a secondary server from a PI AF collective Stop or start replication Stop replication on a secondary server Stop replication on the primary server Start replication on a server Reinitialize a PI AF collective member Configure permissions on the replication data folder PI AF collective upgrades Upgrade the primary PI AF server Backup of the primary PI AF SQL databases Stop replication on the primary PI AF SQL database computer Shut down the primary PI AF application service Run the setup program on the primary PI AF server Upgrade secondary PI AF servers Restart replication on upgraded PI AF computers Troubleshoot PI AF collectives PI Asset Framework Installation and Upgrade Guide v

6 Contents Status details indicate no configured subscriber PI AF collective creation fails due to login failure Snapshot creation fails due to access error PI AF collective cannot be created when SQL Server Agent is not running PI AF silent installations Configure silent installation for PI AF server Command-line arguments for PI AF server installation PI AF server syntax examples for silent install Silent upgrade of PI AF server Configure silent installation for PI AF Client Command-line arguments for PI AF Client installation PI AF Client syntax examples for silent install Silent upgrade of PI AF Client PI AF security overview General PI AF security recommendations Security requirements for PI AF collectives PI AF collectives in a domain or workgroup Check security credentials and connections for PI AF collectives Security configuration for the PI AF application service account Run the PI AF application service under a domain account PI AF application service and PI AF SQL database considerations Configure PI AF to use SQL Server security Configure SQL Server to use mixed mode authentication Create and configure SQL Server login About the PI AF Server connect string Specify SQL Server security mode and add user Specify a PI AF SQL database in the connect string Configure PI AF and SQL database in untrusted domains PI AF clients and Windows authentication Run PI System Explorer with elevated permissions Connect PI System Explorer and PI AF server Set audit policy Set sharing and security model for local account Configure Active Directory access for contacts Security configuration for external tables Authentication for linked tables Risk of using non-impersonated connections Data access recommendations for linked tables Linked table access on PI System Explorer 2.0.x Changing security settings for linked tables PI AF and Kerberos authentication PI AF and Kerberos delegation Configure PI AF for Kerberos general delegation Configure PI AF for Kerberos constrained delegation Assign permissions to service accounts with ADSI Edit snap-in Manage SPNs for the PI AF application service View existing SPNs for the PI AF application service Create SPNs for the PI AF application service vi PI Asset Framework Installation and Upgrade Guide

7 Contents Delete SPNs for the PI AF application service Configure Active Directory objects for delegation Configure delegation settings for the AFServer service computer Configure delegation settings for the machine account where the external data resides Configure delegation settings for the domain account under which the AFServer service runs Configure delegation settings for the domain account that controls access to the external data Firewalls and PI AF security Examples of firewall topology Firewall with all servers installed within the DMZ Firewall with PI Server in the DMZ and PI AF and SQL Server on the LAN Firewall with SQL Server outside of the DMZ Network connection types for PI AF Considerations for firewalls and ports for PI AF Firewall between PI AF Server and PI AF Client Firewall between PI AF Server and SQL Server Firewall between PI AF Client and PI Server PI AF object security Setting permissions for objects How to change access permissions on AF objects Element security Event frame and transfer security UOM security Database object security AF object access permission settings When to use the Deny option Setting permissions for collections PI AF configuration and maintenance PI AF backup considerations PI AF collective SQL Server backups Monitor PI AF Server and SQL Server communication Troubleshoot connection problems Monitor PI AF Server and SQL Server communication Cannot connect to AF server Cannot connect to specified SQL Server Cannot connect to SQL database Cannot connect to PIFD database EXECUTE permission denied SQL Error (229) Missing stored procedure SQL Error (2812) Replication does not complete waiting for a Good SyncStatus Troubleshoot PI AF collectives Status details indicate no configured subscriber PI AF collective creation fails due to login failure Snapshot creation fails due to access error PI AF collective cannot be created when SQL Server Agent is not running Technical support and other resources PI Asset Framework Installation and Upgrade Guide vii

8 Contents viii PI Asset Framework Installation and Upgrade Guide

9 PI Asset Framework deployment Topics in this section PI System components PI AF architecture PI Server, PI AF server, and SQL Server configuration options PI AF deployment options PI AF high availability solutions PI System components At its simplest, PI is a data infrastructure. A basic PI System consists of the data source, the data collector for that data source (they might be on the same computer), a PI Server combined with an Asset Framework server, and an appropriate visualization tool on a PC. The PI System collects, stores, and manages data from your plant or process. The PI System can include many different products. PI interfaces retrieve data from your data sources and send it to one or more PI Servers. Users on other computers can get data from PI Servers and display it with client tools. The PI System includes: Data sources Data sources are the instruments that generate your data. They can be almost anything, and they can connect to the interface nodes in a variety of different ways. PI Performance Equations, PI ACE, and Totalizer are also considered data sources, even though they may be hosted on the PI Server computer. Interfaces PI interfaces get the data from the data sources and send it to the PI Server. Each different data source needs a PI interface that can interpret it. OSIsoft has over 300 different interfaces. PI Servers The PI Server gets the data and routes it in real time throughout the PI System and your entire information infrastructure, making it possible for everyone to work from a common set of real-time data. Operators, engineers, managers, and other plant personnel can use client applications to connect to the PI Server and view manufacturing data from the PI data archives or from external data storage systems. PI Asset Framework Installation and Upgrade Guide 1

10 PI Asset Framework deployment PI Server typically runs on a separate computer from those that run PI interfaces and client applications. This distributed data collection architecture is scalable, robust, and flexible. When the high availability (HA) architecture is used, the PI Server runs on two or more computers that are automatically synchronized and act as one logical PI Server, called a PI Server collective. These computers can be geographically dispersed. PI Asset Framework (PI AF) PI AF allows the definition of consistent representations of organizational assets and/or equipment and uses these representations in simple or complex analyses that yield critical and actionable information. PI points and assets PI points and assets are the basic building blocks of the PI System. You use PI points to track the events that comprise your data history. When system managers or OSIsoft field services engineers install a PI Server, they create a PI point for every source of data that the PI System must track. PI Base Subsystem stores points and their attributes in the point database. The PI Asset Framework (AF) server contains asset or "metadata" that is usually organized according to the assets that contain the points being monitored. Assets can be helpful to users of the PI System who do not know or are not familiar with points. Using assets, they can find the data they need without understanding the technical details of each piece of equipment. Assets are also helpful in finding all of the points associated with a specific piece of equipment. Data access PI System components communicate with each other through the PI SDK, PI API, and the PI AF SDK. PI data access components include PI OLEDB with Microsoft SQL Server (Standard or Enterprise) and PI Web Services with Microsoft IIS. They may also include relational data providers such as PI ODBC and PI JDBC. PI Web Services retrieves PI System data using the PI SDK and AF SDK, and other data access layers. In general, the PI Web Services host must be configured with connection information to the desired PI Servers and PI AF servers. Client applications Operators, engineers, managers and other plant personnel use a variety of client applications to connect to PI Servers and PI application servers to view plant data. PI Coresight, PI ProcessBook, PI DataLink, and PI WebParts are all client applications. PI Server and PI Asset Framework (PI AF) PI Server 2010 and later includes and requires PI Asset Framework (PI AF). You need a connection to a PI AF server in order to install a PI Server. If you do not have a PI AF server 2 PI Asset Framework Installation and Upgrade Guide

11 PI Asset Framework deployment installed, then you must install one before you begin the PI Server installation. The PI AF server is included with your upgrade to PI Server 2010, but requires a separate installation kit. PI AF replaces the PI Module Database (MDB). New client applications will support PI AF only. To provide backward compatibility, PI Server migrates the contents of PI MDB over to PI AF. After migration, PI Server constantly synchronizes the MDB content with PI AF, allowing you to access MDB content from PI AF clients as well as MDB clients. Similarly, you can access PI AF content from MDB clients, as well as PI AF clients. This allows you to access your PI AF content with MDB-based tools, such as PI ACE, or with a PI AF client such as PI System Explorer. During an install or upgrade to PI Server 2010 or later: The PI Server setup program prompts you for a path to PI AF server and then attempts to connect to the PI AF server that you specify. You cannot complete the installation or upgrade unless the setup program can make that connection. The single exception to this rule is when you are upgrading an existing PI Server that does not use PI MDB. If you are installing a new PI Server or upgrading a PI Server that does not use MDB, then the setup program asks if you want to enable MDB. You must run the MDB to AF Preparation wizard before the upgrade. You cannot upgrade until you successfully run the wizard. After upgrade, the migration of MDB to PI AF starts automatically and the MDB content is thereafter synchronized with PI AF. PI AF architecture PI AF uses a multi-tiered architecture. A minimal system consists of a client application or the PI AF SDK, the PI AF server application service, and the PI AF SQL database. In terms of physical topology, any configuration of the three tiers is possible, including running all tiers on the same system or on separate systems. Clients can communicate with multiple PI AF servers and multiple PI Servers. A single PI AF server can service multiple clients. A single PI AF SQL database can host multiple PI AF servers. High availability features can be configured many ways, including load-balanced PI AF servers, SQL Server mirroring, SQL Server replication, Microsoft Cluster Service (MSCS), or combinations of these methods. PI Server, PI AF server, and SQL Server configuration options For PI Server, PI AF server, and Microsoft SQL Server, you need one or more Microsoft Windows compatible computers, preferably a 64-bit operating system. It is possible to install a 32-bit version of Windows on a 64-bit computer. However, the computer would not have the benefits of 64-bit Windows operating systems, such as more than 2GB of RAM per process. For best performance and improved security, OSIsoft recommends that you install SQL Server on a different computer from PI Server. OSIsoft also recommends at least two physical drives on the PI Server computer. OSIsoft recommends that you install PI AF server and PI Server on different computers if: PI Asset Framework Installation and Upgrade Guide 3

12 PI Asset Framework deployment PI AF server will use time-series data from multiple PI Servers. PI AF server is configured for high availability (such as a PI AF collective, load-balanced PI AF servers, PI AF servers connected to a mirrored SQL Server, or PI AF servers connected to clustered SQL Servers.) The number of required computers depends on the size and complexity of your PI System. Small system, single PI Server For systems with few assets (10,000 or less) and low-to-moderate workloads (25,000 PI points or fewer), OSIsoft recommends that you: Install PI Server, PI AF server, and SQL Server on the same computer. Use SQL Server Express edition. (In general, OSIsoft recommends that you use SQL Server Enterprise edition, except for the case of a small PI AF SQL database with few users and low usage.) Consider installing SQL Server on a different computer from PI Server, or use a shared SQL Server that supports many applications in addition to PI AF. Larger, higher performance PI System For systems with more than 10,000 assets, and moderate-to-high workloads and point counts, OSIsoft recommends that you: Install Microsoft SQL Server on a separate computer from PI Server. Install PI AF server on either the PI Server or SQL Server computer. Use Microsoft SQL Server Standard or Enterprise edition instead of Express edition. Consider using PI Server collectives and PI AF collectives for higher performance and scalability. 4 PI Asset Framework Installation and Upgrade Guide

13 PI Asset Framework deployment Distributed, highly available PI System For distributed systems with large workloads and point counts, and with multiple PI Servers or PI Server collectives that link to a central PI AF database, OSIsoft recommends that you install PI Server collectives, PI AF collectives, and Microsoft SQL Server on separate, redundant computers to achieve the best level of performance and scalability. PI AF deployment options Depending on your needs and goals, you have various options for deploying PI Asset Framework, ranging from a simple deployment that uses one computer to a complex mirrored PI Asset Framework Installation and Upgrade Guide 5

14 PI Asset Framework deployment collective that uses multiple computers. Carefully consider which deployment is best for your needs before installation. Topics in this section Simple PI AF deployment PI AF on a mirrored SQL Server PI AF server in a failover cluster PI AF collectives Deployment considerations for PI AF Frequently asked questions about PI AF deployment Simple PI AF deployment For systems with few assets (10,000 or less) and low to moderate workloads (25,000 PI points or fewer), OSIsoft recommends that you follow these guidelines: Install PI Server, PI AF server, and SQL Server on the same computer. Consider installing SQL Server on a different computer from the PI Server. Installing SQL Server Standard or Enterprise edition on the same computer as the PI Server can significantly degrade PI Server performance. Possible deployment scenarios include: Deploy the PI AF application service and PI AF SQL database on the same computer, and deploy a PI AF client on the same computer or on a different computer. Deploy the PI AF application service and PI AF SQL database on separate computers, and deploy a PI AF client on one of these computers or on a different computer. Deploy the PI AF application service on multiple computers that point to a single PI AF SQL database, and deploy a network load balancer between the PI AF client and the AF application services. For example: 6 PI Asset Framework Installation and Upgrade Guide

15 PI Asset Framework deployment PI AF on a mirrored SQL Server Deploy PI AF on a mirrored SQL Server for a highly available system. Possible scenarios include: Deploy the PI AF application service and PI AF SQL database on separate computers, with the PI AF SQL database on a mirrored SQL Server, and deploy the PI AF client on a different computer. Deploy the PI AF application service on multiple computers pointing to a PI AF SQL database that is installed on a mirrored SQL Server, and deploy a network load balancer between the PI AF client and the PI AF application services. PI AF server in a failover cluster Two scenarios demonstrate high availability deployment for the components of PI AF server in a failover cluster: The first scenario is to deploy the PI AF application service and the PI AF SQL database on separate computers. Install the PI AF application service on a separate machine that uses Microsoft Failover Clustering. As recommended, the PI AF application service is configured to run under a domain account. PI Asset Framework Installation and Upgrade Guide 7

16 PI Asset Framework deployment Install the PI AF SQL database on a SQL Server failover cluster. Install the PI AF client on a different computer. Install the PI AF application service on a separate machine that uses Microsoft Failover Clustering. As recommended, the PI AF application service is configured to run under a domain account. The second scenario is to deploy the PI AF application service on multiple computers that point to a PI AF SQL database that installed on a SQL Server failover cluster. Deploy a network load balancer between the PI AF client and the PI AF application services. OSIsoft assumes that you are familiar with the configuration and operation of failover cluster features, and with the cluster administration tools in your Windows operating system: Windows Server 2008 R2 Failover Cluster Management snap-in Windows Server 2012 Failover Cluster Management Tools PI AF collectives A PI AF collective is a set of PI AF servers that acts as the logical PI AF server in a PI System to provide high availability (HA), disaster recovery, load distribution, and increased scalability. Deployment scenarios for a PI AF collective include: Multiple pairs of a PI AF application service and a PI AF SQL database (the PI AF application service and PI AF SQL database pair can be on the same computer or different computers) configured into an PI AF collective, with a PI AF client on the same computer or on a different computer. Multiple pairs of a PI AF application service and a PI AF SQL database configured into a PI AF collective, with each pair configured as a SQL Server cluster or mirrored SQL Server. PI Server collectives and PI AF collectives are independent; you do not need a PI Server collective to create a PI AF collective or vice-versa. Neither the primary nor the secondary PI AF server needs a PI Server installed. A PI AF collective uses SQL Server replication to copy data from the primary PI AF SQL database computer (publisher) to each of the secondary PI AF SQL database computers. The PIFD database is the Microsoft SQL Server database where configuration information and userdefined PI AF databases are stored. When you create a PI AF collective, a distributor database (PIFD_Distribution) is created to allow for SQL Server replication. Each secondary server communicates with the primary server through a Windows Communication Foundation (WCF) connection and reports its status information. The server authenticates the WCF connection using a Windows certificate that the PI AF server generates when it is started. SQL Server replication transmits the primary PI AF server s certificate to each secondary server. After the secondary server receives the primary server s certificate, it can communicate its status to the primary server. When PI AF data is changed on the primary PI AF server: The log reader agent sends any changes from PIFD to the PIFD_Distribution database. For each secondary server, its agent pushes changes to the SQL Server instance on the secondary server. 8 PI Asset Framework Installation and Upgrade Guide

17 PI Asset Framework deployment If the secondary server is not reachable (if there is a network problem or the computer is offline), the agent retries later. Sample PI AF collective configuration The high availability (HA) feature, implemented with PI AF, uses a PI AF collective. Because the failover and load balancing logic is implemented at the level of the PI AF SDK, each PI AF SDK instance must know the address of at least one of the PI AF servers in a PI AF collective. After the PI AF SDK connects to the PI AF server, the PI AF SDK is updated with the information about the other members of the PI AF collective. The PI AF SDK will select the appropriate PI AF server, detect failure, and switch to the next appropriate PI AF server. Each PI AF server / PI AF SQL database pair can be on the same computer or on different computers. Each PI AF server must know its server role (primary or secondary), each primary server must know where the secondary servers are located to allow for replication, and each secondary server must know where the primary server is located in order to send its status to the primary. SQL Server replication enables the secondary database server(s) to contact the primary database server and replicate metadata and data. In the figure, R/W indicates that the primary server supports reading and writing of data by PI AF clients. R/O indicates the secondary servers only support reading of data by PI AF clients. The primary server could be located at headquarters and each plant could have a secondary server. Data writers always connect to the primary server to make changes. Users at each plant PI Asset Framework Installation and Upgrade Guide 9

18 PI Asset Framework deployment connect to their local secondary server, except to write, in which case they connect to the primary server. The primary server and all secondary servers will contain the same exact data. Note: Back up your data even if you use SQL Server replication. For example, if you mistakenly delete the PI AF SQL database from the primary server, SQL Server will replicate this deletion to the secondary servers, and all your PI AF data would be lost. Deployment considerations for PI AF The main components in a PI System are PI Asset Framework, Microsoft SQL Server, and PI Server. OSIsoft recommends that you use these guidelines to deploy PI AF within a PI System: If the PI Server computer is heavily loaded, move SQL Server to a different computer. If multiple PI Servers use the same PI AF SQL database, move SQL Server to a different computer. It is acceptable to use a shared SQL Server that contains databases for other non-osisoft applications. Often these are already running on a cluster. Hardware sizing should be based upon workload, not AF object count, since they do not correlate. RAM is the most important hardware sizing consideration for implementing PI AF, due to SQL Server. As I/O workload increases, it is important to consider the disk subsystem to handle the IO count as well as the storage requirements. Specifications to consider include: number of disk spindles, solid-state drives, and so on. For very large PI AF systems, use drive arrays that can sustain at least 3000 random read I/O Per Second (IOPS). Adding SQL Server RAM improves SQL Server read and write performance and is the variable that most affects performance of PI AF. In particular, if you use a very large PI AF system, specify that the SQL Server RAM to be percent of the database size. Frequently asked questions about PI AF deployment The following table provides answers to frequently asked questions about PI AF deployment. Question Answer Explanation Can the PI AF application service run on the database server system? Can the PI AF application service run on a different system from the database server? Can the PI AF application service run on a system in a domain that is not trusted by the domain of the database server system? Can the database server use the default instance? Yes Yes Yes Yes Configure the PI AF application service to use a SQL Server login, instead of Windows Authentication when connecting to the SQL Server. Modify the PI AF application service connection string to use the default instance or an appropriate alias. 10 PI Asset Framework Installation and Upgrade Guide

19 PI Asset Framework deployment Question Answer Explanation Can the database server use a named instance? If the PI AF application service is not installed on the database server system, what software, other than the SQL Server components, gets installed on the database server system? Will PI AF server operate correctly when the database is installed on a shared SQL Server instance? How many SQL Server databases does the application require? Yes None Yes Modify the PI AF application service connection string to use the named instance or an appropriate alias. 1 (without PI HA) or 2 (with HA) The setup program creates a single PI AF SQL database named PIFD. PI AF creates a second user database named PIFD_Distribution on the primary for SQL Server replication. Is any specific collation required? Yes. It is case insensitive. Although the installation procedure does not specify any particular collation, SQL_Latin1_General_CP1_CI _AS has had the most testing. Does PI AF expect SQL Server to listen on a specific port? Does the database run in MULTI_USER mode? Are any additional SQL Server features required? No Yes Yes SQL Server Agent service is required for automated backup or if PI AF is configured for high availability. PI AF high availability requires the replication feature of SQL Server. SQL Server Audit Trail requires the Change Data Capture feature that is only available from SQL Server Enterprise Edition. Is IIS required on the database server system? Is.NET Framework required on the database server system? No Yes Is MS-DTC required? No Unless the DBA manually installs the PI AF database objects, the setup program requires.net Framework version 4.0. However, this can be removed after the installation. PI Asset Framework Installation and Upgrade Guide 11

20 PI Asset Framework deployment Question Answer Explanation Is it necessary to enable remote database connections? Yes Yes, if the PI AF application service is not installed on the database server system. PI AF high availability solutions To implement high availability in PI AF, you can use either a Microsoft SQL Server-based solution or a PI AF-based solution. The following sections compare the options available in each solution. Topics in this section Microsoft SQL Server-based high-availability solutions PI AF-based high availability solutions Microsoft SQL Server-based high-availability solutions The following table compares Microsoft SQL Server-based high availability solutions: MS SQL Server solution Advantages Disadvantages Clustered Allows for full-time read/write access to PI AF database. No re-synchronization required. Cluster members always use latest shared copy of PI AF SQL database. Mirrored Allows for full-time R/W access to AF database. Fast failover time (compared to SQL clustering). Two copies of the database on independent hardware. The members can physically be separated by a long distance. Requires significant initial investment in cluster hardware. PI AF server unavailable during cluster failover period. No real advantage over having single server service restart itself on failure. Network Load Balancing can be single point of failure if unavailable. 12 PI Asset Framework Installation and Upgrade Guide

21 PI Asset Framework deployment MS SQL Server solution Transactional replication (with PI AF collective) Advantages Low cost entry into HA (reuse existing hardware, easy to implement, can use SQL express for secondary servers). The members can physically be separated by a long distance. Two or more copies of the database on independent hardware. PI AF reads are scaled out across PI AF SQL servers with PI AF collective static load balancing. Disadvantages Allows R/W access only to PI AF database on primary AF server in the collective, read-only access on secondary members. Renaming the PIFD database is not supported. Not appropriate if PI AF metadata writes are required around-theclock. SQL express members will scale poorly for heavily used PI AF databases. Unless clustering or mirroring is used on the primary SQL Server, writing will not be possible if the primary SQL Server is not available. PI AF-based high availability solutions The following table shows a comparison of PI AF-based high availability solutions: PI AF-based solution Advantages Disadvantages Clustered Network Load Balancing (NLB) PI AF collective (with static load balancing) No real advantages, other than it can help restart the service if it fails. Allows for load balancing across multiple servers using NLB clusters or round-robin DNS. Requires significant initial investment in cluster hardware. PI AF server unavailable during cluster failover period. No real advantage over having single server service restart itself on failure. Network Load Balancing can be single point of failure if unavailable. Low-cost entry into high availability. Static load balancing across PI AF collective members requires perclient PI AF SDK configuration. As of February 2012, there is no dynamic load balancing available. PI Asset Framework Installation and Upgrade Guide 13

22 PI Asset Framework deployment 14 PI Asset Framework Installation and Upgrade Guide

23 PI System installation order The PI System consists of Interfaces, PI Server, and clients. The PI Server consists of the PI Data Archive, PI Asset Framework, PI Notifications, PI ACE and PI Interfaces for System Monitoring. Refer to each PI System product installation guide for detailed installation procedures. 1. Install Microsoft SQL Server. 2. Install the PI AF server components. You are not required to install the PI AF application service on the same computer as Microsoft SQL Server. If you want to install the PI AF application service on a different computer than SQL Server: a. On the SQL Server computer, run the PI AF Server setup program and install the PI AF SQL database feature. b. If you are installing the SQL scripts without executing them, follow the steps for manually creating or upgrading the PI AF SQL database. c. On the PI AF application service computer, run the PI AF Server setup program and install the PI AF application service feature. 3. Install any PI Data Archive Servers. 4. Install the PI AF Client. The PI AF Client installation also includes these optional features: PI System Explorer PI System Explorer supports multiple languages. Install the PI System Explorer MUI Language Pack to enable multi-language access. If PI System Explorer does not support a particular language, the user interface displays English. Analysis Management plug-in PI Builder PI AF User Documentation a. Install the Analysis Management plug-in on a PI System Explorer computer if you plan to be using the PI Analysis Service to do bulk operations or troubleshoot the system. You can install the Analysis Management plug-in on a separate computer from the PI Analysis Service. 5. Install any PI AF-dependent applications, such as PI Notifications or PI AF Compatibility Layer, on the same computer where the PI AF Client is installed. PI Asset Framework Installation and Upgrade Guide 15

24 PI System installation order 16 PI Asset Framework Installation and Upgrade Guide

25 PI AF server pre-installation tasks 1. Review PI System installation order. 2. Log on to your Windows system using an account with administrator privileges. 3. Close OSIsoft applications that are currently running. 4. Verify system requirements. Refer to the PI AF 2014 Release Notes for the latest system requirements. 5. Determine SQL Server roles and permissions for use with PI AF. 6. Synchronization of time settings on PI System computers. 7. Download the PI AF setup kit. System requirements Refer to the PI AF Release Notes for detailed system requirements. Topics in this section Hardware requirements Windows requirements for AF Server and AF Client SQL Server requirements Hardware requirements PI AF is extremely flexible and supports the storage of many different kinds of objects. For example: a PI AF object can be as simple as a static numeric value or string of text, or it can be a much more complicated object such as PI Event Frames, custom data references, or even binary objects. As such, it is not possible to definitely correlate the number of PI AF objects to hardware requirements. However, there are some general guidelines. Your hardware sizing should be based upon workload, not PI AF object count, because they do not correlate. As input and output (I/O) workload increases, it is important to ensure the disk subsystem can handle the I/O count as well as the storage requirements. Adding memory (RAM) improves SQL Server read and write performance. Increasing the number or performance of the CPU is helpful for concurrent users. PI Asset Framework Installation and Upgrade Guide 17

26 PI AF server pre-installation tasks Windows requirements for AF Server and AF Client Windows Operating System Windows Server 2012 Windows Server 2012 R2 Windows Server 2012 Core Windows Server 2012 R2 Core AF Server and PI Analysis service support Yes AF Client support Yes Windows Server 2008 R2 SP1 Yes Yes Windows 8, 64-bit and 32-bit Test only Yes Windows 7 SP1, 64-bit and 32- bit Windows Server 2008 SP2, 64- bit and 32-bit Windows Vista SP2, 64-bit and 32-bit Test only No No Windows Server 2003 No No Windows XP No No Yes Yes Yes SQL Server requirements General Supported SQL Server editions Details Express Standard Enterprise Datacenter Supported SQL Server versions SQL Server 2014 SQL Server 2012 SQL Server bit x86 and 64-bit x64 There is no support for the Itanium CPU. Required SQL Server components Database engine, SQL Agent (backup and replication) In general, OSIsoft recommends that you use SQL Server 2012 Enterprise edition, except in the case of a small PI AF SQL database (PIFD) with few users and low usage. Although supported by PI AF, SQL Server 2012 Express has a 1 GB memory limitation and 10 GB database size limitation. In addition, SQL Server 2012 Express does not support Microsoft Business Intelligence (BI) tools such as SQL Reporting Services and SQL Analysis Services. PI AF high availability features are not supported with SQL Server 2012 Express. When estimating the SQL Server disk space required for the PIFD, consider the type and quantity of your PI AF objects. As a first order estimate, a PIFD with 50,000 elements each with 20 attributes of double data type would consume approximately 3 GB of disk space. If you use 18 PI Asset Framework Installation and Upgrade Guide

27 PI AF server pre-installation tasks PI AF objects such as PI Event Frames, PI Notifications, or other data types, your disk space requirements will increase. In the case of custom PI AF data references, OSIsoft recommends that you use a test environment to test size implications. See also SQL Server requirements for PI AF collectives. Synchronization of time settings on PI System computers For all machines that are part of the PI System, you must ensure that the time is set correctly and synchronized to PI Server. In addition, make sure that all Windows machines have the proper time-zone settings and that they are set to automatically adjust for daylight-saving changes. OSIsoft recommends that you synchronize the PI Server clock with a network time protocol (NTP) server. For details, see the Handling DST on PI Server, PI Interface, and PI Client nodes ( techsupport.osisoft.com/troubleshooting/kb/kb00876 ) web page. Download the PI AF setup kit 1. From the OSIsoft Technical Support Web site, click My Support > My Products. 2. Find the PI AF Server software that you want to install and click Download. The Download page displays a table of all the setup kits available to you. 3. Select the install kit and click Download Now. 4. Read the OSIsoft, LLC. ( OSIsoft ) Software License and Services Agreement and click I Agree. 5. When prompted to run or save the executable (.exe) file, click Save and click OK. Install Microsoft SQL Server For information related to the installation of Microsoft SQL Server, see: SQL Server requirements SQL Server roles and permissions for use with PI AF PI AF security overview SQL Server requirements for PI AF collectives Topics in this section SQL Server considerations SQL Server installation guidelines SQL Server roles and permissions for use with PI AF PI Asset Framework Installation and Upgrade Guide 19

28 PI AF server pre-installation tasks SQL Server considerations The following table contains frequently asked questions regarding SQL Server. Question Do end users connect to SQL Server? Must end users be granted access to SQL Server objects? Does the PI AF server control user access to data stored in the SQL Server database? Does each user require a login to SQL Server? Does the DBA have to manage user permissions to SQL Server objects? Does the remote application require any Windows permissions on the SQL Server computer? Is PI AF compatible with SQL Server clustering, mirroring, and replication? Answer No. OSIsoft recommends that end users not be granted privileges on the SQL Server instance. No. Yes. Users do not connect to the SQL Server database. The PI AF server uses Windows authentication to identify users and performs AccessCheck on Windows security descriptors stored in the SQL Server tables to control user access to application data. No. Users do not connect to SQL Server. No. Users do not connect to SQL Server. Yes. Except for managing PI AF collectives (SQL Server replication), the PI AF SDK never connects to SQL Server and therefore the user does not need any permission on SQL Server. For PI AF highavailability management, the user running PI AF SDK must have the SysAdmin role on the SQL Server instance, but no Windows O/S level privileges are required. Yes. SQL Server installation guidelines Question Does the PI AF installation program install SQL Server? What Microsoft Windows privileges are required on the database server for the database installation program? Is it possible for the DBA to manually install the SQL objects without help from the installation program? Are SQL Server scripts available for review by the DBA prior to running? Answer No. Optionally, none. The installation of the SQL scripts, as well as verification of the SQL connection, can be optionally deselected. Yes. Yes. The setup kit installs the SQL scripts to the PIPC\AF\SQL directory and can optionally be instructed not to execute them as part of the installation. These scripts can be run manually after the installation is complete. Alternately, install on a test system or virtual server image. Capture the SQL scripts or back up or detach the PIFD database and restore it on the production database server. 20 PI Asset Framework Installation and Upgrade Guide

29 PI AF server pre-installation tasks Question What SQL Server privileges are required on the database server for the database installation program? In a database-only installation, what configuration changes are made to the Windows operating system? Are any objects created in the master database? Are any objects created in the MSDB database? Are any objects created in the model database? Can the DBA control where the database data and log files are created? Can the DBA create the database manually? Answer SysAdmin privilege is required if opting for the installation program to create the database. If opting for manual installation, no privileges are necessary. See Create or upgrade the PI AF SQL database manually. None. No files are installed on the database server, other than database files. No registry keys are modified. No. No. No. Yes. Prior to running the installation program, set the paths in the 'database settings' for the SQL Server instance. If manually installing, modify schema1.sql to explicitly set the paths. Yes. CREATE DATABASE PIFD; The DBA can specify any paths and database options. Then, either run the installation program or run the SQL Server scripts manually. See Create or upgrade the PI AF SQL database manually. SQL Server roles and permissions for use with PI AF This topic can help you determine the appropriate SQL Server user roles and permissions for your PI AF environment. Question Does PI AF require the SysAdmin role? Does PI AF require a login through the sa account? Does PI AF require db_owner role? Answer No. No. No. How many logins are required? 1 or 2. Low privileged login for account that runs the PI AF server needs db_afserver role. Should not be granted higher privilege. Never allow the PI AF server to connect to SQL Server with SysAdmin privileges. For PI AF with high availability, SQL Server replication is used and the PIAdmin user requires the db_owner role during setup or during changes to the SQL Server replication. What roles / permissions does the PI AF server need during runtime? The account that runs the PI AF application service must be assigned the db_afservers database role membership for the PIFD database. You can use SQL Server Management Studio to edit the SQL Server login for the account. See Create and configure SQL Server login. PI Asset Framework Installation and Upgrade Guide 21

