Windows Security and Domains for Experion




Today's Webinar Agenda
- Overview of Domains
- Common Setup of a Domain in an Experion Environment
- Best Practices
- Troubleshooting

Overview of Domains

Domains
- Differs from a Workgroup in that the Domain is more secure and requires less administration overhead
- Active Directory acts as a centralized repository of Domain objects
  - Some of the object types are: Domains, Forests, Sites, Organizational Units, Groups, and Users
- Tightly integrated with DNS
- Major differences from pre-Windows 2000 domains
  - All Domain Controllers in a single domain are peers (no BDCs)
  - Dynamic DNS is required

Domains
- Although all of the Domain Controllers in a domain are peers, some functions require a single Domain Controller to act as the master for a particular function; these operations are called Flexible Single Master Operations (FSMO)
  - PDC Emulator
  - Schema Master
  - Domain Naming Master
  - Infrastructure Master
  - Relative ID (RID) Master
- For proper domain authentication to occur, each domain must have at least one Global Catalog server. Note that you can have multiple Global Catalog servers.

Common Setup of a Domain in an Experion Environment

Domain Setup
- Experion Security Policy Domain
  - Includes Standard Honeywell Groups: DCS Administrators, Engineers, Supervisors, Operators
  - Standard Honeywell Group Policy Objects: Operators Policy, Engineer Policy
- TPS Domain Configuration Tool
  - Allows you to flag an OU as a TPS Domain
- In R400 both items are in the Domain Controller Security Policy

Domain Setup
- PDC Role holder is the authoritative time source for the domain
  - The PDC Role holder can be set to sync its time with its own clock, or
  - The preferred method is to sync its time with a GPS time source
- Domain Controller placement:
  - Recommendation of at least one Domain Controller on each network that services clients

Client Setup
- Experion Security Policy Workstation
  - Creates the linkdomaingroups.vbs script
  - Also has other utilities like lockdownlocal user
  - Also changes the local policy, specifically the allow log on locally policy: it removes the Users group
- Pre-R400
- Linkdomaingroups.vbs
  - All of the local directory security is based on the Honeywell Local Groups
  - Puts the standard Honeywell Domain Groups in the Honeywell Local Groups
  - C:\Program Files\Honeywell\wkstasecurity\

Client Setup
- NTPSetup
  - If Servers were authoritative time servers in a workgroup but are now in a domain, you must use the Disable All NTP configuration button. Once this is complete, hit the Change/Configure Client button.
  - Experion Servers can run as a secondary NTP time source
  - Should be run on every client node after it joins the domain

Client Setup
- Users defined as a Domain Operator will have a locked-down desktop and will need a logon script defined to launch Station, Safeview or Native Window
- Hosts files are still required on client nodes (Servers, Stations, ACE nodes) for proper Experion functionality
  - The domain controllers do not have to be in the hosts file.

Station Operator Setup
- Domain Integrated Operators
  - Single Domain User accounts
    - Can be set to multi-user (concurrent logons)
    - Can override any group setting
  - Domain Group accounts
- If errors are returned when defining the operator definition
  - The Windows users could not be found
  - The Experion Operator Management Service will need to run as a domain account (does not have to be an administrator).
  - This is normally a result of not allowing Pre-Windows 2000 authentication while setting up the Domain.

Station Operator Setup
- In general, no cached logins for Honeywell software
- When single signon is enabled there are two exceptions
  - Initial logon into Station and connecting to a server/system in Configuration Studio
  - The above is still authenticating with the domain, only it uses the cached credentials in Windows that it passes to the domain
- In all cases (Station, Signon Manager, Configuration Studio) of domain operator authentication, if the domain is unavailable the login attempt will fail.

Best Practices

Domain Best Practices
- Domain Naming
  - Should not use a single-label domain name, i.e. a domain without .local or .com
  - Domain names should correspond to NetBIOS names, like FQDN customernet.local with NetBIOS name customernet
- Reverse Lookup Zones
  - Should be created for each subnet
  - Experion does use reverse lookup calls, i.e. calls that look up the IP address to find the host name
- Windows hostname resolution order
  - DNS cache
  - DNS server
  - NetBIOS resolution method
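The naming and reverse lookup zone rules above can be checked against a planned domain before any Domain Controller is promoted. This is an added example, not part of the original presentation: the function names, sample subnets and zone list are constructed, and it assumes reverse zones are created on octet boundaries (/8, /16, /24), the usual in-addr.arpa layout.

```python
import ipaddress

def reverse_zones(cidr):
    """Return the in-addr.arpa zone names needed to cover one IPv4 subnet."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    # Assumption: zones sit on octet boundaries. Round the prefix up to
    # /8, /16 or /24; subnets smaller than /24 share the containing /24 zone.
    if net.prefixlen > 24:
        blocks = [net.supernet(new_prefix=24)]
    else:
        boundary = max(8, -(-net.prefixlen // 8) * 8)
        blocks = list(net.subnets(new_prefix=boundary))
    zones = []
    for block in blocks:
        octets = str(block.network_address).split(".")[: block.prefixlen // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones

def check_domain_plan(fqdn, netbios, subnets, existing_zones):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        findings.append(f"single-label domain name: {fqdn}")
    if netbios.lower() != labels[0]:
        findings.append(f"NetBIOS name {netbios} does not match first label of {fqdn}")
    if len(netbios) > 15:  # NetBIOS names are limited to 15 characters
        findings.append(f"NetBIOS name {netbios} is longer than 15 characters")
    have = {z.lower().rstrip(".") for z in existing_zones}
    for cidr in subnets:
        for zone in reverse_zones(cidr):
            if zone not in have:
                findings.append(f"missing reverse lookup zone {zone} for {cidr}")
    return findings

# Constructed sample plan; only customernet.local / customernet come from the slide.
PLAN = dict(fqdn="customernet.local", netbios="customernet",
            subnets=["10.1.0.0/24", "10.1.4.0/23", "10.2.0.128/25"],
            existing_zones=["0.1.10.in-addr.arpa", "4.1.10.in-addr.arpa"])

if __name__ == "__main__":
    for finding in check_domain_plan(**PLAN):
        print(finding)
```

The /23 in the sample needs two /24 reverse zones and the /25 falls inside a /24 zone that was never created, which are the two gaps the check reports.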

Domain Best Practices
- Windows Firewall setup on a Domain Controller
  - For Domains with multiple Domain Controllers
  - You must define specific ports for Active Directory Replication and File Replication Service (FRS): http://support.microsoft.com/kb/555381
  - Add the following Exceptions to the Windows firewall

Domain Best Practices
- Do not put the Domain Administrator in a restrictive group like Operators, Supervisors, Ack view Only User or View Only Users
- DNS on an FTE Domain Controller
  - Only the Yellow adapter should be bound to DNS
  - Pre-R400

Domain Best Practices
- Site Configuration
  - Define a subnet for each corresponding subnet
  - Define a Site for each Subnet
  - Move the Domain Controllers that service each subnet to the correct Site
- WINS is not recommended for Experion Domain Controllers

Troubleshooting

Troubleshooting Issues
- Slow Logon
  - Make sure that the primary DNS and secondary DNS are defined on the primary NIC on the workstation
  - Could also be a Site Configuration issue
    - Use echo %logonserver%
- Troubleshooting Group Policy
  - Using Resultant Set of Policy
    - Logging mode: can be run on a client node and Domain Controllers
    - Planning mode: on Domain Controller only
  - Group Policy Management Console
  - gpupdate and gpresult

Troubleshooting Issues
- Troubleshooting Time on the Domains
  - Each client needs to be within 5 minutes of the domain time
  - On clients:
    - net time - show the time
    - net time /set - to set the time

Troubleshooting Issues
- On Domain Controllers
  - w32tm /monitor - to view the current time configuration in the domain
  - w32tm /resync /computer:targetserver - to update this Domain Controller to the targetserver
  - w32tm /resync /rediscover - to force update with time source

Troubleshooting Issues
- Controlling local settings that cannot be controlled through Domain Group Policy
- Change the default profile of the machine
  1. Have to log in as a local administrator
     a. Make changes like mouse pointer or power management settings
  2. Log in as another local administrator
  3. Right-click My Computer, select Properties
  4. Select the Advanced tab, then select Settings under User Profiles

Troubleshooting Issues
  5. Highlight the profile for the user used in step 1
  6. In Copy To click Browse
     a. In the Copy profile to select C:\documents and settings\default user
  7. In the Permitted to use click Change
     a. Set to Everyone (note: may have to change the location to the local machine)
  8. Click OK

Troubleshooting Issues
- Overriding a Default Honeywell Group Policy Object
  - Do not change the default Honeywell Group Policy Objects
  - Create new GPOs that enable or disable specific settings
    - Do not use not configured
  - These GPOs need to have their security filter set correctly
  - Also they need to be the original Honeywell GPO in GPO application order

Troubleshooting Issues
- Replace a Domain Controller
  - Create new Domain Controller then add it to the domain
    - Use dcpromo once the server is a member of the domain
  - Move any FSMO roles off of the server that will be replaced
  - Be sure client nodes have the new Domain Controller's DNS address in their primary or secondary DNS entries
  - Use dcpromo on the old Domain Controller to demote the old Domain Controller

Troubleshooting Issues
- Upgrading a Domain
  - Use domainprep and forestprep to expand the schema to the new Windows version
  - Create new Domain Controllers then add them to the domain
    - Similar to replacing a Domain Controller, the new Domain Controller needs to be a member of the domain before running dcpromo
- Windows Support Tools
  - DCdiag

Further Information
- This presentation will be posted on OLS
- The Experion Domain/Workgroup Implementation Guide for R400, EP-DPCX13
  http://hpsweb.honeywell.com/nr/rdonlyres/b89823da-b7f2-45f1-a1a3-6fb6040f5ca7/96616/experion_domain_workgroup_implementation_guide_epd.pdf
- For further information please contact your Local Honeywell Account Manager