Currently our DeltaV workstations are setup to login to a workgroup which will be an Administration headache once we start adding individual accounts on multiple workstations.
Would a Domain controller on the Proplus help without adding headaches in other areas such as when the domain controller is down or being worked on?
Would changing a computer's membership from Workgroup to Domain interrupt the current DeltaV environment?
In order to establish your proplus as a dc, you will basically need to rebuild it. Uninstall deltav, assign the dc role, reinstall dv.
Then all workstations will need to join domain and rerun workstation configuration.
It is really the sort of activity done during a turnaround or maintenance outage, though on line upgrades are offered though Emerson sure service, I believe (the controllers can be left operational during the procezs).
The benefits of a domain are worth it, ultimately. Be aware, you should set up at least two domain controllers to ensure authentication and dns is not interrupted.
Youssef El-Bahtimy | Systems Integration Technologist PROCONEX | 103 Enterprise Drive | Royersford, PA 19468 USA Proconex Office: 610 495 2970 | Cell: 267 275 7513 Youssef.El-Bahtimy@ProconexDirect.com
A very good suggestion regarding terminal service role installation.
Just don't activate the terminal server. If you do, after the grace period expires, you will either have to deactivate or license in order to continue to use either the free admin sessions or any additional licensed sessions.
The deltav installation will occur aware of the role so that registration can progress correctly, even if you never use it.
To piggy back upon this topic, I have a question about a hang up I ran into last night:
On a new project I'm creating a Pro+. Apparently Windows 7 does not have the necessary functionality to be a domain controller (I read this on a MS chat board after failing to get the Pro+ Workstation config to complete using a Domain Environment.)
Can anyone confirm that this is the case and thus in order to use a domain environment for the Pro+, the server must be running on Server 2008?
Thanks, Brian
Brian McWhorter ISA:CAP OPC:SI PE:CSE
In reply to bmcwhorter:
I was discussing this exact question today with our local rep. We have been using work groups and a work station for the ProPlus since we first installed DeltaV in 2000, mainly to get 2 monitors on the ProPlus. Based on the upcoming security enhancements that we will be required to follow (automated A/V patching, automated MS patching, individual user accounts, etc), we will have to move to the domain enviornment.
Per our local rep, the ProPlus must be the primary domain controller. That means that the ProPlus must be a server if the domain enviornment is used.
In reply to Alan K:
Alan, you may want to confirm the requirement that the ProPlus must be the doman controller. I know this was the case in the past, but I was told recently that it is no longer true. It might depend on the version of DeltaV you are running.
@ bmcwhorter, I can confirm, you must use a server os for domain controller functionality.
In reply to Tyler Anderson:
It does require server OS. That is actually a Windows requirement I believe.
The other question is whether the primary domain controller HAS to be on the ProPlus. Our local rep says it does. Others on this forum are suggesting that maybe it could be on another DeltaV server such as the App Station or Base Station.
Consider the following: If your DeltaV system is large enough for a domain architecture to be worthwhile, then selecting a Server class machine for the fundamental infrastructure of the control system makes sense. If you don't need to manage dozens of appstations and workstations, then a workgroup and all Windows 7 machines might suffice.
I would suggest following the system capacities and compatibility guidelines (in the release notes) to ensure you correctly estimate and size the loading needed for your system. You wouldn't want a Windows 7 box acting as database server if you intend on having +20 engineers working simultaneously on database configuration, for instance.
In reply to Youssef.El-Bahtimy:
Anything over one workstation in a system, make it a domain system. You'll thank us later!
In reply to Otto Von Steele:
The Pro Plus must be a Domain Controller and only Server OS can be set up as a DC. This is primarily because DeltaV software install of the Pro Plus links DeltaV User Manager to the local accounts on the pro plus, and these accounts happen to be the Domain accounts. You cannot run DeltaV in a domain unless the Pro Plus is set up as a domain controller. Some have installed Server OS on Workstation computers, but then you are left with an Unsupported combination of OS and hardware. You should use a Server platform for Server OS and install the Pro Plus in a fully supported environment. Current release of DeltaV uses Server 2008 R2.
Domain accounts are cached on each workstation when ever some one logs on to that workstation with a domain account. If the DC is unavailable, you can still log on to any workstation provided it is with a domain account that at one point logged on to that computer. Say you had two operators, Bert and Ernie. If Bert always logged on to station 1 but Ernie logged on to both stations, if the DC were shutdown, Ernie would still be able to log on to both stations, but Bert would only be able to log on to station 1 because his domain account was never used on station 2, and so is not cached there.
A second Domain controller is recommended, more to preserve the domain incase of a loss of the Pro Plus, requiring a rebuild. The new server can join the domain maintained by the second DC, and save you rebuilding the domain. It also allows any logon to occur on any station as the domain accounts are still available and you are not using a cached account. The second DC can be an App station or a non DeltaV node dedicated to this function. If it is not a DeltaV Node, make sure you use the reserved network addresses for such nodes.
For smaller systems that use generic accounts (Operator, Maintenance, Supervisor etc) and do not use individual user accounts, a Domain has marginal benefit. But as soon as you start looking at implementing a structured security model, individual accounts or add more than a few workstations, the Domain Controller becomes indispensable as a tool for managing the system accounts. How many stations are needed to warrant a DC? that depends on several factors, including user familiarity with domains. DeltaV has minimal requirements on the DC and DeltaV User Manager will create the Windows Domain users on the Pro Plus so you don't have to know much to make use of the DC. Once a DC is deemed necessary, it must be set up on the Pro Plus, which as Youssef explained, requires a re-install of DeltaV. If you have a Windows 7 OS machine, you're re-installing on the Server anyway.
Andre Dicaire
According to the replies, Domain is preferred but it would be advantages to build the domain servers at install or during downtime. Thanks for the shared info..
During DeltaV installation the DC has to be ProPlus but once everything is up and running you can have another DC and DNS (App Station). In fact for really large installation, like DeltaV configuration database + VCAT, you probably want to offload your ProPlus as DC. Note that DC role is pretty taxing to the machine.
In reply to Lun.Raznik:
I would state that having a second DC is almost a necessity to ensure continuity of authentication, and in the event the Pro-plus fails, the trouble of rebuilding the domain as opposed to rebuilding just the pro-plus.
I cannot find any documentation to support off-loading the DC role from the pro-plus, however.
As far as I know the Pro+ has to be the main DC in a DeltaV system. At least this is the only supported implementation. Since authentication is very important both for user and services to ensure availability to the system I would be very, very careful not to try and "back-door" any attempt to create a separate main DC on DeltaV as it will likely lead to user access issues. Considering the infrequent logging into DeltaV at the Windows level on most system and the relatively small user database compared to a IT system I am not sure why the DC role would be "taxing to the machine".