30 PI AF server pre-installation tasks 22 PI Asset Framework Installation and Upgrade Guide

31 PI AF installation and upgrade on a single computer or separate computers You can install PI AF on a single computer, or you can install the PI AF application service and the PI AF SQL database on separate computers. Topics in this section Install or upgrade PI AF server on a single computer Install or upgrade PI AF server components on separate computers Install or upgrade PI AF server on a single computer 1. Download the PI AF setup kit. 2. Do one of the following: Run the PI AF server setup kit for new installation Run the PI AF setup program for upgrade. Run the PI AF server setup kit for new installation 1. Go to the directory where you downloaded the PI AF install kit. a. Double-click the AFServer[VersionInfo]_.exe installation file, where [VersionInfo] describes the version of the PI AF Server installation kit. You may be prompted by a User Account Control message to allow the installation to run. Click Yes to allow the installation to continue. The Self-Extracting Executable window opens. b. In the Self-Extracting Executable window, click Browse, select the directory where you want to extract the files, and click OK. The files are extracted, then the Welcome window opens. A list displays all of the modules that will be installed or upgraded. Review the list of modules and comments to ensure there are no warnings displayed. 2. Click OK to start the installation of Microsoft.NET Framework 4.5. Once the.net Framework 4.5 installation is complete, the Microsoft SQL Server 2012 Native Client Setup window opens. 3. Click Next to start the SQL Server 2012 Native Client installation. The Native Client License Agreement window opens. a. Read the License Terms. If you accept the terms, select the I accept the terms in the license agreement option and click Next. PI Asset Framework Installation and Upgrade Guide 23

32 PI AF installation and upgrade on a single computer or separate computers The Feature Selection window opens. b. Do not make any changes to the selections, as both features need to be installed. Click Next. The Ready to Install the Program window opens. c. Click Install to continue the SQL Server 2012 Native Client installation. The Completing the SQL Server 2012 Native Client installation window opens when the installation is complete. d. Click Finish to continue with the AF Server installation. The installation executable installs the Microsoft Visual C++ Redistributables, requiring no interaction. The welcome page of the PI AF Server [VersionInfo] Setup opens. 4. Review the welcome information. When you are ready to proceed, click Next. The User Information window opens. a. Click Next to accept the default Full Name and Organization values, or change the values then click Next. The Destination Folder window opens. b. Click Next to accept the default destination folder, or click Browse to locate and select a different folder. The Select Features window opens. A description for the selected feature is shown in the right pane, including amount of disk space required for the feature. c. Click Next to accept the selected features. The Local SQL Server Connection window opens. This window has a drop-down list that includes all SQL Server instances on the local server. d. Choose the default SQL Server instance by selecting it, entering a. or leaving the field blank. You can accept the SQL Server instance shown in the drop-down list, select a different instance, or manually type a local SQL Server instance name in the list. e. Click Next. The Ready to Install the Application window opens and displays the features that will be installed. Click Back if changes are required. f. Click Next to install the PI AF Server. The Updating System window opens. The Installation Complete window opens when the installation is complete. 5. Click Close. After you finish Note: If you cancel the installation before it is complete, the PI AF SQL database might have already been created and you will need to remove the database manually. Verify that the AF application service is running under the correct account. See General PI AF security recommendations. 24 PI Asset Framework Installation and Upgrade Guide

33 PI AF installation and upgrade on a single computer or separate computers Run the PI AF setup program for upgrade Before you start Warning: If you are updating from a version prior to 2.6, audit trail is not enabled after an upgrade, and audit trail tables do not exist. Before upgrade make sure you have a valid backup of the SQL PIFD database. If you are upgrading from version 2.6 or later, the audit trail tables are left in place. 1. Before starting the upgrade process, ensure that the PI AF server service is stopped: a. Click Control Panel > Administrative Tools > Services. b. Right-click PI AF Server [VersionInfo] Application Service and select Stop. 2. Back up the PIFD SQL database. When upgrading, the setup program may make update changes to the existing PIFD database. After these changes are complete, a downgrade of the PIFD database will not be possible. 1. Go to the directory where you downloaded the PI AF install kit. a. Double-click the AFServer[VersionInfo]_.exe installation file, where [VersionInfo] describes the version of the PI AF server installation kit. You may be prompted by a User Account Control message to allow the installation run. Click Yes to allow the installation to continue. The Self-Extracting Executable window opens. b. In the Self-Extracting Executable window, click Browse, select the directory where you want to extract the files, and click OK. The files are extracted, then the Welcome window opens. A list of the modules that will be installed/upgraded is displayed. Review the list of modules and comments to ensure there are no warnings displayed. 2. Click Next to start the installation of Microsoft.NET Framework 4.5. If the PI AF server service was not stopped prior to beginning the upgrade, a Microsoft.NET Framework 4.5 window opens, indicating the PI AF Server service is still running. You are prompted to allow the setup to stop the service. If this is acceptable, click Yes. Or, you can click No to cancel the setup. Alternatively, stop the service yourself and return to this dialog and click Refresh, which closes this dialog and allows the.net Framework 4.5 setup to continue. Once the.net Framework 4.5 installation is complete, the Microsoft SQL Server 2012 Native Client Setup window opens. 3. Click Next to start the SQL Server 2012 Native Client installation. The SQL Server 2012 Native Client License Agreement window opens. a. Read the License Terms. If you accept the terms, select the I accept the terms in the license agreement option and click Next. PI Asset Framework Installation and Upgrade Guide 25

34 PI AF installation and upgrade on a single computer or separate computers The SQL Server 2012 Native Client Feature Selection window opens. b. Do not make any changes to the selections, both features need to be installed. Click Next. The SQL Server 2012 Native Client - Ready to Install the Program window opens. c. Click Install to continue the SQL Server 2012 Native Client installation. The Completing the SQL Server 2012 Native Client installation page opens when the installation is complete. d. Click Finish to continue with the AF Server installation. The Microsoft Visual C++ Redistributables are installed, requiring no interaction. The Welcome page of the PI AF Server [VersionInfo] Setup window opens. 4. Review the welcome information. When you are ready to proceed, click Next. The User Information window opens. a. Accept the default Full Name and Organization values, or change these values. Click Next. The Destination Folder window opens. b. Accept the default destination folder, or click Browse to locate and select a different folder. Click Next. c. Read the warning message about backing up PIFD, select the Warning Acknowledged check box, and click Next. The Ready to Install the Application window opens. Click Back if changes are required. d. Click Next to install the PI AF server. The Updating System window opens. The Installation Complete window opens when the installation has completed. 5. Click Close. After you finish Note: If you cancel the installation before it its complete, the PI AF SQL database might have already been created and you will need to remove the database manually. If the SQL scripts were manually executed in the original installation: 1. Create or upgrade the PI AF SQL database manually. 2. Verify that the PI AF application service is running under the correct account. See General PI AF security recommendations. 1. Connect PI System Explorer to upgraded AF server. Connect PI System Explorer to upgraded AF server Following an upgrade to AF server 2.6, the first time a client connects to the upgraded AF server, some final upgrade operations will occur that may cause a brief period of slow 26 PI Asset Framework Installation and Upgrade Guide

35 PI AF installation and upgrade on a single computer or separate computers performance. OSIsoft recommends that you force the occurrence of these operations by connecting PI System Explorer to your upgraded AF server immediately after the upgrade program completes. Install or upgrade PI AF server components on separate computers You are not required to install all components of PI AF server on the same computer as SQL Server. For example, you might install the PI AF SQL database on your SQL Server computer, but the PI AF application service on a different computer. When you run the setup program, the Select Features window lets you select the features to install. By default, both the PI AF application service and the PI AF SQL database features are selected for installation. Select features for installation During the setup program, you can choose the features to install by clicking the arrow on each feature and selecting: Entire feature will be installed on local hard drive. Entire feature will be unavailable. For example, you might want to install the PI AF application service on the SQL Server computer and the PI AF SQL database on a separate computer. See also Create or upgrade the PI AF SQL database manually. 1. If this is an upgrade, stop any PI AF application services. 2. On the SQL Server computer: a. Run the setup program. b. Click the arrow next to AF Application Service and select Entire feature will be unavailable. The AF application service will remain uninstalled. The PI AF SQL scripts needed to set up the AF SQL database will be executed. Note: During the installation, you will be prompted to provide the domain and name of the system where the remote application server can be found so that the proper authentication can be granted to the PI AF application service. 3. On the PI AF application service computer: a. Run the setup program. b. Click the arrow next to AF SQL Database and select Entire feature will be unavailable. The AF SQL Scripts needed to setup the AF SQL database will not be executed. The AF application service will be installed on the local hard drive. PI Asset Framework Installation and Upgrade Guide 27

36 PI AF installation and upgrade on a single computer or separate computers 28 PI Asset Framework Installation and Upgrade Guide

37 Create or upgrade the PI AF SQL database manually You can choose to manually install or upgrade the PI AF SQL database (PIFD) by disabling the AF SQL Script Execution feature during the PI AF server installation. When you run the setup kit, you can cancel selection of the AF SQL Script Execution feature so that the SQL Server scripts are not executed as part of the installation process. The SQL Server scripts and the GO.bat file are placed in the..\pipc\af\sql folder. The GO.bat file contains the commands that execute the deployed SQL Server scripts manually. Upon execution, the scripts create the PI AF SQL database (PIFD) and populate its tables. The execution of the scripts must occur from an account with sysadmin privileges on the SQL Server instance. 1. Create the AFServers local group on the PI AF SQL database computer. 2. Execute the SQL scripts to create and populate the PI AF SQL database. 3. Modify the PI AF application service connect string. 4. Direct PI AF application service to a different PI AF SQL database. Create the AFServers local group on the PI AF SQL database computer Before you run the SQL scripts, follow these steps to enable interaction between the PI AF application service and the PI AF SQL database. During a new installation, you create the local AFServers group when you run the PI AF Server kit on the PI AF SQL Server (unless you decide not to select the SQL Script Execution feature as part of the setup program). It does not matter whether you are running the setup program on a single computer or on separate computers. If you are performing an upgrade, the setup program assumes that the group already exists, so it will not be created. 1. On the computer on which the PI AF SQL database is installed, open Computer Management. 2. Create the AFServers local group if it does not already exist. 3. If the PI AF application service is not running under a domain account, use this syntax to add the PI AF application service computer name to the AFServers group: DOMAIN\ComputerName In this example, the domain is OSI and the computer name is RADAT. PI Asset Framework Installation and Upgrade Guide 29

38 Create or upgrade the PI AF SQL database manually If the PI AF application service is running under a domain account, add the name of the domain account under which the PI AF application service is running to the AFServers group. Be sure to include domain information for the system using this format: DOMAIN\DomainAccount 4. Create a SQL Server login and map it to both the AFServers local user group and the db_afserver database role. Execute the SQL scripts to create and populate the PI AF SQL database To manually create or upgrade the PI AF SQL database after installing the SQL scripts, run the SQL scripts from the SQL folder. Here is some example syntax: SQL Server authentication example The following command is an example of using SQL Server authentication on a SQL Server that includes an instance name: GO.bat MySQL\MyInstance PIFD MySQLLogin MySQLLoginPwd Windows authentication example The following command is an example of using Windows Authentication on a SQL Server that does not include an instance name: GO.bat MySQL PIFD 1. If this is an upgrade, stop the PI AF server service: 30 PI Asset Framework Installation and Upgrade Guide

39 Create or upgrade the PI AF SQL database manually a. Open the Services administrative tool on the PI AF server computer. b. Right-click the PI AF Application Service and select Stop. 2. Open a command prompt window. Use the following syntax to execute the SQL scripts found in the SQL folder: GO.bat <SQLName>[\<SQLInstanceName>] PIFD [<SQLUserName> <SQLUserPassword>] where: <SQLName> is the name of the SQL Server into which the PI AF SQL database (PIFD) will be installed. \<SQLInstanceName> is optional, and should be included if SQL Server was installed with an instance name. PIFD is the name of the PI AF SQL database. <SQLUserName> and <SQLUserPassword> are optional, and should be used if SQL Server authentication is required to connect to SQL Server. If not provided, the scripts use Windows authentication to connect to SQL Server. The process is complete when the command line looks like: c:\..\pipc\af\sql\pisysoledb>_ 3. If you stopped the PI AF server service, restart the service now. a. Open the Services administrative tool on the PI AF server computer. b. Right-click the PI AF Application Service and select Start. Modify the PI AF application service connect string Modify the PI AF application service connect string to enable communication between the PI AF server and the PI AF SQL database. 1. In Windows Explorer, navigate to the..\pipc\af folder on the PI AF application service computer. 2. Use a text editor to open the PI AF application service configuration file, AFService.exe.config. 3. Enter the name of the remote SQL Server, and the named instance if applicable, in the connect string server. Refer to the following lines of code: <?xml version="1.0" encoding="utf-8"?> <configuration> <appsettings> <add key="connectstring" value="persist Security Info=False;Integrated Security=SSPI;server=<SQLName>[\SQLInstance];database=PIFD;Application Name=AF Application Server;"/> <add key="streamedport" value="5459"/> If SQL Server is running on a cluster, it is important to use the clustered resource IP address, instead of a computer name. <?xml version="1.0" encoding="utf-8"?> <configuration> <appsettings> PI Asset Framework Installation and Upgrade Guide 31

40 Create or upgrade the PI AF SQL database manually <add key="connectstring" value="persist Security Info=False;Integrated Security=SSPI;server=<SQLClusterName>[\SQLInstance];database=PIFD;Application Name=AF Application Server;"/> <add key="streamedport" value="5459"/> If SQL Server is configured to use SQL Server mirroring, then add Failover Partner=<SQLServerName>[\<InstanceName>] after the server=, as shown in the following lines of code: <?xml version="1.0" encoding="utf-8"?> <configuration> <appsettings> <add key="connectstring" value="persist Security Info=False;Integrated Security=SSPI;server=<SQLName>[\SQLInstance];failover partner=<sqlservername>[\sqlinstance];database=pifd;application Name=AF Application Server;"/> <add key="streamedport" value="5459"/> To enable encrypted communication, add encrypt=yes; to the code. See the Microsoft SQL Native Client ( documentation for other options. 4. If the PI AF application service is running, stop and restart it for your changes to take effect. Direct PI AF application service to a different PI AF SQL database If you need to direct your PI AF application service to a different PI AF SQL database, you can configure PI AF to specify a new SQL Server instance and enable communications. 1. On the PI AF application service computer, edit the AFService.exe.config file in the PIPC\AF folder and replace the server information with the name of the remote SQL Server to be accessed. 2. Choose one of the following actions. If the PI AF application service is using the NetworkService or LocalSystem account, add the Domain\Machine Name for the remote PI AF server to the local AFServers Windows group (on the PI AF SQL database computer). If the PI AF application service has been modified to use any other account, add the account under which it is running to the local AFServers Windows group (on the PI AF SQL database computer). 3. Using an account with sufficient privileges to run the PI AF application service, perform one of the following actions: If the PI AF application service is running, restart the service for your changes to take effect. If the PI AF application service is not running, start the service for your changes to take effect. 32 PI Asset Framework Installation and Upgrade Guide

41 PI AF Client installation and upgrade Topics in this section Install PI AF Client Connect to a PI AF server Add a PI AF server to the connection list Upgrade PI AF Client Enable multiple languages for PI AF Client Install PI AF Client The AF SDK and the PI SDK are installed as part of the PI AF Client installation. The PI AF Client installation also includes these optional features: PI System Explorer PI System Explorer supports multiple languages. Install the PI System Explorer MUI Language Pack to enable multi-language access. If PI System Explorer does not support a particular language, the user interface displays English. See Enable multiple languages for PI AF Client. Note: The PI System Explorer installation is not optional if you want to install the Analysis Management plug-in. Analysis Management PI Builder PI AF User Documentation Before you start If you are running the PI AF Client setup program on the same computer as the PI AF server, OSIsoft recommends that you install PI AF server first. If you intend to use PI Builder on this computer, you must install Microsoft Excel 2007 SP3 or later first. 1. Verify that you are logged in with administrative rights. 2. Go to the directory where you downloaded the PI AF install kit. 3. Double-click the AFClient[VersionInfo]_.exe, where [VersionInfo] describes the version of the PI AF Client Kit. 4. You may be prompted by a User Account Control message to allow the installation to run. Click Yes to allow the installation to continue. The Self-Extracting Executable window opens. PI Asset Framework Installation and Upgrade Guide 33

42 PI AF Client installation and upgrade 5. Click Browse and select the directory where you want to extract the files, then click OK. The files are extracted and the Welcome window opens and displays a list of the Modules that will be installed. 6. Review the list of modules and comments to ensure there are no warnings displayed and click OK. The Welcome to the PI AF Client 2014 Installation window opens. 7. Click Next. The Destination Folder window opens. The Installation Directories window opens. The installation wizard has a default folder destination for new installations and will detect the correct file locations for updating PI AF Client. You may not choose a different location at this time. a. Click Next. If no AF Server is detected, the Default System Information window opens. b. Optional: Enter the name of the AF server to be used with this installation of the PI AF Client. c. Click Next. The Select Features window opens. d. Choose the features to install by clicking the arrow on each feature list and selecting the installation type you want. If you want to install the Analysis Management plug-in, you must also install the PI System Explorer. All the features except for the Analysis Management plug-in are set to install by default. e. Click Next. The Ready to Install the Application window opens. f. Review the features that will be installed. When you are ready to proceed, click Next. 8. If you have selected the PI Builder feature to install, the Microsoft Visual Studio Tools for Office Runtime Setup window opens: a. Review the License Terms and select I have read and accept the license terms if you accept the terms. b. Click Install. When the Microsoft Visual Studio Tools for Office Runtime Setup is finished, the Installation Is Complete window opens. c. Click Finish. The PI AF Client setup briefly continues. The PI AF Client Installation Complete window opens. 9. Click Close. Connect to a PI AF server 34 PI Asset Framework Installation and Upgrade Guide

43 PI AF Client installation and upgrade 1. In PI System Explorer, choose File > Connections. The Servers window opens, displaying a list of any PI Server or PI AF server for which a connection is configured. The currently connected servers are indicated with green circles. PI Servers versions and are indicated with a yellow triangle and a warning that you are connected to an unsupported server. Connections to pre servers are not allowed. 2. To connect to a different PI AF server, right-click on the server name in the list and choose Connect. Note: If the server you need is not displayed, you can add it as described in Add a PI AF server to the connection list. For any connected AF server, you can click Rename to enter a different name for it. Note, however, that renaming the server impacts all clients. Name does not have to match Description. Add a PI AF server to the connection list 1. In PI System Explorer, click File > Connections. The Servers window opens. This window lists any PI Server or PI AF server for which a connection is configured. Currently connected servers are indicated with a green circle. The default PI and PI AF servers are indicated with a check mark. PI Servers versions and are indicated with a yellow triangle and a warning that you are connected to an unsupported server. Connections to pre servers are not allowed. 2. Click Add AF Server. 3. Enter the PI AF server properties. The Name does not have to match the host name. Once you connect to a PI AF server, you can change Name for it by clicking Rename to enter a new name. Warning: Renaming the AF server impacts all clients The Host name may be the fully qualified domain name, server name, or IP address. IPv6 addresses must be enclosed in brackets [ ]. Leave the Account field blank. PI Asset Framework Installation and Upgrade Guide 35

44 PI AF Client installation and upgrade The default Timeout value of 300 seconds is acceptable in most cases. If you experience timeout errors as you work in the PI System Explorer, increase the time in the Timeout box. (Optional) Aliases are alternate names that can be used for the PI AF server when users look for the PI AF server. PI AF server aliases are stored only locally on the client where they are configured. (Optional) The Configure Active Directory link is for setting up the PI Notifications contacts list. This is a PI AF system administrator function. 4. Click OK. Note: If an error message opens saying that you cannot connect to the PI AF server, then you need to fill in the Account field. Topics in this section Fill in the Account field Configure Active Directory access for contacts Fill in the Account field When you add a new PI AF server connection to PI System Explorer, the Account field is left blank. If, after clicking connect, an error message appears stating that you cannot connect to the PI AF server, one reason for this error could be that you need to fill in the Account field. If you know that the PI AF application service is run under a domain account, you need to fill in the Account field. 1. Type in the name of the account under which the PI AF application service runs. For example: company.net\afcollective Note: You can modify the account only when disconnected from the server. 2. If you still cannot connect, see the troubleshooting topics in the PI AF Installation and Upgrade guide. Configure Active Directory access for contacts When using PI Notifications with PI AF server, you may need to specify how to access Microsoft s Active Directory to retrieve contact names for the PI Notifications Contacts lists. Each PI AF server provides the option to specify the domain and contact sub-folder, as well as the account needed to access Active Directory and retrieve contact names. By default, the account under which the PI AF server application service is running is used for Active Directory access. To use a different account or to access an Active Directory in a different domain, configure access from the Configure Active Directory Access for Contacts window. 36 PI Asset Framework Installation and Upgrade Guide

45 PI AF Client installation and upgrade 1. Open PI System Explorer and connect to a database that belongs to the PI AF server for which you want to configure Active Directory access. 2. From the File menu, select AF Server Properties and from that window click the Configure Active Directory Access for Contacts link. 3. In the Active Directory Domain Name text box, enter the full DNS name of the Active Directory domain from which the contact names will be retrieved for the PI Notifications Contacts (for example, contoso.com). If this field is left blank, the domain in which the PI AF application service resides will be used. 4. In the Active Directory Contact Sub-Folder text box, enter the path to the folder containing the list of contacts for this domain. In larger Active Directory domains, contacts may be organized within sub-folders. The use of sub-folders can allow for faster retrieval of a list of Active Directory contacts. Use the following structure for the sub-folder: DomainUserFolder/SubDomainUserFolder/Sub SubDomainUserFolder 5. Choose an option for Active Directory Access Account: Use the account the AF Server runs as This is the default option. Select it to access Active Directory using the account under which the PI AF application service runs. By default, the PI AF server is installed using the Network Service account. However, the PI AF server service account can be changed. If the PI AF server service account does not have the necessary permission to read the Active Directory, no contact names will be retrieved in the Contacts list. If your Active Directory security is configured to allow the PI AF server service account to read the Active Directory, then this is the simplest option. Use the account the AF Client is running as Select this option to use the credentials of the user account under which the connecting client application is running. If the PI AF server service is running under an account (Network Service is the default account) that does not have permission to read the Active Directory, this option can be used. As long as the user account under which the connecting client application is running has permission to read Active Directory, a list of contact names is returned to the Contacts list. The contents of the Contacts list may vary, depending upon the access account used, since the security to read the contact list is determined by Active Directory. Note: Specifying this option may require Kerberos configuration if an AF SDK application will be using impersonation in a middle tier, such as a Web Service. Use the specified account This option allows you to specify an account to use to read the Active Directory. This can be useful when the Active Directory and PI AF server are in different domains or when the accounts in the first two options have no permission to read the Active Directory. For Account Name, use the format Domain\User. Make sure the specified account has the appropriate permission to read the target Active Directory. PI Asset Framework Installation and Upgrade Guide 37

46 PI AF Client installation and upgrade 6. Check Use Active Directory's locally cached Global Catalog to use the global catalog for Active Directory domain controller searches. Otherwise searches must go to the owning domain controller. Active Directory holds information in a distributed data repository called a global catalog. For installations where there are multiple, distributed domain controllers, each domain controller has a cache of the portions of the global catalog for which it is not responsible, so that Active Directory searches do not have to be referred to the owning domain controller. This improves performance for queries that must otherwise have to access a remote domain controller. 7. Choose a setting for Return All Persons. Active Directory objects are derived from one another as follows: Top>Persons>OrganizationalPerson>Contact and Top>Persons>OrganizationalPerson>User Select this check box to return Persons, Organizational Persons, Contacts and Users from the target Active Directory. Clear the check box to return only Users. Upgrade PI AF Client 1. Verify that you are logged in with administrative rights. 2. Go to the directory where you downloaded the PI AF install kit. 3. Double-click the AFClient[VersionInfo]_.exe, where [VersionInfo] describes the version of the PI AF Client Kit. 4. You may be prompted by a User Account Control message to allow the installation run. Click Yes to allow the installation to continue. The Self-Extracting Executable window opens. 5. Click Browse and select the directory where you want to extract the files, then click OK. The files are extracted and the Welcome window opens and displays a list of the Modules that will be upgraded. 6. Review the list of modules and comments to ensure there are no warnings displayed and click OK. The Welcome to the PI AF Client 2014 Installation window opens. 7. Click Next. 8. Click Close. Enable multiple languages for PI AF Client PI AF Client supports multiple languages. Install the PI Asset Framework (PI AF) 2014 MUI language pack to enable multi-language access. If PI AF Client components do not support a particular language, the user interface appears in English. 38 PI Asset Framework Installation and Upgrade Guide

47 PI AF Client installation and upgrade 1. Download the PI Asset Framework (PI AF) 2014 MUI language pack from the OSIsoft Technical Support website ( 2. Install the PI Asset Framework (PI AF) 2014 MUI language pack. PI Asset Framework Installation and Upgrade Guide 39

48 PI AF Client installation and upgrade 40 PI Asset Framework Installation and Upgrade Guide

49 Analysis Management plug-in for PI System Explorer The Analysis Management plug-in is a PI System Explorer plug-in. This plug-in enables advanced users to: Manage bulk operations on all the analyses in a database Edit service configuration View service statistics To install the plug-in, you can use either the PI Analysis Service setup kit or the AF client setup kit. If you use the AF client setup kit to install the Analysis Management plug-in, then you must manually select the plug-in when you run the setup kit; it is not installed by default. For details about using the plug-in, see the topic "PI Analysis Service management" in PI Live Library ( Where to install the Analysis Management plug-in You can install the Analysis Management plug-in on as many instances of the PI System Explorer (PSE) as you like. Depending on usage in your organization, you might install the plug-in on every instance of PSE in your organization or on only a few, or on only one. The Analysis Management plug-in provides features aimed mainly at system administrators and process engineers performing bulk operations. If you have a variety of PI System Explorer users, consider restricting access to these advanced features by installing the plug-in only on instances of the PI System Explorer that are designated for these advanced users. PI Asset Framework Installation and Upgrade Guide 41

50 Analysis Management plug-in for PI System Explorer 42 PI Asset Framework Installation and Upgrade Guide

51 PI AF installation in a mirrored SQL Server session You can run PI Asset Framework (PI AF) in a mirrored SQL Server session. Although there are various ways to implement a mirrored SQL Server session, the instructions provided in this section use one example. In this example: The mirrored SQL Server session includes three machines: a principal server; a mirror server; and a witness server. Identical SQL Server editions are installed on the principal and mirror SQL Server machines using an instance name, while SQL Server Express edition is installed on the witness machine. The PI AF application service is installed on a machine that is separate from the machines used in the mirrored SQL Server session. The PI AF application service runs under a domain account. The PI AF client is installed on a separate machine, not on the machines that host the PI AF application service or PI AF SQL databases. Note: For more details, see Microsoft Database Mirroring (SQL Server) ( msdn.microsoft.com/en-us/library/ms aspx). 1. Pre-installation tasks for PI AF in a mirrored SQL Server session. 2. Install PI AF SQL database on principal and mirror servers. 3. Configure domain group for the PI AF application service in a mirrored SQL Server session. 4. Install the PI AF application service in a mirrored SQL Server session. 5. Create and map login and user accounts in a mirrored SQL Server system. 6. Configure PIFD database backups and restoration in a mirrored SQL Server session. 7. Create a mirrored SQL Server session on the principal server. Pre-installation tasks for PI AF in a mirrored SQL Server session Complete these tasks before you install PI AF server for the first time in a mirrored SQL Server session. 1. Review PI AF security requirements. 2. Ensure the correct ports are open between each machine in the mirrored SQL Server session and the PI AF application service computer. 3. Configure a domain group for the PI AF application service account. 4. Review the PI AF Link Subsystem user accounts. PI Asset Framework Installation and Upgrade Guide 43

52 PI AF installation in a mirrored SQL Server session Install PI AF SQL database on principal and mirror servers Before you start Verify that both the principal and mirror SQL Server machines use identical editions of SQL Server 2008 Standard or SQL Server 2012 and use an instance name. Optional: See Create or upgrade the PI AF SQL database manually to manually build a PI AF SQL database. 1. Run the PI AF server setup kit. 2. Deselect AF Application Service in the Select Features window. 3. Click Next. The Remote SQL Server Connection window opens with a drop-down list of SQL instance names. 4. Review the name of the SQL Server instance in the drop-down list and choose one of these options to validate the SQL Server connection: Accept the name of the SQL Server instance that is listed by default. Select the name of another SQL Server instance in the list. Enter the name of a local SQL Server instance. Enter a period (.) or leave the field blank to select the default SQL Server. If you install the SQL scripts manually and cannot validate the SQL Server connection due to security issues, deselect the Validate connection to the remote SQL Server check box. The PI AF server will not function until the SQL scripts are installed. 5. Click Next. 6. Leave the values blank in the Remote Application Server Connection window because the PI AF application service is required to run under a domain account. 7. Click Next and continue to run through the setup kit prompts that remain until the installation is complete. Set PIFD database recovery model on principal and mirror servers 1. Open Microsoft SQL Server Management Studio, and connect to the SQL Server instance that stores the PI AF SQL Server database (PIFD). 2. Expand Databases, right-click PIFD, and choose Properties. 3. In the Database Properties PIFD window, select the Options page. 4. Set the Recovery model to Full. 5. Click OK. 44 PI Asset Framework Installation and Upgrade Guide

53 PI AF installation in a mirrored SQL Server session Configure domain group for the PI AF application service in a mirrored SQL Server session When you run the PI AF SQL database in a mirrored SQL Server session, OSIsoft recommends that you run the PI AF application service under a domain user account that belongs to a domain group. This domain user group is used to create a SQL login account, which is assigned specific roles within the PI AF SQL databases. You must have permissions that allow you to create or configure a domain user group. That is, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Microsoft Windows Active Directory, or you must be delegated by the appropriate authority. 1. Open the Active Directory Users and Computers utility and connect to the domain that contains the PI AF application service account: a. Open a command window. b. Type dsa.msc. c. Click OK. 2. Right-click the Users node in the left pane, and select New Group. 3. In the Group name field, enter a name, such as AFServers. 4. Set the Group Scope to Global. 5. Set the Group Type to Security. 6. Click OK to create the domain group. 7. Right-click the newly created group (such as AFServers) and select Properties. 8. Select the Members tab and click Add. 9. In the Enter the object names to select field, enter the name of the domain user under which the PI AF server application service runs. 10. Click OK. 11. Close the Active Directory Users and Computers utility. Install the PI AF application service in a mirrored SQL Server session The PI AF application service must be installed on a machine that is separate from other machines that are used in the mirrored SQL Server session. 1. Run the PI AF server setup kit on the machine that will run the PI AF application service. 2. On the Select Features window, cancel the AF SQL Database feature selection. 3. Click Next. PI Asset Framework Installation and Upgrade Guide 45

