![Page 1: Windows Security and Domains for Experion - … Security and Domains for Experion Presenter’s name here Date of presentation (optional) Honeywell Proprietary ... • DCdiag. Honeywell](https://reader034.vdocuments.net/reader034/viewer/2022042502/5aba98bc7f8b9a441d8bd640/html5/thumbnails/1.jpg)
Windows Security and Domains for Experion
Presenter’s name here
Date of presentation (optional)
Honeywell Proprietary
Honeywell.com
2Document control number
Today’s Webinar Agenda
• Overview of Domains
• Common Setup of a Domain in an Experion Environment
• Best Practices
• Troubleshooting
Overview of Domains
Domains
• Differs from a Workgroup in that the Domain is more secure and requires less administration overhead
• Active Directory acts as a Centralized Repository of Domain objects
  – Some of the object types are: Domains, Forests, Sites, Organizational Units, Groups, and Users
• Tightly integrated with DNS
• Major differences from pre-Windows 2000 domains
  – All Domain Controllers in a single domain are peers; there are no BDCs
  – Dynamic DNS is required
Domains
• Although all of the Domain Controllers in a domain are peers, some functions require a single Domain Controller to act as the master for a particular function. These operations are called Flexible Single Master Operations (FSMO):
  – PDC Emulator
  – Schema Master
  – Domain Naming Master
  – Infrastructure Master
  – Relative ID (RID) Master
• For proper domain authentication to occur, each domain must have at least one Global Catalog server; note that you can have multiple Global Catalog servers
Common Setup of a Domain in an Experion Environment
Domain Setup
• Experion Security Policy – Domain
  – Includes Standard Honeywell Groups: DCS Administrators, Engineers, Supervisors, Operators
  – Standard Honeywell Group Policy Objects: Operators Policy, Engineer Policy…
• TPS Domain Configuration Tool
  – Allows you to flag an OU as a TPS Domain
• In R400 both items are in the Domain Controller Security Policy
Domain Setup
• PDC Role holder is the authoritative time source for the domain
• The PDC Role holder can be set to sync its time with its own clock, or
  – The preferred method is to sync its time with a GPS time source
• Domain Controller placement:
  – Recommendation of at least one Domain Controller on each network that services clients
Client Setup
• Experion Security Policy – Workstation
  – Creates the linkdomaingroups.vbs script
  – Also has other utilities like lockdownlocal user
  – Also changes the local policy, specifically the Allow log on locally policy: it removes the Users group (Pre-R400)
• Linkdomaingroups.vbs
  – All of the local directory security is based on the Honeywell Local Groups
  – Puts the standard Honeywell Domain Groups in the Honeywell Local Groups
  – C:\Program Files\Honeywell\wkstasecurity\
Client Setup
• NTPSetup
  – If Servers were authoritative time servers in a workgroup but are now in a domain, you must use the Disable All NTP configuration button. Once this is complete, hit the Change/Configure Client button
  – Experion Servers can run as a secondary NTP time source
  – Should be run on every client node after it joins the domain
Client Setup
• Users defined as a Domain Operator will have a locked-down desktop and will need a logon script defined to launch Station, SafeView or Native Window
• Hosts files are still required on client nodes (Servers, Stations, ACE nodes…) for proper Experion functionality
• The domain controllers do not have to be in the hosts file.
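A client-side check for the two hosts-file points above, as an added example that is not part of the Honeywell deck: it parses the local hosts file, confirms each Experion node has an entry whose address agrees with DNS (forward and reverse, since Experion performs reverse lookups), and confirms the domain controllers are located through DNS alone. The node names and the customernet.local domain are assumed values; Resolve-DnsName requires Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the Honeywell deck. Node names and domain below are assumed.
$ExperionNodes = @('ESVA01', 'ESVB01', 'STN01', 'ACE01')   # assumed Experion node names
$DomainName    = 'customernet.local'                         # example FQDN used in the deck
$HostsPath     = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Parse the hosts file into a name -> IP map (comments and blank lines skipped).
function Get-HostsEntries {
    param([string]$Path = $HostsPath)
    $map = @{}
    foreach ($line in Get-Content -Path $Path -ErrorAction Stop) {
        $text = ($line -split '#', 2)[0].Trim()          # strip trailing comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }            # an address with no host name
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $map[$name.ToLowerInvariant()] = $fields[0]
        }
    }
    return $map
}

# One row per Experion node: present in hosts file, resolvable in DNS forward and
# reverse (Experion uses reverse lookups), and hosts-file IP agrees with the DNS A record.
function Test-ExperionNameResolution {
    param([string[]]$Nodes = $ExperionNodes, [string]$Domain = $DomainName)
    $hosts = Get-HostsEntries
    foreach ($node in $Nodes) {
        $key = $node.ToLowerInvariant()
        $a = Resolve-DnsName -Name "$node.$Domain" -Type A -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'A' | Select-Object -First 1
        $ptr = if ($a) { Resolve-DnsName -Name $a.IPAddress -Type PTR -DnsOnly -ErrorAction SilentlyContinue }
        [pscustomobject]@{
            Node            = $node
            InHostsFile     = $hosts.ContainsKey($key)
            DnsForward      = [bool]$a
            DnsReverse      = [bool]$ptr
            HostsMatchesDns = [bool]($a -and $hosts.ContainsKey($key) -and $hosts[$key] -eq $a.IPAddress)
        }
    }
}

# Domain controllers are located through the _ldap._tcp.dc._msdcs SRV record, so they
# need no hosts-file entry; list them and report whether each also appears in the hosts file.
function Test-DomainControllerResolution {
    param([string]$Domain = $DomainName)
    $hosts = Get-HostsEntries
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV' | ForEach-Object {
            $short = ($_.NameTarget -split '\.')[0].ToLowerInvariant()
            [pscustomobject]@{ DomainController = $_.NameTarget; InHostsFile = $hosts.ContainsKey($short) }
        }
}
Test-ExperionNameResolution | Format-Table -AutoSize
Test-DomainControllerResolution | Format-Table -AutoSize
```

A node with InHostsFile true but HostsMatchesDns false has a stale hosts entry, which is the usual cause of a Station that reaches the server by name from some nodes but not others.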
Station Operator Setup
• Domain Integrated Operators
  – Single Domain User accounts
    • Can be set to multi-user (concurrent logons)
    • Can override any group setting
  – Domain Group accounts
• If errors are returned when defining the operator definition
  – “The Windows users could not be found”
  – The Experion Operator Management Service will need to run as a domain account (it does not have to be an administrator). This is normally a result of not allowing Pre-Windows 2000 authentication while setting up the Domain.
Station Operator Setup
• In general there are no cached logins for Honeywell software
• When single sign-on is enabled there are two exceptions
  – Initial logon into Station and connecting to a server/system in Configuration Studio
  – The above still authenticates with the domain; it only uses the cached credentials in Windows, which it passes to the domain
• In all cases (Station, Signon Manager, Configuration Studio) of domain operator authentication, if the domain is unavailable the login attempt will fail.
Best Practices
Domain Best Practices
• Domain Naming
  – Should not use a single-label domain name, i.e. a domain without .local or .com
  – Domain names should correspond to NetBIOS names, e.g. FQDN customernet.local with NetBIOS name customernet
• Reverse Lookup Zones
  – Should be created for each subnet
  – Experion does use reverse lookup calls, i.e. calls that look up the IP address to find the host name
• Windows hostname resolution order
  – DNS cache
  – DNS server
  – NetBIOS resolution method
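The naming and reverse-zone rules above, turned into a check as an added example (not from the Honeywell deck): the first function applies the single-label and NetBIOS-correspondence rules to a proposed domain name, the second derives the in-addr.arpa zone a subnet needs, and the third asks the DNS server whether that zone exists. The subnets at the end are assumed values; Resolve-DnsName requires Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the Honeywell deck. Subnet values at the end are assumed.
function Test-ExperionDomainNaming {
    param([Parameter(Mandatory)][string]$Fqdn, [Parameter(Mandatory)][string]$NetBiosName)
    $labels = $Fqdn.Split('.')
    $issues = @()
    if ($labels.Count -lt 2) {
        $issues += "Single-label domain name '$Fqdn' (needs a suffix such as .local or .com)"
    }
    if ($labels[0] -ne $NetBiosName) {            # -ne is case-insensitive in PowerShell
        $issues += "NetBIOS name '$NetBiosName' does not correspond to the first DNS label '$($labels[0])'"
    }
    if ($NetBiosName.Length -gt 15) {             # NetBIOS names are limited to 15 characters
        $issues += "NetBIOS name '$NetBiosName' is longer than 15 characters"
    }
    [pscustomobject]@{ Fqdn = $Fqdn; NetBiosName = $NetBiosName; Ok = ($issues.Count -eq 0); Issues = $issues }
}

# Reverse zones are created on octet boundaries: a 10.1.2.0/24 network needs the zone
# 2.1.10.in-addr.arpa. Prefix lengths that are not multiples of 8 round down to whole octets.
function Get-ReverseZoneName {
    param([Parameter(Mandatory)][string]$Cidr)      # e.g. '10.1.2.0/24'
    $network, $prefix = $Cidr.Split('/')
    $octets = $network.Split('.')
    $keep = [int][math]::Min(3, [math]::Floor([int]$prefix / 8))
    if ($keep -lt 1) { throw "Prefix /$prefix is too short for an in-addr.arpa zone" }
    $reversed = @($octets[0..($keep - 1)])
    [array]::Reverse($reversed)
    return ($reversed -join '.') + '.in-addr.arpa'
}

# Query each zone's SOA record; a missing zone means PTR lookups for that subnet will fail.
function Test-ReverseLookupZones {
    param([Parameter(Mandatory)][string[]]$Subnets)
    foreach ($subnet in $Subnets) {
        $zone = Get-ReverseZoneName -Cidr $subnet
        $soa  = Resolve-DnsName -Name $zone -Type SOA -DnsOnly -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Subnet      = $subnet
            ReverseZone = $zone
            ZoneExists  = [bool]($soa | Where-Object Type -eq 'SOA')
        }
    }
}

Test-ExperionDomainNaming -Fqdn 'customernet.local' -NetBiosName 'customernet'   # the deck's own example pair
Test-ExperionDomainNaming -Fqdn 'customernet' -NetBiosName 'customernet'         # single-label name, flagged
Test-ReverseLookupZones -Subnets @('10.1.2.0/24', '10.1.3.0/24') | Format-Table -AutoSize   # assumed subnets
```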
Domain Best Practices
• Windows Firewall setup on a Domain Controller
  – For Domains with multiple Domain Controllers
    • You must define specific ports for Active Directory Replication and File Replication Service (FRS): http://support.microsoft.com/kb/555381
    • Add the following Exceptions to the Windows firewall
Domain Best Practices
• Do not put the Domain Administrator in a restrictive group like Operators, Supervisors, Ack View Only Users or View Only Users
• DNS on an FTE Domain Controller
  – Only the Yellow adapter should be bound to DNS (Pre-R400)
Domain Best Practices
• Site Configuration
  – Define a subnet for each corresponding subnet
  – Define a Site for each Subnet
  – Move the Domain Controllers that service each subnet to the correct Site
• WINS is not recommended for Experion Domain Controllers
Troubleshooting
Troubleshooting issues
• Slow Logon
  – Make sure that the primary DNS and secondary DNS are defined on the primary NIC on the workstation
  – Could also be a Site Configuration issue
  – Use echo %logonserver%
• Troubleshooting Group Policy
  – Using Resultant Set of Policy
    • Logging mode: can be run on a client node and on Domain Controllers
    • Planning mode: on a Domain Controller only
  – Group Policy Management Console
  – gpupdate and gpresult
Troubleshooting Issues
• Troubleshooting Time on the Domains
  – Each client needs to be within 5 minutes of the domain time
  – On clients:
    • net time - show the time
    • net time /set - to set the time
Troubleshooting Issues
• On Domain Controllers
  – w32tm /monitor - to view the current time configuration in the domain
  – w32tm /resync /computer:targetserver – to update this Domain Controller to the targetserver
  – w32tm /resync /rediscover – to force an update with the time source
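The two slides above give the 5-minute rule and the w32tm commands; as an added example that is not part of the Honeywell deck, the function below parses w32tm /monitor output and flags every machine whose NTP offset from the time source exceeds that tolerance (300 seconds is also the default Kerberos clock-skew limit, which is why logons fail past it). The sample output and host names are constructed; w32tm /monitor /computers:name1,name2 can point the same check at client nodes.

```powershell
# Added example, not from the Honeywell deck. Sample output below is constructed.
function Get-W32tmOffsets {
    param(
        [Parameter(Mandatory)][string[]]$MonitorOutput,   # lines of 'w32tm /monitor' output
        [int]$MaxSkewSeconds = 300                        # the deck's 5-minute tolerance
    )
    $currentHost = $null
    $isPdc = $false
    foreach ($line in $MonitorOutput) {
        # Host header lines look like "dc01.domain.local *** PDC ***[10.1.2.10:123]:"
        if ($line -match '^(?<host>\S+).*\[(?<addr>[^\]]+)\]:\s*$') {
            $currentHost = $Matches.host
            $isPdc = $line -match '\*\*\* PDC \*\*\*'
        }
        # Offset lines look like "    NTP: -412.5210000s offset from dc01.domain.local"
        elseif ($currentHost -and $line -match 'NTP:\s*(?<offset>[+-]?\d+(\.\d+)?)s offset') {
            $offset = [double]$Matches.offset
            [pscustomobject]@{
                Host            = $currentHost
                IsPdc           = $isPdc
                OffsetSeconds   = $offset
                WithinTolerance = ([math]::Abs($offset) -le $MaxSkewSeconds)
            }
        }
    }
}

# Constructed sample: dc02 is almost 7 minutes behind the PDC emulator, so Kerberos
# tickets issued by either DC will be rejected by the other until it is resynced.
$sample = @'
dc01.customernet.local *** PDC ***[10.1.2.10:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc01.customernet.local
        RefID: 'GPS ' [0x47505320]
        Stratum: 1
dc02.customernet.local[10.1.3.10:123]:
    ICMP: 1ms delay
    NTP: -412.5210000s offset from dc01.customernet.local
        RefID: dc01.customernet.local [10.1.2.10]
        Stratum: 2
'@

$results = Get-W32tmOffsets -MonitorOutput ($sample -split "`r?`n")
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.WithinTolerance } | ForEach-Object {
    Write-Warning "$($_.Host) is $($_.OffsetSeconds)s from the time source; run w32tm /resync /rediscover there"
}

# Live use on a domain controller: Get-W32tmOffsets -MonitorOutput (w32tm /monitor)
```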
Troubleshooting Issues
• Controlling local settings that cannot be controlled through Domain Group Policy
  – Change the default profile of the machine
    1. Have to login as a local administrator
       a. Make changes like mouse pointer or power management settings
    2. Login as another local administrator
    3. Right-click My Computer and select Properties
    4. Select the Advanced tab, then select Settings under User Profiles
Troubleshooting Issues
    5. Highlight the profile for the user used in step 1
    6. In Copy To, click Browse
       a. In Copy profile to, select C:\documents and settings\default user
    7. In Permitted to use, click Change
       a. Set to Everyone; note that you may have to change the location to the local machine
    8. Click OK
Troubleshooting Issues
• Overriding a Default Honeywell Group Policy Object
  – Do not change the default Honeywell Group Policy Objects
  – Create new GPOs that enable or disable specific settings
    • Do not use Not Configured
  – These GPOs need to have their security filter set correctly
  – They also need to take precedence over the original Honeywell GPO in GPO application order
Troubleshooting Issues
• Replace a Domain Controller
  – Create the new Domain Controller, then add it to the domain
  – Use dcpromo once the server is a member of the domain
  – Move any FSMO roles off of the server that will be replaced
  – Be sure client nodes have the new Domain Controller’s DNS address in their primary or secondary DNS entries
  – Use dcpromo on the old Domain Controller to demote it
Troubleshooting Issues
• Upgrading a Domain
  – Use domainprep and forestprep to expand the schema to the new Windows version
  – Create new Domain Controllers, then add them to the domain
    • Similar to replacing a Domain Controller, the new Domain Controller needs to be a member of the domain before running DCpromo
• Windows Support Tools
  – DCdiag
Further Information
• This presentation will be posted on OLS
• The Experion Domain/Workgroup Implementation Guide for R400, EP-DPCX13
  – http://hpsweb.honeywell.com/NR/rdonlyres/B89823DA-B7F2-45F1-A1A3-6FB6040F5CA7/96616/Experion_Domain_Workgroup_Implementation_Guide_EPD.pdf
• For further information please contact your Local Honeywell Account Manager