Windows Security and Domains for Experion

Today’s Webinar Agenda

• Overview of Domains
• Common Setup of a Domain in an Experion Environment
• Best Practices
• Troubleshooting

Document control number Honeywell Proprietary
 Honeywell.com

Overview of Domains

Domains
• Differs from a Workgroup in that the Domain is more secure and requires less administration overhead
• Active Directory acts as a centralized repository of Domain objects
  – Some of the object types are: Domains, Forests, Sites, Organizational Units, Groups, and Users
• Tightly integrated with DNS
• Major differences from pre-Windows 2000 domains
  – All Domain Controllers in a single domain are peers (no BDCs)
  – Dynamic DNS is required

Domains
• Although all of the Domain Controllers in a domain are peers, some functions require a single Domain Controller to act as the master for that function; these operations are called Flexible Single Master Operations (FSMO):
  – PDC Emulator
  – Schema Master
  – Domain Naming Master
  – Infrastructure Master
  – Relative ID (RID) Master
• For proper domain authentication to occur, each domain must have at least one Global Catalog server; note that you can have multiple Global Catalog servers
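As an added example (not from the deck or Honeywell), a PowerShell check that lists the five FSMO role holders and the Global Catalog servers described above and confirms each one answers on its LDAP port. It assumes the RSAT ActiveDirectory module and the Test-NetConnection cmdlet, both of which post-date the Windows versions this deck targets.

```powershell
# Added example, not Honeywell code: enumerate FSMO role holders and Global
# Catalog servers and check that each one answers on its LDAP port.
# Assumes the RSAT ActiveDirectory module (Windows Server 2012+ / RSAT).
Import-Module ActiveDirectory

function Get-FsmoAndGcStatus {
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # Domain-wide roles come from Get-ADDomain, forest-wide roles from Get-ADForest
    $roles = [ordered]@{
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        # An empty holder (e.g. after a failed demotion) means the role must be
        # transferred or seized before the function it controls works again
        $reachable = $false
        if ($holder) {
            $reachable = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet
        }
        [pscustomobject]@{ Item = $role; Holder = $holder; Reachable = $reachable }
    }

    # The deck requires at least one Global Catalog per domain (GC LDAP port 3268)
    if (@($forest.GlobalCatalogs).Count -eq 0) {
        Write-Warning 'No Global Catalog servers found; domain authentication will fail.'
    }
    foreach ($gc in $forest.GlobalCatalogs) {
        $reachable = Test-NetConnection -ComputerName $gc -Port 3268 -InformationLevel Quiet
        [pscustomobject]@{ Item = 'Global Catalog'; Holder = $gc; Reachable = $reachable }
    }
}

Get-FsmoAndGcStatus | Format-Table -AutoSize
```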

Common Setup of a Domain in an Experion Environment

Domain Setup
• Experion Security Policy – Domain
  – Includes the standard Honeywell Groups: DCS Administrators, Engineers, Supervisors, Operators
  – Includes the standard Honeywell Group Policy Objects: Operators Policy, Engineer Policy…
• TPS Domain Configuration Tool
  – Allows you to flag an OU as a TPS Domain
• In R400 both items are in the Domain Controller Security Policy

Domain Setup
• The PDC Role holder is the authoritative time source for the domain
  – The PDC Role holder can be set to sync its time with its own clock, or
  – The preferred method: sync its time with a GPS time source
• Domain Controller placement:
  – Recommendation of at least one Domain Controller on each network that services clients

Client Setup
• Experion Security Policy – Workstation
  – Creates the linkdomaingroups.vbs script
  – Also has other utilities like lockdownlocal user
  – Also changes the local policy, specifically the Allow log on locally policy; it removes the Users group (pre-R400)
• Linkdomaingroups.vbs
  – All of the local directory security is based on the Honeywell Local Groups
  – Puts the standard Honeywell Domain Groups in the Honeywell Local Groups
  – Located in C:\Program Files\Honeywell\wkstasecurity\

Client Setup
• NTPSetup
  – If servers were authoritative time servers in a workgroup but are now in a domain, you must use the Disable All NTP configuration button. Once this is complete, click the Change/Configure Client button
  – Experion Servers can run as a secondary NTP time source
  – Should be run on every client node after it joins the domain

Client Setup
• Users defined as a Domain Operator will have a locked-down desktop and will need a logon script defined to launch Station, SafeView or Native Window
• Hosts files are still required on client nodes (Servers, Stations, ACE nodes…) for proper Experion functionality
• The domain controllers do not have to be in the hosts file

Station Operator Setup
• Domain Integrated Operators
  – Single Domain User accounts: can be set to multi-user (concurrent logons) and can override any group setting
  – Domain Group accounts
• If errors such as “The Windows users could not be found” are returned when defining the operator definition:
  – The Experion Operator Management Service will need to run as a domain account (it does not have to be an administrator). This is normally a result of not allowing Pre-Windows 2000 authentication while setting up the Domain.

Station Operator Setup
• In general there are no cached logins for Honeywell software
• When single sign-on is enabled there are two exceptions:
  – Initial logon into Station, and connecting to a server/system in Configuration Studio
  – These still authenticate with the domain; they only use the credentials cached in Windows, which are passed to the domain
• In all cases of domain operator authentication (Station, Signon Manager, Configuration Studio), if the domain is unavailable the login attempt will fail

Best Practices

Domain Best Practices
• Domain Naming
  – Should not use a single-label domain name, i.e. a domain without .local or .com
  – Domain names should correspond to NetBIOS names, e.g. FQDN customernet.local with NetBIOS name customernet
• Reverse Lookup Zones
  – Should be created for each subnet
  – Experion does use reverse lookup calls, i.e. calls that look up the IP address to find the host name
• Windows hostname resolution order
  – DNS cache
  – DNS server
  – NetBIOS resolution method
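The reverse-lookup rule above can be checked from any Experion node. As an added example (not the deck's or Honeywell's code), this PowerShell function reads the local hosts file, which the deck says each client still needs, and confirms that DNS returns a matching PTR record for every entry; it assumes Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not Honeywell code: confirm that DNS can reverse-resolve
# every address in this node's hosts file (Experion performs IP-to-name
# lookups). Assumes Resolve-DnsName from the DnsClient module.
function Test-ExperionReverseLookup {
    param([string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts")

    Get-Content $HostsPath | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()          # strip comments and blanks
        if (-not $line) { return }                 # 'return' = next line here
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { return }        # malformed entry, skip
        $ip = $fields[0]
        $names = $fields[1..($fields.Count - 1)]

        try {
            $ptr = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop |
                    Where-Object Type -eq 'PTR').NameHost
        } catch {
            $ptr = $null                           # no reverse zone or no record
        }

        # PTR answers are FQDNs while hosts entries are usually short names,
        # so compare the first label case-insensitively
        $shortPtr = if ($ptr) { ("$ptr" -split '\.')[0] } else { '' }
        $match = $names | Where-Object { ($_ -split '\.')[0] -ieq $shortPtr }

        $status = 'OK'
        if (-not $ptr) { $status = 'MISSING PTR' }
        elseif (-not $match) { $status = 'PTR/HOSTS MISMATCH' }
        [pscustomobject]@{ IPAddress = $ip; HostsName = ($names -join ','); PtrRecord = "$ptr"; Status = $status }
    }
}

Test-ExperionReverseLookup | Format-Table -AutoSize
```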

Domain Best Practices
• Windows Firewall setup on a Domain Controller
  – For Domains with multiple Domain Controllers you must define specific ports for Active Directory Replication and File Replication Service (FRS): http://support.microsoft.com/kb/555381
  – Add the following exceptions to the Windows firewall

Domain Best Practices
• Do not put the Domain Administrator in a restrictive group like Operators, Supervisors, Ack View Only Users or View Only Users
• DNS on an FTE Domain Controller
  – Only the Yellow adapter should be bound to DNS (pre-R400)

Domain Best Practices
• Site Configuration
  – Define an Active Directory subnet for each corresponding network subnet
  – Define a Site for each Subnet
  – Move the Domain Controllers that service each subnet to the correct Site
• WINS is not recommended for Experion Domain Controllers
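As an added example (not Honeywell's code), a PowerShell audit of the three site-configuration rules above: every expected subnet is defined and mapped to its site, and every Domain Controller is registered in the site whose subnet contains its address. The site names and subnets in $ExpectedSites are constructed sample data; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not Honeywell code: audit AD Sites and Services against the
# rules above. $ExpectedSites is a constructed sample mapping of site names to
# the network subnets they serve. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$ExpectedSites = @{                                   # constructed sample data
    'Level2-Control'  = @('10.1.0.0/24', '10.1.1.0/24')
    'Level3-Business' = @('10.3.0.0/24')
}

function Test-IpInCidr([ipaddress]$Ip, [string]$Cidr) {
    # Byte-wise prefix comparison (no 32-bit shift arithmetic needed)
    $net, $bits = $Cidr -split '/'
    $a = $Ip.GetAddressBytes(); $b = ([ipaddress]$net).GetAddressBytes()
    $left = [int]$bits
    for ($i = 0; $i -lt 4; $i++) {
        $mask = (0xFF -shl (8 - [Math]::Min(8, [Math]::Max(0, $left)))) -band 0xFF
        if (($a[$i] -band $mask) -ne ($b[$i] -band $mask)) { return $false }
        $left -= 8
    }
    return $true
}

function Test-ExperionSiteConfig([hashtable]$Expected) {
    $subnets = Get-ADReplicationSubnet -Filter *
    # Rules 1 and 2: each expected subnet exists and is mapped to its site
    foreach ($site in $Expected.Keys) {
        foreach ($cidr in $Expected[$site]) {
            $s = $subnets | Where-Object Name -eq $cidr
            $siteName = if ($s.Site) { ($s.Site -split ',')[0] -replace '^CN=', '' } else { '' }
            $status = 'OK'
            if (-not $s) { $status = 'SUBNET NOT DEFINED' }
            elseif (-not $s.Site) { $status = 'NO SITE ASSIGNED' }
            elseif ($siteName -ne $site) { $status = "WRONG SITE ($siteName)" }
            [pscustomobject]@{ Check = "Subnet $cidr"; Expected = $site; Status = $status }
        }
    }
    # Rule 3: each Domain Controller is registered in the site whose subnet holds its IP
    foreach ($dc in Get-ADDomainController -Filter *) {
        $homeSite = $Expected.Keys | Where-Object {
            $site = $_; @($Expected[$site] | Where-Object { Test-IpInCidr $dc.IPv4Address $_ }).Count -gt 0
        } | Select-Object -First 1
        $status = 'OK'
        if (-not $homeSite) { $status = 'IP NOT IN ANY KNOWN SUBNET' }
        elseif ($dc.Site -ne $homeSite) { $status = "MOVE TO SITE $homeSite" }
        [pscustomobject]@{ Check = "DC $($dc.HostName)"; Expected = $homeSite; Status = $status }
    }
}
Test-ExperionSiteConfig $ExpectedSites | Format-Table -AutoSize
```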

Troubleshooting

Troubleshooting Issues
• Slow Logon
  – Make sure that the primary DNS and secondary DNS are defined on the primary NIC on the workstation
  – Could also be a Site Configuration issue
  – Use echo %logonserver% to identify the Domain Controller that authenticated the session
• Troubleshooting Group Policy
  – Using Resultant Set of Policy: Logging mode can be run on a client node and on Domain Controllers; Planning mode on a Domain Controller only
  – Group Policy Management Console
  – gpupdate and gpresult
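As an added example (not from the deck), a PowerShell diagnostic run on the slow workstation that gathers the three slow-logon items above: the DNS servers on the primary NIC, the authenticating Domain Controller from %LOGONSERVER%, and whether that Domain Controller belongs to the same site as the client. It assumes the NetTCPIP, DnsClient and RSAT ActiveDirectory modules and parses the output of nltest /dsgetsite.

```powershell
# Added example, not Honeywell code: run on the slow workstation to collect the
# three checks above. Assumes the NetTCPIP and DnsClient modules (Windows 8 /
# Server 2012+), the RSAT ActiveDirectory module, and the nltest tool.
Import-Module ActiveDirectory

function Get-SlowLogonDiagnostics {
    # Treat the adapter carrying the IPv4 default route as the primary NIC
    $primaryIf = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
                  Sort-Object RouteMetric | Select-Object -First 1).InterfaceIndex
    $dns = @((Get-DnsClientServerAddress -InterfaceIndex $primaryIf -AddressFamily IPv4).ServerAddresses)

    # Same value the deck reads with echo %logonserver%, minus the leading backslashes
    $logonServer = $env:LOGONSERVER -replace '^\\\\', ''

    # Site the client resolved itself into (first output line of nltest /dsgetsite)
    $clientSite = "$(nltest /dsgetsite 2>$null | Select-Object -First 1)".Trim()
    $dcSite = (Get-ADDomainController -Identity $logonServer).Site

    $dnsStatus = 'OK'
    if ($dns.Count -eq 0) { $dnsStatus = 'NO DNS SERVER ON PRIMARY NIC' }
    elseif ($dns.Count -eq 1) { $dnsStatus = 'NO SECONDARY DNS SERVER' }

    [pscustomobject]@{
        PrimaryNicDnsServers = ($dns -join ', ')
        DnsStatus            = $dnsStatus
        LogonServer          = $logonServer
        ClientSite           = $clientSite
        LogonServerSite      = $dcSite
        SiteStatus           = if ($clientSite -eq $dcSite) { 'OK' } else { 'DC FROM ANOTHER SITE: check subnet/site mapping' }
    }
}

Get-SlowLogonDiagnostics | Format-List
```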

Troubleshooting Issues
• Troubleshooting Time on the Domains
  – Each client needs to be within 5 minutes of the domain time
  – On clients:
    • net time – show the time
    • net time /set – set the time

Troubleshooting Issues
• On Domain Controllers:
  – w32tm /monitor – view the current time configuration in the domain
  – w32tm /resync /computer:targetserver – update this Domain Controller from the targetserver
  – w32tm /resync /rediscover – force an update from the time source
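As an added example serving both this slide and the 5-minute rule on the previous one (not Honeywell's code), a PowerShell check that samples each node's clock against the PDC Emulator with w32tm /stripchart and flags any node whose skew exceeds the tolerance. The host names in $Nodes are constructed; it assumes the RSAT ActiveDirectory module and that NTP (UDP 123) is reachable on the sampled nodes.

```powershell
# Added example, not Honeywell code: compare each node's clock with the PDC
# Emulator (the domain's authoritative time source) and flag skew beyond the
# 5-minute Kerberos tolerance. $Nodes holds constructed sample host names.
# Assumes the RSAT ActiveDirectory module and NTP (UDP 123) reachability.
Import-Module ActiveDirectory

$Nodes = @('EXPSVRA', 'EXPSVRB', 'STN01')   # constructed sample node names

function Get-OffsetFromLocal([string]$Computer) {
    # w32tm /stripchart reports the remote clock's offset from this machine;
    # with /dataonly each sample line looks like "12:00:01, +00.0123456s"
    $out = w32tm /stripchart /computer:$Computer /samples:3 /dataonly 2>&1
    $samples = foreach ($line in $out) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (@($samples).Count -eq 0) { return $null }    # unreachable or NTP blocked
    return ($samples | Measure-Object -Average).Average
}

function Test-DomainClockSkew([string[]]$Computers, [double]$MaxSkewSeconds = 300) {
    $pdc = (Get-ADDomain).PDCEmulator
    $pdcOffset = Get-OffsetFromLocal $pdc
    if ($null -eq $pdcOffset) { throw "Cannot sample time from PDC Emulator $pdc" }

    foreach ($c in $Computers) {
        # Both offsets are relative to this machine, so their difference is the
        # node's skew from the PDC regardless of the local clock's own error
        $o = Get-OffsetFromLocal $c
        $skew = if ($null -ne $o) { [Math]::Round($o - $pdcOffset, 3) } else { $null }
        $status = 'OK'
        if ($null -eq $skew) { $status = 'UNREACHABLE' }
        elseif ([Math]::Abs($skew) -gt $MaxSkewSeconds) { $status = 'OUT OF TOLERANCE: run w32tm /resync on this node' }
        [pscustomobject]@{ Computer = $c; SkewSeconds = $skew; Status = $status }
    }
}

Test-DomainClockSkew -Computers $Nodes | Format-Table -AutoSize
```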

Troubleshooting Issues
• Controlling local settings that cannot be controlled through Domain Group Policy
  – Change the default profile of the machine:
  1. Log in as a local administrator
     a. Make changes like mouse pointer or power management settings
  2. Log in as another local administrator
  3. Right-click My Computer and select Properties
  4. Select the Advanced tab, then select Settings under User Profiles
  5. Highlight the profile for the user used in step 1
  6. Under Copy To, click Browse
     a. In Copy profile to, select C:\documents and settings\default user
  7. Under Permitted to use, click Change
     a. Set to Everyone; note that you may have to change the location to the local machine
  8. Click OK

Troubleshooting Issues
• Overriding a Default Honeywell Group Policy Object
  – Do not change the default Honeywell Group Policy Objects
  – Create new GPOs that enable or disable specific settings
  – Do not use Not Configured
  – These GPOs need to have their security filter set correctly
  – They also need to take precedence over the original Honeywell GPO in the GPO application order
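As an added example (not Honeywell's code), a PowerShell check for the last two bullets: it confirms that the override GPO is linked ahead of the Honeywell default on the OU and that its Apply permission is filtered to specific groups rather than Authenticated Users. The OU distinguished name and the override GPO name are constructed placeholders; 'Operators Policy' is the Honeywell default named in the deck. It assumes the RSAT GroupPolicy module.

```powershell
# Added example, not Honeywell code: verify that a site-specific override GPO
# wins over the default Honeywell GPO on an OU and is security-filtered to
# specific groups. The OU and override GPO names are constructed placeholders;
# 'Operators Policy' is the Honeywell default named in the deck.
# Assumes the RSAT GroupPolicy module.
Import-Module GroupPolicy

function Test-GpoOverride([string]$OU, [string]$HoneywellGpo, [string]$OverrideGpo) {
    $links = (Get-GPInheritance -Target $OU).GpoLinks
    $hw = $links | Where-Object DisplayName -eq $HoneywellGpo
    $ov = $links | Where-Object DisplayName -eq $OverrideGpo
    if (-not $hw -or -not $ov) { throw "Both GPOs must be linked to $OU" }

    # Link order 1 is processed last and therefore has the highest precedence:
    # the override must have a lower Order number than the Honeywell GPO
    $precedenceOk = ($ov.Order -lt $hw.Order) -and $ov.Enabled

    # Security filtering = who holds the Apply permission on the override GPO;
    # 'Authenticated Users' would apply it to everyone in the OU
    $apply = Get-GPPermission -Name $OverrideGpo -All | Where-Object { "$($_.Permission)" -eq 'GpoApply' }
    $trustees = @($apply | ForEach-Object { $_.Trustee.Name })
    $filterOk = ($trustees.Count -gt 0) -and ($trustees -notcontains 'Authenticated Users')

    [pscustomobject]@{
        OverrideLinkOrder  = $ov.Order
        HoneywellLinkOrder = $hw.Order
        PrecedenceOK       = $precedenceOk
        AppliesTo          = ($trustees -join ', ')
        SecurityFilterOK   = $filterOk
    }
}

# Constructed names: replace with the real OU DN and override GPO name
Test-GpoOverride -OU 'OU=Operators,DC=customernet,DC=local' -HoneywellGpo 'Operators Policy' -OverrideGpo 'Operators Policy - Site Override' | Format-List
```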

Troubleshooting Issues
• Replace a Domain Controller
  – Create the new Domain Controller, then add it to the domain
  – Use dcpromo once the server is a member of the domain
  – Move any FSMO roles off of the server that will be replaced
  – Be sure client nodes have the new Domain Controller's DNS address in their primary or secondary DNS entries
  – Use dcpromo on the old Domain Controller to demote it

Troubleshooting Issues
• Upgrading a Domain
  – Use domainprep and forestprep to extend the schema to the new Windows version
  – Create new Domain Controllers, then add them to the domain
  – As when replacing a Domain Controller, the new Domain Controller needs to be a member of the domain before running dcpromo
• Windows Support Tools
  – dcdiag

Further Information
• This presentation will be posted on OLS
• The Experion Domain/Workgroup Implementation Guide for R400, EP-DPCX13
  – http://hpsweb.honeywell.com/NR/rdonlyres/B89823DA-B7F2-45F1-A1A3-6FB6040F5CA7/96616/Experion_Domain_Workgroup_Implementation_Guide_EPD.pdf
• For further information please contact your local Honeywell Account Manager