54 PI AF installation in a mirrored SQL Server session The SQL Server Connection window opens. 4. Enter the SQL Server name for the principal database server and, if applicable, the SQL instance name, in the format: <SQLServerName>[\<InstanceName>] If you are installing the SQL scripts manually, and cannot validate the SQL Server connection because of security issues, clear the Validate connection to the remote SQL Server check box to skip the validation step. Note that the PI AF server will not function until the SQL scripts are run. 5. Click Next and continue to run through the setup kit prompts that remain until the installation is complete. 6. Verify that the PI AF application service runs under a domain account. For details, see Configure a domain group for the PI AF application service account in a failover cluster. 7. The AFService.exe.config file must be updated to reference the failover partner. Follow the instructions in Modify the PI AF application service connect string, ensuring the connection string includes the " failover partner" entry. Restart the PI AF Service after you update the connection string and save the file. Create and map login and user accounts in a mirrored SQL Server system A SQL login that is mapped to a domain user group is required for communication between a PI AF SQL database and PI AF application service. Before starting this procedure, ensure that you have configured a domain group for the account under which the PI AF application service runs. Complete these steps on both the principal and mirror machines. 1. Open Microsoft SQL Server Management Studio, and connect to the SQL Server instance that stores the PI AF SQL database (PIFD). 2. Under the SQL Server instance, expand Security > Logins. a. Right-click the Logins folder and select New Login. b. To include the groups object type, click Search. c. Click Object Types in the Select User Group window. d. Select Groups in the Object Types window. e. Click OK to return to the window. f. In the Select User Group window, click Locations. g. In the Locations window, select the Entire Directory folder and click OK. h. Enter the domain user group and include the domain name in the Enter the object name to select field with this format: YourDomain\YourAFDomainGroup i. Click OK to return to the General page. 3. Select the Windows authentication option. 4. Select the User Mapping page. 5. Under Users mapped to this login, select Map in the PIFD database row. 46 PI Asset Framework Installation and Upgrade Guide

55 PI AF installation in a mirrored SQL Server session 6. Ensure that the User column for the PIFD row is set to the domain user group YourDomain \YourAFDomainGroup. 7. Under Database role membership for: PIFD, select db_afserver. 8. Verify that the public role is selected; if it is not, select the public role check box. 9. Click OK to save the new SQL Server login. Delete local logins and user When you install the PI AF SQL database (PIFD) with the SQL Script Execution feature selected, SQL scripts create and populate the PI AF SQL database and create local SQL Server logins and AF database users. The PI AF application service is required to run under a domain account that belongs to a domain group; that domain group has a SQL Server login that is mapped to the PIFD database and is assigned specific database roles. As a result, you can delete the local user accounts that the SQL scripts create. 1. Open Microsoft SQL Server Management Studio, and connect to the SQL Server instance that stores the PI AF SQL database (PIFD). 2. Expand Databases > PIFD > Security > Users. 3. Delete the PI AF database user: AFServers Deleting a user automatically deletes the corresponding schema, if one exists. Configure PIFD database backups and restoration in a mirrored SQL Server session 1. On the principal server computer, make a full backup of the PI AF SQL database (PIFD) and a transaction log backup of PIFD. 2. Place a copy of the two backup files on the mirror server computer. 3. On the mirror server computer, right-click the PIFD database and select Task > Restore > Database > in the backup file to open the Restore Database PIFD window. 4. In the Source for restore area, select the From device option. 5. Click Device to browse to and select the backup file. Return to the Restore Database PIFD window. 6. Select the Restore check box for the newly added back-up file in the list of backup sets. 7. In the Options page: a. Select the Overwrite the existing database (WITH REPLACE) check box. b. Select the Recovery State that includes the text: (RESTORE WITH NO RECOVERY). The method of selection may vary between versions of SQL Server. PI Asset Framework Installation and Upgrade Guide 47

56 PI AF installation in a mirrored SQL Server session c. Click OK to start the restore operation. d. When a message opens that indicates the restore operation finished successfully, click OK to return to Microsoft SQL Server Management Studio. The PIFD database is shown in the Restoring mode. 8. On the mirror server computer, use the copy of the log file you saved earlier, right-click the PIFD database and select Task > Restore > Transaction Log to open the Restore Transaction Log - PIFD window. 9. In the Restore Source area, select the From file or tape option. 10. Click From file or tape to browse to and select the log file. Return to the Restore Transaction Log - PIFD window. 11. Select the Restore check box for the newly added back-up file in the list of back-up sets. 12. In the Options page: a. Click OK to start the restore operation. b. When a message opens that indicates the restore operation finished successfully, click OK to return to Microsoft SQL Server Management Studio. The PIFD database is shown in the Restoring mode. Create a mirrored SQL Server session on the principal server 1. On the principal server computer, right-click the PI AF SQL database (PIFD) and select Task > Mirror. The Database Properties PIFD window opens with the Mirroring page selected. 2. Click Configure Security. The Configure Database Mirroring Security Wizard opens. a. On the Include Witness Server page, select Yes. b. Click Next. c. On the Choose Servers to Configure page, select Witness server instance. d. Click Next. e. On the Principal Server Instance page, click Next. The Mirror Server Instance page opens. f. Select the mirror server from the Mirror Server Instance list. The Connect to Server window opens with the selected server/instance. g. Click Connect to verify that you are able to connect to the mirror server. If you are unable to connect, verify that the Listener port is available to the principal SQL Server. h. Click Next in the Mirror Server Instance page. 3. Select the witness server on the Witness Server Instance page. 48 PI Asset Framework Installation and Upgrade Guide

57 The Connect to Server window opens with the selected server/instance. a. Click Connect to verify that you are able to connect to the witness server. If you are unable to connect, verify that the listener port is available to the principal SQL Server. b. Click Next in the Witness Server Instance page. The Service Accounts page opens. c. Enter the account name under which each SQL Server Database Engine runs under the same domain account in the Principal, Witness, and Mirror fields. d. Click Next. e. Review the choices on the Complete Wizard page. If changes are required, click Back to go back and make the changes, and then click Next to return to the Complete Wizard page. 4. Click Finish. The Configuring Endpoints window opens. When the endpoint configuration is complete, the Status column displays Success. 5. Click Close. 6. Click Start Mirroring in the Database Properties window. The Database Properties PIFD window opens. The Operating mode is set to High safety with automatic failover (synchronous). 7. Click OK. After you finish PI AF installation in a mirrored SQL Server session If there are now errors, the mirrored SQL Server system configuration is complete and the system is ready to use. The PIFD database is shown in the Principal, Synchronized mode. If there are errors, check the Mirroring page in the PIFD properties for invalid entries and make any required corrections. PI Asset Framework Installation and Upgrade Guide 49

58 PI AF installation in a mirrored SQL Server session 50 PI Asset Framework Installation and Upgrade Guide

59 PI AF upgrade in a mirrored SQL Server session The process explained in this section to upgrade the PI AF SQL database (PIFD) in a mirrored SQL Server session is called a "rolling upgrade". Note: This process requires some steps be repeated for creating a PI AF SQL database in a mirrored SQL Server session. Topics in this section Before you upgrade PI AF in a mirrored SQL Server session Upgrade machines for PI AF in a mirrored SQL Server session Verify PI AF upgrade in a mirrored SQL Server session Before you upgrade PI AF in a mirrored SQL Server session 1. Notify your PI AF users that the system will be unavailable for a short period of time. 2. When you are ready to initiate the upgrade, stop the PI AF service on the PI AF application service machine. 3. Make a backup of the file named AFService.exe.config that is in the folder where PI AF is installed. For example, if you use the default installation, this file is in the C:\Program Files\PIPC\AF folder. You might need this file after the PI AF application service machine is upgraded. 4. Prepare principal server for PI AF upgrade in a mirrored SQL Server session. 5. Prepare mirror server for PI AF upgrade in a mirrored SQL Server session. Prepare principal server for PI AF upgrade in a mirrored SQL Server session 1. On the principal server, right-click the PI AF SQL database (PIFD) and select Mirror. 2. In the Database Properties PIFD window, click Remove Mirroring. 3. Move a copy of the PIFD backup files to the mirror server. Prepare mirror server for PI AF upgrade in a mirrored SQL Server session Before you start On the mirror server, restore the backup file and transaction log for the PI AF SQL database (PIFD) that was created on the principal server. PI Asset Framework Installation and Upgrade Guide 51

60 PI AF upgrade in a mirrored SQL Server session 1. Right-click PIFD and select Tasks > Restore > Database. 2. In the Restore Database PIFD window, click the Device option to open the Select backup devices window. 3. Click Add to open the Locate Backup File window. 4. Navigate to and select the files for the PIFD database backup and the transaction log and click OK. Click OK to return to the Restore Database PIFD window. 5. In the Options page, select the Overwrite the existing database (WITH REPLACE) check box. 6. Ensure the Recovery State is set to RESTORE WITH RECOVERY. 7. Click OK. When the restoration is complete, a message indicates that a successful restore was completed. Click OK. The PIFD database no longer shows any text to the right of the PIFD text. Upgrade machines for PI AF in a mirrored SQL Server session Before you start See Before you upgrade PI AF in a mirrored SQL Server session. Upgrade PI AF on the principal server machine a. Run the PI AF server setup kit on the machine that was used as the principal server in the mirrored SQL Server session. You will not be prompted to select installation features or enter any information. Ensure the PI AF server setup kit runs through to completion, without errors. Upgrade PI AF on the mirror server machine a. Run the PI AF server setup kit on the machine that was used as the mirror server in the mirrored SQL Server session. You will not be prompted to select installation features or enter any information. Ensure the PI AF server setup kit runs through to completion, without errors. Upgrade PI AF on the application server machine a. Run the PI AF server setup file on the machine used to run the PI AF application service, selecting the option to upgrade the PI AF application server. When the upgrade is complete, verify the PI AF service is still running under the correct domain account. Then, start the PI AF service. After you finish Create a new backup file and transaction log of the PIFD database on the principal server and copy the files to the mirror server. Use the procedure in Configure PIFD database backups and restoration in a mirrored SQL Server session. Next, see Create a mirrored SQL Server session on the principal server to create a mirrored SQL Server session on the principal server. 52 PI Asset Framework Installation and Upgrade Guide

61 PI AF upgrade in a mirrored SQL Server session Verify PI AF upgrade in a mirrored SQL Server session Before you start Upgrade machines for PI AF in a mirrored SQL Server session. 1. Review the connect string in the AFService.exe.config file in the C:\Program Files \PIPC\AF folder. Verify that the string references the correct failover partner. To find the connect string, review the backup copy of the file that was made when you prepared for the upgrade. 2. If the connect string is not correct, use the backup copy of the file in the AFService.exe.config file to overwrite the file in the C:\Program Files\PIPC\AF folder. 3. In the Services applet, restart the PI AF application service. PI Asset Framework Installation and Upgrade Guide 53

62 PI AF upgrade in a mirrored SQL Server session 54 PI Asset Framework Installation and Upgrade Guide

63 PI AF installation in a failover cluster You can use PI Asset Framework (PI AF) on Microsoft Windows Servers that use Windows Failover Clustering. PI AF server is composed of two components: a SQL database and an application service. The PI AF SQL database and the PI AF application service must reside on separate machines, within two separate clusters. For details, see Architecture for PI AF in a failover cluster. For the purposes of these procedures, Windows Servers that use Windows Failover Clustering are referred to as failover clusters; the individual machines that use Windows Failover Clustering are referred to as failover cluster machines. SQL Server Clusters are always referred to as SQL Server Clusters. OSIsoft assumes that you are familiar with the configuration and operation of failover clustering features, and with the cluster administration tools in your Windows operating system: Windows Server 2008 R2 Failover Cluster Management snap-in Windows Server 2012 Failover Cluster Management Tools If you are installing PI AF server in a failover cluster for the first time, it is important that you complete the steps in the order specified here for the machines that include PI AF server components. Topics in this section Architecture for PI AF in a failover cluster Pre-installation tasks for PI AF in a failover cluster PI AF SQL database installation in a failover cluster PI AF application service installation in a failover cluster Architecture for PI AF in a failover cluster A failover cluster that includes PI Asset Framework requires an environment that includes at least four machines that are divided two separate clusters. The installation instructions in this chapter demonstrate how to install the PI AF SQL database feature on a SQL Server Cluster and the PI AF application service on a separate Windows failover cluster. Install the PI AF SQL database in a SQL Server Cluster with at least two machines. Then install the PI AF application service on a separate cluster made up of at least two machines that use Windows Failover Clustering. OSIsoft recommends that you run the PI AF application service account under a domain group account in a failover cluster. For details, see Configure a domain group for the PI AF application service account in a failover cluster. Note: The PI AF application service and the SQL Server Cluster cannot be installed on the same machine if PI AF is to function correctly. PI Asset Framework Installation and Upgrade Guide 55

64 PI AF installation in a failover cluster Pre-installation tasks for PI AF in a failover cluster Perform the tasks in this section before you install PI AF server in a failover cluster for the first time. 1. Review the following Microsoft documentation: Windows Server 2008 R2: Failover Clusters in Windows Server 2008 R2 Windows Server 2012: What's New in Failover Clustering in Windows Install and configure these failover clustering features on the machines that you use for PI Asset Framework: Note: It is important that you install Microsoft Failover Clustering before you install the SQL Server Cluster. Microsoft Failover Clustering. Create one failover cluster for the machines on which the SQL Server Cluster will be installed. Create a separate failover cluster for the machines on which the PI AF application services will be installed. SQL Server Cluster. Install SQL Server Cluster on the machines that are used for the PI AF database only. 3. Review PI AF security overview. a. Verify that an AFServers domain user group has been created and that it contains the correct members. See Configure a domain group for the PI AF application service account in a failover cluster for details. b. Review and verify that the failover cluster environment that you use for PI Asset Framework is configured as described in Security considerations for the AF Link to PI feature in failover clusters. 4. On each SQL Server Cluster node, verify that the correct ports are open between each computer. See Firewalls and PI AF security for details. Topics in this section Security considerations for PI AF application service on a failover cluster Security considerations for the AF Link to PI feature in failover clusters Configure a domain group for the PI AF application service account in a failover cluster Security considerations for PI AF application service on a failover cluster By default, PI System Explorer and other PI AF clients attempt to connect to the PI AF application service using Kerberos authentication. There are special issues that need to be addressed when running the PI AF application service in a failover cluster and using Kerberos security. Please review PI AF and Kerberos authentication. 56 PI Asset Framework Installation and Upgrade Guide

65 PI AF installation in a failover cluster OSIsoft recommends that the PI AF application service be run under a domain account. When the PI AF application service is run under a domain account, the AF server always attempts to register a Service Principal Name (SPN) for that domain account, as long as the serviceprincipalname value is defined in the AFService.exe.config file. If the serviceprincipalname value is not defined in the AFService.exe.config file, the SPN will not be registered. By default, if the SPN is registered, it will be registered on each node in the failover cluster with the machine name as the Host name. For example, in a two node failover cluster with the PI AF application service installed, two SPNs would be registered, one for each node in the failover cluster. The SPN would be registered when the PI AF application service runs on the failover cluster node. So, you might have the following SPNs registered to your PI AF application service installed on a failover cluster: AFSERVER/Node1.domain.com and AFSERVER/ Node2.domain.com. In a failover cluster, a single SPN should be registered for the PI AF application service using the virtual name of the failover cluster as the Host, rather than one SPN for each node in the failover cluster, using the machine names as the Host name. Using a single SPN with the virtual cluster name as the Host ensures that PI AF clients always connect to the correct node within the failover cluster and allows for the use of Kerberos authentication. In Windows Server 2008 R2, by default the _CLUSTER_NETWORK_NAME_ environment variable is not defined (unlike some previous versions of Windows Server). The environment variable appears when the Use Network Name for computer name check box is selected in the Parameters tab for the cluster resource in Failover Cluster Manager. The cluster resource must also have a dependency of a Network Name resource type, else the checkbox will be disabled in the Parameters tab. Once the _CLUSTER_NETWORK_NAME_ environment variable is defined, the Network Name is assigned to variable value. This variable is stored in the registry in the multi-string value Environment in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services \AFService. In the case that the _CLUSTER_NETWORK_NAME_ environment variable is not defined, the Host name can be overridden by setting the hostname value in the appsettings section of the AFService.exe.config file. The value needs to be set to the virtual name of the failover cluster. Note: Should you want to remove the Environment multi-string value that holds the _CLUSTER_NETWORK_NAME_ environment variable, use the Failover Cluster Manager to take the PI AF application service resource offline. Next, deselect the Use Network Name for computer name check box for the PI AF application service resource. Then, bring the PI AF application service resource back online. The Environment multi-string value that holds the _CLUSTER_NETWORK_NAME_ environment variable is then removed from the registry. Security considerations for the AF Link to PI feature in failover clusters A failover cluster that includes PI Asset Framework (PI AF) server components requires that you complete these configuration steps to enable the AF Link to PI feature. PI Asset Framework Installation and Upgrade Guide 57

66 PI AF installation in a failover cluster Create and configure a domain group to support AF Link to PI. If configuring PI MDB migration to the target AF server for the first time, run the PI MDB to AF Migration Wizard and specify the domain group on the wizard's AF Information page. The wizard will set the correct permissions for the domain group on the AF server. If the Wizard was already run prior to the cluster installation, then the following manual steps are required. This domain group must have: Read, read data, write, write data, delete and admin access to the target AF database and the PI Server Element. Read, write, delete and admin access to AF Categories collection on the target AF database. Edit the AFGroupSID property under MDB - >%OSI - >MDBAFMigrationData to point to the SID of the newly created domain group. Use the Mappings & Trusts tool in PI SMT to find this SID. It is recommended that the PI AF Link Subsystem be run under a domain account. This domain account must be added to the domain group created to support AF Link to PI. OSIsoft recommends that you set the password on this domain account to not expire. This domain group must have: Read and write permissions on pi\dat and pi\log folders. Read and execute on pi\bin and pi\bin\piaflink.exe. Note: The default installation of PI AF Link subsystem is to run as NT AUTHORITY\Network Service. This default is not ideal for a PI AF cluster installation. If for some reason the PI AF Link Subsystem must continue to run as NT AUTHORITY\Network Service, then add the computer name of the PI Data Archive machine to the new domain group. If the PI Data Archive is configured as a cluster (for PI Data Archive 2010), then add the computer names of both the PI Data Archive machines to the new domain group. For more details on configuring security for PI AF Link System on PI AF server to allow MDB migration and synchronization, refer to the "Access Permissions for Migration and Synchronization" section in the PI MDB to PI AF Transition Guide. Configure a domain group for the PI AF application service account in a failover cluster When you run the PI AF application service or the PI AF SQL database in a failover cluster, OSIsoft recommends that you run the PI AF application service under a domain user account that belongs to a domain group with a name such as AFServers. This domain user group is used to create a SQL login account, which enables appropriate communications between the PI AF application service and the PI AF SQL databases. Note: You must have permissions that allow you to create or configure a domain user group. That is, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Microsoft Windows Active Directory, or you must be delegated by the appropriate authority. 58 PI Asset Framework Installation and Upgrade Guide

67 PI AF installation in a failover cluster 1. Open the Active Directory Users and Computers utility and connect to the domain that contains the PI AF application service account: a. Open a command window. b. Type dsa.msc. c. Click OK. 2. Right-click the Users node in the left pane, and select New Group. 3. In the Group name field, enter a name, such as AFServers. 4. Set the Group Scope to Global. 5. Set the Group Type to Security. 6. Click OK to create the domain group. 7. Right-click the newly created group (such as AFServers) and select Properties. 8. Select the Members tab and click Add. 9. In the Enter the object names to select field, enter the name of the domain user under which the PI AF server application service runs. 10. Click OK. 11. Close the Active Directory Users and Computers utility. PI AF SQL database installation in a failover cluster Complete these procedures in the SQL Server Cluster that holds the PI AF SQL database. It is important that you complete these procedures to install and configure the PI AF SQL database before you install and configure the PI AF application service on a machine in a separate failover cluster. Before you start You must use two separate Windows failover clusters when you set up the PI AF SQL database in a failover cluster; one for the SQL Server Cluster that holds the AF SQL database, another for the machines that run the PI AF application service. For details, see Architecture for PI AF in a failover cluster. 1. Install PI AF SQL database feature on each SQL Server failover cluster machine. 2. Execute SQL scripts in a failover cluster. 3. Create and map a SQL Server login. 4. Delete local logins and user. 5. Verify SQL Server service in a failover cluster. PI Asset Framework Installation and Upgrade Guide 59

68 PI AF installation in a failover cluster Install PI AF SQL database feature on each SQL Server failover cluster machine Install the PI AF SQL database feature on each machine in the SQL Server Cluster before you install the PI AF application service in the other failover cluster. Before you start Complete the tasks in Pre-installation tasks for PI AF in a failover cluster. 1. Open the directory where the PI AF installation program files are located and run the setup kit. The PI AF Server Self Extracting Executing window opens. 2. Select an extraction path in the PI AF Server Self Extracting Executing window. You can use the default installation path, or enter a new path. 3. Click OK to open the Welcome to the PI AF Server Setup window. 4. Review the list of components that are required as part of the PI AF server installation in the Welcome to the PI AF Server Setup window. For each component, a Status column in the list indicates whether the component is installed and whether it will be installed. 5. Click OK. Microsoft.NET Framework 4.5 installs if it is not installed. 6. Click Next. If the Microsoft SQL Server Native Client is not installs, it begins to install. 7. Click Next. 8. To install the Microsoft SQL Server Native Client: a. Click Next in the Microsoft SQL Server Native Client window if you accept the terms of the license agreement for the Microsoft SQL Server Native Client. b. Keep the default selections of the choices for the Microsoft SQL Server Native Client and click Next. c. Click Install. d. Click Finish to complete the installation of the Microsoft SQL Server Native Client. The Microsoft Visual C re-distributable components are installed. 9. Review the PI AF Server Installation page and click Next. 10. Click Browse to select a path to the directory for the PI AF installation, or leave the path to the default directory and click Next. The Select Features window opens. 11. Deselect AF Application Service and AF SQL Script Execution to remove these features from the list of items to be installed. 12. Click Next. Note: The PI AF server setup kit does not support the feature that installs the AF database when the setup kit is run on a SQL Server Cluster. Instead, the SQL scripts that install the AF database must be manually executed. For details, see Execute SQL scripts in a failover cluster. 13. Enter the name of the SQL Server Cluster in the MSSQLSERVER field. If applicable, include the SQL instance name. Do not include the SQL instance name in the MSSQLSERVER field if 60 PI Asset Framework Installation and Upgrade Guide

69 the default name is blank; a blank field indicates that the default SQL instance is used and you are not required to include the SQL instance name. Enter these names with this format: <SQLClusterName>[\<SQLClusterInstanceName>] Where: <SQLClusterName> is the name of the SQL Server cluster into which the PI AF SQL database (PIFD) will be installed. <SQLClusterInstanceName> is optional, and should be included if the SQL Server Cluster does not use the default instance name. 14. Deselect Validate connection to the SQL Server and PIFD Database Version next to the PIFD database version that you are using. You do not need to validate the connection to the SQL Server at this time because you must first execute the SQL scripts that create and populate the tables of the PI SQL AF database. 15. Click Next. 16. Verify that the correct components were installed and make changes, if required: a. Review the Ready to Install Application page. b. Click Back to make changes as required. c. If no changes are required, click Next to start the installation. 17. Review the results on the Installation Complete page and verify that there are no errors. 18. Click Close. After you finish Execute SQL scripts in a failover cluster. PI AF installation in a failover cluster Execute SQL scripts in a failover cluster Execute the AF SQL scripts to create and populate the tables of the PI AF SQL database (PIFD). The GO.bat file contains the commands that execute the deployed SQL Server scripts. The scripts and the GO.bat file are located in the..\pipc\af\sql folder and must be run manually. Before you start See Install PI AF SQL database feature on each SQL Server failover cluster machine. Use an account that has sysadmin privileges on the SQL Server instance to execute SQL scripts in a failover cluster. 1. On the active SQL Server Cluster node only, open a command prompt window. 2. Change the directory to the SQL folder in the \PIPC\AF folder (for example: cd c: \program files\pipc\af\sql). 3. Use the following syntax to execute the SQL scripts found in the SQL folder: PI Asset Framework Installation and Upgrade Guide 61

70 PI AF installation in a failover cluster GO.bat <SQLClusterName>[\<SQLClusterInstanceName>] PIFD [<SQLUserName> <SQLUserPassword>] where: <SQLClusterName> is the name of the SQL Server Cluster machine for the PI AF SQL database (PIFD). <SQLClusterInstanceName> is optional, and should be included if the SQL Server Cluster was installed with a named instance. PIFD is the name of the PI AF SQL database. <SQLUserName> and <SQLUserPassword> are only needed if mixed mode authentication is required to connect to the SQL Server cluster. Omit these to use Windows authentication. Typically, mixed mode authentication is required when the PI AF SQL database and PI AF application service are on different, non-trusted domains. When the process is complete, the command line looks like the following: c:\..\pipc\af\sql\pisysoledb>_ Create and map a SQL Server login A SQL Server login that is mapped to the domain user group is required for communication between PI AF SQL database and PI AF application service. Before you start Verify that you have configured the domain user group for PI AF before you map the domain user group required for communication between PI AF SQL database and PI AF application service. See Configure a domain group for the PI AF application service account in a failover cluster. 1. Open Microsoft SQL Server Management Studio, and connect to the SQL Server cluster instance that stores the PI AF SQL database (PIFD). 2. Under the SQL Server cluster instance, expand Security > Logins. a. Right-click the Logins folder and select New Login:. b. Enter the domain user group including the domain name (YourDomain \YourAFDomainGroup) in the Login name field. 3. If you receive a message that the value entered is invalid, it is necessary to search for a group name. In order to do such a search, you must manually include the Groups as a search object type. To include the groups object type: a. Click Search. b. In the Select User Group window, click Object Types. c. In the Object Types window, select Groups. d. Click OK to return to the Select User Group window. e. Enter the domain user group, including the domain name YourDomain \YourAFDomainGroup, in the Enter the object name to select field. f. Click OK to return to the General page. 62 PI Asset Framework Installation and Upgrade Guide

71 PI AF installation in a failover cluster 4. Select the Windows authentication option. 5. In Default database, select PIFD. 6. Select the User Mapping page. 7. Under Users mapped to this login, select the Map check box for PIFD database row. 8. Ensure that the User column for the PIFD row is set to the domain user group YourDomain \YourAFDomainGroup. 9. Under Database role membership for: PIFD, select the db_afserver check box. 10. The public role should be selected by default; if it is not, select its check box. 11. Click OK to save the new SQL Server login. Delete local logins and user When you install the PI AF SQL database (PIFD) with the SQL Script Execution feature selected, SQL scripts create and populate the PI AF SQL database and create local SQL Server logins and AF database users. The PI AF application service is required to run under a domain account that belongs to a domain group; that domain group has a SQL Server login that is mapped to the PIFD database and is assigned specific database roles. As a result, you can delete the local user accounts that the SQL scripts create. 1. Open Microsoft SQL Server Management Studio, and connect to the SQL Server instance that stores the PI AF SQL database (PIFD). 2. Expand Databases > PIFD > Security > Users. 3. Delete the PI AF database user: AFServers Deleting a user automatically deletes the corresponding schema, if one exists. Verify SQL Server service in a failover cluster Verify that the SQL Server service can run on all machines in the SQL Server Cluster. Before you start Use the cluster administration tool for your operating system to bring the SQL Server service online. 1. On each machine in the SQL Server Cluster: a. Click Start > Administrative Tools > Services. The Services window opens. 2. Scroll to the SQL Server service. All nodes should show the service s Startup Type as Manual. Only one node should show the service as Started. PI Asset Framework Installation and Upgrade Guide 63

72 PI AF installation in a failover cluster 3. Use the cluster administration tool for your operating system to move the service to another node: Windows Server 2008: In the Failover Cluster Management snap-in, right-click the service and select Move this service or application to another node > Move to node <name of non-active node in Microsoft Cluster>. Windows 2012: In the Failover Cluster Manager, right-click the service Role and select Move Select Node. In the Move Clustered Role window, select the next AF Server node and click OK. 4. Verify that the service is running on the machine that you moved the service to and that the service Startup Type is Manual. The service should not be running on the other nodes. After you finish See PI AF application service installation in a failover cluster and Configure PI AF application service on Windows Server 2008 R2 in a failover cluster or Configure PI AF application service on Windows Server 2012 in a failover cluster. PI AF application service installation in a failover cluster Before you start Install and verify the SQL Server Cluster for the PI AF SQL database. See PI AF SQL database installation in a failover cluster. 1. Install the PI AF application service in the failover cluster. 2. Configure PI AF application service on Windows Server 2008 R2 in a failover cluster. 3. Modify the default number of failovers on Windows Server Configure PI AF application service on Windows Server 2012 in a failover cluster. 5. Verify PI AF application service after failover cluster installation. 6. Configure certificates for PI AF high availability in a failover cluster. Install the PI AF application service in the failover cluster The PI AF application service must be installed on each Windows Server in the failover that will run the PI AF application service. This procedure assumes that the failover cluster for the PI AF application service has at least two machines. For details, see Architecture for PI AF in a failover cluster. Before you start See Pre-installation tasks for PI AF in a failover cluster. 64 PI Asset Framework Installation and Upgrade Guide

73 PI AF installation in a failover cluster 1. Open the directory where the PI AF installation program files are located and run the setup kit. The PI AF Server Self Extracting Executing window opens. 2. Select an Extraction path in the PI AF Server Self Extracting Executing window. You can use the default installation path, or enter a new path. 3. Click OK. The Welcome to the PI AF Server Setup window opens. 4. Review the list of components that are required as part of the PI AF server installation in the Welcome to the PI AF Server Setup window. For each component, a Status indicates whether the component is installed and whether it will be installed. 5. Click OK. Microsoft.NET Framework 4.5 installs if it is not installed. 6. Click Next. If the Microsoft SQL Server Native Client is not installed, it begins to install. 7. Click Next. 8. In the Microsoft SQL Server Native Client window: a. Click Next if you accept the terms of the license agreement for the Microsoft SQL Server Native Client. b. Keep the default selections of the choices for the Microsoft SQL Server Native Client and click Next. c. Click Install. d. Click Finish to complete the installation of the Microsoft SQL Server Native Client. The Microsoft Visual C re-distributable components are installed. 9. Review the PI AF Server Installation window and click Next. 10. Click Browse to select a path to the directory for the PI AF installation, or leave the path to the default directory and click Next. The Select Features window opens. 11. Deselect AF Application Service and AF SQL Script Execution to remove these features from the list of items to be installed. When the PI AF server setup kit is run on a SQL Server Cluster; the AF SQL Script Execution feature is not supported. Therefore, the SQL scripts must be manually executed. See Execute SQL scripts in a failover cluster. 12. Click AF SQL Database and select Entire feature will be unavailable. You will install only the AF Application Service feature. 13. Click Next. 14. Enter the name of the SQL Server Cluster in the MSSQLSERVER field. If applicable, include the SQL instance name. Do not include the SQL instance name in the MSSQLSERVER field if the default name is blank; a blank field indicates that the default SQL instance is used and you are not required to include the SQL instance name. Enter these names with this format: <SQLClusterName>[\<SQLClusterInstanceName>] Where: <SQLClusterName> is the name of the SQL Server cluster into which the PI AF SQL database (PIFD) will be installed. PI Asset Framework Installation and Upgrade Guide 65

74 PI AF installation in a failover cluster <SQLClusterInstanceName> is optional, and should be included if the SQL Server Cluster was installed with an instance name. 15. To validate the SQL Server connection, try to connect to the SQL Server Cluster. If a connection is made, select the Warning Acknowledged check box in the warning that indicates a version of the PI AF SQL database already exists and click Next. 16. If you cannot validate the SQL Server machine connection, click Back, deselect Validate connection to the SQL Server and the PIFD Database Version check box and click Next to continue with the installation. 17. Review the Ready to Installation Application window. Click Back to make changes as required; if no changes are required, click Next to start the installation. 18. Review the results on the Installation Complete window and verify that there are no errors. 19. Click Close. 20. Complete the procedure in Remove NetworkService account access to the PI AF SQL database. The PI AF application service is installed using the local NetworkService account, but needs to be run under a domain account to provide the most secure method for protecting your PI AF server. 21. Ensure the PI AF application service is shut down. See Run the PI AF application service under a domain account. Configure PI AF application service on Windows Server 2008 R2 in a failover cluster After you install PI AF on a Microsoft Windows Server for use with a failover cluster, add the PI AF application service as a resource of the failover cluster, create dependencies, and bring the service online. Use this procedure for Windows Server 2008 R2. Before you start Install the PI AF application service on each node of the failover cluster. 1. Using Failover Cluster Manager: a. Right-click Services and applications. b. Select More Actions. c. Select Create Empty Service or Application. A new entry is added with the name of New service or application. d. Right-click the newly created New service or application and select Rename. e. Enter a name for your PI AF application service cluster, such as AF SERVER. f. Right-click the newly renamed application service cluster; in this example, select AF SERVER. g. Select Add a Resource. h. Select Click Access Point. 2. In the New Resource Wizard: 66 PI Asset Framework Installation and Upgrade Guide

75 PI AF installation in a failover cluster a. Specify the name and IP address of the PI AF application service cluster. A new DNS entry will be created using the Network name and IP address values. The Network name and/or IP address will be used by AF clients to connect to the PI AF application service cluster. b. Enter the Network Name of the PI AF application service cluster in the Name box, such as AFServerCluster. c. Enter the appropriate static IP address in the row that represents the Public network connection in the cluster. d. De-select the check mark that is beside any other networks listed in the box. Ensure you do not already have an Active Directory entry for the Network Name you entered. e. Click Next. The Confirmation page appears. f. If the Network Name and/or IP Address are not correct, click Previous and make the required corrections. Otherwise, click Next to create the new DNS entry. g. If there are errors displayed, click View Report to review the results and troubleshoot the errors. Otherwise, click Finish 3. Right-click the new AF SERVER: a. Select Add a resource. b. Select Generic Service. The New Resource Wizard opens. 4. In the New Resource Wizard: a. Select the PI AF application service to be added to the AF SERVER cluster. b. Scroll through the list of services and select PI AF Server 2.x. c. Click Next. The Confirmation page appears. d. If the Service and/or Parameters are not correct, click Previous and make the required corrections. Otherwise, click Next. The Summary page displays the creation and configuration results for the new resource. e. If errors appear, click View Report to review the results and troubleshoot the errors. Otherwise, click Finish. 5. Select and right-click on the newly created resource PI AF Server 2.x and choose Properties. 6. In the PI AF Server 2.x Properties window: a. Click the Dependencies tab. b. In the Resource column, click Click here to add a dependency. c. From the drop-down list, select the Name of the PI AF application service cluster previously defined. d. Click OK. e. If the PI AF application service cluster is not online, right-click on the server name and select Bring this service or application online. The status of each resource for the PI AF application service cluster changes from Offline to Online. 7. Verify PI AF application service after failover cluster installation. PI Asset Framework Installation and Upgrade Guide 67

76 PI AF installation in a failover cluster Modify the default number of failovers on Windows Server 2008 In Windows Server 2008 R2, a group in a two-node cluster is scheduled to fail over one time every six hours. You can change this default setting. 1. In the Failover Cluster Management snap-in, right-click the service and select Properties. 2. Select the Failover tab and modify the number. Configure PI AF application service on Windows Server 2012 in a failover cluster After you install PI AF on a Microsoft Windows Server for use with a failover cluster, add the PI AF application service as a resource of the failover cluster, create dependencies, and bring the service online. Use this procedure for Windows Server Using Failover Cluster Manager: a. Right-click Roles. b. Select Create Empty Role. A new entry is added with the name of New Role. c. Right-click the newly created New Role and select Properties. d. In the New Roles Properties window, change the name to identify your PI AF server. For example, AFSERVER. In the Preferred Owners section, select the check boxes of the machines that are in the failover cluster for PI AF and click OK. e. Right-click the newly renamed application service cluster; in this example, select AF SERVER. f. Select Add a Resource. g. Select Click Access Point. 2. In the New Resource Wizard: a. Specify the name and IP address of the PI AF application service cluster. A new DNS entry will be created using the Network name and IP address values. The Network name and/or IP address will be used by AF clients to connect to the PI AF application service cluster. b. Enter the Network Name of the PI AF application service cluster in the Name box, such as AFServerCluster. c. Enter the appropriate static IP address in the row that represents the Public network connection in the cluster. d. De-select the check mark that is beside any other networks listed in the box. Ensure you do not already have an Active Directory entry for the Network Name you entered. e. Click Next. The Confirmation window appears. 68 PI Asset Framework Installation and Upgrade Guide

77 PI AF installation in a failover cluster f. If the Network Name and/or IP Address are not correct, click Previous and make the required corrections. Otherwise, click Next to create the new DNS entry. g. If there are errors displayed, click View Report to review the results and troubleshoot the errors. Otherwise, click Finish 3. Right-click the new AF SERVER: a. Select Add a resource. b. Select Generic Service. The New Resource Wizard opens. 4. In the New Resource Wizard: a. Select the PI AF application service to be added to the AF SERVER cluster. b. Scroll through the list of services and select PI AF Server 2.x. c. Click Next. The Confirmation window appears. d. If the Service and/or Parameters are not correct, click Previous and make the required corrections. Otherwise, click Next. The Summary window displays the creation and configuration results for the new resource. e. If errors appear, click View Report to review the results and troubleshoot the errors. Otherwise, click Finish. 5. Select and right-click on the newly created resource PI AF Server 2.x and choose Properties. 6. In the PI AF Server 2.x Properties window: a. Click the Dependencies tab. b. In the Resource column, click Click here to add a dependency. c. From the drop-down list, select the Name of the PI AF application service cluster previously defined. d. Click OK. e. If the PI AF application service cluster is not online, right-click on the server name and select Bring this service or application online. The status of each resource for the PI AF application service cluster changes from Offline to Online. 7. Verify PI AF application service after failover cluster installation. Verify PI AF application service after failover cluster installation Verify that the PI AF application service can run on the active node of the failover cluster. Before you start See Install the PI AF application service in the failover cluster and Configure PI AF application service on Windows Server 2008 R2 in a failover cluster or Configure PI AF application service on Windows Server 2012 in a failover cluster. Use the failover cluster administration tool for your operating system to bring the PI AF server service online. PI Asset Framework Installation and Upgrade Guide 69

78 PI AF installation in a failover cluster 1. Click Start > Administrative Tools > Services on the active node in the failover cluster. The Services window opens. 2. Scroll to the AF Server service. The active node should show the service as Started. 3. Use the cluster administration tool for your operating system to move the service to another node: Windows Server 2008 R2: In the Failover Cluster Management snap-in, right-click the service and select Move this service or application to another node > Move to node <name of non-active node in Microsoft Cluster>. Windows 2012: In the Failover Cluster Manager, right-click the service Role and select Move Select Node. In the Move Clustered Role window, select the next AF Server node and click OK. 4. Verify that the service is running on the new owner node and shows the service s Startup Type as Manual. 5. Repeat the previous steps until you have verified that all nodes in the cluster can take control of the service. 6. If the clustered PI AF application service will be part of a PI AF collective, see Configure certificates for PI AF high availability in a failover cluster. 7. For failover clusters on Windows Server 2008 R2, you can change the frequency and number of times that a cluster machine will fail over. See Modify the default number of failovers on Windows Server Configure certificates for PI AF high availability in a failover cluster Complete the steps in this section if the machine that you will use to for the PI AF application service will: connect to the AF SQL database on the SQL Server failover cluster, and is in a PI AF collective. If this PI AF server that includes the PI AF application service will be a member of a PI AF collective, each computer in the failover cluster that must use the same Windows certificate that supports communication with the PI AF application service that used in the failover cluster. Before you start Ensure that the PI AF application service has been installed and verified on each cluster that you want to include in the collective. 70 PI Asset Framework Installation and Upgrade Guide

79 PI AF installation in a failover cluster 1. Copy the AF server certificate, named AFServer.pfx and located in the C:\ProgramData \OSIsoft\AF directory, from the active node in the failover cluster to the same location on other machines in the failover cluster. 2. Use the cluster administration tool for your operating system to restart the PI AF application service on each machine in the failover cluster. Windows Server 2008 R2: In the Failover Cluster Management snap-in, right-click the service and select Move this service or application to another node > Move to node <name of non-active node in Microsoft Cluster>. PI Asset Framework Installation and Upgrade Guide 71

80 PI AF installation in a failover cluster 72 PI Asset Framework Installation and Upgrade Guide

81 PI AF upgrade in a failover cluster A failover cluster that includes PI Asset Framework requires an environment that includes at least four machines that are divided two separate clusters. This section demonstrates how to upgrade the PI AF SQL database feature for the machines in a SQL Server cluster and upgrade the PI AF application service for the machines in a separate failover cluster. Note: The first time a client connects to the upgraded AF server after an upgrade to PI Asset Framework 2.6, some final upgrade operations will occur that may cause a brief period of slow performance. OSIsoft recommends that you use PI System Explorer to connect to your upgraded AF server immediately after the upgrade to force these operations to occur. 1. Take PI AF server offline before failover cluster upgrade. 2. Upgrade the PI AF SQL database in a failover cluster. 3. Upgrade the PI AF application service in a failover cluster. 4. Verify PI AF application service after cluster upgrade. Take PI AF server offline before failover cluster upgrade Take the active PI AF server machine offline and pause the inactive PI AF server machines before you upgrade machines in a failover cluster. This prevents changes to the PI AF SQL database during the upgrade of the failover cluster. Use the procedure for the operating system that applies to your system. 1. Open the failover cluster tool for your operating system. 2. On the failover cluster machine that is active: For Windows 2008 R2: In the Failover Cluster Manager, select the AFSERVER service in the left pane. In the right pane, the Server Name and Other Resources list appears. Right-click the PI AF application service in the list and select Take this resource offline. For Windows 2012: Select Roles in the left pane and then in the right pane, right-click the AF SERVER role and select Stop Role. In the right pane, the Server Name and Other Resources list displays. Right-click the PI AF application service in the list and select Take this resource offline. PI Asset Framework Installation and Upgrade Guide 73

82 PI AF upgrade in a failover cluster a. Select Roles in the left pane and then in the right pane, right-click the AF SERVER role and select Stop Role. b. In the right pane, the Server Name and Other Resources list displays. c. Right-click the PI AF application service in the list and select Take this resource offline. 3. For each of the non-active nodes in the failover cluster, right-click each node in the Nodes list and select: Pause if you use Windows 2008 R2 Pause Do Not Drain nodes if you use Windows 2012 After you finish Note: By pausing the non-active nodes, you ensure that the PI AF server resource does not fail over. See Upgrade the PI AF SQL database on non-active nodes in a SQL Server Cluster. Upgrade the PI AF SQL database in a failover cluster 1. Upgrade the PI AF SQL database on non-active nodes in a SQL Server Cluster. 2. Upgrade the PI AF SQL database on active node in a SQL Server Cluster. Upgrade the PI AF SQL database on non-active nodes in a SQL Server Cluster Run the PI AF setup kit on the non-active machines of the SQL Server Cluster to begin the upgrade of the PI AF SQL database. The PI AF SQL database must be installed on each machine in the SQL Server Cluster that runs the PI AF SQL database. This procedure assumes that the SQL Server Cluster has at least two machines. For details, see Architecture for PI AF in a failover cluster. Before you start Ensure that the PI AF application service resource is offline before you run the setup kit. See Take PI AF server offline before failover cluster upgrade. 1. Go to the directory where you downloaded the PI AF installation program files on the Windows server that uses Microsoft Failover Clustering and run the setup kit. 2. After the files are extracted to a temporary directory, click OK and then click Next. The Welcome to the PI AF Server Setup window shows a list of modules that are required for the PI AF installation. 3. Click OK. Microsoft.NET Framework 4.5 is installed if it is not on the machine. Microsoft SQL Server Native Client installation begins, if it is not installed. 4. Click Next. 74 PI Asset Framework Installation and Upgrade Guide

83 PI AF upgrade in a failover cluster 5. If you accept the license terms, click the option to accept the terms and then click Next. 6. Use the default selections of the features for Microsoft SQL Server Native Client and then click Install. 7. Click Finish. The Microsoft Visual C re-distributable files are installed. 8. Review the Welcome to the PI AF Server Installation window and then click Next. 9. Accept the default Destination Folder and click Next. Note: The PI AF setup kit does not allow you to change the destination folder on an upgrade. 10. Review the information in the Ready to Install the Application window. Click Back to make changes if changes are required. Otherwise, click Next to start the installation of PI AF. On the Installation Complete page, review the Status and Comments for each Module to verify that no errors occurred. Click Close. After you finish See Upgrade the PI AF SQL database on active node in a SQL Server Cluster. Upgrade the PI AF SQL database on active node in a SQL Server Cluster This active node runs on the Windows server that uses Microsoft Failover Clustering. Note: The SQL scripts for PI AF must be run manually to upgrade the PI AF SQL database on the active node of the SQL Cluster. Before you start Verify that the PI AF application service resource is offline and that the PI AF SQL database feature has been upgraded on all non-active cluster nodes before you upgrade the PI AF SQL database on the active PI AF SQL database machines in the SQL Server Cluster. See Take PI AF server offline before failover cluster upgrade and Upgrade the PI AF SQL database on nonactive nodes in a SQL Server Cluster. 1. Go to the directory where you downloaded the PI AF installation program files and run the setup kit. 2. After the files are extracted to a temporary directory, click OK and then click Next. The Welcome to the PI AF Server Setup window shows a list of modules that are required for the PI AF installation. 3. Click OK. Microsoft.NET Framework 4.5 is installed if it is not on the machine. Microsoft SQL Server Native Client installation begins, if it is not installed. 4. Click Next. 5. If you accept the license terms, click the option to accept the terms and then click Next. PI Asset Framework Installation and Upgrade Guide 75

84 PI AF upgrade in a failover cluster 6. Use the default selections of the features for Microsoft SQL Server Native Client and then click Install. 7. Click Finish. The Microsoft Visual C re-distributable files are installed. 8. Review the Welcome to the PI AF Server Installation window and then click Next. 9. Accept the default Destination Folder and click Next. Note: The PI AF setup kit does not allow you to change the destination folder on an upgrade. 10. Review the information in the Ready to Install the Application window. Click Back to make changes if changes are required. Otherwise, click Next to start the installation of PI AF. On the Installation Complete page, review the Status and Comments for each Module to verify that no errors occurred. Click Close. 11. Complete these steps to manually execute the SQL scripts: a. Open a command prompt window. b. Change the directory to the SQLfolder in the \PIPC\AF folder (for example: cd c: \program files\pipc\af\sql). c. Use the following syntax to execute the SQL scripts found in the SQL folder: GO.bat <SQLClusterName>[\<SQLClusterInstanceName>] PIFD [<SQLUserName> <SQLUserPassword>] where: <SQLClusterName> is the name of the SQL Server Cluster node for the PI AF SQL database (PIFD). <SQLClusterInstanceName> is optional, and should be included if the SQL Server Cluster was installed with a named instance. PIFD is the name of the PI AF SQL database. <SQLUserName> and <SQLUserPassword> are only needed if mixed mode authentication is required to connect to the SQL Server cluster. To use Windows authentication, omit these. Typically, mixed mode authentication is required when the PI AF SQL database and PI AF application service are on different, non-trusted domains. When the process is complete, the command line looks like the following: c:\..\pipc\af\sql\pisysoledb>_ 12. Contact your SQL Server administrator and verify that the local NTAUTHORITY \NetworkService login is not required for other uses. If the login is not required, delete it. 13. Delete the following local SQL Server login if it exists: LocalMachineName\AFservers. 14. In Microsoft SQL Server Management Studio, expand SQLClusterInstance > PIFD > Security > Users. 15. Delete the following SQL Server users, if they exist. PIFD AF Servers NTAUTHORITY\NetworkService 76 PI Asset Framework Installation and Upgrade Guide

85 PI AF upgrade in a failover cluster Upgrade the PI AF application service in a failover cluster Before you start See Take PI AF server offline before failover cluster upgrade and Upgrade the PI AF SQL database in a failover cluster. 1. Upgrade PI AF application service on active node in a failover cluster. 2. Upgrade PI AF application service on non-active nodes in a failover cluster. Upgrade PI AF application service on active node in a failover cluster Run the setup kit on the active machine in the failover cluster to begin the upgrade of the PI AF application service. The PI AF application service must be installed on each machine in the failover cluster that runs the PI AF application service. This procedure assumes that the failover cluster for the PI AF application service has at least two machines. For details, see Architecture for PI AF in a failover cluster. Before you start Ensure that the PI AF SQL database has been upgraded on all SQL Server Cluster machines and that the PI AF application service resource is offline. See Upgrade the PI AF SQL database in a failover cluster and Take PI AF server offline before failover cluster upgrade. 1. Go to the directory where you downloaded the PI AF installation program files and run the setup kit. 2. After the files are extracted to a temporary directory, click OK and then click Next. The Welcome to the PI AF Server Setup window shows a list of modules that are required for the PI AF installation. 3. Click OK. Microsoft.NET Framework 4.5 is installed if it is not on the machine. Microsoft SQL Server Native Client installation begins, if it is not installed. 4. Click Next. 5. If you accept the license terms, click the option to accept the terms and then click Next. 6. Use the default selections of the features for Microsoft SQL Server Native Client and then click Install. 7. Click Finish. The Microsoft Visual C re-distributable files are installed. 8. Review the Welcome to the PI AF Server 2013 Installation window and then click Next. 9. Accept the default Destination Folder and click Next. Note: The PI AF setup kit does not allow you to change the destination folder on an upgrade. PI Asset Framework Installation and Upgrade Guide 77

86 PI AF upgrade in a failover cluster 10. Review the information in the Ready to Install the Application window. Click Back to make changes if changes are required. Otherwise, click Next to start the installation of PI AF. On the Installation Complete page, review the Status and Comments for each Module to verify that no errors occurred. Click Close. 11. Make sure that the PI AF application service is configured to run under the correct domain account. In the Windows Services list, scroll to the PI AF Server 2.x Application Service and verify that: Status column is empty. Startup type is Manual. Log On As is for the previously assigned domain user. If you have a 64-bit cluster that uses PI Asset Framework version 2.5 or earlier, enter the new installation directory in the Startup Parameters of Other Resources 12. If necessary, make any corrections to the PI AF application service configuration: a. Stop the service and right-click the service and select Properties. Change the Startup Type to Manual. b. Select the Log On window and enter the previously assigned domain user that is under This account. c. Enter the domain user name and password and click OK to close the window. d. Click OK to acknowledge that the change will not take effect until the service is restarted. Upgrade PI AF application service on non-active nodes in a failover cluster Before you start 1. Upgrade the PI AF application service on the active cluster node. 2. Ensure that the PI AF application service resource is offline and that all non-active nodes are paused. 1. Log onto the non-active PI AF application service cluster node. 2. Go to the directory where you downloaded the PI Asset Framework installation files and run the setup kit. 3. Select or enter an extraction path in the PI AF Server Self Extracting Executing window. Use the default installation path, or enter a new path. 4. Click OK. 5. Ensure the PI AF Server 2.x Application service is still configured to run under the correct domain account. 78 PI Asset Framework Installation and Upgrade Guide

87 PI AF upgrade in a failover cluster 6. Open the Windows Services list and review the PI AF Server 2.x Application Service. It must remain configured to run under the correct domain account: a. In the Windows Services list, scroll to the PI AF Server 2.x Application Service and verify that: Status column is empty. Startup type is Manual. Log On As for the previously assigned domain user. If you have a 64-bit cluster that uses PI Asset Framework version 2.5 or earlier, enter the new installation directory in the Startup Parameters of Other Resources. If it does not: Stop the service and right-click the service and select Properties. Change the Startup Type to Manual. Select the Log On page and enter the previously assigned domain user that is under This account. Enter the domain user name and password and click OK to close the window. Click OK to acknowledge that the change will not take effect until the service is restarted. 7. For failover clusters on Windows Server 2008, you might want to change the default number of failovers. See Modify the default number of failovers on Windows Server After you finish If you have a 64-bit cluster that uses PI Asset Framework, you must change the installation directory to point to the correct directory for the PI AF service file. 1. Open the Failover Cluster Manager: 2. In Windows 2008: Select the PI AF Application service in the left pane, and then rightclick the PI AF Server 2.x Application Service in the right pane and select Properties. In Windows 2012: Select Roles in the left pane and then right-click the PI AF server role in the right pane and select Properties. 3. In the Startup parameters list, change the text to refer to the correct path and file name for the AFService file. For example, by default the AFService file is installed as: Files\PIPC\AF \AFService.exe. This should be changed to: C:\Program Files\PIPC\AF \AFService.exe 4. Click OK to close the Properties window. Verify PI AF application service after cluster upgrade Start the service, verify that the service can run on all nodes of the cluster, and verify that client applications can connect. Before you start Upgrade the PI AF application service. PI Asset Framework Installation and Upgrade Guide 79

88 PI AF upgrade in a failover cluster 1. Log on to the active node of the cluster on which the PI AF application service is installed. 2. Resume the non-active node or nodes in the cluster. In Windows 2012, click Do Not Fail Roles Back 3. Bring the PI AF server resource/role online. 4. Open the Services list and ensure that the Startup Type is Manual for the PI AF Server service on each machine in the cluster. Only one machine should show the service as Started. 5. Verify a client application can connect using the network name assigned to the cluster. 6. Repeat the previous steps to verify that all nodes in the failover cluster can run the PI AF Server service and that a client application can connect. Results The upgrade of PI AF server on in a failover cluster is now complete. 80 PI Asset Framework Installation and Upgrade Guide

89 PI AF installation and upgrade in a SQL Server availability group Microsoft SQL Server 2012 offers the AlwaysOn availability group feature as a way to improve database high availability. Availability groups allow multiple databases in a single SQL Server instance to fail over together. SQL Server 2012 s AlwaysOn technology allows for multiple high availability and disaster recovery deployment solutions. PI Asset Framework is compatible with the Microsoft SQL Server 2012 AlwaysOn availability group feature. While this document does not address the possible deployment solutions, it is important that you have a plan for the solution you will implement before you begin to install PI Asset Framework (PI AF). These topics explain how to install and configure PI AF within an availability group that already exists, or within an availability group that you plan to set up. Note: The topics in this section are written for users who are familiar with the structure and function of Microsoft SQL Server 2012 availability groups. See AlwaysOn Availability Groups (SQL Server) ( for detailed information. Topics in this section PI AF installation in a SQL Server availability group Upgrade a PI AF database that is in a SQL Server availability group member PI AF installation in a SQL Server availability group Pre-installation requirements for PI AF in a SQL Server availability group PI Asset Framework with the SQL Server AlwaysOn feature requires an environment that meets these minimum requirements: A SQL Server 2012 Availability Group requires a minimum of two SQL Server 2012 machines. The SQL Server database engine services should run under domain accounts for each of the machines that will be included in the availability group. Each machine involved in the availability group must be in a failover cluster; that is, Microsoft Windows Servers that are included in a group of machines that use the Windows Failover Clustering feature. A Windows Server machine that is not included in the failover cluster. This machine will be used to run the PI AF application service. For details, see Prerequisites, Restrictions, and Recommendations for AlwaysOn Availability Groups (SQL Server) ( edbab896-42bb-4d17-8d75-e92ca11f7abb). PI Asset Framework Installation and Upgrade Guide 81

90 PI AF installation and upgrade in a SQL Server availability group Install PI AF on the primary replica machine in the SQL Server availability group Complete these steps on the SQL Server machine that serves as, or is designated to serve as, the primary replica of the SQL Server Availability Group. Before you start Be prepared to provide the domain name and the name of the machine that is used to run the PI Asset Framework application service. 1. Run the PI AF server setup kit. When prompted to select PI AF features, select only the PI AF SQL Database and PI AF SQL Script Execution features. 2. When prompted, enter the domain and name of the machine on which the PI AF application service feature will be installed. After you finish When the PI AF installation is complete, set the Recovery Model of the PIFD database to Full. For more information, see PI AF backup considerations. Install PI AF in a SQL Server availability group You can use PI Asset Framework (PI AF) for use with a SQL Server availability group when an availability group does not yet exist or within an existing availability group. Use the procedures in these sections to install PI AF and its components on the machines that will be used for the SQL Server availability group. Before you start Verify that the SQL Server machines are configured to support AlwaysOn Availability Groups: 1. On each SQL Server machine to be used in the availability group, open the SQL Server Configuration Manager. 2. Right-click the SQL Server service and select Properties. Select the AlwaysOn High Availability page. 3. Verify that the AlwaysOn Availability Groups check box is selected. If it is not selected, select it and restart the SQL Server service. 1. Follow these steps to install PI AF while you are creating an availability group. It is important to complete the procedures in the order listed here. a. Install PI AF on the primary replica machine in the SQL Server availability group. b. Install PI AF on the secondary replica machines in the SQL Server availability group. c. Install PI AF application service for use with a SQL Server availability group. d. Create a SQL login for the primary replica machine in the SQL Server availability group. 82 PI Asset Framework Installation and Upgrade Guide

91 PI AF installation and upgrade in a SQL Server availability group e. Back up the PIFD database for a SQL Server availability group. f. Create SQL logins for the secondary replica machines in a SQL Server availability group. g. Create a network share for a SQL Server availability group. h. Create a SQL Server availability group for use with PI AF. i. Configure the PI AF connection string for use with a SQL Server availability group. 2. Follow these steps to install PI AF in an existing SQL Server availability group. It is important to complete the procedures in the order listed here. a. Install PI AF on the primary replica machine in the SQL Server availability group. b. Install PI AF on the secondary replica machines in the SQL Server availability group. c. Install PI AF application service for use with a SQL Server availability group. d. Create a SQL login for the primary replica machine in the SQL Server availability group. e. Back up the PIFD database for a SQL Server availability group. f. Create SQL logins for the secondary replica machines in a SQL Server availability group. g. Configure the PI AF connection string for use with a SQL Server availability group. h. Add a PI AF database to an existing SQL Server availability group. Install PI AF on the secondary replica machines in the SQL Server availability group Complete these steps on each SQL Server machine that serves as, or is designated to serve as, a secondary replica of the SQL Server AlwaysOn availability group. 1. Run the PI AF server setup kit. When prompted, select only the AF SQL Database feature without the AF SQL Script Execution option. 2. Click Next and continue to run through the setup kit prompts that remain until the installation of the PI AF SQL database is complete. Install PI AF application service for use with a SQL Server availability group Install the PI AF application service on a machine that is not included in the Windows Server failover cluster. Before you start Be familiar with the name and, if appropriate, instance, of the SQL Server machine that is, or is designated to serve as the primary replica of the availability group. You will be prompted to enter this information during the installation. PI Asset Framework Installation and Upgrade Guide 83

92 PI AF installation and upgrade in a SQL Server availability group 1. Run the PI AF setup kit. When prompted, specify the name and, if appropriate, instance, of the SQL Server machine that is designated as the primary replica of the availability group. 2. Click Next and continue to run through the setup kit prompts that remain until the installation of the PI AF application service is complete. After you finish 1. Change the PI AF application service to run under a domain account that belongs to a domain group. 2. Restart the service. Create a SQL login for the primary replica machine in the SQL Server availability group Create a SQL login on the SQL Server machine that is designated as the primary replica for the SQL Server availability group and is: Based on the domain group that contains the domain account under which the PI AF application service is running. Mapped to the PI AF SQL database (PIFD) database. Assigned to the db_afserver role. Back up the PIFD database for a SQL Server availability group Back up the PI AF SQL database (PIFD) and the log file for the PIFD database on the SQL Server machine that is designated as the primary replica of the availability group. Create SQL logins for the secondary replica machines in a SQL Server availability group On each SQL Server machine that is designated as a secondary replica in the availability group, create a SQL login that is based on the domain group that contains the domain account under which the PI AF application service is running. These SQL logins do not need to be assigned any role memberships at this time. Create a network share for a SQL Server availability group Create a network share that can be accessed by each of the SQL Server machines that will belong to the SQL Server availability group. The network share can be located anywhere, provided that: For the primary replica, the account used to start the Database Engine service has read and write file-system permissions on the network share. For secondary replicas, the account has read permission on the network share. 84 PI Asset Framework Installation and Upgrade Guide

93 PI AF installation and upgrade in a SQL Server availability group This share will be used to restore the PI AF SQL database (PIFD) to each of the secondary replicas. Create a SQL Server availability group for use with PI AF Complete this procedure to create a SQL Server AlwaysOn availability group for use with PI Asset Framework. For more information about how to create a SQL Server availability group, see Use the New Availability Group Wizard (SQL Server Management Studio) ( msdn.microsoft.com/en-us/library/hh aspx). 1. On the SQL Server machine that will serve as the primary replica of the availability group, open the SQL Server Management tool and connect to the instance that will host the availability group. 2. Expand the AlwaysOn High Availability folder. 3. Expand and right-click the Availability Groups folder and select New Availability Group Wizard. 4. Enter a name for the availability group in the Specify Availability Group Name window and click Next. 5. Review the list of databases in the Select Databases window. This list shows databases that are installed in the instance of SQL Server within which the availability group is included. To set up an availability group for use with PI AF: a. Review the status messages for each of the databases listed in the Select Databases window, to determine whether a database can be selected. For example, a database cannot be used in an availability group if it belongs to an existing availability group, does not meet the prerequisites for being added to an availability group. b. Select the check boxes for the PI AF SQL database (PIFD) that you want to include in the availability group. You can also add other databases to the availability group; you can choose as many databases as you want, provided that the PIFD is included and that all databases that you include meet the prerequisites. c. Resolve any such issues before you continue with the availability group creation. You do not need to close the New Availability Group wizard to make corrections; leave it open while you return to SQL Server Management Studio to make corrections. After the corrections have been made, return to the New Availability Group wizard and click Refresh. When the database statuses indicate Meets prerequisites, you can continue with the process. d. Click Next. If you select Create an availability group listener now use the New Availability Group Wizard to: Enter the Listener DNS Name. Enter the Port number. See Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager) ( and Availability PI Asset Framework Installation and Upgrade Guide 85

94 PI AF installation and upgrade in a SQL Server availability group Group Listeners, Client Connectivity, and Application Failover (SQL Server) ( technet.microsoft.com/en-us/library/hh aspx) for more information. Set the Network Mode as Static IP Click the Add button Select the correct subnet and enter the static IP address as the IPv4 Address in the Add IP Address window. 6. Click Next in the Specify Replicas page: a. Add each SQL Server instance that is designated as a secondary replica for the availability group in the Replicas tab. For each added secondary replica, configure its Automatic Failover, Synchronous Commit, and Readable Secondary settings. Refer to Microsoft's Replicas Tab help ( for additional information. b. Verify that the SQL Server Service Account for each replica is set to the correct domain and user account in the Endpoints tab. Do not change the other settings on this tab. Refer to Microsoft's Endpoints Tab help ( hh aspx#replicastab) for more information. c. Select the Prefer Secondary option as the location where backups will occur, or another selection if you prefer a different option on the Backup Preferences tab. Refer to Microsoft's Backup Preferences Tab help ( hh aspx#backuppreferencestab) for more information. d. Choose one of two options in the Listener tab: Create an availability group listener now Create an availability group listener later If you select Create an availability group listener later use the New Availability Group Wizard to: Enter the Listener DNS Name. Enter the Port number. Set the Network Mode as Static IP Click the Add button Select the correct subnet and enter the static IP address as the IPv4 Address in the Add IP Address window. See Specify Replicas Page (New Availability Group Wizard/Add Replica Wizard) ( msdn.microsoft.com/en-us/library/hh aspx#listener) for more information. 7. Click Next in the Select Databases window. 8. Select the Full option in the Select Initial Data Synchronization window. 9. Enter, or browse to and select, the network share location created before you started the availability group creation process and click Next. 10. Review the information in the Validation window. For any results other than Success, click the Status link for the result and review the details. Some issues can be resolved before you continue and then the validation step can be re-run. Other issues must be resolved 86 PI Asset Framework Installation and Upgrade Guide

95 manually after the availability group is created. When you are satisfied with the validation results, click Next 11. Review the information about the choices you made in the Summary window. 12. If changes are required click Previous to move back through the wizard to make any required changes. 13. Click Finish to create the availability group. The Results window displays. After you finish PI AF installation and upgrade in a SQL Server availability group For any steps that result in an error, click the error link for the result and review the details. It might be necessary to manually complete the configuration of the availability group if there are failed steps. Configure the PI AF connection string for use with a SQL Server availability group 1. On the AF server machine, open the AFService.exe.config file in the..\pipc\af folder. 2. Edit the server portion of the connect string so that it is directed at the availability group listener and the availability group listener s port that you defined in Create a SQL Server availability group for use with PI AF. You must change the ListenerName,Port in this string: <add key="connectstring" value="persist Security Info=False;Integrated Security=SSPI;server=ListenerName,Port;database=PIFD;Application Name=AF Application Server;" /> After you finish Restart the PI AF service. The process of installing PI AF to a new availability group is complete. Add a PI AF database to an existing SQL Server availability group Before you start On the primary replica machine, back up the PI AF SQL database (PIFD) and log file. On each of the secondary replicas, restore the backups of the PIFD database and log file at one time, with the No Recovery option; and Restoring mode for the database. Then add the database to the availability group on the primary, using the Join Only option. 1. On the SQL Server machine that is the primary replica of the availability group, open the SQL Server Management tool and connect to the instance that will host the availability group. 2. Expand the AlwaysOn High Availability folder. 3. Expand and right-click the Availability Groups folder and select New Availability Group Wizard. PI Asset Framework Installation and Upgrade Guide 87

96 PI AF installation and upgrade in a SQL Server availability group 4. Locate the primary replica machine, and right-click the availability group and select Add Database. The Add Database to Availability Group wizard opens to the Select Databases window. 5. Review the list of databases in the Select Databases window. This list shows databases that are installed in the instance of SQL Server within which the availability group is included. To set up an availability group for use with PI AF: a. Review the status messages for each of the databases listed in the Select Databases window, to determine whether a database can be selected. For example, a database cannot be used in an availability group if it belongs to an existing availability group, does not meet the prerequisites for being added to an availability group. b. Select the check boxes for the PI AF SQL database (PIFD) that you want to include in the availability group. You can also add other databases to the availability group; you can choose as many databases as you want, provided that the PIFD is included and that all databases that you include meet the prerequisites. c. Resolve any such issues before you continue with the availability group creation. You do not need to close the New Availability Group wizard to make corrections; leave it open while you return to SQL Server Management Studio to make corrections. After the corrections have been made, return to the New Availability Group wizard and click Refresh. When the database statuses indicate Meets prerequisites, you can continue with the process. d. Click Next. 6. In the Select Data Synchronization window, select the Join Only option and click Next. 7. In the Connect to Replicas window, click Connect All. Enter the required credentials to connect to the replicas when prompted. Click Next to open the Validation window. Most of the validation checks will be skipped, due to the type of Data Synchronization selected. For any results that show a result other than Success, click the Status link of the result and review the details. 8. If there are any errors, make the required corrections and click Re-run Validation. Continue until all errors have been corrected. 9. Click Next. In the Summary window, verify that your choices are accurate. 10. Click Script, if you want to save or copy the SQL script required to add the PI AF SQL database (PIFD) to the availability group. Upgrade a PI AF database that is in a SQL Server availability group member Before you start Before beginning the upgrade, you should notify your PI AF users that the system will be unavailable for a short period of time. When you are ready to initiate the upgrade, and you are sure all transactions have completed, stop the PI AF service on the PI AF Application server machine. 1. Run the PI AF server setup kit on the SQL Server machine that is the primary replica of the availability group; select only the AF SQL Database and AF SQL Script Execution options. If 88 PI Asset Framework Installation and Upgrade Guide

97 you are prompted to enter the PI AF server machine name, you can leave it blank. When the upgrade is complete on the primary replica, the data and schema updates will be automatically replicated to the databases on the secondary replica machines. 2. Run the PI AF server setup kit on each of the secondary replica machines in the availability group; select only the AF SQL Database option without the AF SQL Script Execution options. It is unnecessary to provide the SQL Server name or validate the SQL Server connection. It is also unnecessary to enter the AF Server machine name, if prompted. 3. Run the PI AF server setup kit on the PI AF Application server machine to upgrade the PI AF application server. After you finish 1. Verify that the PI AF service is running under the correct domain account. 2. Start the PI AF service. PI AF installation and upgrade in a SQL Server availability group The upgrade the PI AF database in the availability group is now complete. PI Asset Framework Installation and Upgrade Guide 89

98 PI AF installation and upgrade in a SQL Server availability group 90 PI Asset Framework Installation and Upgrade Guide

99 PI AF collective setup and configuration PI AF collectives use SQL Server replication to copy data from the primary PI AF SQL database computer (publisher) to each of the secondary PI AF SQL database computers. Each secondary server communicates with the primary server through a Windows Communication Foundation (WCF) connection and reports its status information. The server authenticates the WCF connection using a Windows certificate that the PI AF server generates when it is started. SQL Server replication transmits the primary PI AF server s certificate to each secondary server. After the secondary server receives the primary server s certificate, it can communicate its status to the primary server. When PI AF data is changed on the primary PI AF server: The log reader agent sends any changes from PIFD to the PIFD_distribution database. For each secondary server, its agent pushes changes to the SQL Server instance on the secondary server. If the secondary server is not reachable (if there is a network problem or the computer is offline), the agent retries later. Follow these procedures to create and configure a PI AF collective. 1. Prepare to create a PI AF collective. 2. Create a PI AF collective. 3. Configure PI AF collective properties. 4. Check PI AF collective status. 5. Add a secondary server to a PI AF collective. 6. Connect or switch to a specific member of a PI AF collective. 7. Remove a secondary server from a PI AF collective. 8. Stop or start replication. 9. Reinitialize a PI AF collective member. 10. Configure permissions on the replication data folder. Prepare to create a PI AF collective Before you begin creating a PI AF collective, follow these steps: 1. Make sure that you meet all general collective creation requirements. See Configuration requirements for PI AF collectives. 2. Make sure that you meet all SQL Server requirements. See SQL Server requirements for PI AF collectives. 3. Make sure that you meet all security requirements. See Security requirements for PI AF collectives. PI Asset Framework Installation and Upgrade Guide 91

100 PI AF collective setup and configuration 4. A single instance of PI AF server consists of the AF application service and the AF SQL database. These components may be installed on separate machines. Make sure that PI AF server is installed on each member of the collective. This means that at least two complete PI AF server systems must be installed. This could be two machines (AF application service and AF SQL database installed on both machines), or four machines (two machines with AF application service only, and two machines with AF SQL database only). 5. Make a full backup of the PIFD database. OSIsoft highly recommends that you make regular backups of SQL Server data, especially on the primary server. The PI AF installation process creates a SQL Server backup job that is scheduled to run by SQL Server Agent. Make sure you copy these backups to media other than the media that contains the data. 6. Verify that TCP/IP and Named Pipes are enabled on all SQL Server computers for the correct instance. Run SQL Server Configuration Manager, choose your instance, and verify that the correct protocols are enabled. 7. Make sure the SQL Agent service is running on the primary SQL Server computer. 8. All computers upon which the PI AF application service runs must be in a domain. Check the domain for each computer: a. Click Start and right-click Computer. b. Select Properties to view workgroup and domain settings. Topics in this section Configuration requirements for PI AF collectives SQL Server requirements for PI AF collectives Security requirements for PI AF collectives Configuration requirements for PI AF collectives PI AF collectives have the following configuration requirements: PI AF collectives are supported for PI AF 2.1 or later. The PI AF application service computers must be in a domain; workgroups are not allowed. The PI AF server version must be the same on all PI AF collective computers. The PI AF collective consists of at least two PI AF servers. The PI AF client is not required on either PI AF server, but If you install it, your work with PI AF will be more convenient. The PI AF SQL database on the primary and secondary servers must be named PIFD. You may not rename the PIFD database in a PI AF collective. The Named Pipes and TCP/IP protocols must be enabled for the instances where the PI AF SQL databases are installed. SQL Server requirements for PI AF collectives PI AF collectives have these SQL Server requirements: 92 PI Asset Framework Installation and Upgrade Guide

101 PI AF collective setup and configuration Two SQL Server instances are required, each on separate physical hardware. The PI AF SQL database computers can be in a workgroup or a domain. If the PI AF SQL database computers are in a workgroup, see PI AF collectives in a domain or workgroup. The primary PI AF server requires SQL Server (SQL Server 2008 or later, Developer, Standard, or Enterprise edition). The secondary SQL Server computer can use the SQL Express edition, with limitations (these limits have increased in SQL Server 2008 Express; refer to Microsoft's web site for details.) SQL Server Compact edition is not supported. It is not necessary to have the same SQL Server edition and version for all members of a collective, but it is recommended. SQL Server Agent must be running on the primary SQL Server computer. SQL Server Replication must be installed on the primary SQL Server computer; it is not required on the secondary collective members. If replication is subsequently added or installed, you must restart SQL Server Agent to prevent errors. When the SQL Agent is run under a domain account and the primary AF database server is 64-bit SQL Server 2008, you must configure the C:\Program Files\Microsoft SQL Server\100\COM\ folder on the primary AF database server to allow read/write access to the SQL Agent domain account. Security requirements for PI AF collectives For security, the following accounts (or users) in a PI AF collective require a reduced-level of permissions: SQL Server Database Engine service SQL Server Agent service PI AF application service AF collective creator user AFServers local group For more information about minimum privilege levels required for replication, see the following Microsoft articles: Replication Agent Security Model at ms151868(v=sql.105) ( 105)) Security Role Requirements for Replication at ms152528(v=sql.105) ( 105)) Each PI AF collective account has the following access requirements. PI Asset Framework Installation and Upgrade Guide 93

102 PI AF collective setup and configuration SQL Server Database Engine Component Action required Permissions Run as a low-privileged account. Do not run the SQL Server Database Engine service under an account with local or domain administrative privileges. SQL Server Agent Component Action required Permissions Run as a low-privileged account. Primary PI AF server Secondary PI AF servers Primary PI AF SQL database Secondary PI AF SQL databases Do not run as NetworkService. No action required. No action required. If it does not already exist, create a login in SQL Server for the account under which the SQL Server Agent service runs. Assign the db_owner database role on the PIFD database to this account. Do not grant the SysAdmin server role to this account. Assign write permission to the \repldata folder. Sample path: C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS \MSSQL\repldata For more information, refer to Configure permissions on the replication data folder. If it does not already exist, create a login in SQL Server for the account under which the SQL Agent service runs on the primary. Assign the db_owner database role on the PIFD database to this account. Do not grant the SysAdmin server role to this account. PI AF application service By default, the PI AF application service is run under the NT Authority\Network Service account. However, NT Authority\Network Service is not required for this service. Do not run it under the Local System account either. The best practice is to use a low-privileged domain account, as this account does not require special access to the PI AF SQL database. The PI AF application service account is added to a local Windows security group, which is assigned the appropriate access in the PI AF SQL database. Component Action required Permissions Run as a low-privileged account. Primary PI AF server Secondary PI AF servers Do not run as Local System. No action required. No action required. 94 PI Asset Framework Installation and Upgrade Guide

103 PI AF collective setup and configuration Component Primary PI AF SQL database Secondary PI AF SQL databases Action required In Windows, add the domain account under which the PI AF application service runs to the local AFServers group. Do not create a SQL login for the PI AF application service account. Do not assign the db_owner database role on the PIFD database to the PI AF application service account. Do not grant the SysAdmin server role to the PI AF application service account. In Windows, add the domain account under which the PI AF application service runs to the local AFServers group. Do not create a SQL login for the PI AF application service account. Do not assign the db_owner database role on the PIFD database to the PI AF application service account. Do not grant the SysAdmin server role to the PI AF application service account. PI AF collective creator A domain user, with Windows credentials that are authenticated by PI AF, Windows, and SQL Server, runs the PI System Explorer client that is used to create the AF collective. Component Permissions Primary PI AF server Secondary PI AF servers Primary PI AF SQL database Secondary PI AF SQL databases Action required The credentials that are used to create the AF collective are used only once to create the PI AF collective. After you create the AF collective, you can remove the special permissions. Add the credentials used to create the AF Collective in PI System Explorer to the Local Administrators group. Add the credentials used to create the AF Collective in PI System Explorer to the Local Administrators group. If it does not already exist, create a login in SQL Server for the PI AF collective creator's domain account. Add the credentials used to create the AF Collective in PI System Explorer to the Local Administrators group. Grant the SysAdmin server role to this account. If it does not already exist, create a login in SQL Server for the PI AF collective creator's domain account. Grant the SysAdmin server role to this account. AFServers local group The only account that should exist in the AFServers local Windows group is the account under which the PI AF application service runs. Note: The AFServers local Windows group is typically created during the installation of the PI AF SQL database. If you use SQL scripts to install the PIFD database, however, you need to set up this user group manually. Component Permissions Action required This group should never be given local or domain administrator privileges. PI Asset Framework Installation and Upgrade Guide 95

104 PI AF collective setup and configuration Component Primary PI AF server Secondary PI AF servers Primary PI AF SQL database Secondary PI AF SQL databases Action required No action required. No action required. If it does not already exist, create a login in SQL Server for the AFServers local group. Note: The db_afserver database role for the PIFD_distribution database is automatically assigned to this account when the AF collective is created. Grant the db_afserver database role on the PIFD database to this account. Do not assign the db_owner database role on the PIFD database to this account. Do not grant the SysAdmin server role to this account. If it does not already exist, create a login in SQL Server for the AFServers local group. Grant the db_afserver database role on the PIFD database to this account. Do not assign the db_owner database role on the PIFD database to this account. Do not grant the SysAdmin server role to this account. Check security credentials and connections for PI AF collectives To ensure that you have the required access permissions and that you can connect to each SQL Server in the collective, follow these steps: 1. Using the Windows credentials that you will use to create the collective, login to the workstation from which you will create the collective (do not do this on the SQL Server computer) and connect to each PI AF server that will be part of the collective. 2. On the same workstation, verify that you can perform a simple file share access to each SQL Server: a. Select Start > Run. b. Enter \\SQL_Server_computer_name for each SQL server. This ensures that your credentials authenticate to each SQL Server at the Windows level. 3. Establish a connection to each SQL Server via SQL Server Management Studio (SSMS) or sqlcmd.exe. 4. Once connected, run the following query: SELECT IS_SRVROLEMEMBER ( sysadmin ) "is sysadmin", CURRENT_USER "connected as", SYSTEM_USER "login user" ; where "is sysadmin" returns 1=true, 0=false 96 PI Asset Framework Installation and Upgrade Guide

105 PI AF collective setup and configuration "connected as" returns "dbo" "login user" returns the user s Windows user principal Do not proceed until the connection and query succeeds for each SQL Server that will be part of your PI AF collective. PI AF collectives in a domain or workgroup Any PI AF server (a computer where the PI AF application service is installed) in a PI AF collective must be in a domain; workgroups are not supported. The PI AF SQL database computers can be in a workgroup or a domain. If the PI AF SQL database computers are in a workgroup, you must use a local Windows account that exists on the computer where PI System Explorer (PSE) is run to create the collective on the SQL Server computer. The accounts must have matching passwords, be in the local Windows administrators group on all computers, and be a member of the SQL Server SysAdmin role. This local account will be used to run PSE and create the PI AF collective. Note: If you run PSE as a domain account that is mapped to sysadmin in SQL Server but your SQL Server is in a workgroup, you will get this error: cannot open service control manager on computer ' '. This operation might require other privileges. Do you wish to continue? Create a PI AF collective Before you start Perform all the steps in Prepare to create a PI AF collective. 1. Start the SQL Server Agent Service. SQL Server replication depends on the SQL Server Agent service. If it is not running, when you attempt to set up a PI AF collective, the setup fails without warning. The only way to recover is to delete the collective, start the SQL Server Agent service, then set up the collective. 2. In PI System Explorer (PSE), select File > Connections to open the Servers window. 3. Right-click on an AF server that you want in the collective and select Create Collective. The Create New Collective - Verify Backup Completed window opens. 4. Click to select the I have verified my backups are valid check box and click Next. The Create New Collective - Select Primary window opens. 5. Choose your primary server. 6. Click Next. The Create New Collective - Select Secondary Servers window opens. 7. From the Server list, select a PI AF server to add to the collective as a secondary server and click Add. Repeat to add additional secondary servers. If you want to create the collective without adding a secondary, then skip this step. PI Asset Framework Installation and Upgrade Guide 97

106 PI AF collective setup and configuration You can add secondary servers after the collective is created. See Add a secondary server to a PI AF collective. 8. Click Next. The Create New Collective Verify Selections window opens. 9. Optional: Click Advanced Options. See Configure PI AF collective properties for a description of the advanced option fields. 10. Click Next. The collective is created and the Create New Collective Finishing window opens. 11. Click OK. The Create New Collective Finishing window opens and the replication process begins. If you click Exit before the secondary servers are listed in the lower area of the window, the replication process stops on any secondary servers in the collective. A message appears that indicates the replication process is not complete. You will need to start the replication process on any secondary servers that currently belong to the collective. If you click Finish before the replication is complete, a message appears indicating the replication is not complete, and where to look for the current replication status. Results When the replication process is complete, the status for the first row (the snapshot creation) shows Succeeded. The status for the second row (the replication process as it relates to the primary server) shows Idle. The status for the third row and subsequent rows (the replication process as it relates to the secondary servers) shows Idle. For details about the collective status, see PI AF collective status details. Configure distributor database security When you create a PI AF collective, a distributor database (PIFD_distribution) is created to allow for SQL Server replication. The AFServers group must have the db_afserver role for this database. This role is automatically assigned to the local AFServers group during the PI AF collective creation. However, if you are installing a PI AF collective on a SQL Server cluster, the local AFServers group does not exist; it was replaced with a domain group as part of the process of installing PI AF on a SQL Server cluster. If the AFServers domain group does not have the db_afserver role for the PIFD_distribution database, the collective creation will fail with an error message: Waiting on a (Good) SyncStatus.. Current SyncStatus(Snapshot Not Ready) This error can be corrected during the PI AF collective creation process; it is not necessary to exit the Create New Collective window. The PI AF collective creation process will continue normally after the following steps are completed. 1. Open Microsoft SQL Server Management Studio, and connect to the SQL Server instance for the primary server in the PI AF collective. 2. Under the SQL Server cluster instance, expand Security > Logins. 3. Right-click the login created for the AFServers domain group and select Properties. 98 PI Asset Framework Installation and Upgrade Guide

107 PI AF collective setup and configuration 4. Select the User Mapping page. 5. Under Users mapped to this login, select the Map check box for PIFD_distribution database row. 6. Ensure the User column for the PIFD_distribution row is set to the domain user group (YourDomain\YourAFDomainGroup). 7. With the PIFD_distribution row selected, select the db_afserver role check box under Database role membership for: PIFD_distribution. The public role should be selected by default; if it is not, select its check box. 8. Click OK to save the SQL Server login. Configure PI AF collective properties 1. In PI System Explorer, click File > Connections. The Servers window opens. 2. Right-click on an AF collective and then click the Properties button. The AF Server Properties window opens. 3. Click the Collective tab. 4. Select a collective member and edit the following settings: Timeout The number of seconds for an operation to finish on the PI AF server. Priority The priority order for selecting the collective member on the current computer. You can modify this value for each collective member. Period The frequency, in seconds, in which a collective member checks the status of the remaining collective members. Grace The time, in seconds, that is allowed before the communication status is set to TimedOutOnPrimary when there is no communication with the primary server. Port Note: The Port, Account, Role, and Status settings on the Collective tab are read-only. See the descriptions of these settings for information on how each one is set. The port through which the PI AF server communicates. This value is set in the configuration of the AF server, before the server became a collective member. PI Asset Framework Installation and Upgrade Guide 99

108 PI AF collective setup and configuration Account The account under which the PI AF application service is running. This value is set in the configuration of the AF server, before the server became a collective member. Role The role within the collective of the selected collective member, primary or secondary. This value is set when the AF server is added to the collective. Status The status of the selected collective member, including the last time communication was verified with the primary server the last time the collective member was synchronized, current synchronization status, and current communication status. 5. Click More to display the Collective Status Details window. See PI AF collective status details. Check PI AF collective status 1. In PI System Explorer, select File > Connections. The Servers window opens. 2. Right-click on a member of the collective and then click the Properties button. The AF Server Properties window opens. 3. Click File > AF Server Properties to open the AF Server Properties window. 4. Click the Collective tab to see the collective configuration information as well as information specific to the selected collective member. For a description of these settings, see Configure PI AF collective properties. The status of the selected member is in the Status area of the Collective tab. 5. Click More in the Status area. The Collective Status Details window opens. Collective status details explains how to interpret the data. 1. PI AF collective status details. PI AF collective status details The Collective Status Details window shows the last status messages for the primary and secondary servers: 100 PI Asset Framework Installation and Upgrade Guide

109 PI AF collective setup and configuration The first row shows the status of the snapshot creation process. This row will always appear in the status details. The second row shows the status of the replication process between primary server and secondary server(s). This row will always appear in the status details. The third row and below show the latest replication status messages for the secondary server(s). Check Show Errors Only to only show errors for secondary servers. Select a number of rows to display in the Max. Secondary Details field. If there is no current activity, the Details area is empty. The Details window has the following columns: Name The name of the collective member. Timestamp Commands Delivered The number of commands being sent from the primary server to the secondary server. Status The synchronization status between the server members in the collective. The status of the replication process from the primary server to the secondary server(s). Comment The current stage of the replication process. Error Code If an error occurs, the associated error code. Error Message If an error occurs, the associated error message. Note: If you click Exit before the dialog box lists a newly added secondary server, the replication process stops on the secondary server. A message appears that indicates the replication process is not complete. You will need to start the replication process on the newly added secondary server. Add a secondary server to a PI AF collective You can add a secondary server to a PI AF collective when you create the collective, or after you create it. When you add a secondary PI AF server to a collective: A push subscription is set up in the PIFD_distribution database. A push subscription agent is started for each secondary server added to the collective. The push subscription agent pushes the current snapshot to the secondary servers to initialize them. All the tables that are marked for replication are pushed to the secondary PI Asset Framework Installation and Upgrade Guide 101

110 PI AF collective setup and configuration server. The existing snapshot data is replicated from the primary server to the newly added secondary server. Any pre-existing data on the secondary server is lost. Note: The Audit Trail feature is not supported on secondary members of PI AF collectives. For more information, see "Enabling AF Audit Trail" in the PI System Explorer User Guide. 1. In PI System Explorer (PSE), click File > Connections to open the Servers window. 2. Right-click the primary PI AF server and select Add Server to Collective. The Adding Secondaries Select Secondary Servers window opens. 3. From the Server list, select the PI AF server to add to the collective as a secondary server. 4. Click Add to add the PI AF server to the list. 5. Click Next. The Adding Secondaries - Verify Selections window opens. 6. Click Next. The secondary server is added to the collective. The Adding Secondaries Finishing window appears. The process of replicating data to the secondary server begins and the window displays collective status details during the process. When the replication process is complete on the secondary server, the Status for the third and subsequent rows display Idle. For more on status details, see PI AF collective status details. Note: If you click Exit before the window lists the newly added secondary server, the replication process stops on that secondary server. A message appears that indicates the replication process is not complete. You will need to start the replication process on any secondary servers that currently belong to the collective. Connect or switch to a specific member of a PI AF collective When you connect to a PI AF collective, PI AF automatically connects you to the collective member with the highest priority (lowest number). You can switch to a specific member of the collective. You have the choice of selecting "Connect to Collective Member" or "Switch Collective Member". The first choice lets you choose the collective member from the list, the second choice selects the next collective member based on its assigned priority. 1. In PI System Explorer, select Connections. 2. Right-click the collective and choose Connect to Collective Member. The Choose Collective Member window opens. 3. In the Collective Member list, select the collective member to which you want to connect. 4. Click OK. You are now connected to the selected collective member. 102 PI Asset Framework Installation and Upgrade Guide

111 PI AF collective setup and configuration Remove a secondary server from a PI AF collective When you remove a secondary server from a collective, the subscription is dropped on both ends (primary server and secondary server), the push agent for the secondary server is stopped, and the secondary server is deleted from the collective. Caution: If you remove a primary PI AF server from a collective, the entire collective is removed. The subscription is dropped on both ends (primary server and secondary server). All agents are stopped. The PIFD_distribution database is deleted. All replication is halted and cannot be restarted. The primary server is available as a stand-alone PI AF server. 1. In PI System Explorer (PSE), select File > Connections to open the Servers window. 2. Select the AF Collective that contains the secondary server to be removed and click the Properties button. 3. Click the Collective tab. 4. Right-click the secondary server and select Delete. Stop or start replication There is no pause or resume option for replication; replication is either running or stopped. Test these procedures in PSE. When you stop replication, the subscription is dropped on both ends (primary server and secondary server). The push agent for the secondary server is stopped. All agents are stopped, and all replication is halted. Topics in this section Stop replication on a secondary server Stop replication on the primary server Start replication on a server Stop replication on a secondary server 1. In PI System Explorer, select File > Connections. 2. Right-click the AF Collective that contains the secondary server on which you want to stop replication and click the Properties button. 3. Click the Collective tab. 4. Right-click the secondary server and select Stop Replication. Replication is stopped on the secondary server. As long as the server is a member of the collective, you can start replication at a later time. PI Asset Framework Installation and Upgrade Guide 103

112 PI AF collective setup and configuration Stop replication on the primary server 1. In PI System Explorer, select File > Connections. 2. Right-click the AF Collective that contains the primary server on which you want to stop replication and click the Properties button. 3. Click the Collective tab. 4. Right-click the primary server and select Stop Replication. Replication is stopped on the primary server and all secondary servers. As long as the collective still exists, you can start replication on the primary server at a later time; you will need to start replication on each secondary server, too. Start replication on a server If you have stopped replication on a collective member, it does not restart automatically. If you want the collective member to be involved in replication, you must start the replication on that member. 1. In PI System Explorer, select File > Connections. 2. Right-click the AF Collective that contains the servers on which you want to start replication and click the Properties button. 3. Click the Collective tab. 4. Right-click the server and select Start Replication. If this is the primary server, you also need to start replication on each secondary server. Reinitialize a PI AF collective member You can force a new snapshot of the database on the primary PI AF server to be created and pushed out to a secondary server by reinitializing the secondary server. If you have multiple secondary servers, you must reinitialize each individually. When a secondary server is reinitialized, a new snapshot is created on the primary server. An agent pushes the snapshot to the secondary servers to initialize them. All the tables that are marked for replication are pushed to the secondary servers. Any preexisting data on the secondary servers is lost. 1. In PI System Explorer, select File > Connections. 2. Right-click the AF Collective that contains the server you want to reinitialize and click the Properties button. 3. Click the Collective tab. 4. Right-click the server and select Reinitialize Replication. 104 PI Asset Framework Installation and Upgrade Guide

113 PI AF collective setup and configuration Configure permissions on the replication data folder On the primary PI AF SQL database computer, configure permissions on SQL Server s \repldata folder to allow the SQL Server Agent service account to have access. 1. On the primary PI AF SQL database computer, open Windows Explorer. 2. Navigate to the \repldata folder for the SQL Server instance where the PI AF SQL database is installed. 3. Right-click the \repldata folder and select Properties. 4. Click the Security tab and click Edit. The Permissions for repldata window opens. 5. Click Add. The Select Users, Computers, or Groups window opens. 6. Check that the From this location: field shows the correct domain. If not, click Location and navigate to and select the correct domain. 7. In the Enter the object names to select field, enter the name of the domain account under which the SQL Server Agent service runs. 8. Click OK. The Permissions for repldata window opens. 9. In the Permissions for [SQL Agent Account Name] area, select the Modify check box, ensuring that all check boxes except Full control and Special permissions are selected. 10. Click OK. 11. Click OK to return to Windows Explorer. PI Asset Framework Installation and Upgrade Guide 105

114 PI AF collective setup and configuration 106 PI Asset Framework Installation and Upgrade Guide

115 PI AF collective upgrades The PI AF upgrade process requires that you run the upgrade s executable file on each computer in the PI AF collective. All of the PI AF servers in a PI AF collective must be the same PI AF version. To minimize the amount of time when your PI AF users cannot write to the PI AF SQL database, and to maximize the availability of the PI AF data as read-only to your PI AF users, upgrade the primary PI AF server first. Then upgrade the secondary PI AF servers. 1. Upgrade the primary PI AF server. 2. Upgrade secondary PI AF servers. 3. Restart replication on upgraded PI AF computers. Upgrade the primary PI AF server Follow these procedures to upgrade the primary PI AF server. Note: Following an upgrade to AF Server 2.6, the first time a client connects to the upgraded AF Server, some final upgrade operations will occur that may cause a brief period of slow performance. OSIsoft recommends that you force the occurrence of these operations by connecting to your upgraded AF server with PI System Explorer immediately after the upgrade program completes. 1. Backup of the primary PI AF SQL databases. 2. Stop replication on the primary PI AF SQL database computer. 3. Shut down the primary PI AF application service. 4. Run the setup program on the primary PI AF server. Backup of the primary PI AF SQL databases Make a full backup of the PIFD and PIFD_Distribution databases. The PIFD_Distribution database is located in the System Databases container. Stop replication on the primary PI AF SQL database computer 1. Notify users to stop making changes. Make sure replication is completed and all changes are fanned out to secondary servers. PI Asset Framework Installation and Upgrade Guide 107

116 PI AF collective upgrades Caution: Any updates that are in progress are likely to be lost. It is recommended that you notify your users ahead of time that they should not attempt to make any changes to the PI AF SQL data during the brief period of time it takes to install the PI AF upgrade. 2. On the primary PI AF SQL database computer, verify that replication is complete: a. Check the synchronization status of primary PI AF server under Replication > Local Publications > [PIFD]: PIAF > [Primary Database Server Name].[PIFD]. b. Right-click and select View Synchronization Status. 3. On the secondary PI AF SQL database computers, verify that replication is complete: a. Check the synchronization status of each secondary PI AF server under Replication > Local Subscriptions > [PIFD]: PIAF > [Secondary Database Server Name].[PIFD]. b. Right-click and select View Synchronization Status. 4. In PI System Explorer, select File > Connections. The Servers window opens. 5. Right click the AF Collective and select Properties. 6. Select the Collective tab. 7. Right-click the primary server and select Stop Replication. Replication is stopped on the primary server and all secondary servers. As long as the collective still exists, you can start replication on the primary server at a later time; you will need to start replication on each secondary server, too. Shut down the primary PI AF application service Shut down the PI AF application service on the primary AF application service computer. Run the setup program on the primary PI AF server If your PI AF application service and PI AF SQL database are on a single computer, see Install or upgrade PI AF server on a single computer. If your PI AF application service and PI AF SQL database are on separate computers, see Install or upgrade PI AF server components on separate computers. Upgrade secondary PI AF servers 1. Shut down the PI AF application service on each secondary collective member. 2. For each of your secondary PI AF servers: If your PI AF application service and PI AF SQL database are on a single computer, see Install or upgrade PI AF server on a single computer. If your PI AF application service and PI AF SQL database are on separate computers, see Install or upgrade PI AF server components on separate computers. 108 PI Asset Framework Installation and Upgrade Guide

117 PI AF collective upgrades Restart replication on upgraded PI AF computers Restart replication on the primary PI AF server computer and all collective members that have been upgraded. If you have stopped replication on a collective member, it does not restart automatically. If you want the collective member to be involved in replication, you must start the replication on that member. 1. In PI System Explorer, select File > Connections. 2. Right-click on a member of the collective, then click Properties. 3. Click the Collective tab. 4. Right-click the server and select Start Replication. If this is the primary server, you also need to start replication on each secondary server. The PI AF collective upgrade process is complete. PI Asset Framework Installation and Upgrade Guide 109

118 PI AF collective upgrades 110 PI Asset Framework Installation and Upgrade Guide

119 Troubleshoot PI AF collectives Use the topics in this section to troubleshoot issues with PI AF collectives. Topics in this section Status details indicate no configured subscriber PI AF collective creation fails due to login failure Snapshot creation fails due to access error PI AF collective cannot be created when SQL Server Agent is not running Status details indicate no configured subscriber PI AF collective creation fails due to login failure Snapshot creation fails due to access error PI AF collective cannot be created when SQL Server Agent is not running Status details indicate no configured subscriber This message indicates no secondary server has been configured for replication. If a secondary server has already been added to the collective, the error could indicate there is a communication problem between the primary PI AF server and secondary server, or between the secondary PI AF server and the secondary PI AF SQL database. If the failure was due to a problem between the primary and secondary PI AF server, review the PI AF event log on the secondary server for possible causes of the error. Verify the user account used in PI System Explorer has the proper access to the PI AF server. If the failure was due to a problem between the secondary PI AF server and the secondary PI AF SQL database, review the PI AF event log on the secondary PI AF SQL database for possible causes of the error. Verify the user account used in the PI System Explorer has the proper access to the PI AF SQL database. PI AF collective creation fails due to login failure When creating a collective, the Create New Collective Finishing window displays the following message in the top section: Login failed for user [DOMAIN]\[UserName]. This message indicates that the logged-on user is unable to access one of the servers included in the collective. The error is most likely related to the fact that the logged-on user does not have the correct permissions on the primary PI AF SQL database computer. Review the Application event logs on the PI AF server and PI AF SQL database computers, beginning with the primary PI AF server, to determine which computer is receiving the connection error. Be sure that the login account is given sysadmin privileges to SQL Server on the AF SQL database computer. PI Asset Framework Installation and Upgrade Guide 111

120 Troubleshoot PI AF collectives Snapshot creation fails due to access error During creation of a PI AF collective, the Create New Collective Finishing window displays the following message in the middle section: Current SyncStatus(Snapshot not ready). In the SnapShot status row (the first row in the bottom section), the message displays: Access to the path [..\repldata\...] is denied. This message indicates that the SQL Server Agent service account does not have Write access to the \repldata folder for the SQL Server instance into which the primary PI AF SQL database was installed. See Configure permissions on the replication data folder. After setting the proper security permissions on the \repldata folder, exit the Create New Collective Finishing window. A message displays, indicating the primary server s replication has not finished. Click OK and return to the Collective tab in the AF Server Properties window. Delete the collective, then recreate the collective, and the snapshot is created correctly. PI AF collective cannot be created when SQL Server Agent is not running You attempt to create a collective by right-clicking a PI AF server in the AF Servers window, and selecting Create Collective. If the SQL Server Agent service for the selected PI AF server is not running, a message displays, indicating the SQL Server Agent is not running on the PI AF SQL database computer. Click OK to return to the AF Servers window. Start the SQL Server Agent service on the primary server, then create the new collective. You attempt to create a collective by right-clicking in the white area of the AF Servers window, and an error window opens, along with the Create New Collective Finishing window, indicating: SQL Server Agent is not running. Click OK to exit the error window. In the Create New Collective Finishing window the same message appears. Click Cancel to exit the window. The collective was not created. Start the SQL Server Agent service on the primary server, then create the new collective. 112 PI Asset Framework Installation and Upgrade Guide

121 PI AF silent installations The bundled PI AF server installations extract several installation modules. The setup.ini configuration file specifies the components of the installation process, their order, and the arguments used to launch them. Modify this file to specify different command-line arguments to different stages of the setup. This may be useful for situations where the environment is well controlled and the options are known in advance, such as an embedded installation. The PI AF Server bundle also includes a silent.ini file that contains modifications to setup.ini that are typically needed to run a silent installation. You can augment these arguments by adding any of the options described below. Note: You must run command-line examples from an Administrator command prompt when running on Windows 7 or other recent operating systems when running as a normal user. Topics in this section Configure silent installation for PI AF server Configure silent installation for PI AF Client Configure silent installation for PI AF server Topics in this section Command-line arguments for PI AF server installation PI AF server syntax examples for silent install Silent upgrade of PI AF server Command-line arguments for PI AF server installation Argument ADDLOCAL ALLUSERS REBOOT FDSQLDBSERVER Description Specifies features to install. See Features specified by ADDLOCAL argument for PI AF server installation. Specifies the per-computer or per-user installation context. Use a value of 1 for silent installations. Restarts the computer. Use a value of Suppress for silent installations. Specifies the SQL Server instance. PI Asset Framework Installation and Upgrade Guide 113

122 PI AF silent installations Argument FDSQLDBNAME FDSQLDBVALIDATE FD_REMOTEAPPS Description Specifies the SQL Server database. Note: You must specify database name PIFD if you are installing an AF collective. If you are not using a collective, if you specify any database name other than PIFD the backup bat file will not work. Specifies that the SQL Server connection is validated if the SQL Server Script Execution feature is not selected. A value of 0 will bypass the connection validation. If not specified, then the SQL Server connection will be validated. Specifies the domain\machine name or domain \account name of a remote PI AF application service. This option is only used for initial SQL Server-only installations. Features specified by ADDLOCAL argument for PI AF server installation This table lists the features specified by the ADDLOCAL argument. Feature names are casesensitive. ADDLOCAL values consist of a comma-separated list and cannot contain any spaces. To install all features, use ADDLOCAL=ALL. Internal Feature Name / Name Used in Command Line External Feature Name Description ALL N/A All features are installed. FD_AppsServer PI AF Application Service This feature installs the PI AF Server 2.x application service. FD_SQLServer PI AF SQL Database This feature installs the PI AF SQL Server scripts to the AF\SQL folder. FD_SQLScriptExecution PI AF SQL Script Execution This feature handles the execution of the PI AF SQL Server scripts during the installation process. If this feature is included for installation, the SQL Server scripts are executed. If it is not included, the scripts are not executed. If you include this feature in a silent installation, you must also use the FD_SQLServer feature. PI AF server syntax examples for silent install For a silent PI AF server installation, use the syntax demonstrated by one of the examples in the following table. 114 PI Asset Framework Installation and Upgrade Guide

123 PI AF silent installations Note the following information about the syntax: The /i argument specifies an installation. The /qn argument specifies quiet mode, which suppresses dialog boxes and prompts. For Version #, specify either x64 or x86 to run the.msi script that is appropriate for your operating system. If the ADDLOCAL property is not defined on the command line, it defaults to ALL. Spaces are not allowed between ADDLOCAL= and its value. Components to install All PI AF server features PI AF application service PI AF SQL database scripts, without script execution PI AF SQL database, and execute the SQL scripts Syntax msiexec.exe /i AFServer_Version #.msi REBOOT=Suppress ADDLOCAL=ALL FDSQLDBSERVER=.\sqlexpress FDSQLDBNAME=PIFD ALLUSERS=1 /qn msiexec.exe /i AFServer_Version #.msi REBOOT=Suppress ADDLOCAL=FD_AppsServer FDSQLDBSERVER=machine.\sqlexpress FDSQLDBNAME=PIFD ALLUSERS=1 /qn msiexec.exe /i AFServer_Version #.msi REBOOT=Suppress ADDLOCAL=FD_SQLServer FDSQLDBSERVER=.\sqlexpress FDSQLDBNAME=PIFD FD_REMOTEAPPS=domain\machine ALLUSERS=1 /qn msiexec.exe /i AFServer_Version #.msi REBOOT=Suppress ADDLOCAL=FD_SQLServer,FD_SQLScriptExecution FDSQLDBSERVER=.\sqlexpress FDSQLDBNAME=PIFD FD_REMOTEAPPS=domain\machine ALLUSERS=1 /qn Notes You need to manually execute the scripts after installation. The FD_SQLScriptExecution feature is part of the FD_SQLServer feature. Therefore, to include FD_SQLScriptExecution specify ADDLOCAL=FD_ SQLServer,FD_SQLScr iptexecution. Silent upgrade of PI AF server When PI AF server is upgraded, it is not necessary to specify the arguments or features. To upgrade a previous installation of PI AF server, run this command: msiexec.exe /i AFServer_<Version #>.msi REBOOT=Suppress ALLUSERS=1 /qn Configure silent installation for PI AF Client PI Asset Framework Installation and Upgrade Guide 115

124 PI AF silent installations Command-line arguments for PI AF Client installation Argument ADDLOCAL ALLUSERS REBOOT AFSERVER ONLYSHOWSERVER AFSDKONLY Description Specifies features to install. See Features specified by ADDLOCAL argument for PI AF Client installation. Specifies the per-computer or per-user installation context. Use a value of 1 for silent installations. Restarts the computer. Use a value of Suppress for silent installations. Specifies the default PI AF server name (the computer where the PI AF application service resides) for the client. If a value is not defined by the user and the PI AF application service is not resident on the target installation computer, the default PI AF server name is not set during the installation. If not set, the default PI AF server name can be set manually after the installation has completed. If a value is not defined and the PI AF application service has already been installed on the same computer, then the current computer will be set as the default PI AF server. The AF_SERVER argument is not used during an upgrade. 0: Default. No change to the install. 1: Only displays the dialog to enter the Server Name for AF Client and the progress dialog. 0: Default. No change to the install. 1: On a clean install, installs AF SDK only. If it is an upgrade, it will upgrade normally. Features specified by ADDLOCAL argument for PI AF Client installation This table lists the features specified by the ADDLOCAL argument. Feature names are casesensitive. ADDLOCAL values consist of a comma-separated list and cannot contain any spaces. To install all features, use ADDLOCAL=ALL. Note: PI AF SDK is a required feature. It must be specified if individual features are to be included. Internal Feature Name / Name Used in Command Line External Feature Name Description ALL N/A All features are installed. 116 PI Asset Framework Installation and Upgrade Guide

125 PI AF silent installations Internal Feature Name / Name Used in Command Line External Feature Name Description FD_AFSDK PI AF SDK This feature installs PI AF Client core files: the PI AF SDK and the AF Common Controls. This is a required feature. FD_AFExplorer PI System Explorer This feature installs PI System Explorer, which provides a user interface for displaying the hierarchical structure of the PI AF servers and other PI AF entities. The AFImport, AFExport, and RegPlugIn utilities are also included. FD_AFBuilder PI Builder This feature installs the PI Builder add-in to Excel. FD_AFAnalysisMgmt Analysis Management This feature installs the analysis management client in PI System Explorer. FD_AFDocs PI AF documentation This feature installs the documentation, which is a set of PI AF.CHM help files. PI AF Client syntax examples for silent install To install PI AF SDK or PI System Explorer silently, use the syntax shown in one of the examples in the following table. Note the following information about the syntax: The /i argument specifies an installation. The /qn argument specifies quiet mode, which suppresses dialog boxes and prompts. For Version #, specify either x64 or x86 to run the.msi script that is appropriate for your operating system. If the ADDLOCAL property is not defined on the command line, it defaults to ALL. Spaces are not allowed between ADDLOCAL= and its value. Components to install Syntax Notes PI AF Client on AF application service computer To specify the default PI AF Server when you install the PI AF Client msiexec.exe /i AFClient_Version #.msi REBOOT=Suppress ALLUSERS=1 /qn msiexec.exe /i AFClient_Version #.msi REBOOT=Suppress ALLUSERS=1 AF_SERVER=PI AF server name /qn When you install the PI AF Client after the PI AF server installation, it is not necessary to specify the default PI AF server, as the setup program will have already done so. You specify the default PI AF server by using the AF_SERVER argument. PI Asset Framework Installation and Upgrade Guide 117

126 PI AF silent installations Components to install Syntax Notes Specific features of the PI AF Client To install the PI AF SDK, the common files, and documentation without PI System Explorer and Analysis Management: msiexec.exe /i AFClient_Version #.msi REBOOT=Suppress ADDLOCAL=FD_AFSDK, FD_AFDocs ALLUSERS=1 /qn To install the PI AF SDK, PI System Explorer, and common files without the documentation: msiexec.exe /i AFClient_Version #.msi REBOOT=Suppress ADDLOCAL=FD_AFSDK,FD_AFExplorer ALLUSERS=1 /qn The PI AF SDK feature is required. Silent upgrade of PI AF Client When upgrading a previous client installation, it is not necessary to re-specify the PI AF arguments or features: msiexec.exe /i AFClient_Version #.msi REBOOT=Suppress ALLUSERS=1 /qn 118 PI Asset Framework Installation and Upgrade Guide

127 PI AF security overview This section discusses security guidelines for PI AF. Topics in this section General PI AF security recommendations Security requirements for PI AF collectives Security configuration for the PI AF application service account Configure PI AF to use SQL Server security Configure PI AF and SQL database in untrusted domains PI AF clients and Windows authentication Connect PI System Explorer and PI AF server General PI AF security recommendations This topic contains general recommendations for securing PI AF: The SQL Server database engine should run as a low-privilege account. Some versions of SQL Server will by default run this service with the Local System identity, but Network Service or Local Service is a better choice, and a specifically created account with limited privileges is better still. Do not grant administrator privilege to the identity under which the PI AF application service runs on any SQL Server instance. Note: By default, the PI AF installation configures the PI AF application service account to run as Network Service and configures SQL Server to grant minimal privileges to this login. Do not run the PI AF application service under the Local System account, as that will typically grant it SysAdmin privilege on any local SQL Server instances. The PI AF application service logs a warning message to the Windows AF event log if the service is running under an account or with a SQL login with unnecessarily high privileges. Limit access to the AFService.exe.config file to authorized users. Use File and folder security to ensure only those users who should be able to change this file can change this file. Do this either by limiting access to log on to the PI AF server, or by setting a security descriptor on the AFService.exe.config file or its directory. Disable Xp_cmdshell and OLE Automation in SQL Server. Be aware that an attacker with SysAdmin privileges can re-enable these features. Make sure that the account that runs the SQL Server database engine does not have access to any Windows objects that it does not need to access (files, registry keys, other services, and so on). PI Asset Framework Installation and Upgrade Guide 119

128 PI AF security overview Do not grant non-admin PI AF users any SQL Server access privileges on a PI AF SQL database, except for PI AF collective administrators, who must have SysAdmin privilege for their Windows account. See these Microsoft SQL Server Security documents for further information: Security Considerations for a SQL Server Installation ( Securing SQL Server ( Security requirements for PI AF collectives For security, the following accounts (or users) in a PI AF collective require a reduced-level of permissions: SQL Server Database Engine service SQL Server Agent service PI AF application service AF collective creator user AFServers local group For more information about minimum privilege levels required for replication, see the following Microsoft articles: Replication Agent Security Model at ms151868(v=sql.105) ( 105)) Security Role Requirements for Replication at ms152528(v=sql.105) ( 105)) Each PI AF collective account has the following access requirements. SQL Server Database Engine Component Action required Permissions Run as a low-privileged account. Do not run the SQL Server Database Engine service under an account with local or domain administrative privileges. SQL Server Agent Component Action required Permissions Run as a low-privileged account. Primary PI AF server Secondary PI AF servers Do not run as NetworkService. No action required. No action required. 120 PI Asset Framework Installation and Upgrade Guide

129 PI AF security overview Component Primary PI AF SQL database Secondary PI AF SQL databases Action required If it does not already exist, create a login in SQL Server for the account under which the SQL Server Agent service runs. Assign the db_owner database role on the PIFD database to this account. Do not grant the SysAdmin server role to this account. Assign write permission to the \repldata folder. Sample path: C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS \MSSQL\repldata For more information, refer to Configure permissions on the replication data folder. If it does not already exist, create a login in SQL Server for the account under which the SQL Agent service runs on the primary. Assign the db_owner database role on the PIFD database to this account. Do not grant the SysAdmin server role to this account. PI AF application service By default, the PI AF application service is run under the NT Authority\Network Service account. However, NT Authority\Network Service is not required for this service. Do not run it under the Local System account either. The best practice is to use a low-privileged domain account, as this account does not require special access to the PI AF SQL database. The PI AF application service account is added to a local Windows security group, which is assigned the appropriate access in the PI AF SQL database. Component Action required Permissions Run as a low-privileged account. Primary PI AF server Secondary PI AF servers Primary PI AF SQL database Secondary PI AF SQL databases Do not run as Local System. No action required. No action required. In Windows, add the domain account under which the PI AF application service runs to the local AFServers group. Do not create a SQL login for the PI AF application service account. Do not assign the db_owner database role on the PIFD database to the PI AF application service account. Do not grant the SysAdmin server role to the PI AF application service account. In Windows, add the domain account under which the PI AF application service runs to the local AFServers group. Do not create a SQL login for the PI AF application service account. Do not assign the db_owner database role on the PIFD database to the PI AF application service account. Do not grant the SysAdmin server role to the PI AF application service account. PI Asset Framework Installation and Upgrade Guide 121

130 PI AF security overview PI AF collective creator A domain user, with Windows credentials that are authenticated by PI AF, Windows, and SQL Server, runs the PI System Explorer client that is used to create the AF collective. Component Permissions Primary PI AF server Secondary PI AF servers Primary PI AF SQL database Secondary PI AF SQL databases Action required The credentials that are used to create the AF collective are used only once to create the PI AF collective. After you create the AF collective, you can remove the special permissions. Add the credentials used to create the AF Collective in PI System Explorer to the Local Administrators group. Add the credentials used to create the AF Collective in PI System Explorer to the Local Administrators group. If it does not already exist, create a login in SQL Server for the PI AF collective creator's domain account. Add the credentials used to create the AF Collective in PI System Explorer to the Local Administrators group. Grant the SysAdmin server role to this account. If it does not already exist, create a login in SQL Server for the PI AF collective creator's domain account. Grant the SysAdmin server role to this account. AFServers local group The only account that should exist in the AFServers local Windows group is the account under which the PI AF application service runs. Note: The AFServers local Windows group is typically created during the installation of the PI AF SQL database. If you use SQL scripts to install the PIFD database, however, you need to set up this user group manually. Component Permissions Primary PI AF server Secondary PI AF servers Primary PI AF SQL database Action required This group should never be given local or domain administrator privileges. No action required. No action required. If it does not already exist, create a login in SQL Server for the AFServers local group. Note: The db_afserver database role for the PIFD_distribution database is automatically assigned to this account when the AF collective is created. Grant the db_afserver database role on the PIFD database to this account. Do not assign the db_owner database role on the PIFD database to this account. Do not grant the SysAdmin server role to this account. 122 PI Asset Framework Installation and Upgrade Guide

131 PI AF security overview Component Secondary PI AF SQL databases Action required If it does not already exist, create a login in SQL Server for the AFServers local group. Grant the db_afserver database role on the PIFD database to this account. Do not assign the db_owner database role on the PIFD database to this account. Do not grant the SysAdmin server role to this account. PI AF collectives in a domain or workgroup Any PI AF server (a computer where the PI AF application service is installed) in a PI AF collective must be in a domain; workgroups are not supported. The PI AF SQL database computers can be in a workgroup or a domain. If the PI AF SQL database computers are in a workgroup, you must use a local Windows account that exists on the computer where PI System Explorer (PSE) is run to create the collective on the SQL Server computer. The accounts must have matching passwords, be in the local Windows administrators group on all computers, and be a member of the SQL Server SysAdmin role. This local account will be used to run PSE and create the PI AF collective. Note: If you run PSE as a domain account that is mapped to sysadmin in SQL Server but your SQL Server is in a workgroup, you will get this error: cannot open service control manager on computer ' '. This operation might require other privileges. Do you wish to continue? Check security credentials and connections for PI AF collectives To ensure that you have the required access permissions and that you can connect to each SQL Server in the collective, follow these steps: 1. Using the Windows credentials that you will use to create the collective, login to the workstation from which you will create the collective (do not do this on the SQL Server computer) and connect to each PI AF server that will be part of the collective. 2. On the same workstation, verify that you can perform a simple file share access to each SQL Server: a. Select Start > Run. b. Enter \\SQL_Server_computer_name for each SQL server. This ensures that your credentials authenticate to each SQL Server at the Windows level. 3. Establish a connection to each SQL Server via SQL Server Management Studio (SSMS) or sqlcmd.exe. 4. Once connected, run the following query: SELECT IS_SRVROLEMEMBER ( sysadmin ) "is sysadmin", CURRENT_USER "connected as", SYSTEM_USER "login user" ; PI Asset Framework Installation and Upgrade Guide 123

132 PI AF security overview where "is sysadmin" returns 1=true, 0=false "connected as" returns "dbo" "login user" returns the user s Windows user principal Do not proceed until the connection and query succeeds for each SQL Server that will be part of your PI AF collective. Security configuration for the PI AF application service account The PI AF setup kit configures default access that grants PI AF application service the permissions required for the PI AF SQL database server. As part of this default configuration, the setup kit configures the application service to run under the NetworkService account on the PI AF server computer. For security reasons, OSIsoft recommends that you change the PI AF application service to run under a domain account (Run the PI AF application service under a domain account). Note: If PI AF application service and PI AF SQL database computers are located in different domains, and a trust does not exist between those domains, then the default configuration will not work. You must use SQL Server authentication to enable communication between the computers (Configure PI AF to use SQL Server security). Topics in this section Run the PI AF application service under a domain account PI AF application service and PI AF SQL database considerations Run the PI AF application service under a domain account The PI AF server setup kit configures the PI AF application service to run under the NetworkService account. It also configures access for the NetworkService account to the PIFD database on the PI AF SQL database server. This means that any local process running under the NetworkService account will have the same privileges to the PIFD database on the PI AF SQL database server. For security reasons, OSIsoft recommends that you change the PI AF application service to run under a domain account, and then remove the privileges for the NetworkService account on the SQL server. This provides you with the most secure method for protecting your PI AF and SQL servers. 1. Identify the domain account that you want to use for the PI AF Server application service. 2. Add a domain user to the AFServers local user group. The application service gets the required access to the PI AF SQL database through this local group on the SQL database computer. 3. Open the Services administrative tool on the PI AF server computer. 124 PI Asset Framework Installation and Upgrade Guide

133 PI AF security overview 4. Right-click the PI AF Application Service and select Properties. 5. Click the Log On tab and change the account to a domain account, using the DOMAIN \account format, or click the Browse button to search for and select the domain account to use. 6. Enter the account's Password twice, and click OK. 7. Right-click the PI AF Application Service and select Restart. A message appears indicating the service is being stopped, and then started. The service is now running under the new account. 8. Remove the previous account s access to the PIFD database. Most often, the previous account was the default account, NetworkService. For example, see Remove NetworkService account access to the PI AF SQL database. Note: After you remove the NetworkService account from the PIFD database, any time you run the setup program (repair or upgrade), you might need to repeat this step. 9. Reconfigure the properties on the PI AF server to reference the new PI AF application service account: a. In PI System Explorer, select File > Connections. b. Right-click the AF server in the list and click Disconnect, if it is available. c. Right-click the AF server in the list and click Properties. d. Type in name of the account under which the AFServer service runs. For example: DomainName\AccountName. e. Click Connect. If PI System Explorer cannot make connection to the PI AF server, see Cannot connect to AF server. f. Click OK. 10. Click Close. Check and set permissions for SPN creation An SPN (Service Principal Name) is a name that a client application uses to definitively identify an instance of a service. Microsoft introduced SPNs to make communicating with specific services more secure and manageable. SPNs are in conjunction with Kerberos security. By default, PI System Explorer and other PI AF clients connect to the PI AF Server using Kerberos security, which requires an SPN for the PI AF application service. If the PI AF clients cannot connect to the PI AF Server using Kerberos security, the authentication method rolls back to the less secure NTLM security. By default, for PI AF 2.2 and 2.3, a PI AF server attempts to register an SPN for the PI AF application service upon startup, if the AFServer service is running under the NetworkService account and the SPN is identified in the AFService.exe.config (which it is by default). By default, for PI AF 2.4 and greater, PI AF server attempts to register an SPN for the PI AF application service upon startup. If the AFServer service is running under the NetworkService account, the SPN is created for the machine account for the machine on which the service is running. If the AFServer service is running under a domain account, the SPN is created for that domain account. PI Asset Framework Installation and Upgrade Guide 125

134 PI AF security overview Local computer accounts, such as NetworkService, typically have permission to set an SPN. However, domain accounts often do not. If the PI AF application service is running under an account that does not have the privileges to create an SPN then extra configuration is needed for a client such as PI System Explorer to connect to that PI AF server using an SPN. See View the PI AF application service domain account permissions. 1. View the PI AF application service domain account permissions. 2. Manipulate an SPN with setspn. View the PI AF application service domain account permissions If you configure the PI AF application service to run under a domain account, then you need to check that the domain account has privileges to set the Service Principal Name (SPN) for the service. This can be accomplished using the Active Directory Service Interfaces Editor (ADSI Edit) snap-in to view the permissions for the service's domain account. See Assign permissions to service accounts with ADSI Edit snap-in. Manipulate an SPN with setspn See Manage SPNs for the PI AF application service. Configure PI AF server to use a UPN To configure PI AF server to use a user principal name (UPN), edit the AFServer.exe.config file. The file contains the following element in a default installation: <identity> <serviceprincipalname value="afserver" /> <!-- <userprincipalname value="username@domain"/> --> </identity> Note that the UPN setting (userprincipalname) is commented out and the SPN (serviceprincipalname) setting is enabled. To configure the PI AF server to use a UPN instead of an SPN, comment out the serviceprincipalname element and uncomment the userprincipalname element. The value of the userprincipalname would be the domain credentials under which the PI AF server is running. For example: <identity> <!--<serviceprincipalname value="afserver" />--> <userprincipalname value="username@domain"/> </identity> Remove NetworkService account access to the PI AF SQL database If you change the PI AF application service so that it does not run under the NetworkService account, you must remove the NetworkService account s access to the PI AF SQL database (PIFD). After you remove the NetworkService account from the PIFD database, any time you run the setup program (repair or upgrade), you may have to repeat this procedure. 126 PI Asset Framework Installation and Upgrade Guide

135 PI AF security overview 1. On the PI AF SQL database computer, click Start > Administrative Tools > Computer Management. 2. Under Computer Management (Local), expand System Tools > Local Users and Groups > Groups. 3. In the list of groups, double-click AFServers. 4. Select the NetworkService account and click Remove. 5. Click OK and click Close. 6. Open SQL Server Management Studio and connect to the SQL Server instance in which the PIFD database resides. 7. Expand the PIFD database and navigate to the Security > Schemas folder. 8. Right-click the NT AUTHORITY\NetworkService schema and select Delete. 9. Click OK to remove the schema. 10. Under the SQL Server instance, expand the Security folder; then expand the Logins folder. 11. Right-click NT AUTHORITY\NetworkService and select Properties. 12. Select the User Mapping page. 13. Select the row for the PIFD database. 14. Clear the check box under Map for the PIFD database. PI Asset Framework Installation and Upgrade Guide 127

136 PI AF security overview 15. Click OK. The NT AUTHORITY\NetworkService user in the PIFD database is removed, and the NT AUTHORITY\NetworkService login no longer has access to the PIFD database. Add a domain user to the AFServers local user group When the PI AF application service is run under a domain account, you need to add that domain account to the AFServers local user group on the PI AF SQL database computer. 1. On the PI AF SQL database computer, click Start > Administrative Tools > Computer Management. 2. Under Computer Management (Local), expand System Tools > Local Users and Groups > Groups. 3. In the list of groups, double-click AFServers. 128 PI Asset Framework Installation and Upgrade Guide

137 PI AF security overview 4. Add the domain account under which the PI AF application service is running to the AFServers group. If it is running under the NT AUTHORITY\NetworkService account, add the PI AF server s system account to this group. Note: If the PI AF application service is running as the LocalService account, then you will likely need to use SQL Server security instead of integrated security. 5. Close Computer Management. PI AF application service and PI AF SQL database considerations By default, the PI AF application service runs under the NT AUTHORITY\NetworkService user account on the PI AF server computer. That user account is a member of a local group, called the AFServers user group, on the PI AF SQL database computer. The AFServers user group provides the required access on the SQL database computer through a SQL Server login that is mapped to the AFServers group. Here is how the installation applications create the default configuration: The PI AF server setup kit creates the PI AF application service on the PI AF server computer. It configures this application service to run under the NT AUTHORITY \NetworkService user account on that computer. The PI AF SQL database installation application: Creates a local user group, AFServers, on the PI AF SQL database computer. This process will fail if SQL Server is on a domain controller or on a cluster. Adds the application service account (NT AUTHORITY\NetworkService) to the local AFServers group on the PI AF SQL database computer. Note: If you install the PI AF SQL database separately from the PI AF server installation, then the installation application prompts for the domain and computer name of the PI AF server. It then adds the computer account of the PI AF server to the local AFServers group on the PI AF SQL database computer. Creates a SQL Server login that is mapped to the AFServers local user group. The SQL Server login has the necessary access required for the PI AF application service. Configure PI AF to use SQL Server security By default, PI AF uses Windows authentication to connect to the PI AF SQL database. However, when the PI AF server and SQL server are on different non-trusted domains, you need to configure PI AF to use SQL Server authentication instead. Follow these steps: 1. Configure SQL Server to use mixed mode authentication. 2. Create and configure SQL Server login. 3. Specify SQL Server security mode and add user. 4. Specify a PI AF SQL database in the connect string. PI Asset Framework Installation and Upgrade Guide 129

138 PI AF security overview Topics in this section Configure SQL Server to use mixed mode authentication Create and configure SQL Server login About the PI AF Server connect string Specify SQL Server security mode and add user Specify a PI AF SQL database in the connect string Configure SQL Server to use mixed mode authentication 1. Open Microsoft SQL Server Management Studio, and connect to the SQL Server instance that stores the PI AF SQL database (PIFD). 2. Right-click the SQL Server instance and select Properties. The Server Properties window opens. 3. Select the Security page. 4. Select the SQL Server and Windows Authentication mode option. 5. Click OK to return to Microsoft SQL Server Management Studio. If the SQL Server service has not been restarted since mixed mode authentication was selected, you must restart the SQL Server database engine service to make mixed mode authentication available. Create and configure SQL Server login Create a SQL Server login, grant the SQL Server login account access to the PI AF SQL database (PIFD), and grant the SQL Server user the db_afserver database role. 1. In the Microsoft SQL Server Management Studio, connect to the SQL Server instance that stores the PI AF SQL database (PIFD). 2. Under the SQL Server instance, expand Security > Logins. 3. Create a new login and enter a name in the Login name field. 4. Select the SQL Server authentication option. 5. Enter the password in the Password and Confirm password fields. 6. In Default database, select PIFD. 130 PI Asset Framework Installation and Upgrade Guide

139 PI AF security overview 7. Select the User Mapping page. 8. Select the row for the PIFD database. 9. Select the Map check box for the PIFD database. PI Asset Framework Installation and Upgrade Guide 131

140 PI AF security overview 10. Under Database role membership for: PIFD, select the db_afserver check box. 11. Click OK. About the PI AF Server connect string The connect string defines the location of the PI AF SQL database and the security mode used to connect to the database. This is a standard ADO.NET connection string. The connect string is defined in the AFService.exe.config file. You can modify the connect string to indicate that the new authentication mode is being used, and to provide the credentials for connecting. Some of the changes you may need to make to the connect string are: Specify the SQL Server security mode. Add the SQL Server user and password. Specify the PI AF SQL database. 132 PI Asset Framework Installation and Upgrade Guide

141 PI AF security overview Note: OSIsoft recommends that you limit access to the AFService.exe.config file to authorized users, including the account under which the PI AF application service runs. To do so: limit access to log on to the PI AF Server, or set a security descriptor on the AFService.exe.config file or its directory. Connect string examples Integrated Security: <add key="connectstring" value="persist Security Info=False;Integrated Security=SSPI;server=AFSQLDB\SQLEXPRESS;database=PIFD;Application Name=AF Application Server;"/> SQL Server Security: <add key="connectstring" value="persist Security Info=False;Trusted_Connection=no;server=AFSQLDB \SQLEXPRESS;database=PIFD;Application Name=AF Application Server;uid=af_sql_user;pwd=af_sql_password;"/> Specify SQL Server security mode and add user If you want to use SQL Server security, you need to change the connect string to reference the correct security mode and add a SQL Server user and password. 1. Open the AFService.exe.config file with a text editor, such as Notepad. 2. Locate the connect-string key. It has the following format: <add key="connectstring" value="persist Security Info=False;Integrated Security=SSPI;server=.\phxtest;database=PIFD;Application Name=AF Application Server;"/> 3. Modify the connect string by replacing Integrated Security=SSPI with Trusted_Connection=no. 4. Add the SQL Server user ID (uid) and password (pwd) at the end of the connect string. After your changes, the connect string should resemble this example: <add key="connectstring" value="persist Security Info=False;Trusted_Connection=no;server=AFSQLDB \SQLEXPRESS;database=PIFD;Application Name=AF Application Server;uid=af_sql_user;pwd=af_sql_password;"/> 5. Save and close the file. 6. Restart the PI AF application service. Specify a PI AF SQL database in the connect string If your PI AF SQL database is moved to a new server, or you need to work with a different PI AF SQL database, you can specify the change within the connect string. Follow these steps: PI Asset Framework Installation and Upgrade Guide 133

142 PI AF security overview 1. On the PI AF server computer, open the AFService.exe.config file with a text editor, such as Notepad. 2. Locate the connect-string key. It has the following format: Integrated Security: <add key="connectstring" value="persist Security Info=False;Integrated Security=SSPI;server=.\phxtest;database=PIFD;Application Name=AF Application Server;"/> SQL Server Security: <add key="connectstring" value="persist Security Info=False;Trusted_Connection=no;server=.\phxtest;database=PIFD;Application Name=AF Application Server;uid=af_sql_user;pwd=af_sql_password;"/> 3. Modify the connect string, specifying the new location of the server. You can use a computer name or an IP address, and can include the SQL Server instance name. Integrated Security: <add key="connectstring" value="persist Security Info=False;Integrated Security=SSPI;server=AFSQLDB\SQLEXPRESS;database=PIFD;Application Name=AF Application Server;"/> SQL Server Security: <add key="connectstring" value="persist Security Info=False;Trusted_Connection=no;server=AFSQLDB \SQLEXPRESS;database=PIFD;Application Name=AF Application Server;uid=af_sql_user;pwd=af_sql_password;"/> 4. Save and close the file. 5. Restart the PI AF application service. Configure PI AF and SQL database in untrusted domains Communication must be configured between a PI AF application service and PI AF SQL database that reside in different domains and are not trusted, or are in workgroups. 1. Configure SQL Server to allow remote connections. See the Microsoft SQL Server library ( 2. Configure PI AF to use SQL server security. See Configure PI AF to use SQL Server security. 3. If you are using a named instance of SQL Server and have not specified a port in the connect string, then make sure the SQL Server Browser service is running on the SQL Server computer. To promote the most secure environment, you should specify the port in the connection string. 4. Ensure that your system security is configured as described in Firewalls and PI AF security. PI AF clients and Windows authentication The AF SDK and the PI SDK are installed as part of the PI AF Client installation. The PI AF Client installation also includes these optional features: 134 PI Asset Framework Installation and Upgrade Guide

143 PI AF security overview PI System Explorer Analysis Management PI Builder PI AF User Documentation PI System Explorer and other PI AF SDK clients communicate with PI AF server using Windows authentication. Except for configuration of a PI AF collective, the PI AF SDK never connects directly to SQL Server. When you attempt to connect to a PI AF server through PI System Explorer, your login credentials are used. If you have permission to access the PI AF server, the connection is made. If you do not have the appropriate rights, a login dialog box appears where you can enter credentials. For example, this can occur if you are logged in as a local user, are not a domain user, or if the client computer is in a domain other than the domain of the PI AF server. Run PI System Explorer with elevated permissions If you run PI System Explorer or other PI AF client directly on the PI AF server computer and the operating system has user-account control enabled, then using a local administrative account will not elevate the account. You will be prompted to restart with elevated permissions. To avoid this prompt, choose one of these options: Run PI System Explorer as Administrator: a. On the Start menu, right-click PI System Explorer or other PI AF client. b. Select Run as Administrator. Set PI System Explorer to run as Administrator every time it is started: a. On the Start menu, right-click PI System Explorer (or other PI AF client). b. Select Properties. c. On the Compatibility tab, select the Run this program as an administrator check box. Modify the PI AF security settings so that the user or a group containing the user (other than local Administrators) has appropriate privileges. Connect PI System Explorer and PI AF server Ensure a successful connection between your PI System Explorer and PI AF server. 1. Make sure that the PI AF server is version or later. If the version is older, upgrade it first. 2. Create the same local account on both computers. Use the same password, too. 3. Set the firewalls to open the incoming connections on PI AF server. See Considerations for firewalls and ports for PI AF to determine which ports should be open. 4. Log on to the PI System Explorer client computer using the new local account. PI Asset Framework Installation and Upgrade Guide 135

144 PI AF security overview 5. Open PI System Explorer and try to connect to the target PI AF server. 6. In PI System Explorer, on either the Database Properties dialog box or the Select Database dialog box, click to open the System Properties dialog box. 7. Set Name and Host to the actual settings of your PI AF server. Account remains empty. 8. Click OK. 9. Click Connect to initiate a connection. 10. If you have a connection problem, see Set audit policy and Set sharing and security model for local account. 1. Set audit policy. 2. Set sharing and security model for local account. 3. Configure Active Directory access for contacts. Set audit policy The best way to understand the root cause of the connection problem is to turn auditing on, and to check the security-related events in Windows Event Viewer. 1. Click Start > Administrative Tools > Local Security Policy. 2. Under Security Settings, select Local Policies > Audit Policy. 3. Set the security setting to Success, Failure for the following policies: Audit account logon events Audit logon events Audit object access Audit privilege use To do so: a. Right-click each policy and choose Properties. b. Select the Success and Failure check boxes. c. Click OK. Set sharing and security model for local account A probable cause of a connection problem is that the PI AF node did not authenticate the client user as a local user, but used the Guest account instead. 1. On the PI AF server computer, click Start > Administrative Tools > Local Security Policy. 2. Under Security Settings, select Local Policies > Security Options. 136 PI Asset Framework Installation and Upgrade Guide

145 PI AF security overview 3. Right-click Network access: Sharing and security model for local account and choose Properties. 4. Set the security setting to Classic - local users authenticate as themselves. 5. Click OK to save your change. Configure Active Directory access for contacts When using PI Notifications with PI AF server, you may need to specify how to access Microsoft s Active Directory to retrieve contact names for the PI Notifications Contacts lists. Each PI AF server provides the option to specify the domain and contact sub-folder, as well as the account needed to access Active Directory and retrieve contact names. By default, the account under which the PI AF server application service is running is used for Active Directory access. To use a different account or to access an Active Directory in a different domain, configure access from the Configure Active Directory Access for Contacts window. 1. Open PI System Explorer and connect to a database that belongs to the PI AF server for which you want to configure Active Directory access. 2. From the File menu, select AF Server Properties and from that window click the Configure Active Directory Access for Contacts link. 3. In the Active Directory Domain Name text box, enter the full DNS name of the Active Directory domain from which the contact names will be retrieved for the PI Notifications Contacts (for example, contoso.com). If this field is left blank, the domain in which the PI AF application service resides will be used. 4. In the Active Directory Contact Sub-Folder text box, enter the path to the folder containing the list of contacts for this domain. In larger Active Directory domains, contacts may be organized within sub-folders. The use of sub-folders can allow for faster retrieval of a list of Active Directory contacts. Use the following structure for the sub-folder: DomainUserFolder/SubDomainUserFolder/Sub SubDomainUserFolder 5. Choose an option for Active Directory Access Account: Use the account the AF Server runs as This is the default option. Select it to access Active Directory using the account under which the PI AF application service runs. By default, the PI AF server is installed using the Network Service account. However, the PI AF server service account can be changed. If the PI AF server service account does not have the necessary permission to read the Active Directory, no contact names will be retrieved in the Contacts list. If your Active Directory security is configured to allow the PI AF server service account to read the Active Directory, then this is the simplest option. Use the account the AF Client is running as Select this option to use the credentials of the user account under which the connecting client application is running. If the PI AF server service is running under an account (Network Service is the default account) that does not have permission to read the Active PI Asset Framework Installation and Upgrade Guide 137

146 PI AF security overview Directory, this option can be used. As long as the user account under which the connecting client application is running has permission to read Active Directory, a list of contact names is returned to the Contacts list. The contents of the Contacts list may vary, depending upon the access account used, since the security to read the contact list is determined by Active Directory. Note: Specifying this option may require Kerberos configuration if an AF SDK application will be using impersonation in a middle tier, such as a Web Service. Use the specified account This option allows you to specify an account to use to read the Active Directory. This can be useful when the Active Directory and PI AF server are in different domains or when the accounts in the first two options have no permission to read the Active Directory. For Account Name, use the format Domain\User. Make sure the specified account has the appropriate permission to read the target Active Directory. 6. Check Use Active Directory's locally cached Global Catalog to use the global catalog for Active Directory domain controller searches. Otherwise searches must go to the owning domain controller. Active Directory holds information in a distributed data repository called a global catalog. For installations where there are multiple, distributed domain controllers, each domain controller has a cache of the portions of the global catalog for which it is not responsible, so that Active Directory searches do not have to be referred to the owning domain controller. This improves performance for queries that must otherwise have to access a remote domain controller. 7. Choose a setting for Return All Persons. Active Directory objects are derived from one another as follows: Top>Persons>OrganizationalPerson>Contact and Top>Persons>OrganizationalPerson>User Select this check box to return Persons, Organizational Persons, Contacts and Users from the target Active Directory. Clear the check box to return only Users. 138 PI Asset Framework Installation and Upgrade Guide

147 Security configuration for external tables A PI AF table can be linked to data from external data sources such as Excel, Access, SQL Server, or other OLEDB/ODBC data sources. A PI AF table linked to an external data source is called a linked table or an external table. There are potential security risks for external tables in general. Risks vary depending on how an external table connects to the foreign data source. You can restrict the use of certain connection types. You can also disable external tables altogether. The following sections explain how external tables get their data and what the security options for external tables on a PI AF server. See also PI AF and Kerberos authentication. Topics in this section Authentication for linked tables Changing security settings for linked tables Authentication for linked tables When a client application requests external data, the PI AF server queries the external data source and returns the data to the client as a read-only PI AF table. For externally linked tables, OSIsoft recommends that the OLE DB provider and the PI AF Server have the same bitness (32-bit or 64-bit). To configure an external table connection in PI System Explorer, for example, you would use a PI AF server of the same bitness (typically, 64- bit). When you configure the linked table, you are required to specify the credentials that the PI AF server uses to connect to the database. The authentication options are: Impersonate Client If the source database supports Windows authentication, then use the Windows identity of the client that is requesting the data. This is an impersonated connection. This is the most secure method of authentication; use it wherever possible. Supply Password If the source database does not support Windows authentication, or if the database and PI AF server are on different, non-trusted domains, then specify a user name and password with the necessary access on the source database. PI AF uses this hard-coded account to read the data in the external data source. For example, MySQL database does not support Windows authentication, so you would use the user name and password of an account on the MySQL database. No additional security context This option usually applies when you use Excel or other file-based data sources; otherwise every user needs to be granted read access to the file on the server. With this option, the external table will be accessed using the PI AF Server's identity. In this case, you do not need to specify a username or password when configuring the linked table, nor is Kerberos configuration required. However, take care to configure the SQL Security in such a way that the AF Server's identity does not have more privilege than necessary to retrieve the data. PI Asset Framework Installation and Upgrade Guide 139

148 Security configuration for external tables Only PI AF Administrators are allowed to configure external tables for security reasons, and for that reason, PI AF Administrator privilege should be given out to a limited set of users when this connection mode is enabled. Topics in this section Risk of using non-impersonated connections Data access recommendations for linked tables Linked table access on PI System Explorer 2.0.x Risk of using non-impersonated connections Depending on the configuration of the SQL Server, a user with PI AF administrator privileges could create attacks on the SQL Server and take full control of the system if these following conditions exist: A PI AF table is configured to use the PI AF server identity for linking to an external database. Non-impersonated linked (external) tables are enabled on the PI AF server. By default, non-impersonated linked tables are disabled on the PI AF server. In order for a user to execute an attack, that user would need to enable non-impersonated external tables. The PI AF server account has administrative rights on a SQL Server. By default, the AF server runs under the NetworkService account and does not have administrative rights to the locally-configured SQL Server or access to remote computer databases. Without administrator rights to the remote database, the possibility for elevation of privilege attacks is limited. Caution: For security reasons, do not grant the PI AF server administrative privileges on the computer or SQL Server when running with non-impersonated queries. Data access recommendations for linked tables If access to linked tables is not needed, disable it altogether. Do not grant the PI AF application service account administrative privileges on the PI AF server or SQL Server when running with non-impersonated queries. You must have administrative privileges on the PI AF Server to configure an external table that runs non-impersonated queries. See Changing security settings for linked tables for instructions. Linked table access on PI System Explorer 2.0.x For security reasons, PI AF server 2.1 and later do not by default allow access to linked tables from the following versions of PI System Explorer: 140 PI Asset Framework Installation and Upgrade Guide

149 Security configuration for external tables Changing security settings for linked tables The PI AF Diagnostics utility is a command-line utility that you can use to enable or disable PI AF server features and perform other administrative functions. The utility makes a direct connection with the associated SQL Server database and requires the SQL Server sysadmin or db_afadmin role. The utility name is afdiag and it is located in the \PIPC\AF folder. Use the AF Diagnostics utility to adjust security settings for external tables. Task Command Default Setting Enable support for external PI AF tables Disable support for external PI AF tables Enable support for external PI AF tables for nonimpersonated users Disable support for external PI AF tables for nonimpersonated users Change security settings for a specific PI AF table Change security settings for all tables. afdiag /DT afdiag /DT afdiag /DTImp afdiag /DTImp- In PI System Explorer, right-click on the table in the Browser and choose Security from the resulting menu. In PI System Explorer, right-click on Tables in the Browser and choose Security from the resulting menu. enabled disabled By default, table configuration requires administrative privileges on the PI AF server. By default, table configuration requires administrative privileges on the PI AF server. PI Asset Framework Installation and Upgrade Guide 141

150 Security configuration for external tables 142 PI Asset Framework Installation and Upgrade Guide

151 PI AF and Kerberos authentication Kerberos is a secure method for authenticating requests for a service on a computer in a network. By default, PI System Explorer and other PI AF clients attempt to connect to the PI AF Server using Kerberos authentication. If the PI AF clients cannot connect to the PI AF server using Kerberos security, the authentication method rolls back to the less-secure Windows Challenge/Response (NTLM) authentication. An SPN (Service Principal Name) is a name that a client application uses to definitively identify an instance of a service. Microsoft introduced SPNs to make communicating with specific services more secure and manageable. SPNs are used in conjunction with Kerberos security. The PI AF application service requires SPNs in order to support Kerberos authentication between the PI AF clients and the PI AF Server. By default, for PI AF 2.2 and 2.3, a PI AF server attempts to register a Service Principal Name (SPN) for the PI AF application service upon startup, if the PI AF application service is running under the NetworkService account and the serviceprincipalname value is defined in the AFService.exe.config file. This value is defined by default. For PI AF 2.4 and greater, the PI AF application service attempts to register an SPN upon startup, if the serviceprincipalname value is defined in the AFService.exe.config. This value is defined by default. Depending on the account type, the SPN is created in different ways: If the PI AF application service is running under the NetworkService account, the SPN is created for the machine account for the machine on which the service is running. If the PI AF application service is running under a domain account, the SPN is created for that domain account. If the PI AF application service is running on a Windows Cluster, there are special circumstances surrounding SPN registration. See PI AF installation in a failover cluster. Local computer accounts, such as NetworkService, typically have permission to set an SPN. However, domain accounts often do not. If the PI AF application service is running under an account that does not have the privilege to create an SPN, then extra configuration is needed for a client such as PI System Explorer to connect to that PI AF application service using an SPN. There are multiple ways to set the necessary configurations: Have an administrative user manually create the SPN. For detailed instructions, see Manage SPNs for the PI AF application service. Assign permissions to the domain account under which the PI AF application service runs so the service can manage the SPN creation. For detailed instructions, see Assign permissions to service accounts with ADSI Edit snap-in. If you configure the PI AF application service to run under a domain account, the account needs to have the associated SPNs created, and you can do this in one of two ways: The PI AF application service s domain account can be assigned privileges that allow it to manage its own SPNs. The SPNs can be created for the PI AF application service s domain account by a user with the appropriate permissions. Alternatively, the Active Directory Service Interfaces Editor (ADSI Edit) snap-in is used to view and edit the permissions for active directory objects; this is the tool used to assign permissions PI Asset Framework Installation and Upgrade Guide 143

152 PI AF and Kerberos authentication to the PI AF application service s domain account that would allow the server to manage its own SPNs. SetSPN is a command line tool used to view, edit and remove the SPN property associated with an active directory object. Users must have permissions to create and remove SPNs to use this tool, which is also the tool used to create SPNs for the PI AF application service s domain account. Note: If you want to create an AF Table that links to a table in a SQL Server instance where the SQL Server Engine runs under a domain account, and you want to impersonate the client s credentials when connecting to the SQL Server table (this is often referred to as a Kerberos double-hop), then both the Read serviceprincipalname and Write serviceprincipalname permissions need to be assigned to the SQL Server Engine s domain account. Additionally, the accounts and machines involved will need to be configured for delegation. See Configure Active Directory objects for delegation. Topics in this section PI AF and Kerberos delegation Assign permissions to service accounts with ADSI Edit snap-in Manage SPNs for the PI AF application service Configure Active Directory objects for delegation PI AF and Kerberos delegation Kerberos authentication supports two types of Kerberos delegation: General delegation Allows an application or service to use a user s credentials to access another application or service on another machine. Constrained delegation Similar to general delegation, but you must define the specific application/service on each specific machine that is to be allowed to delegate a user s credentials. Note: OSIsoft recommends that you use Kerberos constrained delegation rather than general delegation, because it is more secure. For further information, you can refer to the following articles: What's New in Kerberos Authentication ( hh aspx) Understanding Kerberos Double Hop ( 2008/06/13/understanding-kerberos-double-hop.aspx) Delegation example Here is an example of how PI AF might use Kerberos delegation: Rita, a PI AF Client user, has permission to access data from a table in a SQL Server database. 144 PI Asset Framework Installation and Upgrade Guide

153 PI AF and Kerberos authentication 1. In PI System Explorer, Rita creates an AF Table Connection object that defines how to connect to the SQL Server database. 2. She creates an AF Table object that uses the AF Table Connection definition and includes a valid Query. 3. She then links the AF Table to a table in a SQL Server (or some other external data source) that is not part of the PI AF System. If the user has the appropriate permissions to access the table on the external SQL Server AND if the involved machines and user accounts have been correctly configured for delegation, when the user connects to the linked AF Table, the AF Server authenticates the PI System Explorer user via Kerberos Delegation, and retrieves the data from the table in the external SQL Server using the user s delegated credentials. Topics in this section Configure PI AF for Kerberos general delegation Configure PI AF for Kerberos constrained delegation Configure PI AF for Kerberos general delegation Kerberos General Delegation can be used in PI AF when a PI AF client user wants to access data from a source external to PI AF via a linked AF Table. If the PI AF Client user has the appropriate permissions to access this external data, and Kerberos delegation has been properly configured as described in the instructions below, the user can view the external data via a linked AF Table in the PI System Explorer, or other PI AF client. Note: OSIsoft recommends that you use Kerberos constrained delegation because it is more secure than general delegation. Follow this procedure to support Kerberos general delegation for a linked AF Table. 1. Assign the Read serviceprincipalname and Write serviceprincipalname permissions to the following Active Directory objects: Domain account under which the AFServer service runs, if you want its SPNs to be automatically managed. Domain account under which the SQL Server service runs, assuming the linked AF Table is a SQL Server table AND you want its SPNs to be automatically managed. See Assign permissions to service accounts with ADSI Edit snap-in. 2. Create the required SPNs for the following objects: SPNs must be manually created by an Administrative user for the AFServer service, IF you did not assign the Read serviceprincipalname and Write serviceprincipalname permissions to the AFServer service's domain account. SPNs must be manually created by an Administrative user for the SQL Server service, IF the AF Table is linked to a SQL Server table and IF you did not assign the Read serviceprincipalname and Write serviceprincipalname permissions to the SQL Server service s domain account. PI Asset Framework Installation and Upgrade Guide 145

154 PI AF and Kerberos authentication See Create SPNs for the PI AF application service. 3. Configure Active Directory objects as trusted for general delegation: The AFServer service's domain account. The domain account for the service that controls access to the data configured in the linked AF Table. The machine account for the machine on which the AFServer service runs. The machine account for the machine on which the data for the linked AF Table resides. See Configure Active Directory objects for delegation. Configure PI AF for Kerberos constrained delegation OSIsoft recommends that you use Kerberos constrained delegation rather than general delegation, because it is more secure. Kerberos constrained delegation can be used in PI AF when a PI AF client user wants to access data from a source external to PI AF via a linked AF Table. If the PI AF Client user has the appropriate permissions to access this external data, and the objects in Active Directory are correctly configured, the user can view the external data via a linked AF Table in the PI System Explorer, or other PI AF client. To use constrained delegation, you must define the specific service(s) on the specific machines that will be involved in the delegation process, including: the PI AF application service, the machine on which the PI AF application service resides, the machine on which the external data resides, and any service(s) required to access the data. Follow this procedure to support Kerberos constrained delegation for a linked AF Table. 1. Assign the Read serviceprincipalname and Write serviceprincipalname permissions to the following Active Directory objects: Domain account under which the AFServer service runs if you want its SPNs to be automatically managed. Domain account under which the SQL Server service runs, assuming the linked AF Table is a SQL Server table AND you want its SPNs to be automatically managed. See Assign permissions to service accounts with ADSI Edit snap-in. 2. Create the Required SPNs for the following objects: The AFServer service. SPNs must be manually created by an Administrative user for the AFServer service, if you did not assign the Read serviceprincipalname and Write serviceprincipalname permissions to the AFServer service's domain account. The SQL Server service. SPNs must be manually created by an Administrative user for the SQL Server service, if: 146 PI Asset Framework Installation and Upgrade Guide

155 PI AF and Kerberos authentication the AF Table is linked to a SQL Server table, and you did not assign the Read serviceprincipalname and Write serviceprincipalname permissions to the SQL Server service s domain account. See Create SPNs for the PI AF application service. 3. Configure the following Active Directory objects as trusted for constrained delegation: the AFServer service's domain account, the domain account for the service that controls access to the data configured in the linked AF Table, the machine account for the machine on which the AFServer service runs, and the machine account for the machine on which the data for the linked AF Table resides. See Configure Active Directory objects for delegation. Assign permissions to service accounts with ADSI Edit snap-in The ADSI Edit snap-in is used to view and assign permissions to active directory objects. When the PI AF application service is run under a domain account, that domain account requires special permissions to create and delete SPNs for the AFServer service. The ADSI Edit snap-in allows you to assign these permissions to the domain account, if the account you are logged in with has the appropriate access. Contact your domain administrator if you do not have the required access. Before you start 1. Log into the domain to which the AFServer service s domain account belongs. 2. Verify that the ADSI Edit snap-in is installed on computer that you will be using to assign permissions to service accounts. See Microsoft's article about installing ADSI Edit ( library/cc773354(v=ws.10).aspx#bkmk_installingadsiedit). Log into the domain to which the AFServer service s domain account belongs. Verify ADSI Edit is installed on computer from which you will be executing the following steps. 1. From the Start menu, type adsiedit.msc in the Search box and press Enter. If the ADSI Edit snap-in is installed on the machine, the ADSI Edit snap-in opens in the Microsoft Management Console window. a. If this is the first time the ADSI Edit snap-in has been opened, there are no active connections for Active Directory Services. Right-click ADSI Edit in the console and select Connect to to open the Connection Settings window. b. Leave the default settings and click OK. A new entry is added to the console with the following format "Default naming context [mymachine.mydomain.com]". PI Asset Framework Installation and Upgrade Guide 147

156 PI AF and Kerberos authentication c. Select the new entry, and then expand it to view a new sub-entry DC-[mydomain],DC- [com]. d. Expand the new sub-entry to show Active Directory contents. 2. Locate and expand the container in which the AFServer service account resides. 3. Right-click the account and select Properties. The account's Properties window opens with the Attribute Editor tab selected. 4. In the Security tab, select SELF in the Group or user names section, and then click Advanced. The Advanced Security Settings for [Account Name] window opens. 5. In the Permissions tab, scroll through the Permissions entries list, ensuring there are no entries for SELF with a blank entry for Permission. 6. In the Permissions tab, click Add. 7. In the Select User, Computer, Service Account, or Group window, type SELF in the Enter the object name to select field, and then click OK. The Permission Entry for [AccountName] window opens. 8. In the Properties tab, in the Apply to list, select This object only. a. Scroll down through the Permissions list and select the Allow check box for Read serviceprincipalname and Write serviceprincipalname, and then click OK. In the Advanced Security Settings for [Account Name] window there is a new entry for SELF with a blank entry for Permission. 9. Click OK. 10. In the account's Properties window, click OK to return to the ADSI Edit snap-in. The AFServer service account will now create the required SPNs when the service starts, and delete these same SPNs when the service stops. Manage SPNs for the PI AF application service The setspn command line tool allows a user with appropriate permissions to view, edit and delete the Service Principal Names (SPN) property associated with active directory objects. Contact your domain administrator if you do not have the required permissions. The setspn tool can be used to verify that the correct SPNs have been created for the PI AF application service, whether it is running under the NetworkService account or a domain account. It can also be used to create or delete SPNs for the PI AF application service, which is only necessary if the account under which the service is running does not have the permissions to read and write SPNs. Topics in this section View existing SPNs for the PI AF application service Create SPNs for the PI AF application service Delete SPNs for the PI AF application service 148 PI Asset Framework Installation and Upgrade Guide

157 PI AF and Kerberos authentication View existing SPNs for the PI AF application service Before creating SPNs, you must verify that SPNs do not already exist for the PI AF application service. Note: You must run the setspn command from a command prompt. To view SPNs for a PI AF application service running under the NetworkService account, enter this command: setspn -l machine_name where machine_name is the machine on which the PI AF application service runs. SPNs assigned to this machine are returned in this list format: AFServer/machine_FQDN AFServer/machine_name where: machine_fqdn is the fully-qualified domain name of the machine on which the PI AF application service runs machine_name is the machine on which the PI AF application service runs To view SPNs for a PI AF application service running under a domain account, enter this command: setspn -l domain\account_name where domain\account_name is the domain account under which the PI AF application service runs. SPNs assigned to this domain account are returned in this list format: AFServer/machine_FQDN AFServer/machine_name where: machine_fqdn is the fully-qualified domain name of the machine on which the PI AF application service runs machine_name is the machine on which the PI AF application service runs Create SPNs for the PI AF application service The type of SPN you create for the PI AF application service depends on the account under which the service is running. If the service is running under the NetworkService account, you must create two SPNs for the machine on which the PI AF application service is running. If the service is running under a domain account, you must create two SPNs for that domain account. Note: You must run the setspn command from a command prompt. PI Asset Framework Installation and Upgrade Guide 149

158 PI AF and Kerberos authentication Before you start Before creating SPNs, you must verify that SPNs do not already exist for the PI AF application service. See View existing SPNs for the PI AF application service. To create two SPNs for a PI AF application service running under the NetworkService account, enter these two commands in sequence: setspn -s AFServer\machine_FQDN machine_name c:\> setspn s AFServer\[machine_name] [machine_name] where: machine_fqdn is the fully-qualified domain name of the machine on which the PI AF application service runs machine_name is the machine on which the PI AF application service runs The -s option of setspn checks for duplicate SPNs before creating new SPNs. To create two SPNs for a PI AF application service running under a domain account, enter these two commands in sequence: setspn -s AFServer\machine_FQDN domain\account_name setspn -s AFServer\machine_name domain\account_name where: machine_fqdn is the fully-qualified domain name of the machine on which the PI AF application service runs machine_name is the machine on which the PI AF application service runs domain\account_name is the domain account under which the PI AF application service runs For information on working with SPNs for SQL Server, see the Microsoft website technet.microsoft.com/en-us/library/ms aspx. Delete SPNs for the PI AF application service You do not need to delete SPNs related to the PI AF application service unless you have changed the account under which the service runs or you have uninstalled the service and the SPNs have not been deleted. For information on determining if SPNs exist for the application service, see View existing SPNs for the PI AF application service. Depending on whether the service is running under the NetworkService account or a domain account, you must use different setspn options to delete the SPNs for the machine or the domain account. Note: You must run the setspn command from a command prompt. To delete the two SPNs created for a PI AF application service that runs under the NetworkService account, enter these two commands in sequence: setspn -d AFServer\machine_FQDN machine_name 150 PI Asset Framework Installation and Upgrade Guide

159 setspn -d AFServer\machine_name machine_name where: machine_fqdn is the fully-qualified domain name of the machine on which the PI AF application service runs machine_name is the machine on which the PI AF application service runs To delete the two SPNs created for a PI AF application service that runs under a domain account, enter these two commands in sequence: setspn -d -AFServer\machine_FQDN domain\account_name setspn -d AFServer\machine_name domain\account_name where: machine_fqdn is the fully-qualified domain name of the machine on which the PI AF application service runs machine_name is the machine on which the PI AF application service runs domain\account_name is the domain account under which the PI AF application service runs Configure Active Directory objects for delegation The Active Directory Users and Computers snap-in is used to view and administer Active Directory objects. This section describes how to use the snap-in to configure your user and computer accounts to use Kerberos Delegation. You need to be logged in with an account that has the appropriate access. Contact your domain administrator if you do not have the required access. Topics in this section Configure delegation settings for the AFServer service computer Configure delegation settings for the machine account where the external data resides Configure delegation settings for the domain account under which the AFServer service runs Configure delegation settings for the domain account that controls access to the external data Configure delegation settings for the AFServer service computer Before you start Ensure you are logged into the domain to which the AFServer service's domain account belongs. 1. From the Start menu, type dsa.msc in the Search box and press Enter. PI AF and Kerberos authentication PI Asset Framework Installation and Upgrade Guide 151

160 PI AF and Kerberos authentication The Active Directory Users and Computers snap-in opens in the Microsoft Management Console window. 2. Locate and expand the container in which the computer account for the AFServer service resides. 3. Right-click the account, and then click Properties. The computer account's Properties window opens with the General tab selected. 4. For General Delegation, select the Trust this computer for delegation to any service (Kerberos only) option and click OK to close the window. 5. For Constrained Delegation, select the Trust this computer for delegation to specified services only option. a. Select the Use Kerberos only option. b. Click the Add button. The Add Services window opens. c. Click the Users or Computers button. The Select Users or Computers window opens. d. Enter the name of the domain account under which the service that allows for access to the external data runs and click OK to return to the Add Services window. For example, if the external data resides in a SQL Server table, enter the name of the domain account under which the SQL Server runs. A list is shown with the Service Type(s)/User or Computer combinations for the specified domain account. e. Select each of the combinations that allow for access to the external data and click OK to return to the computer's Properties window. The selected combinations are shown in the Services to which this account can present delegated credentials list. f. Click OK to return to the Active Directory Users and Computers snap-in. 6. Repeat these steps if the AFServer service needs to access any other external data sources using delegated authentication. Configure delegation settings for the machine account where the external data resides Before you start Ensure you are logged into the domain to which the AFServer service's domain account belongs. 1. From the Start menu, type dsa.msc in the Search box and press Enter. 152 PI Asset Framework Installation and Upgrade Guide

161 The Active Directory Users and Computers snap-in opens in the Microsoft Management Console window. 2. Locate and expand the container in which the computer account for the external data resides. 3. Right-click the account, and then click Properties. The computer account's Properties window opens with the General tab selected. 4. For General Delegation, select the Trust this computer for delegation to any service (Kerberos only) option and click OK to close the window. 5. For Constrained Delegation, select the Trust this computer for delegation to specified services only option. a. Select the Use Kerberos only option. b. Click the Add button. The Add Services window opens. c. Click the Users or Computers button. The Select Users or Computers window opens. d. Enter the name of the domain account under which the service that allows for access to the AFServer service runs and click OK to return to the Add Services window. A list is shown with the Service Type(s)/User or Computer combinations for the specified domain account. e. Select each of the AFServer service accounts with which you want to allow constrained delegation to occur with the computer account being edited and click OK to return to the computer's Properties window. The selected combinations are shown in the Services to which this account can present delegated credentials list. f. Click OK to return to the Active Directory Users and Computers snap-in. 6. Repeat these steps if there are other AFServers that run under different domain accounts that need to access the data on this computer via delegation. Configure delegation settings for the domain account under which the AFServer service runs Before you start Ensure you are logged into the domain to which the AFServer service's domain account belongs. 1. From the Start menu, type dsa.msc in the Search box and press Enter. PI AF and Kerberos authentication The Active Directory Users and Computers snap-in opens in the Microsoft Management Console window. 2. Locate and expand the container in which the computer account for the AFServer service resides. PI Asset Framework Installation and Upgrade Guide 153

162 PI AF and Kerberos authentication 3. Right-click the account, and then click Properties. The user account's Properties window opens with the General tab selected. 4. For General Delegation, select the Trust this computer for delegation to any service (Kerberos only) option and click OK to close the window. 5. For Constrained Delegation, select the Trust this computer for delegation to specified services only option. a. Select the Use Kerberos only option. b. Click the Add button. The Add Services window opens. c. Click the Users or Computers button. The Select Users or Computers window opens. d. Enter the name of the domain account under which the service that allows for access to the external data runs and click OK to return to the Add Services window. For example, if the external data resides in a SQL Server table, enter the name of the domain account under which the SQL Server runs. A list is shown with the Service Type(s)/User or Computer combinations for the specified domain account. e. Select each of the combinations that you want to allow constrained delegation to occur with the user account being edited and click OK to return to the computer's Properties window. The selected combinations are shown in the Services to which this account can present delegated credentials list. f. Click OK to return to the Active Directory Users and Computers snap-in. 6. Repeat these steps if the AFServer service needs to access any other external data sources using delegated authentication. Configure delegation settings for the domain account that controls access to the external data Before you start Ensure you are logged into the domain to which the AFServer service's domain account belongs. 1. From the Start menu, type dsa.msc in the Search box and press Enter. The Active Directory Users and Computers snap-in opens in the Microsoft Management Console window. 2. Locate and expand the container in which the user account under which the service that controls access to the external data source resides. 3. Right-click the account, and then click Properties. The user account's Properties window opens with the General tab selected. 154 PI Asset Framework Installation and Upgrade Guide

163 PI AF and Kerberos authentication 4. For General Delegation, select the Trust this computer for delegation to any service (Kerberos only) option and click OK to close the window. 5. For Constrained Delegation, select the Trust this computer for delegation to specified services only option. a. Select the Use Kerberos only option. b. Click the Add button. The Add Services window opens. c. Click the Users or Computers button. The Select Users or Computers window opens. d. Enter the name of the domain account under which the AFServer service runs and click OK to return to the Add Services window. A list is shown with the Service Type(s)/User or Computer combinations for the specified domain account. e. Select each of the AF Server service accounts with which you want to allow constrained delegation to occur with the user account being edited and click OK to return to the computer's Properties window. The selected combinations are shown in the Services to which this account can present delegated credentials list. f. Click OK to return to the Active Directory Users and Computers snap-in. 6. Repeat these steps if there are other AFServers that run under different domain accounts that need to access the data on through this user account via delegation. Results Your system is now configured to support constrained delegation between the AFServer service and the specified service that allows access to the external data. PI Asset Framework Installation and Upgrade Guide 155

164 PI AF and Kerberos authentication 156 PI Asset Framework Installation and Upgrade Guide

165 Firewalls and PI AF security Customers are often required to isolate the process control part of their network from the rest of their network. They might also configure a buffer zone, or demilitarized zone (DMZ), to install servers and software that needs to transfer data between the process control network and the local area network. The DMZ is usually isolated between firewalls. There are three server components in a PI System: PI Server PI AF server Microsoft SQL Server that hosts the PI AF SQL database. While these components could be installed on a single computer, this section assumes that each component is installed on a separate computer in order to illustrate the complexity of connectivity and security configuration. In addition to this being a more interesting topology to discuss, it also distributes the processor load across several computers, which can increase system performance. Caution: Opening ports in your firewall can leave your server exposed to malicious attacks. Make sure that you understand firewall systems before you open ports. For more information, see Security considerations for a SQL Server installation. Topics in this section Examples of firewall topology Network connection types for PI AF Considerations for firewalls and ports for PI AF Examples of firewall topology This section presents three scenarios that illustrate possible locations for a firewall. Topics in this section Firewall with all servers installed within the DMZ Firewall with PI Server in the DMZ and PI AF and SQL Server on the LAN Firewall with SQL Server outside of the DMZ Firewall with all servers installed within the DMZ In this example, all the servers are installed in the DMZ. This simplifies the security settings between the servers because they all reside within the firewalls. PI Asset Framework Installation and Upgrade Guide 157

166 Firewalls and PI AF security Firewall with PI Server in the DMZ and PI AF and SQL Server on the LAN In this scenario, only the PI Server resides in the DMZ. The SQL Server and PI AF server are connected to the LAN. This scenario might occur when customers want to access data from foreign databases or synchronize PI AF assets with an ERP or maintenance system. 158 PI Asset Framework Installation and Upgrade Guide

167 Firewalls and PI AF security Firewall with SQL Server outside of the DMZ In this scenario, only the SQL Server resides outside of the DMZ. This may happen when customers want to use an existing SQL Server to host the PI AF SQL database. PI Asset Framework Installation and Upgrade Guide 159

168 Firewalls and PI AF security Network connection types for PI AF A PI AF system includes multiple network connections. 160 PI Asset Framework Installation and Upgrade Guide

169 Firewalls and PI AF security Connection Type A B C D Description The connection between the PI AF server and any PI AF SDK client, including PI System Explorer, allows the client to read and write structure information such as elements and models between the PI AF SDK and the PI AF server. The connection between PI AF server and Active Directory allows the PI AF server to read a list of Active Directory users, which are in turn exposed through PI AF as contacts. The connection between PI AF server and SQL Server allows the PI AF server to read and write structure information, such as elements and models, to a SQL Server database. The connection between a PI AF client and a PI Server allows a PI AF client to write PI data, but attribute values (non PI point) are written with connection type A. PI Asset Framework Installation and Upgrade Guide 161

170 Firewalls and PI AF security Considerations for firewalls and ports for PI AF This section presents port considerations for firewall configurations. You should also refer to the following OSIsoft Knowledge Base article for up-to-date information on firewall ports: ( techsupport.osisoft.com/troubleshooting/kb/kb00751) Topics in this section Firewall between PI AF Server and PI AF Client Firewall between PI AF Server and SQL Server Firewall between PI AF Client and PI Server Firewall between PI AF Server and PI AF Client All connectivity between a PI AF client and a PI AF server occurs through PI AF SDK. The appropriate ports must be open. The PI AF server connection must use the IP address or DNS name of the PI AF server, not the computer name. By default, PI AF SDK communicates with PI AF server through port 5457 and port Port 5457 is the primary port that PI AF SDK uses to communicate with PI AF server from the client. Port 5459 is used by some client products, such as PI OLEDB Enterprise and PI WebParts to communicate with PI AF server. Depending on how connections are defined, PI AF server may perform a reverse-name lookup of the connecting client IP address as part of the authentication process. The method chosen for name resolution may require that PI AF server be able to open outbound connections on some ports: Resolution by way of entries in the HOSTS file (no port requirement, but clients must have fixed IP addresses). Resolution by way of DNS (usually port 53). Resolution by way of NETBIOS name services (port 137). Firewall between PI AF Server and SQL Server To access an instance of the SQL Server database engine through a firewall, you must configure the firewall on the computer running SQL Server to allow access. For detailed information, review the Microsoft SQL Server article Configure a Windows firewall for database engine access ( ms aspx) and Configure the Windows Firewall to Allow SQL Server Access ( technet.microsoft.com/en-us/library/cc aspx). 162 PI Asset Framework Installation and Upgrade Guide

171 Firewalls and PI AF security Firewall between PI AF Client and PI Server PI AF clients need to connect to the PI AF application service to access the PI AF SQL database. They may also need to connect directly to PI Server if PI AF elements have been configured with PI point data references. The connection to PI Server is established directly from the PI AF client. No direct connection or authentication is needed against the SQL Server or PI AF server. By default, communication to the PI Server requires port 5450 to be open; however, you can change this. For detailed information, review the OSIsoft KB article Which firewall ports should be opened for a PI Server ( PI Asset Framework Installation and Upgrade Guide 163

172 Firewalls and PI AF security 164 PI Asset Framework Installation and Upgrade Guide

173 PI AF object security Security in PI AF is tightly bound to Windows security. Objects and their effective permissions are based on the Windows user identity. You can set permissions for individual objects and for collections. Note: If users have administration privileges on the PI AF server, then they are granted all security rights to all objects within the PI AF server, including all databases. This is true regardless of whether the user is granted or denied specific rights on individual objects. Topics in this section Setting permissions for objects Setting permissions for collections Setting permissions for objects Some PI AF objects have a set of access control information associated with them. This information is a security descriptor that controls the type of access allowed to a set of Windows users and groups. The security descriptor is created automatically when you create the AF object. For child elements, the default security is the security on the parent element. For other object types, the collection security is used as the default security. Note: Library objects are categories, templates, enumeration sets, reference types, and UOMs. Library objects always have Read permission regardless of their security settings. The following top-level AF objects are securable: PISystem AFContact AFCategory AFDatabase AFAnalysis AFAnalyisTemplate AFElement AFElementTemplate AFEnumerationSet AFReferenceType AFTable AFNotification AFNotificationContactTemplate UOMDatabase Topics in this section How to change access permissions on AF objects Element security Event frame and transfer security UOM security Database object security AF object access permission settings When to use the Deny option PI Asset Framework Installation and Upgrade Guide 165

174 PI AF object security How to change access permissions on AF objects Set permissions for objects in the Browser, in the Viewer, and in property sheets where they appear. 1. Right-click the object and select Security from the menu. The permission properties dialog box for the selected object appears. 2. Select users and set permissions as needed. Permissions are defined in AF object access permission settings. Groups and users used to define security are based on Windows security. It is better to assign permissions to groups, rather than users. It is inefficient to maintain user accounts directly. Element security When you change access permissions for an element, the access permissions for any parent or child elements might also change. The behavior depends on the reference type. Reference type Weak Composition Parent-child Description Access permissions are never inherited. Access permissions for child and parent are always the same. If you change the access permissions for the child, the parent access permissions are automatically changed to match the child permissions. Similarly, if you change the access permissions for the parent, the child access permissions are automatically changed to match the parent permissions. These changes cascade down (and up) through the hierarchy. Child elements do not inherit the access permissions from the parent element. You can copy the parent's access permissions to all of the child objects in the primary path. This process needs to be repeated each time the parent's access permissions change and you want the child elements in the primary path to have the new access permissions. Child elements in the primary path are easily noted: they have strong references to their parent element and are owned by the parent element. They have the standard element icon in the hierarchy. Child elements that have a strong reference to the parent element, but are owned by a different element, are not in the primary path. These child elements have a reference arrow on the standard element icon, making it obvious that they are not in the primary path. Copy the access permissions of a parent object to child objects Follow these steps to copy the parent's access permissions to its child objects in the primary path. Note: To determine the primary parent, select the child and then click the Parents link in PI System Explorer. The primary parent has a check mark on its icon. 166 PI Asset Framework Installation and Upgrade Guide

175 PI AF object security 1. In the Browser, right-click on the object for which you want to change permission inheritance and choose Security from the menu. 2. In the Permissions for <Object> window, click Advanced. 3. In the Advanced Security Settings for <Object> window, make the desired access permission changes. a. Select the Principal you want to change. b. Click Edit. c. In the Permission Entry for <Object> window, select the desired permissions and click OK. 4. At the bottom of the Advanced Security Settings for <Object> window, click the Replace all child object permission entries with inheritable permission entries from this object checkbox. 5. Click OK. Note: If you are using an older operating system, this checkbox is worded slightly differently, but has the same effect. 6. In the Windows Security window, click Yes. 7. Click OK to close the Permissions for <Object> window. Results The parent object's access permissions are copied to all child objects in the primary path, this one time. You need to repeat this process any time the parent's access permissions change and you want to once again copy those permissions to all child objects in the primary path. Event frame and transfer security Event frame At the time of creation, the access permissions assigned to an event frame that does not have a strong reference parent are calculated from the event frame template from which it was created. If access permissions are not created from a template, they are based on the event frame security item associated with the current PI AF database. When you add a child event frame to an existing event frame, the child event frame s access permissions are assigned based on the parent event frame at the time the child event frame was added. You can copy the parent's access permissions to all of the child event frames in the primary path. This process needs to be repeated each time the parent's access permissions change and you want the child event frames in the primary path to have the new access permissions. Child event frames in the primary path are easily noted, as they have strong references to their parent event frame and are owned by the parent event frame. They have the standard event frame icon in the hierarchy. Child event frames that have a strong reference to the parent event frame, but are owned by a different event frame, are not in the primary path. These child event PI Asset Framework Installation and Upgrade Guide 167

176 PI AF object security frames have a reference arrow on the standard event frame icon, making it obvious that they are not in the primary path. Transfer When you create a new transfer, its access permissions are assigned based on the new transfer's assigned transfer template, if it was created based on a template. Transfers that are not created based on a transfer template are assigned access permissions based on the transfer security item associated with the current PI AF database. Access permission modification You can modify event frame access permission as follows: In AF SDK, use the applytochildren parameter in AFSecurity.SetAccessControl Method on an event frame object. In the PI System Explorer Browser, right-click on the event frame for which you want to change permission inheritance and follow the same procedure as described in Copy the access permissions of a parent object to child objects. UOM security You cannot set permissions for individual UOMs or UOM classes. However, you can set permissions for the entire UOM database. Right-click in a blank area, as shown in the following figure, and select Security. Note: UOMs are always readable (always have the Read permission) regardless of their security settings. 168 PI Asset Framework Installation and Upgrade Guide

177 PI AF object security Database object security The write permission on an AF database is enforced automatically on every other object in the database. This allows for a simpler mechanism for disabling Write permission without having to recompute security descriptors for all objects within the database. AF object access permission settings Permission Read Write Delete Admin ReadData WriteData Execute Subscribe Subscribe Others Definition The ability to read or see the object. Without this permission, it is not possible to obtain the object. The ability to create and modify an object. The exception is that event frames and transfers require WriteData permission on the element template from which they are created, and cases require WriteData permission on the analysis in which they are contained. Additionally, if users do not have Write permission on the AF database, then they cannot modify any object within the database, regardless of the specific permission on that object. The ability to delete an object. The ability to modify the security settings, or owner, of an object. The ability to read non-configuration values from attributes of elements. Additionally, this permission controls whether a user can see transfers created from a specific transfer element template. Similarly, it controls whether a user can see cases created in a specific analysis. The ability to write non-configuration values to an element's attributes. Additionally, this permission controls whether a user can create or modify event frames or transfers created from a specific transfer element template. Similarly, it controls whether a user can create or modify cases in a specific analysis. The ability to run analysis cases. The ability to subscribe and unsubscribe notifications to oneself. The ability to subscribe and unsubscribe others for notifications. When to use the Deny option Select the Deny option for these cases: PI Asset Framework Installation and Upgrade Guide 169

178 PI AF object security To exclude a subset of a group that has allowed permissions. To exclude one special permission when you have already granted full control to a user or group. Note: PI Module Database does not support the Deny option. If you are using both PI MDB and PI AF, avoid the Deny option to prevent synchronization problems. Setting permissions for collections You can assign default access permissions for each type of collection in a PI AF database. For example, you can assign default access permissions for all tables in the database. Security is based on Windows identities. Access permissions defined on a collection: Control whether a user has the permission to create new objects in the collection Are used as the default access permissions for newly created objects in the collection 1. Open PI System Explorer and click the Library button in the Navigator pane. 2. Right-click on the PI AF database icon (the root object in the Browser) and choose Security then the desired collection type. The Permissions window appears. 3. Set the appropriate permissions for the collection. 4. To set the permissions for existing members of a collection, click Advanced. The Advanced Security Settings window appears. 5. Select the Replace permission entries check box. 6. Select the permission entry and then click Edit. 7. Specify the permissions, which are described in Setting permissions for objects. 170 PI Asset Framework Installation and Upgrade Guide

179 PI AF configuration and maintenance Topics in this section PI AF backup considerations PI AF collective SQL Server backups Monitor PI AF Server and SQL Server communication Troubleshoot connection problems Troubleshoot PI AF collectives PI AF backup considerations Perform backups of your database on a regular basis. Use Microsoft SQL Server Management Studio or the sqlcmd command utility. Consider these points as you design a backup strategy: Standard maintenance best practices include log backups, daily data backups, and periodic re-index on all databases. When the SQL Server Agent is available (all editions of SQL Server except Express), PI AF will automatically install and schedule a nightly SQL Server backup. Refer to the Maintenance.sql file located in the PIPC\AF\SQL directory. Releases beginning with PI AF 2.1 schedule a SQL Server Agent job to back up data and logs. SQL Server replication requires the SQL Server Agent on the publisher (primary) instance. Frequency of backup depends on your application; nightly backups might be best. The default backup does a complete backup every night at 0315, local time. However, you can change the time and can change the frequency and whether full or differential backups are done. Place the back up file on a different physical disk from where the SQL Server data is located. You might not be able to write to the root folder of C:\ drive. Use another drive, such as a network drive, or a subfolder. SQL Express 2008 does not include a job scheduler, so you need to use a Windows utility to schedule the backup. You can use the following command to run the backup: sqlcmd -S <SQLINSTANCE> -d PIFD -Q "EXEC = = 1;" -E You will need the sysadmin, db_owner, or db_backupoperator role. The least privilege is the best security practice. Back up the master database regularly. This database contains the metadata for the PIFD database, such as the database properties, table definitions, and so forth. The PI AF scheduled backup backs up the PIFD, master, msdb, and PIFD_distribution databases. OSIsoft recommends that you change your PIFD database from the simple recovery model to the full recovery model to allow point-in-time recovery. The PI AF Server installation kit configures the PIFD database with a simple recovery model by default. With this simple recovery model, transaction logs cannot be backed up and point-of-failure recovery is not possible. If you set the PIFD database to the full recovery model, the PIFD transaction logs PI Asset Framework Installation and Upgrade Guide 171

180 PI AF configuration and maintenance are also backed up. The transaction logs are truncated so they do not grow without bounds and either point-in-time or point-of-failure recovery is allowed. PI AF collective SQL Server backups OSIsoft highly recommends that you make regular backups of SQL Server data, especially on the primary server. The PI AF installation process creates a SQL Server backup job that is scheduled to run by SQL Server Agent. Make sure you copy these backups to media other than the media that contains the data. If you accidentally delete data on the primary, the deletions will be replicated to the secondary. The only way to recover accidentally deleted data is from backup. Make a full backup of the PIFD and PIFD_Distribution databases. The PIFD_Distribution database is located in the System Databases container. Monitor PI AF Server and SQL Server communication You can monitor the overall readiness of PI AF server with PI AF Server Health counter in the Windows Performance Monitor. 1. On the PI AF server computer, select Control Panel > Administrative Tools > Performance Monitor. 2. In the Performance Monitor window, under Monitoring Tools, select Performance Monitor. 3. In the right-hand pane, click the green plus sign. 4. In the Add Counters dialog box, scroll down to and expand PI AF Server to show the Health counter. 5. Select the Health counter and click OK. The Performance Monitor now displays the PI AF Server Health counter in the chart. The performance counter can have two values: 0 1 PI AF server is not running or cannot establish a successful connection with SQL Server, or the PI AF Service account is not member of the Windows Performance Monitor Users group. PI AF server is running and communicating successfully with SQL Server. Troubleshoot connection problems This section explains how to monitor the overall readiness of PI AF server with PI AF Server Health counter in the Windows Performance Monitor, presents some connection errors that you might encounter, and provides some possible solutions. 172 PI Asset Framework Installation and Upgrade Guide

181 PI AF configuration and maintenance Topics in this section Monitor PI AF Server and SQL Server communication Cannot connect to AF server Cannot connect to specified SQL Server Cannot connect to SQL database Cannot connect to PIFD database EXECUTE permission denied SQL Error (229) Missing stored procedure SQL Error (2812) Replication does not complete waiting for a Good SyncStatus Monitor PI AF Server and SQL Server communication You can monitor the overall readiness of PI AF server with PI AF Server Health counter in the Windows Performance Monitor. 1. On the PI AF server computer, select Control Panel > Administrative Tools > Performance Monitor. 2. In the Performance Monitor window, under Monitoring Tools, select Performance Monitor. 3. In the right-hand pane, click the green plus sign. 4. In the Add Counters dialog box, scroll down to and expand PI AF Server to show the Health counter. 5. Select the Health counter and click OK. The Performance Monitor now displays the PI AF Server Health counter in the chart. The performance counter can have two values: 0 1 PI AF server is not running or cannot establish a successful connection with SQL Server, or the PI AF Service account is not member of the Windows Performance Monitor Users group. PI AF server is running and communicating successfully with SQL Server. Cannot connect to AF server Check the following: Verify the domain and account name have been entered in the correct format. For example: DomainName\AccountName. Has the domain account been added to the appropriate group to provide the AFServer service permissions to connect to the SQL Server? See PI Asset Framework Installation and Upgrade Guide 173

182 PI AF configuration and maintenance Create the AFServers local group on the PI AF SQL database computer Configure a domain group for the PI AF application service account in a failover cluster Configure domain group for the PI AF application service in a mirrored SQL Server session Are the firewall settings correct? See Considerations for firewalls and ports for PI AF. Do you have possible DNS errors on your network? Check with your network administrator. A Service Principal Name (SPN) has not been generated for the AFServer service's domain account, if the AFServer service is running under a domain account. If the service is running under the NetworkService account, then a Service Principal Name has not been generated for the machine on which the AFServer service is running (the latter is an unlikely scenario because the NetworkService, by default, has the required permissions to generate an SPN for the machine). See Check and set permissions for SPN creation. Cannot connect to specified SQL Server Try the following: Verify that the SQL Server database engine service is running. Verify that remote communication is enabled. Verify that the protocol is enabled. Cannot connect to SQL database Try the following: Check the PI AF server s connect string for correct server\instance and database name. See Modify the PI AF application service connect string. Check SQL Server, to verify the PIFD database is not offline. Cannot connect to PIFD database Try the following: 174 PI Asset Framework Installation and Upgrade Guide

183 PI AF configuration and maintenance The account under which the PI AF application service is running does not have permission to connect to the PIFD database. Assign this account the appropriate permission. EXECUTE permission denied SQL Error (229) System.Application.Exception: The EXECUTE permission was denied on the object 'usp_afdatabase_insert', database 'PIFD' schema 'dbo'.'. System.Data.SqlClient.SqlException: The EXECUTE permission was denied on the object 'usp_getcollection', database 'PIFD', schema 'dbo'. Database role db_afserver has not been granted permission to execute this stored procedure. Try the following: Assign this account the appropriate permission. Missing stored procedure SQL Error (2812) 'SQL Error (2812) Could not find stored procedure 'dbo.usp_afdatabase_insert'.'. Use Event Viewer to see the AF service log file for more information. at OSIsoft.AF.PISystem.CheckServerError(dcServerError err) Try the following: A stored procedure is missing from the PI AF SQL database. Run GO.BAT to rerun the SQL scripts. See Execute the SQL scripts to create and populate the PI AF SQL database. Replication does not complete waiting for a Good SyncStatus If you install a PI AF collective on a SQL Server cluster, you must give the SQL Server login created for the AFServers domain group access to the PIFD_distribution database created during PI AF collective creation. See Configure distributor database security for details. If the AFServers domain group does not have the db_afserver role for the PIFD_distribution database, the collective creation will fail and display the following messages continuously in the PI AF Creation wizard: The collective <name of collective> was created successfully. The replication has started on the collective member <name of member>. This action can take some time to complete. Waiting on a (Good) SyncStatus.. Current SyncStatus(Snapshot Not Ready). Troubleshoot PI AF collectives Use the topics in this section to troubleshoot issues with PI AF collectives. Topics in this section Status details indicate no configured subscriber PI AF collective creation fails due to login failure PI Asset Framework Installation and Upgrade Guide 175

184 PI AF configuration and maintenance Snapshot creation fails due to access error PI AF collective cannot be created when SQL Server Agent is not running Status details indicate no configured subscriber PI AF collective creation fails due to login failure Snapshot creation fails due to access error PI AF collective cannot be created when SQL Server Agent is not running Status details indicate no configured subscriber This message indicates no secondary server has been configured for replication. If a secondary server has already been added to the collective, the error could indicate there is a communication problem between the primary PI AF server and secondary server, or between the secondary PI AF server and the secondary PI AF SQL database. If the failure was due to a problem between the primary and secondary PI AF server, review the PI AF event log on the secondary server for possible causes of the error. Verify the user account used in PI System Explorer has the proper access to the PI AF server. If the failure was due to a problem between the secondary PI AF server and the secondary PI AF SQL database, review the PI AF event log on the secondary PI AF SQL database for possible causes of the error. Verify the user account used in the PI System Explorer has the proper access to the PI AF SQL database. PI AF collective creation fails due to login failure When creating a collective, the Create New Collective Finishing window displays the following message in the top section: Login failed for user [DOMAIN]\[UserName]. This message indicates that the logged-on user is unable to access one of the servers included in the collective. The error is most likely related to the fact that the logged-on user does not have the correct permissions on the primary PI AF SQL database computer. Review the Application event logs on the PI AF server and PI AF SQL database computers, beginning with the primary PI AF server, to determine which computer is receiving the connection error. Be sure that the login account is given sysadmin privileges to SQL Server on the AF SQL database computer. Snapshot creation fails due to access error During creation of a PI AF collective, the Create New Collective Finishing window displays the following message in the middle section: Current SyncStatus(Snapshot not ready). In the SnapShot status row (the first row in the bottom section), the message displays: Access to the path [..\repldata\...] is denied. 176 PI Asset Framework Installation and Upgrade Guide

185 PI AF configuration and maintenance This message indicates that the SQL Server Agent service account does not have Write access to the \repldata folder for the SQL Server instance into which the primary PI AF SQL database was installed. See Configure permissions on the replication data folder. After setting the proper security permissions on the \repldata folder, exit the Create New Collective Finishing window. A message displays, indicating the primary server s replication has not finished. Click OK and return to the Collective tab in the AF Server Properties window. Delete the collective, then recreate the collective, and the snapshot is created correctly. PI AF collective cannot be created when SQL Server Agent is not running You attempt to create a collective by right-clicking a PI AF server in the AF Servers window, and selecting Create Collective. If the SQL Server Agent service for the selected PI AF server is not running, a message displays, indicating the SQL Server Agent is not running on the PI AF SQL database computer. Click OK to return to the AF Servers window. Start the SQL Server Agent service on the primary server, then create the new collective. You attempt to create a collective by right-clicking in the white area of the AF Servers window, and an error window opens, along with the Create New Collective Finishing window, indicating: SQL Server Agent is not running. Click OK to exit the error window. In the Create New Collective Finishing window the same message appears. Click Cancel to exit the window. The collective was not created. Start the SQL Server Agent service on the primary server, then create the new collective. PI Asset Framework Installation and Upgrade Guide 177

186 PI AF configuration and maintenance 178 PI Asset Framework Installation and Upgrade Guide

187 Technical support and other resources For technical assistance, contact OSIsoft Technical Support at or through the OSIsoft Tech Support Contact Us page ( The website offers additional contact options for customers outside of the United States. When you contact OSIsoft Technical Support, be prepared to provide this information: Product name, version, and build numbers Details about your computer platform (CPU type, operating system, and version number) Time that the difficulty started Log files at that time Details of any environment changes prior to the start of the issue Summary of the issue, including any relevant log files during the time the issue occurred The OSIsoft Virtual Campus (vcampus) website ( has subscription-based resources to help you with the programming and integration of OSIsoft products. PI Asset Framework Installation and Upgrade Guide 179

188 Technical support and other resources 180 PI Asset Framework Installation and Upgrade Guide