Windows-Domain-Implementation-Guide-for-Windows-Server-2016-EPDOC-X472-en-A

The document is a guide for implementing Microsoft Windows domain controllers specifically for Experion PKS on Windows Server 2016. It covers hardware and software requirements, installation procedures, and post-installation tasks, along with guidelines for domain controller setup and migration. The intended audience includes customers and IT staff involved in integrating process domains into corporate hierarchies.


HPS/PMT

Experion PKS
Windows Domain Implementation Guide
for Windows Server 2016

EPDOC-X472-en-A

July 2018
© Honeywell International Sàrl 2018. All Rights Reserved.

This document is the confidential and proprietary information of Honeywell. Reproduction and distribution of these
materials without the express written consent of Honeywell is strictly forbidden.

While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied
warranties of merchantability and fitness for a purpose and makes no express warranties except as may be
stated in its written agreement with and for its customer.

In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The information and
specifications in this document are subject to change without notice.

These commodities, technology, or software were exported from the United States in accordance with the Export
Administration Regulations. Diversion contrary to U.S. law prohibited.

This product may contain or be derived from materials, including software, of third parties. The third party
materials may be subject to licenses, notices, restrictions and obligations imposed by the licensor. The licenses,
notices, restrictions and obligations, if any, may be found in the materials accompanying the product, in the
documents or files accompanying such third party materials, in a file named third_party_licenses on the media
containing the product, or at http://www.honeywell.com/ps/thirdpartylicenses.

Honeywell, Experion, and TotalPlant are US registered trademarks of Honeywell International Inc.

Other brand or product names are trademarks of their respective owners.

EPDOC-X472-en-A 2 www.honeywellprocess.com
Symbol definitions

The following table lists the symbols used in this document to denote certain conditions.

Symbol Definition
NOTICE is used to address practices not related to physical injury.

CAUTION indicates a hazardous situation that, if not avoided, could result in minor or moderate injury.
CAUTION symbol on the equipment refers the user to the product manual for additional information.
The symbol appears next to required information in the manual.

WARNING indicates a hazardous situation that, if not avoided, could result in death or serious injury.
WARNING symbol on the equipment refers the user to the product manual for additional information.
The symbol appears next to required information in the manual.

DANGER indicates a hazardous situation that, if not avoided, will result in death or serious injury.

Table of contents

About this guide ......................................................................................................................................................................... 9

Chapter 1 Getting started ............................................................................................................................................. 11

1.1 Hardware and software requirements............................................................................................................ 11


1.1.1 Software requirements for a domain controller ................................................................................ 11

1.2 System requirements for a domain controller ................................................................................................ 11

Chapter 2 Guidelines .................................................................................................................................................... 13

2.1 General guidelines for implementing a domain controller .............................................................................. 13

Chapter 3 Installing a Windows domain controller .................................................................................................... 15

3.1 Hardware and software requirements ............................................................................................................ 15

3.2 Preparing a Windows domain controller ........................................................................................................ 16


3.2.1 Installing Microsoft Windows Server 2016 operating system .......................................................... 17
3.2.2 Define an alternate Administrative User .......................................................................................... 17
3.2.3 Changing the computer name ......................................................................................................... 19
3.2.4 Configuring TCP/IP settings ............................................................................................................ 19
3.2.5 Preconfiguring Network Configuration for FTE ................................................................................ 21
3.2.6 Installing Microsoft service packs and Windows updates ................................................................ 21

3.3 Preparing a Windows domain controller ........................................................................................................ 21


3.3.1 Preparing Microsoft Windows Server 2016 to be a domain controller ............................................. 23
3.3.1.1. Adding Roles and Features to Microsoft Windows Server 2016 ..................................................... 23

3.4 Configuring Microsoft Windows Server 2016 as a domain controller ............................................................. 33


3.4.1 Set up a new domain in a new forest .............................................................................................. 34
3.4.1.1. Adjust Alternate Administrative User’s Group membership ............................................................. 41
3.4.2 Set up a new domain in an existing forest ....................................................................................... 43
3.4.3 Add a Domain Controller to an existing domain .............................................................................. 48
3.4.4 Setting up a Read-only Domain Controller ...................................................................................... 55

3.5 Common tasks for setting up a domain controller.......................................................................................... 57


3.5.1 Adding Microsoft Windows Server 2016 to a Windows domain ...................................................... 57
3.5.2 Verifying if DNS server role is active ............................................................................................... 58
3.5.3 Verifying if Global Catalog server role is active ............................................................................... 59
3.5.4 Adding reverse lookup zone ............................................................................................................ 61
3.5.5 Adjusting DNS Configuration ........................................................................................................... 62

Chapter 4 Post Installation Tasks ................................................................................................................................ 65

4.1 Configuring Active Directory sites .................................................................................................................. 65
4.1.1 Creating a site in Active Directory ................................................................................................... 65
4.1.2 Moving domain controllers to sites .................................................................................................. 66
4.1.3 Verifying the availability of Global Catalog server in a site .............................................................. 66
4.1.4 Adjusting replication interval for a site ............................................................................................. 67

4.2 Creating Organizational Unit.......................................................................................................................... 68

4.3 Creating Active Directory users and groups .................................................................................................. 68


4.3.1 Creating Honeywell Active Directory users ..................................................................................... 68
4.3.2 Creating Active Directory groups ..................................................................................................... 69
4.3.3 Changing group membership .......................................................................................................... 70

4.4 Configuring time synchronization in a domain ............................................................................................... 70

4.5 Adding workstation/server to Windows domain ............................................................................................. 71


4.5.1 Setting the DNS server IP address ................................................................................................. 71
4.5.2 Adding a node to a Windows domain .............................................................................................. 72
4.5.3 Viewing the workstation/server added to a domain ......................................................................... 74

4.6 Configuring time synchronization on the workstations/servers added to a Windows domain ........................ 74

Chapter 5 Honeywell Experion PKS Software Support for Domain Controllers ..................................................... 77

5.1 Initiating Setup ............................................................................................................................................... 77

5.2 Domain Controller Policies ............................................................................................................................ 78

5.3 .Net Framework ............................................................................................................................................. 81

5.4 Experion Optional Features ........................................................................................................................... 82

Chapter 6 Preparing the domain for migration ........................................................................................................... 89

6.1 Recording the current domain controller configuration information................................................................ 89

6.2 Inventorying the current domain controller configuration ............................................................................... 90


6.2.1 Installing Windows Support Tools on Windows Server 2003 domain controllers ............................ 90
6.2.2 Identifying the domain controllers holding the FSMO roles ............................................................. 93
6.2.3 Identifying GC servers configured in the domain ............................................................................. 93
6.2.4 Identifying DNS servers configured in the domain .......................................................................... 94
6.2.5 Identifying the domain operation mode ........................................................................................... 96

6.3 Verifying domain controller readiness for migration ....................................................................................... 97


6.3.1 Verifying domain health ................................................................................................................... 97
6.3.2 Ensuring availability of multiple domain controllers ......................................................................... 98
6.3.3 Ensuring availability of multiple DNS servers .................................................................................. 99

6.4 Preparing the Active Directory ....................................................................................................................... 99


6.4.1 Evaluating the functional level of the domain .................................................................................. 99
6.4.2 Upgrading existing Domain Controllers to Windows Server 2016 ................................................. 100
6.4.3 Raising the functional level of the domain ..................................................................................... 100

6.4.4 Expanding the Active Directory schema ........................................................................................ 102

6.5 Joining a Server 2016 Domain Controller to replace an existing Controller ................................................. 102
6.5.1 Remove the DNS Role (if configured) ........................................................................................... 121
6.5.2 Installing New Windows Server 2016 Domain Controller .............................................................. 141
6.5.3 Promote and Join Existing Domain ............................................................................................... 149
6.5.4 Transfer roles and functions from Old DC to New DC ................................................................... 156
6.5.5 Decommission Old DC .................................................................................................................. 157
6.5.6 Raising Functional Levels ............................................................................................................. 159
6.5.7 FRS to DFS Migration ................................................................................................................... 165

Support Information............................................................................................................................................................... 170

About this guide

This guide describes how to perform the following:

• Implementing Microsoft Windows domain controllers for Experion.
• Implementing stand-alone Microsoft Windows domain controllers.
• Migrating existing domain controllers to the latest supported Windows operating system for domain controllers.
• Demoting domain controllers.

Revision history

Revision   Date        Description
A          July 2018   Initial release of the document.

Intended audience

• Customers who want to integrate their process domains into their corporate hierarchy, and the IT staff who support them.
• Customers with limited networking and IT experience who are using stand-alone domains.
• Projects group and Services group.

Prerequisite skills

It is assumed that you are familiar with the operation of Experion system software and the plant processes which Experion controls, Microsoft Windows operating systems, Windows domains and domain controllers, and network administration tasks.

Related documents

• Windows Domain and Workgroup Implementation Guide
• For planning information, refer to the Windows Domain and Workgroup Planning Guide.
• For operating system migration information, refer to the appropriate operating system-specific implementation guide (for example, Windows Domain Implementation Guide for Windows Server 2008 R2).
• Getting Started with Experion Software Guide
• Software Installation User's Guide
• Experion migration documentation
• Supplementary Installation Tasks Guide
• Server and Client Planning Guide
• Server and Client Configuration Guide
Chapter 1 Getting started

1.1 Hardware and software requirements

1.1.1 Software requirements for a domain controller

To implement a domain controller in Experion, you need the following media/software:

• Microsoft Windows Server 2016
• Experion PKS R500.1 or higher

1.2 System requirements for a domain controller

Component: Microsoft Windows Server 2016 requirement

Computer and processor
• Minimum – 1.4 GHz (x64)
• Recommended – 2 GHz or faster

Memory
• Minimum – 2 GB or greater (Desktop Experience is required)
• Recommended – 4 GB or greater

Hard disk
• Minimum – 32 GB
• Recommended – 32 GB or more

!Attention
In virtual environments Honeywell recommends that you have at least one DC on each network level serviced by the virtual environment; this includes a domain controller on Level 2.5 and on each Level 2 network. If the entire domain is hosted on virtual machines, you must ensure that the virtual domain is always available. Refer to the latest version of the following documents on http://www.honeywellprocess.com for the hardware and software requirements of VMs.

• HPS Virtualization Specification
• Virtualization Planning and Implementation Guide

Ensure that at least one domain controller runs in a real (non-virtual) environment.

Chapter 2 Guidelines

2.1 General guidelines for implementing a domain controller


The following table describes some general guidelines and Honeywell recommendations for implementing a domain controller in a domain.

Guideline: Standard Edition with Desktop Experience
Honeywell recommendation: Datacenter Edition is supported, but not required. (Note: this guide was developed using only Standard Edition.) Server Core, Containers, Nano Server and other variations/configurations are currently not supported. Honeywell's installation, utilities, and software require that a user interface be present on the system, so the system must have the "Desktop Experience" present in the operating system. (This includes the GUI and various supporting applications, like Internet Explorer.)

Guideline: Number of domain controllers per domain
Honeywell recommendation: It is recommended to have a minimum of two domain controllers per domain. In cases where multiple network configurations are used, each network configuration must include at least one domain controller. If you have multiple Level 2 networks with a Level 3 network, it is recommended to have at least one domain controller on each network level. Domains with multiple OUs must have at least one domain controller per OU.

Guideline: Operating system installed on domain controllers
Honeywell recommendation: The version of the Windows Server operating system installed on all the domain controllers in a domain should be the same. It is recommended to use different versions of the Windows Server operating system only during a migration scenario. After completing the migration, any servers running an older version of the operating system should be demoted or removed from the domain. After demoting the server, the domain operation level should be set to the native level for that version of the operating system.

Guideline: Location of Active Directory Database, Log files, and SYSVOL objects
Honeywell recommendation: Though Microsoft recommends placing the Database, Log files, and SYSVOL objects on different drives in a system for optimal performance, Honeywell recommends using the following default locations.

• Active Directory Database — C:\Windows\NTDS
• Log Files — C:\Windows\NTDS
• SYSVOL — C:\Windows\SYSVOL

Guideline: Availability of Domain Name System (DNS) and Global Catalog (GC) servers
Honeywell recommendation: When the first domain controller for a domain is configured, the DNS and GC server roles are enabled by default. Though Microsoft recommends disabling these roles while creating additional domain controllers in the domain, the Honeywell recommendation is to configure these roles on each domain controller in the domain. It is recommended to configure a minimum of two DNS servers and two GC servers. You can limit the distribution of GC servers based on the network design.

Guideline: Naming convention for domains
Honeywell recommendation: Honeywell recommends the following while configuring domain names.

• The domain name should be 1 to 15 characters long.
• The domain name should always consist of at least two parts, a name and a designator separated by a period, as follows: <Name>.<Designator>
  Typical designator values are .com, .org, or .local. Specific suffix values may be required if the domain is part of a multi-domain network. Consult the domain administrators of the domains into which the process domain needs to be integrated to determine the names to be used, as well as the address range for computers in the domain. For local domains which are not integrated into a larger domain forest, the recommendation is to use the designator 'local'. For example, Customer.local.
  A domain name without a designator results in a format known as a Single-Label name and could result in various networking problems, such as client computers not being able to dynamically register DNS records or encountering problems in resolving DNS name queries.
  For more information, refer to the following Microsoft website link: "http://support.microsoft.com/kb/300684"
• The NetBIOS name must match the DNS name of the domain. For example, pcn.local is the DNS domain name and pcn is the NetBIOS name.

Guideline: Reverse Lookup Zones
Honeywell recommendation: It is recommended to configure a Reverse Lookup Zone for each subnet.

Guideline: Windows Internet Name Service (WINS)
Honeywell recommendation: WINS servers are not required. Do not configure WINS for domain controllers in an Experion network.

Guideline: Setting Up Standby Operations Master
Honeywell recommendation: Honeywell does not recommend configuring Standby Operations Masters for Flexible Single Master Operation (FSMO) roles in a process control network. When the FSMO role holder is unavailable, the FSMO role does not automatically move to the standby server. A Standby Operations Master is beneficial particularly in large domains with multiple domain controllers hosting millions of objects.
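The domain naming rules in the table above can be checked before the forest is created. The following PowerShell function is an added example, not from the Honeywell guide; all names passed to it are constructed placeholders.

```powershell
# Added example, not from the Honeywell guide: checks a proposed domain name against the
# naming guidelines above (two-part name, 1 to 15 character name part, NetBIOS name matching
# the DNS name, 'local' designator for stand-alone domains). Names used are placeholders.
function Test-ExperionDomainName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DnsDomainName,  # for example: pcn.local
        [Parameter(Mandatory)] [string] $NetbiosName     # for example: pcn
    )

    $problems = New-Object 'System.Collections.Generic.List[string]'
    $labels   = $DnsDomainName.Split('.')
    $name     = $labels[0]

    # Guideline: <Name>.<Designator>. A name without a designator is a single-label name,
    # which breaks dynamic DNS registration and name resolution on client computers.
    if ($labels.Count -lt 2 -or ($labels -contains '')) {
        $problems.Add("'$DnsDomainName' is a single-label name or contains an empty label; use <Name>.<Designator>, for example Customer.local")
    }

    # Guideline: the name part must be 1 to 15 characters.
    if ($name.Length -lt 1 -or $name.Length -gt 15) {
        $problems.Add("Name part '$name' is $($name.Length) characters long; it must be 1 to 15")
    }

    # Guideline: the NetBIOS name must match the DNS name (PowerShell -ne is case-insensitive).
    if ($NetbiosName -ne $name) {
        $problems.Add("NetBIOS name '$NetbiosName' does not match the DNS name part '$name'")
    }

    # Guideline: stand-alone domains should use the 'local' designator. Other suffixes may be
    # required by the corporate domain administrators, so this is only a warning.
    if ($labels.Count -ge 2 -and $labels[-1] -ne 'local') {
        Write-Warning "Designator '.$($labels[-1])' is not 'local'; confirm it with the administrators of the domains this domain will join"
    }

    [pscustomobject]@{
        DnsDomainName = $DnsDomainName
        NetbiosName   = $NetbiosName
        IsValid       = ($problems.Count -eq 0)
        Problems      = $problems.ToArray()
    }
}

# Constructed sample inputs: a conforming name, a single-label name, and a name part
# longer than 15 characters whose NetBIOS name also does not match.
Test-ExperionDomainName -DnsDomainName 'pcn.local' -NetbiosName 'pcn'
Test-ExperionDomainName -DnsDomainName 'pcn' -NetbiosName 'pcn'
Test-ExperionDomainName -DnsDomainName 'processcontrolnet1.local' -NetbiosName 'pcn'
```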

Chapter 3 Installing a Windows domain controller

3.1 Hardware and software requirements


While setting up a domain, as a best practice you must record all the important details about the domain configuration in the following attached Excel worksheet.

Domain configuration worksheet

The following table gives an overview of the information that you need to capture. However, you must use the attached Excel worksheet to record the information mentioned in the table.

Table 1 Domain configuration worksheet sample

Basic information
  Domain name
  IP address range
  IP subnet mask
  Groups for RODC creation (if required)
  Directory Services Restore Mode (DSRM) password
  Starting domain functional level

Global Catalog (GC) and DNS server roles
  GC servers
  DNS servers

User accounts / Groups

Flexible Single Master Operation (FSMO) roles
Record the details about the domain controllers which hold each of the FSMO roles in the current domain.

  FSMO role                  Site and owner
  Schema master
  Domain naming master
  Infrastructure master
  Relative ID (RID) master
  PDC emulator

Site information
  Site name                  Subnet address

Domain controller information
For each domain controller that is being created, capture the following details, which can be used later if required.

  DC type (one column per domain controller)
  Domain controller name
  Site
  IP address
  Preferred DNS
  Alternate DNS
  Admin account
  Password
  Group

3.2 Preparing a Windows domain controller


Perform each of the subsections here, starting from a path to Microsoft Windows Server 2016:

• Install Operating System: 3.2.1 Installing Microsoft Windows Server 2016 operating system
• Add a new Administrative User: 3.2.2 Define an alternate Administrative User
• Set Computer Name: 3.2.3 Changing the computer name
• Set TCP/IP Addresses: 3.2.4 Configuring TCP/IP settings
• Preconfigure NIC Cards: 3.2.5 Preconfiguring Network Configuration for FTE
• Operating System Updates: 3.2.6 Installing Microsoft service packs and Windows updates

Task Complete. Return to task list.

3.2.1 Installing Microsoft Windows Server 2016 operating system

It is recommended that you follow the OEM operating system installation document for loading the operating system on Honeywell-qualified or non-qualified platforms.

During the initial stages of the operating system installation, a "Select the operating system you want to install" page appears. As Honeywell requires a server installation with a GUI, ensure that you select the Microsoft Windows Server 2016 Standard (with Desktop Experience) or Embedded Microsoft Windows Server 2016 Datacenter option.

3.2.2 Define an alternate Administrative User

Perform this on at least the first domain controller (the local account becomes a domain account once the server is promoted). As a security best practice, you should create a custom administrative user account to manage the system and disable the default Administrator account created by the installation.

1. After the OS installation, right-click Start and choose Computer Management.

2. In the left pane of Computer Management, expand "Local Users and Groups" and click Users.

3. In the right pane, right-click and select New User.
   The New User window appears.

4. Fill in a User Name and Password.

5. Change the Password Options and click Create.

6. Double-click the newly created user in the right pane of Computer Management to bring up its properties.

7. Click Add, enter Administrators, and click OK.

8. Optional: select Users, click Remove, and then click Apply.

9. Use this account for subsequent log-ons, management, and software installs.
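The same steps can be scripted so that the result is repeatable and verified before the built-in account is disabled. This is an added example, not from the Honeywell guide; it assumes an elevated PowerShell session on Windows Server 2016 before promotion, and the account name is a placeholder.

```powershell
# Added example, not from the Honeywell guide: scripted equivalent of the steps in 3.2.2.
# Assumptions: elevated PowerShell on Windows Server 2016 before promotion; $NewAdminName is a
# placeholder; the built-in Administrator is disabled only when -DisableBuiltInAdmin is passed,
# after you have confirmed that an interactive logon with the new account works (step 9).
param(
    [string] $NewAdminName = 'ExpAdmin',    # placeholder: choose your own account name
    [switch] $DisableBuiltInAdmin
)

function Test-LocalGroupMembership([string] $Group, [string] $User) {
    # Get-LocalGroupMember reports names as COMPUTER\user, so match on the trailing part.
    [bool](Get-LocalGroupMember -Group $Group -ErrorAction Stop |
        Where-Object { $_.Name -like "*\$User" })
}

# Steps 3 to 5: create the account. The password is read interactively so it never
# lands in a script file or shell history.
if (-not (Get-LocalUser -Name $NewAdminName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -Prompt "Password for $NewAdminName" -AsSecureString
    New-LocalUser -Name $NewAdminName -Password $password `
        -Description 'Alternate administrative account (see 3.2.2)' | Out-Null
}

# Step 7: add the account to Administrators.
if (-not (Test-LocalGroupMembership -Group 'Administrators' -User $NewAdminName)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $NewAdminName
}

# Step 8 (optional in the guide): remove the account from Users.
if (Test-LocalGroupMembership -Group 'Users' -User $NewAdminName) {
    Remove-LocalGroupMember -Group 'Users' -Member $NewAdminName
}

# Verify before touching the built-in account, so the server is never left without
# a usable administrator.
if (-not (Test-LocalGroupMembership -Group 'Administrators' -User $NewAdminName)) {
    throw "$NewAdminName is not a member of Administrators; the built-in account is left enabled"
}

if ($DisableBuiltInAdmin) {
    Disable-LocalAccount -Name 'Administrator'
    Write-Host "Built-in Administrator disabled. Use $NewAdminName for subsequent logons (step 9)."
} else {
    Write-Host "$NewAdminName is ready. Log on with it, then rerun this script with -DisableBuiltInAdmin."
}
```

Run it once to create and verify the account, log on with the new account, then run it again with -DisableBuiltInAdmin.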

3.2.3 Changing the computer name

This procedure is normally performed right after installation of the operating system. Perform it to change the computer name after the operating system installation (the installer automatically assigns a default name) or if you are using a computer preinstalled with the target operating system.

To change the computer name:

1. On the taskbar, click Server Manager icon.


The Server Manager dialog box appears.

2. In the left pane, click Local Server.


The Local Server page appears.

3. In PROPERTIES field, click the text against Computer name.


The System Properties dialog appears.

4. On the Computer Name tab, click Change.


The Computer Name/Domain Changes dialog box appears.

5. In the Computer Name box, type the computer name and click OK.
While performing migration, you must configure the computer with the same name as the domain
controller that this computer is replacing.
A message appears indicating to restart the computer.

6. Click OK.

7. In the System Properties dialog box, click Close.


The System Properties dialog box closes. A message appears prompting to restart the computer.

8. Click Restart now.


The computer restarts.
!Attention
It is important to restart the server after changing the computer name and before promoting the
server to a domain controller.

3.2.4 Configuring TCP/IP settings


!Attention
For any Experion release, it is recommended that you install the highest Microsoft service packs for the Microsoft Windows Server 2016 operating system.
If Fault Tolerant Ethernet (FTE) is to be installed on the domain controller, you must preconfigure the NIC adapters to be ready for FTE. Refer to the latest version of the Fault Tolerant Ethernet Installation and Service Guide available on www.honeywellprocess.com for the following:

• FTE-qualified NICs.
• Configuring NIC adapters for FTE.
To open the Network Connections dialog box:

1. On the taskbar, click the Server Manager icon.
   The Server Manager dialog box appears.

2. In the left pane, click Local Server.
   The Local Server page appears.

3. In the PROPERTIES field, click the text against Ethernet.
   The Network Connections dialog box appears.

To configure TCP/IP settings:

1. Open the Network Connections dialog box.

2. Right-click Ethernet, and then click Properties.
   If Honeywell FTE adapter #1 is enabled, right-click FTE adapter #1 and then click Properties.
   The Ethernet Properties dialog box appears.

3. Select Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
   The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box appears.

4. Click the Use the following IP address option button and configure the following:

   • In the IP address box, type the IP address to be assigned for this network connection.
     !Attention
     If you are performing a migration, you must configure the computer with the IP address of the domain controller that this computer is replacing.
   • In the Subnet mask box, type the subnet mask for the network.
   • In the Default gateway box, type the IP address of the computer or device on your network that connects your network to another network or to the Internet.
     If you are configuring a stand-alone domain, you need not configure the Default gateway.

   Note:
   It is not necessary to configure DNS settings at this time unless you have external DNS servers (that is, you are not combining the DNS role with this domain controller).

5. Click the Use the following DNS server addresses option button and configure the following:

   • In the Preferred DNS server box, type the IP address of the DNS server.
   • In the Alternate DNS server box, type the IP address of the alternate DNS server.

6. Click OK.
   The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box closes.

7. In the Local Area Connection Properties dialog box, click OK.
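Sections 3.2.3 and 3.2.4 together are the network identity of the future domain controller, and the values they set are exactly the ones recorded in the domain configuration worksheet. The following script is an added example, not from the Honeywell guide; it assumes an elevated PowerShell session on Windows Server 2016, IPv4 only, and every value at the top is a placeholder to be replaced from the worksheet.

```powershell
# Added example, not from the Honeywell guide: scripted equivalent of 3.2.3 (computer name)
# and 3.2.4 (TCP/IP settings). Assumptions: elevated PowerShell on Windows Server 2016, IPv4
# only; all values below are placeholders taken from the domain configuration worksheet.
$ComputerName   = 'DC01'        # during a migration, the name of the DC being replaced
$InterfaceAlias = 'Ethernet'    # or the alias of Honeywell FTE adapter #1 if FTE is enabled
$IPAddress      = '10.0.0.10'   # during a migration, the address of the DC being replaced
$PrefixLength   = 24            # 255.255.255.0
$DefaultGateway = $null         # leave $null for a stand-alone domain
$DnsServers     = @()           # leave empty unless external DNS servers are in use

# Fail early if the adapter alias is wrong rather than half-configuring the server.
Get-NetAdapter -Name $InterfaceAlias -ErrorAction Stop | Out-Null

# Switch the adapter from DHCP to static and clear any address or default route it already
# has, so the settings applied below are the only ones in effect.
Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# "Use the following IP address": address, subnet mask, and the gateway only when one exists.
$ipParams = @{
    InterfaceAlias = $InterfaceAlias
    AddressFamily  = 'IPv4'
    IPAddress      = $IPAddress
    PrefixLength   = $PrefixLength
}
if ($DefaultGateway) { $ipParams['DefaultGateway'] = $DefaultGateway }
New-NetIPAddress @ipParams | Out-Null

# "Use the following DNS server addresses": per the note above, leave DNS unset unless
# external DNS servers are used (the DC will host DNS itself after promotion).
if ($DnsServers.Count -gt 0) {
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers
} else {
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses
}

# Show the resulting configuration so it can be copied into the worksheet.
Get-NetIPConfiguration -InterfaceAlias $InterfaceAlias |
    Format-List InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer

# 3.2.3: rename and restart. The restart must happen before the server is promoted.
if ($env:COMPUTERNAME -ne $ComputerName) {
    Rename-Computer -NewName $ComputerName -Force -Restart
}
```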

3.2.5 Preconfiguring Network Configuration for FTE

If you intend to support FTE, you should install or activate the appropriate supported NIC Cards and
drivers prior to promoting the system to a Domain Controller. Refer to the latest Fault Tolerant Ethernet
Installation and Service Guide for additional information about supported devices and settings on the
http://www.honeywellprocess.com website.

3.2.6 Installing Microsoft service packs and Windows updates

Install Microsoft service packs and Windows updates as recommended for the Experion system installed
on your computer. For more information about the supported versions, refer to the Software Change
Notice (SCN) for the release of Experion that is installed on your system. The latest Software Change
Notice is available at the Honeywell Process Solutions website, http://www.honeywellprocess.com.
!Attention
For any Experion release, it is recommended that you install the latest Microsoft service packs for
the Microsoft Windows Server 2016 operating system.
A clean operating system installation without Honeywell software is not supported by the ISO disk
provided with the SUIT. That is, if you perform a clean operating system installation using the ISO
disk provided with the SUIT, Honeywell is not responsible for installing Microsoft service packs and
applying Windows updates on such systems. However, Honeywell still supports domain controllers set
up with a clean installation.

3.3 Preparing a Windows domain controller


The following table lists the tasks that you must perform for setting up a domain controller.

Task: Installing the Microsoft Windows Server 2016 server as a domain controller (First Domain
Controller/Forest)
Reference: 3.2 Preparing a Windows domain controller
    Then 3.3.1 Preparing Microsoft Windows Server 2016 to be a domain controller
    Then 3.4 Configuring Microsoft Windows Server 2016 as a domain controller, continuing through
    3.4.1 Set up a new domain in a new forest

Task: Adding a Microsoft Windows Server 2016 based Domain Controller to establish a new Domain in
the Forest
Reference: 3.2 Preparing a Windows domain controller
    Then 3.3.1 Preparing Microsoft Windows Server 2016 to be a domain controller
    Then 3.4 Configuring Microsoft Windows Server 2016 as a domain controller, continuing through
    3.4.2 Set up a new domain in an existing forest

Task: Adding additional Microsoft Windows Server 2016 based Domain Controllers to an existing
Domain in the forest (Writable)
Reference: 3.2 Preparing a Windows domain controller
    Then 3.5.1 Adding Microsoft Windows Server 2016 to a Windows domain
    Then 3.3.1 Preparing Microsoft Windows Server 2016 to be a domain controller
    Then 3.4 Configuring Microsoft Windows Server 2016 as a domain controller, continuing through
    3.4.3 Add a Domain Controller to an existing domain

Task: Adding additional Microsoft Windows Server 2016 based Read Only Domain Controllers to an
existing Domain in the forest (RODC)
Reference: 3.2 Preparing a Windows domain controller
    Then 3.5.1 Adding Microsoft Windows Server 2016 to a Windows domain
    Then 3.3.1 Preparing Microsoft Windows Server 2016 to be a domain controller
    Then 3.4 Configuring Microsoft Windows Server 2016 as a domain controller, continuing through
    3.4.4 Setting up a Read-only Domain Controller

Task: Verifying if DNS server role is active
Reference: Verifying if DNS server role is active on page 57.

Task: Verifying if Global Catalog server role is active
Reference: Verifying if Global Catalog server role is active on page 58.

Task: Adding reverse lookup zone
Reference: Adding reverse lookup zone on page 60.

3.3.1 Preparing Microsoft Windows Server 2016 to be a domain controller

This topic describes the steps to set up or install a Microsoft Windows Server 2016 server as a domain
controller added to a new domain in a new forest, a new domain in an existing forest, or as a peer domain
controller.

In addition, this section also describes the steps to automatically assign the Microsoft Windows Server
2016 server the role of a primary domain controller.

3.3.1.1. Adding Roles and Features to Microsoft Windows Server 2016


Note:
This procedure assumes that the operating system has already been installed.

1. Log on to the computer using a local administrator account.

2. On the taskbar, click Server Manager icon. The Server Manager dialog box
appears.

3. In Server Manager Dashboard, click Add roles and features.


The Add Roles and Features Wizard appears.

4. Click Next.
The Select installation type page appears.

5. Click Role-based or feature-based installation option and then click Next.
The Select destination server page appears.

6. In Server Pool, select the server that must be configured as a domain controller and
then click Next.
The Select server roles page appears.

7. In Roles, select Active Directory Domain Services.
A dialog box for adding features for the Active Directory Domain appears.

8. Click Add Features.


The Select server roles page appears with the Active Directory Domain Services
option enabled.

9. If the Domain Controller is also going to host DNS, then in Roles, select DNS
Server.
A dialog box for adding features for the DNS Server appears

10. Click Add Features.


The Select server roles page appears with the DNS Server option enabled.

11. Click Next.
The Select features page appears.

12. Click Next.
The Active Directory Domain Services page appears.

13. Click Next.


The DNS Server page appears.

14. Click Next.
The Confirm installation selections page appears. All the features selected in the
previous steps appear on this page.

15. Verify the selected features and then click Install.
The Installation progress page appears.

Attention
During installation, if you close the Installation progress page, you can view this page
again in the Server Manager dialog box, by clicking Notifications icon and selecting
Add Roles and Features.

16. After a couple of minutes, feature installation will complete.

Task Complete. Return to task list.

3.4 Configuring Microsoft Windows Server 2016 as a domain controller


1. Return to Server Manager and, in the left panel, select AD DS. In the right panel, near the top, click
More on the “Configuration required for Active Directory Domain Services…” notification.

2. The All Servers Task Details and Notification page appears. Click Promote this server to a
domain controller.

The Deployment Configuration page appears.

3. You can set up a primary domain controller in one of the following ways:

a. Set up a new domain in a new forest.

b. Set up a new domain (child) in an existing forest.

c. Add a domain controller to an existing domain.

d. Set up a Read Only Domain Controller (RODC).

3.4.1 Set up a new domain in a new forest

The following table lists the tasks that you must perform for setting up a new domain in a new forest.

Task: Creating a new Microsoft Windows Server 2016 domain/forest
Refer to: Below

Task: Adjusting DNS definition
Refer to: Post creation, refer to Section 3.5.5, Adjusting DNS Configuration

Required for the first domain controller when setting up a new domain.

General conventions for the Root Domain Name:

• Integration with company: Domain.<<CompanyName>>.com
  or Domain.<<org>>.<<CompanyName>>.com
• Standalone: Domain.local

1. Click the Create a new domain in a new forest option button, and then click Next.
The Active Directory Domain Services Configuration Wizard appears.

2. In the Active Directory Domain Services Configuration Wizard window, under Deployment
Configuration page,

a. Select Add a new forest option

b. Type the Root domain name and click Next.


The Domain Controller Options page appears.

3. In the Domain Controller Options page,

a. Select Forest functional level and Domain functional level.


Note
If the forest will need to host domain controllers running earlier operating systems, it may be necessary
to change the Forest functional level to a lower value. Change it as appropriate; otherwise, leave it at
the default level.
The Domain functional level cannot be changed here, because this is the version that establishes
(creates) the domain.
b. Select Domain Name System (DNS) server and Global Catalog (GC) options

c. Type Directory Services Restore Mode (DSRM) password and click Next.
The DNS Options page appears.

4. In the DNS Options, click Next.
The Additional Options page appears.

5. After a couple of seconds, a NetBIOS domain name derived from the root domain name you assigned
previously is entered automatically on the Additional Options page. Verify that it is correct and click Next.
The Paths page appears.

6. In the Paths page, review the path information and if necessary, change the paths by clicking the
small boxes against each path. After you set the path click Next.
The Review Options page appears.

7. In the Review Options page, review the configuration settings that you have selected. To change
any of the configuration settings, click Previous. If all the configuration settings are acceptable, then
click Next.
The Prerequisites Check page appears.

8. In the Prerequisites Check page, review Results and click Install.
The Installation page appears. The installation of the Active Directory services starts and the
progress of installation is displayed.

9. After the installation is complete, the server automatically restarts. The login screen appears and you
can login to the server.

3.4.1.1. Adjust Alternate Administrative User’s Group membership

Earlier, it was suggested that you create an alternate administrative user. Creating a New
Domain will add additional groups to the Administrator account, but not the alternate. So you
should adjust this now.

1. Using Server Manager, choose Tools, Active Directory Users and Computers.

2. Find your User and double-click it to bring up the properties.

3. Change to the Member Of tab.

4. Click Add and add the following groups:
Domain Admins, Enterprise Admins, Group Policy Creator Owners, and Schema Admins.

5. After adding the groups, click Domain Admins and then click Set Primary Group.
Click Apply and then OK to close the properties.

6. When completed, Active Directory Users and Computers can now be closed.

7. You should log out and back in with this account before adding additional Domain Controllers
to this domain (if using this account to do so…)

Task Complete. Return to task list.

3.4.2 Set up a new domain in an existing forest

The following table lists the tasks that you must perform for setting up a new domain in an existing forest.

Task: Creating a new Microsoft Windows Server 2016 domain in an existing forest
Refer to: Below

Task: Adjusting DNS definition
Refer to: Post creation, refer to Section 3.5.5, Adjusting DNS Configuration

1. Click the Add a new domain to an existing forest option and then click Next.
The Active Directory Domain Services Configuration Wizard appears.

2. In the Active Directory Domain Services Configuration Wizard window, under Deployment
Configuration page,

a. In the Select domain type dropdown list, choose Child Domain.

b. In the Parent domain name field, type the parent domain name (for example, domainXYZ.local),
or click Select.

The Windows Security dialog appears.

3. In the Windows Security dialog, fill in an appropriate Username and Password to access the
domain.
The Select domain from the forest dialog box appears.

4. In the Select domain from the forest dialog box, from the domain list, select the required domain
name and then click OK.
The selected domain appears in the Parent domain name field.

5. In the New domain name field, type a name for the child domain and then click Next.
The Deployment Configuration page appears.

6. In the Deployment Configuration page, ensure that Domain Name System (DNS) server option is
enabled and checked. Click Next.
The Domain Controller Options page appears.

7. In the Domain Controller Options page,

a. Select Forest functional level and Domain functional level.

b. Select Domain Name System (DNS) server and Global Catalog (GC) options.

c. Type the Directory Services Restore Mode (DSRM) password and click Next.
The DNS Options page appears.

8. In the DNS Options, click Next.


The Additional Options page appears.

9. In the Additional Options page, type NetBIOS domain name and click Next.
The Paths page appears.

10. In the Paths page, review the path information and if necessary, change the paths by clicking the
small boxes against each path. After you set the path click Next.
The Review Options page appears.

11. In the Review Options page, review the configuration settings that you have selected. To change
any of the configuration settings, click Previous. If all the configuration settings are acceptable, then
click Next.
The Prerequisites Check page appears.

12. In the Prerequisites Check page, if the message “All prerequisite checks passed successfully.
Click Install to begin installation” appears, click Install.
The Installation page appears. The installation of the Active Directory services starts and the
progress of installation is displayed.

13. After the installation is complete, the server automatically restarts. The login screen appears and you
can login to the server.

3.4.3 Add a Domain Controller to an existing domain

The following table lists the tasks that you must perform for adding a domain controller to an existing
domain.

Task: Join Microsoft Windows Server 2016 to a Windows domain
Refer to: 3.5.1 Adding Microsoft Windows Server 2016 to a Windows domain

Task: Add a Microsoft Windows Server 2016 domain controller in an existing domain
Refer to: Below

Task: Adjusting DNS definition
Refer to: Post creation, refer to Section 3.5.5, Adjusting DNS Configuration

(If the system was previously joined to the domain, the domain name should already be filled in.)

1. Click the Add a Domain Controller to an existing domain option, and then click Next.
The Active Directory Domain Services Configuration Wizard appears.

2. In the Active Directory Domain Services Configuration Wizard window, under Deployment
Configuration page,

a. Select Add a domain controller to an existing domain option.

b. Type the Domain name and click Next.
The Domain Controller Options page appears.

3. After a few seconds, a Site name is entered automatically on the Domain Controller Options
page.

a. Select Domain Name System (DNS) server and Global Catalog (GC) options

b. Type Directory Services Restore Mode (DSRM) password and click Next.
The DNS Options page appears.

4. In the DNS Options, click Next.
The Additional Options page appears.
Note
If your system is not connected to an upstream network, you may receive a warning on this page.

5. Click Next.
The Paths page appears.

6. Click Next.
The Review Options page appears

7. In the Review Options page, review the configuration settings that you have selected. To change
any of the configuration settings, click Previous. If all the configuration settings are acceptable, then
click Next.
The Prerequisites Check page appears.

8. In the Prerequisites Check page, review the results for any errors that require correction. If all
prerequisites pass, click Install.

9. The Installation page appears. The installation of the Active Directory services starts and the
progress of installation is displayed.

After the installation is complete, the server automatically restarts. The login screen appears and you
can login to the server.

Task Complete. Return to task list.

3.4.4 Setting up a Read-only Domain Controller

You can set up a Read-only Domain Controller (RODC) in the following way:
• Direct installation – Enables you to install an RODC in a manner similar to installing additional
domain controllers in the domain. In this method, the RODC installation can be performed by a
member of the domain administrator group. This method installs an RODC by selecting the Read-
only domain controller (RODC) option in the Active Directory Domain Services Installation Wizard.

!Attention
It is not possible to change a domain controller from writable to read-only or from read-only to writable,
directly. To change a writable domain controller to an RODC, you must demote the domain controller and
then promote it again to an RODC. This requires domain administrator permissions and uses the direct
installation method for creating the RODC.

The following table lists the tasks that you must perform for setting up a read-only domain controller.

Guideline: Join Microsoft Windows Server 2016 to a Windows domain
Honeywell recommendation: Refer to 3.5.1 Adding Microsoft Windows Server 2016 to a Windows domain

Guideline: Add a Microsoft Windows Server 2016 domain controller in the role of Read Only Domain
Controller
Honeywell recommendation: Below

Guideline: Adjusting DNS definition
Honeywell recommendation: Post creation, refer to Section 3.5.5, Adjusting DNS Configuration

To add a Microsoft Windows Server 2016 server in the role of an RODC


The Deployment Configuration page appears.

1. Click Add a domain controller to an existing domain.


The Domain field displays the name of the domain to which this RODC is being added.

2. Click Change to provide the credentials of the root domain to which the RODC must be added.
The Windows Security dialog box appears.

3. Type the Username and Password of a domain account that has administrator privileges and then
click OK.
i. For example, type the user name in the “[email protected]” or
“[email protected]” format.
ii. The control returns to the Deployment Configuration page.

4. Click Next.
The Domain Controller Options page appears.

5. Check the Read only domain controller (RODC) option.

6. Ensure that the Domain Name System (DNS) server and Global Catalog (GC) options are enabled
and checked.

7. Type the password for Directory Services Restore Mode (DSRM), in the Password and Confirm
password fields.

8. Click Next.
The RODC Options page appears.

9. Click Next.
The Additional Options page appears.

10. Click Next.


The Paths page appears.

11. Review the path information and if necessary, change the paths by clicking the small boxes against
each path. After you set the path click Next.
The Review Options page appears.

12. Review the configuration settings that you have selected. To change any of the configuration settings,
click Previous. If all the configuration settings are acceptable, then click Next.
The Prerequisites Check page appears.

13. If the message “All prerequisite checks passed successfully. Click Install to begin installation”
appears, click Install.

i. The Installation page appears. The installation of the Active Directory services starts and the
progress of installation is displayed.

ii. After the installation is complete, the server automatically restarts. The login screen appears and
you can login to the server.

Next steps
Perform the steps in section 3.5.4 Adding reverse lookup zone.
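The four Deployment Configuration choices of sections 3.4.1 to 3.4.4 (new forest, child domain, additional writable DC, RODC) driven from PowerShell with the ADDSDeployment module instead of the wizard, including the same prerequisites check the wizard runs before Install. This is an added example, not code from the Honeywell guide; the function name, parameter names and the domain, site and credential values are placeholders, and the DSRM password is prompted for rather than stored in the script.

```powershell
# Added example (not part of the Honeywell guide). Promotes this server using the
# ADDSDeployment module, which is installed together with the AD DS role (3.3.1.1).
# Function and parameter names are this example's own; domain and site names are placeholders.
#Requires -RunAsAdministrator
Import-Module ADDSDeployment

function Invoke-DcPromotion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # NewForest = 3.4.1, ChildDomain = 3.4.2, AdditionalDc = 3.4.3, Rodc = 3.4.4
        [Parameter(Mandatory)]
        [ValidateSet('NewForest', 'ChildDomain', 'AdditionalDc', 'Rodc')]
        [string]$Mode,

        # Root domain (NewForest), parent domain (ChildDomain) or existing domain (AdditionalDc/Rodc)
        [Parameter(Mandatory)]
        [string]$DomainName,

        # ChildDomain only: the new left-most label, e.g. 'plant1' for plant1.domainXYZ.local
        [string]$NewDomainName,

        # AdditionalDc/Rodc only: AD site for the DC; omit to let the wizard's default site selection apply
        [string]$SiteName,

        # Domain account allowed to add domains/DCs (the wizard's Change... credentials); unused for NewForest
        [PSCredential]$Credential,

        # Stop after the prerequisites check (the wizard's Prerequisites Check page)
        [switch]$CheckOnly
    )

    # The DSRM password is prompted for rather than placed in the script
    $dsrm = Read-Host -Prompt 'Directory Services Restore Mode (DSRM) password' -AsSecureString

    # Options common to every mode: host DNS on this DC and suppress the confirmation prompt,
    # which is what the wizard does once you click Install.
    $params = @{
        SafeModeAdministratorPassword = $dsrm
        InstallDns                    = $true
        Force                         = $true
    }

    switch ($Mode) {
        'NewForest' {
            $netbios = $DomainName.Split('.')[0].ToUpper()
            $params.DomainName        = $DomainName
            $params.DomainNetbiosName = $netbios.Substring(0, [Math]::Min(15, $netbios.Length))
            # WinThreshold = Windows Server 2016; lower the forest mode only if older DCs must join
            $params.ForestMode        = 'WinThreshold'
            $params.DomainMode        = 'WinThreshold'
            $testCmd = 'Test-ADDSForestInstallation'; $installCmd = 'Install-ADDSForest'
        }
        'ChildDomain' {
            if (-not $NewDomainName -or -not $Credential) { throw 'ChildDomain needs -NewDomainName and -Credential' }
            $params.ParentDomainName     = $DomainName
            $params.NewDomainName        = $NewDomainName
            $params.NewDomainNetbiosName = $NewDomainName.ToUpper()
            $params.DomainType           = 'ChildDomain'
            $params.Credential           = $Credential
            $testCmd = 'Test-ADDSDomainInstallation'; $installCmd = 'Install-ADDSDomain'
        }
        default {
            if (-not $Credential) { throw "$Mode needs -Credential" }
            $params.DomainName      = $DomainName
            $params.Credential      = $Credential
            $params.ReadOnlyReplica = ($Mode -eq 'Rodc')   # the wizard's RODC check box (3.4.4 step 5)
            if ($SiteName) { $params.SiteName = $SiteName }
            $testCmd = 'Test-ADDSDomainControllerInstallation'; $installCmd = 'Install-ADDSDomainController'
        }
    }

    # Prerequisites Check: show every message and refuse to install on anything but Success
    $check = & $testCmd @params
    $check.Message | ForEach-Object { Write-Host $_ }
    if ("$($check.Status)" -ne 'Success') { throw "Prerequisites check failed for mode $Mode" }
    if ($CheckOnly) { return $check }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "$installCmd ($Mode, $DomainName)")) {
        & $installCmd @params     # the server restarts automatically when promotion completes
    }
}

# Usage (placeholder names):
#   Invoke-DcPromotion -Mode NewForest -DomainName 'domainXYZ.local' -CheckOnly
#   Invoke-DcPromotion -Mode ChildDomain -DomainName 'domainXYZ.local' -NewDomainName 'plant1' -Credential (Get-Credential)
#   Invoke-DcPromotion -Mode Rodc -DomainName 'domainXYZ.local' -SiteName 'Default-First-Site-Name' -Credential (Get-Credential)
```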

3.5 Common tasks for setting up a domain controller
This section describes the tasks that are common for setting up a primary or peer or read-only
domain controller.

3.5.1 Adding Microsoft Windows Server 2016 to a Windows domain


Pre-task: Define DNS configuration
(if not already done)

1. Log on to the computer using an administrator account.

2. Open the Network and Sharing Center (right-click the network icon on the taskbar and choose it, or
type its name in Search).

3. On the left-hand side, click Change Adapter Settings. A new window titled Network Connections
opens.

4. Right-click one of your active network connections and choose Properties. The NIC properties
window opens.

5. Click Internet Protocol Version 4 (TCP/IPv4), and then click the Properties button.

6. Fill in the appropriate IP addresses for the Preferred DNS server and Alternate DNS server, then
click OK.

7. Click OK to close the NIC properties window.

8. Close any remaining open windows.

To add a Microsoft Windows Server 2016 to a Windows domain

1. Log on to the computer using an administrator account.

2. On the taskbar, click Server Manager icon.


The Server Manager dialog box appears.

3. In the left pane, click Local Server.


The Local Server page appears.

4. In PROPERTIES field, click WORKGROUP.


The System Properties dialog box appears.

5. Click Change.
The Computer Name/Domain Changes dialog box appears.

6. In Member of field, click the Domain option.


This enables the Domain field.

7. In the Domain field, type the name of the domain and then click OK.

The Windows Security dialog box appears.

8. Type the user name and password of a domain account that has administrative rights, and then click OK.
Once the server is added to the domain, a confirmation dialog box appears.

9. Click OK.
A message appears indicating to restart the computer.

10. Click OK.


The System Properties dialog box appears with the full computer name and Domain information. This indicates
that the computer is now a member of the domain.

11. After verifying the information, click Close.


A message appears indicating to restart the computer.

12. Click Restart Now.


The computer restarts and the server is added to the domain.

3.5.2 Verifying if DNS server role is active

To verify if DNS server role is active on the domain controller

1. Log on to the computer using a domain administrator account.

2. On the taskbar, click Server Manager icon.


The Server Manager dialog box appears.

3. In Server Manager Dashboard, click Add roles and features.


The Add Roles and Features Wizard appears.

4. Click Next.
The Select installation type page appears.

5. Click Next.
The Select destination server page appears.

6. In Server Pool, select the server for which you must verify if the DNS role is active and then click
Next.
The Select server roles page appears.

7. In Roles, ensure that the DNS Server option is enabled. This indicates that the DNS Server role is
active on the domain controller.

3.5.3 Verifying if Global Catalog server role is active

To verify if Global Catalog server role is active on the domain controller

1. Log on to the domain controller.

2. On the taskbar, click Server Manager icon.


The Server Manager dialog box appears.

3. Click Tools > Active Directory Users and Computers.


The Active Directory Users and Computers page appears.

4. In the console tree on the left pane of the Active Directory Users and Computers window, expand
<domain name>, and then click Domain Controllers.

5. In the details pane that is on the right side of the Active Directory Users and Computers window,
right click the domain controller, and then click Properties.
The domain controller Properties dialog box appears.

6. On the General tab, ensure that the DC Type field displays Global Catalog.

7. Click NTDS Settings.
The NTDS Settings Properties dialog box appears.

8. On the General tab, ensure that the Global Catalog check box is selected.
This indicates that the Global Catalog server role is active.

9. Close all the open dialog boxes.

3.5.4 Adding reverse lookup zone

Reverse lookup zones that are Active Directory-integrated are replicated to the new DNS server.

To add reverse lookup zone

1. In the Server Manager Window, click Tools > DNS. The DNS Manager window appears.

2. In the console tree, expand items under DNS until Reverse Lookup Zones item appears.
If there is an entry for the IP address configured in your domain, do not perform the remaining steps in this
procedure. Note that the order of the IP address octets is reversed in the IP address entry.

3. Right click on Reverse Lookup Zones, and then select New Zone. The New Zone Wizard appears.

4. On the Welcome page of the New Zone Wizard, click Next.

5. Click Primary zone, and then click Next.


The Active Directory Zone Replication Scope page appears.

6. Select To all DNS servers running on domain controllers in this domain : <domain name> and
then click Next.
The Reverse Lookup Zone Name page appears.

7. Select IPv4 Reverse Lookup Zone and then click Next.
The Reverse Lookup Zone Name page updates to provide options to configure Network ID and Reverse
lookup zone name.

8. In the Network ID text box, type the first three octets of the IP address range assigned to the domain
and then click Next.
As the IP address is entered, the text in the Reverse lookup zone name box updates and displays the
octets in reverse order.
The Dynamic Update page appears.

9. Select Allow only secure dynamic updates (recommended for Active Directory) and then click
Next.
The Completing the New Zone Wizard page appears.

10. On the Completing the New Zone Wizard page, review the settings that you have configured in the
wizard, and then click Finish.

Results
Ensure that the reverse lookup zone is created under the DNS.
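The three post-promotion checks of sections 3.5.2, 3.5.3 and 3.5.4 done from PowerShell on the domain controller: reporting the DNS Server role and Global Catalog state, deriving the in-addr.arpa zone name the wizard shows (octets reversed), and creating the zone only when it is not already present, Active Directory-integrated and limited to secure dynamic updates. This is an added example and not code from the Honeywell guide; it assumes the ActiveDirectory and DnsServer modules that the AD DS and DNS roles install, and the network ID in the usage lines is a placeholder taken from the guide's 3.5.5 example.

```powershell
# Added example (not part of the Honeywell guide). Run on the domain controller being checked.
# Requires the ActiveDirectory and DnsServer modules (installed with the AD DS and DNS roles).
Import-Module ActiveDirectory
Import-Module DnsServer

# 3.5.2 / 3.5.3: report the DNS Server role and Global Catalog state of this DC in one object
function Test-LocalDcRoles {
    $dc = Get-ADDomainController -Identity $env:COMPUTERNAME
    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        DnsRoleInstalled = (Get-WindowsFeature -Name DNS).Installed   # the DNS Server role check box
        IsGlobalCatalog  = $dc.IsGlobalCatalog                         # NTDS Settings > Global Catalog
        IsReadOnly       = $dc.IsReadOnly
    }
}

# Build the in-addr.arpa name the New Zone Wizard derives from the Network ID (octets reversed).
# Handles /8, /16 and /24 networks, which is what the wizard's Network ID box expresses.
function Get-ReverseZoneName {
    param([Parameter(Mandatory)][string]$NetworkId)   # e.g. '10.0.1.0/24'
    $network, $prefix = $NetworkId.Split('/')
    $prefix = [int]$prefix
    if ($prefix -notin 8, 16, 24) { throw "Use a /8, /16 or /24 network ID, got: $NetworkId" }
    $octets = $network.Split('.')[0..(($prefix / 8) - 1)]
    [array]::Reverse($octets)
    return ($octets -join '.') + '.in-addr.arpa'     # '10.0.1.0/24' -> '1.0.10.in-addr.arpa'
}

# 3.5.4: create the zone only if it does not already exist (it may have replicated from another DC),
# AD-integrated and replicated to all DNS servers in the domain, accepting secure dynamic updates only.
function Add-ReverseLookupZoneIfMissing {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$NetworkId)
    $zoneName = Get-ReverseZoneName -NetworkId $NetworkId
    $existing = Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "Reverse lookup zone $zoneName already exists; nothing to do"
        return $existing
    }
    if ($PSCmdlet.ShouldProcess($zoneName, 'Add AD-integrated reverse lookup zone')) {
        Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
        return Get-DnsServerZone -Name $zoneName
    }
}

# Usage (placeholder network from the guide's 3.5.5 example):
#   Test-LocalDcRoles
#   Add-ReverseLookupZoneIfMissing -NetworkId '10.0.1.0/24' -Verbose
```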

3.5.5 Adjusting DNS Configuration

This applies to domain controllers hosting DNS.

By default, when setting up a domain controller, the system may automatically configure the local
address as the preferred DNS address.

We recommend following a cross-registration pattern in which the preferred DNS server is another DNS
server and the alternate is the local system. This configuration must be performed manually.

Consider the following example:

• Two domain controllers are hosting DNS:
  o Domain Controller 1 has IP address 10.0.1.3.
  o Domain Controller 2 has IP address 10.0.1.4.
• Domain Controller 1 (10.0.1.3) DNS configuration:
  o Preferred DNS should be 10.0.1.4.
  o Alternate DNS should be 127.0.0.1.
• Domain Controller 2 (10.0.1.4) DNS configuration:
  o Preferred DNS should be 10.0.1.3.
  o Alternate DNS should be 127.0.0.1.

1. Log on to the computer using an administrator account.

2. Open the Network and Sharing Center (right-click the network icon on the taskbar and choose it, or
type its name in Search).

3. On the left-hand side, click Change Adapter Settings. A new window titled Network Connections
opens.

4. Right-click one of your active network connections and choose Properties. The NIC properties
window opens.

5. Click Internet Protocol Version 4 (TCP/IPv4), and then click the Properties button.

6. Fill in the appropriate IP addresses for the Preferred DNS server and Alternate DNS server, then
click OK.

7. Click OK to close the NIC properties window.

8. Close any remaining open windows.
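The cross-registration pattern above applied and audited from PowerShell on a domain controller: the preferred entries are the other DNS-hosting DCs (generalised here to any number of partners, the guide's example having two) and 127.0.0.1 comes last, and a check flags the default the promotion may leave behind, where the DC's own address is preferred. This is an added example, not code from the Honeywell guide; the function names are its own, the interface alias is a placeholder, and the addresses are those of the guide's example.

```powershell
# Added example (not part of the Honeywell guide). Applies and audits the cross-registration
# DNS client pattern on this DC. Interface alias and addresses are placeholders.

# Preferred = the partner DNS-hosting DCs (any number), alternate = loopback, always last.
function Get-CrossRegisteredDnsServers {
    param(
        [Parameter(Mandatory)][string[]]$LocalAddress,     # this DC's own IPv4 address(es)
        [Parameter(Mandatory)][string[]]$PartnerAddress    # the other DNS-hosting DCs
    )
    $partners = $PartnerAddress | Where-Object { $_ -notin $LocalAddress }
    if (-not $partners) { throw 'At least one partner DNS server other than this DC is required' }
    return @($partners) + '127.0.0.1'
}

# Writes the list to the NIC, the PowerShell equivalent of steps 4 to 7 above.
function Set-DcDnsClientCrossRegistration {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$InterfaceAlias,     # e.g. 'Ethernet' (placeholder)
        [Parameter(Mandatory)][string[]]$PartnerAddress
    )
    $local   = @((Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).IPAddress)
    $servers = Get-CrossRegisteredDnsServers -LocalAddress $local -PartnerAddress $PartnerAddress
    if ($PSCmdlet.ShouldProcess($InterfaceAlias, "Set DNS servers to $($servers -join ', ')")) {
        Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $servers
    }
    return $servers
}

# Flags the default the promotion may leave behind: this DC's own address (or loopback)
# as the preferred DNS server, which defeats the cross-registration pattern.
function Test-DcDnsClientCrossRegistration {
    param([Parameter(Mandatory)][string]$InterfaceAlias)
    $local   = @((Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).IPAddress) + '127.0.0.1'
    $servers = @((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses)
    [pscustomobject]@{
        InterfaceAlias  = $InterfaceAlias
        ServerAddresses = $servers
        PreferredIsSelf = ($servers.Count -gt 0 -and $servers[0] -in $local)
        LoopbackIsLast  = ($servers.Count -gt 1 -and $servers[-1] -eq '127.0.0.1')
        Compliant       = ($servers.Count -gt 1 -and $servers[0] -notin $local -and $servers[-1] -eq '127.0.0.1')
    }
}

# Worked example from the text: on Domain Controller 1 (10.0.1.3) the list is 10.0.1.4, 127.0.0.1
#   Get-CrossRegisteredDnsServers -LocalAddress '10.0.1.3' -PartnerAddress '10.0.1.4'
#   Set-DcDnsClientCrossRegistration -InterfaceAlias 'Ethernet' -PartnerAddress '10.0.1.4' -WhatIf
#   Test-DcDnsClientCrossRegistration -InterfaceAlias 'Ethernet'
```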

Chapter 4 Post Installation Tasks

4.1 Configuring Active Directory sites


A default site is always provided. The default site is adequate for simple installations.

4.1.1 Creating a site in Active Directory

To create a site in Active Directory

1. Log on to one of the domain controllers in the domain using an account with administrative privileges.

2. On the taskbar, click Server Manager icon.


The Server Manager dialog box appears.

3. Click Tools > Active Directory Sites and Services.


The Active Directory Sites and Services page appears.

4. In the console tree, right-click Sites, and then click New Site.
The New Object — Site dialog box appears.

5. In the Name box, type the name of the new site.

6. In Link Name list, select the site link object for this site and then click OK.
A dialog box appears indicating that a new site is created in the Active Directory.
Note:
This dialog box does not appear if you delete an old site and then add a new site.

7. Click OK.
The new site name appears under Sites folder in the console tree.

8. In the console tree, right-click the Subnets folder, and then click New Subnet.
The New Object — Subnet dialog box appears.

9. In the Prefix box, type the IPv4 or the IPv6 subnet prefix.

10. In the Select a site object for this prefix list, click the site to be associated with the subnet prefix.

11. Click OK.


This creates a site in Active directory.

4.1.2 Moving domain controllers to sites

To move domain controllers to sites

1. Log on to one of the domain controllers in the domain using an account with administrative
privileges.

2. On the taskbar, click Server Manager icon.


The Server Manager dialog box appears.

3. Click Tools > Active Directory Sites and Services.


The Active Directory Sites and Services page appears.

4. In the console tree, expand the Sites folder and the site in which the server object resides.
By default, a domain controller is added to the site named Default-First-Site-Name.

5. Expand the site Default-First-Site-Name, and then the Servers folder.


The Servers folder displays the domain controllers that are currently configured for that site.

6. Right-click the server object that you want to move, and then click Move.
The Move Server dialog box appears.

7. In the Select the site that should contain this server list, click the site name to which the server
needs to be transferred, and then click OK.
The Active Directory Sites and Services window updates indicating that the server is moved to the site.

4.1.3 Verifying the availability of Global Catalog server in a site

It is recommended that at least one of the domain controllers associated with each site is configured as a
GC server. This accelerates the authentication requests within the site and also helps to avoid cross site
transfers.

To verify the availability of Global Catalog server in a site

1. Log on to one of the domain controllers in the domain using an account with administrative privileges.

2. On the taskbar, click Server Manager icon.


The Server Manager dialog box appears.

3. Click Tools > Active Directory Sites and Services.


The Active Directory Sites and Services page appears.

4. In the console tree, expand Sites folder, and then expand the site object on which the servers reside.

5. Expand the Servers folder, and then expand the server name.
The NTDS Settings item appears under the server name.

6. Right-click the NTDS Settings item, and then click Properties.


The NTDS Settings Properties dialog box appears.

7. Verify that the Global Catalog check box is selected. If not, select the Global Catalog check box, and
then click OK.
The NTDS Settings Properties dialog box closes.

4.1.4 Adjusting replication interval for a site

Changes to the Active Directory information in any of the domain controllers replicates to the other
servers in the domain on a regular basis. The replication also occurs during a system reboot or when
manually initiated. Windows uses a very efficient algorithm to replicate only the information that is
changed so that the network load due to replication is minimal. The default time between replications can
be configured using the Active Directory Sites and Services snap-in as follows.

!Attention
Honeywell recommends that you leave the replication interval at the default settings. However, refer
to the following procedure if you want to make any adjustment to the replication interval for your site.

To adjust replication interval for a site

1. Log on to one of the domain controllers in the domain using an account with administrative privileges.

2. On the taskbar, click Server Manager icon.


The Server Manager dialog box appears.

3. Click Tools > Active Directory Sites and Services.


The Active Directory Sites and Services page appears.

4. In the console tree, expand Inter-Site Transports folder, and then click the IP folder.

5. In the right-pane of the Active Directory Sites and Services window, double-click
DEFAULTIPSITELINK.
The DEFAULTIPSITELINK Properties dialog box appears. The Replicate every box displays the configured
replication time.

6. To change the replication time, in the Replicate every box, type or select the new time in minutes.

!Attention
The minimum replication time is 15 minutes and the maximum replication time is 10080 minutes (168
hours, or 7 days). When the sites are interconnected over high-speed links, it is recommended to
configure the replication interval as 15 minutes. If slow links are used or in cases where the network
traffic is heavy, the replication interval can be increased.

You can also adjust the replication interval as follows:


i. Click Change Schedule.
The Schedule for DEFAULTIPSITELINK dialog box appears. By default, the replication schedule
appears as 24 hours a day, 7 days a week.

ii. To change the default replication interval, adjust the day and time settings using the mouse
pointer.

iii. Click Replication Not Available or Replication Available, as appropriate.

iv. Click OK.

7. Click Apply, and then click OK.


The DEFAULTIPSITELINK Properties dialog box closes.

4.2 Creating Organizational Unit


Prerequisites

Ensure that the Honeywell domain security policy is installed. The Organizational Unit (OU) must be created
after installing the Honeywell domain security policy.

To create an Organizational Unit

1. Log on to the domain controller using an account with administrative privileges.

2. On the taskbar, click Server Manager icon.


The Server Manager dialog box appears.

3. Click Tools > Active Directory Users and Computers.


The Active Directory Users and Computers page appears.

4. In the console tree, expand <domain name>, right-click <domain name>, and then click New >
Organizational Unit.
The New Object — Organizational Unit dialog box appears. Make sure that the protect container check
box is selected; it is selected by default in the New Object — Organizational Unit dialog box.

5. In the Name box, type the name of Organizational Unit.

6. Click OK.

Results
The Organizational Unit is created and it appears in the right pane under the <domain name>.

4.3 Creating Active Directory users and groups

4.3.1 Creating Honeywell Active Directory users

To create Honeywell Active Directory users

1. Log on to the domain controller using an account with administrative privileges.

2. On the taskbar, click Server Manager icon.


The Server Manager dialog box appears.

3. Click Tools > Active Directory Users and Computers.
The Active Directory Users and Computers page appears.

4. In the console tree, expand <domain name>, right-click Users, and then click New > User.
The New Object — User dialog box appears.

5. In the First name box, type the user's first name.

6. In the Initials box, type the user's initials.

7. In the Last name box, type the user's last name.

8. In the Full name box, modify the details to add initials or reverse the order of first and last names.

9. In the User logon box, type the user logon name, click the UPN suffix in the drop-down list, and
then click Next.

10. Type the password in the Password and Confirm Password boxes.

11. Select the password option that conforms to your site standards.

12. Click Next and then click Finish.


The new user account is created in Active Directory Domain Services.

13. To verify if the new user account is created, perform the following steps.

i. In the console tree, under <domain name>, click Users.

ii. In the right-pane, verify if the new user name is displayed in the list of available users and groups.

4.3.2 Creating Active Directory groups


To create Active Directory groups

1. Log on to the domain controller using an account with administrative privileges.

2. On the taskbar, click Server Manager icon.


The Server Manager dialog box appears.

3. Click Tools > Active Directory Users and Computers.


The Active Directory Users and Computers page appears.

4. In the console tree, right-click the folder (Active Directory Users and Computers/domain node/folder)
in which you want to add a group.

5. Click New > Group.


The New Object — Group dialog box appears.

6. Type the Group name.

7. Select Group scope and Group type for the group, as desired.

8. Click OK.

A new group is created and appears in the details pane of the Active Directory Users and Computers
window.

4.3.3 Changing group membership

To change group membership

1. Log on to the domain controller using an account with administrative privileges.

2. On the taskbar, click Server Manager icon.


The Server Manager dialog box appears.

3. Click Tools > Active Directory Users and Computers.


The Active Directory Users and Computers page appears.

4. In the console tree, browse to the folder (Active Directory Users and Computers/domain node/folder)
containing the group that you want to modify.

5. Select the Honeywell Group that you want to modify.

6. In the details pane (right pane), right-click the group, and then click Properties.

7. On the Members tab, click Add.

8. Enter the Honeywell user name, and then click Check Names.


A valid entry will have an underline.

9. Click OK.

10. Repeat steps until the required users are added to the group.

11. Click OK.

For further guidance on managing groups, refer to the following Microsoft documentation.
http://technet.microsoft.com/en-us/library/cc738263(WS.10).aspx
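The following PowerShell script is an added example; it is not part of this Honeywell guide or of the Experion
product. It performs the tasks of sections 4.2 and 4.3 (protected OU, user, security group, group membership)
with the ActiveDirectory module that is installed with the AD DS role. The OU name "Experion", the user "jdoe"
and the group "Experion Operators" are assumed placeholders; replace them with your site's names.

```powershell
# Added example (not from the Honeywell guide): create a protected OU, a user, a
# security group, and add the user to the group with the ActiveDirectory module.
# Run as a domain administrator on a domain controller or an RSAT host.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName            # e.g. DC=example,DC=local
$ouName   = "Experion"                                  # assumption: OU name
$ouDn     = "OU=$ouName,$domainDn"

# OU: -ProtectedFromAccidentalDeletion is the "protect container" check box of the GUI.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# User: the password is read interactively so it never lands in a script file or shell history.
$sam = "jdoe"                                           # assumption: logon name
$upn = "$sam@$((Get-ADDomain).DNSRoot)"                 # UPN suffix = domain DNS name
New-ADUser -Name "Jane Doe" -GivenName "Jane" -Surname "Doe" -SamAccountName $sam `
    -UserPrincipalName $upn -Path $ouDn `
    -AccountPassword (Read-Host -AsSecureString "Password for $sam") `
    -ChangePasswordAtLogon $true -Enabled $true

# Group: global security group, the same "Group scope" / "Group type" choice as in the GUI.
$groupName = "Experion Operators"                       # assumption: group name
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn

# Membership, then read it back (equivalent to the Members tab in the GUI).
Add-ADGroupMember -Identity $groupName -Members $sam
Get-ADGroupMember -Identity $groupName | Select-Object SamAccountName, objectClass
```

Creating the OU with the protection flag set from the start matches the prerequisite above: an OU that can
be deleted by a mis-click takes every account and policy link under it with it.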

4.4 Configuring time synchronization in a domain


After configuring all systems for roles in a domain, any prior time topology becomes invalid due to the
configuration changes. Hence, you must configure a new time topology by considering the domain
and control system requirements; otherwise, the system uses the local clock for the authoritative time
source in the domain.

If possible, you should configure an external time source for the domain. If you do, set the external
time source on the PDC emulator role holder. For more information about configuring an external
time source, refer to the following Microsoft documentation. http://support.microsoft.com/kb/816042

Using "time.windows.com" as an example (the IP address of a local NTP server could also be used), run
the following commands:

1. w32tm.exe /config /manualpeerlist:"time.windows.com" /syncfromflags:manual /reliable:YES /update

2. w32tm.exe /config /update

3. net stop w32time

4. net start w32time

For all other nodes, consider the section “Time synchronization” in the Server and Client Planning
Guide. And refer to the section “Setting up time synchronization” in the Supplementary Installation
Tasks Guide.
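The following PowerShell script is an added example and is not part of this Honeywell guide. It wraps the w32tm
commands above with two checks a practitioner wants: that the host really holds the PDC emulator role before an
external source is configured on it, and that after the restart the time service reports the external peer as its
source rather than the local clock. The peer name time.windows.com is the same placeholder the guide uses; the
ActiveDirectory module is assumed to be available on the domain controller.

```powershell
# Added example (not from the Honeywell guide): configure the PDC emulator as the
# domain's authoritative time source, then verify the result. Run as a domain
# administrator on the domain controller.
$PeerList = "time.windows.com"   # assumption: external NTP peer, replace with your site's NTP server

# 1. Confirm this host holds the PDC emulator role. Configuring an external source on
#    any other DC leaves the domain with two competing time authorities.
$pdc = (Get-ADDomain).PDCEmulator            # FQDN of the PDC emulator
if ($pdc -notlike "$env:COMPUTERNAME.*") {
    throw "This host is not the PDC emulator ($pdc). Configure the external time source there."
}

# 2. The same configuration the guide lists, followed by a service restart and a forced resync.
w32tm.exe /config /manualpeerlist:"$PeerList" /syncfromflags:manual /reliable:YES /update
Restart-Service w32time
w32tm.exe /resync /rediscover

# 3. Verify: the reported source must be the external peer, not "Local CMOS Clock" or "Free-running".
$status = w32tm.exe /query /status
$source = ($status | Where-Object { $_ -like 'Source:*' }) -join ''
Write-Output $source
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "The time service is still using the local clock; check NTP reachability (UDP 123) and the peer list."
}

# 4. Peer detail: an 'Active' state with a recent 'Last Successful Sync Time' means the peer answers.
w32tm.exe /query /peers
```

The "Source:" line is the check worth repeating after any network change: a PDC emulator that silently falls
back to its local CMOS clock still serves time to every member, and Kerberos tolerates only a small skew.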

4.5 Adding workstation/server to Windows domain

4.5.1 Setting the DNS server IP address

To set the DNS server IP address

1. Log on to the stand-alone workstation/Experion server as a local administrator.

2. Click Start > Control Panel > Network > Network and Sharing Center.
The Network and Sharing Center window appears.

3. On the left pane, click Change adapter settings.


The Network Connections window appears.

4. Right-click Ethernet, and then click Properties.


If Honeywell FTE adapter #1 is enabled, then right-click the FTE adapter #1 and then click Properties.
The Ethernet Properties dialog box appears.

5. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.


The Internet Protocols (TCP/IP) Properties dialog box appears.

6. Click Use the following DNS server addresses.

7. In Preferred DNS server and Alternate DNS server box, type the preferred DNS server IP address
and the alternate DNS server IP address of the domain controller.

8. Click OK.
The Local Area Connection Properties dialog box closes.

4.5.2 Adding a node to a Windows domain

!Attention
While adding a node to a domain, you must not change the computer name and the domain at the same time.

!Attention
To join the domain, the client machine (server or desktop) must have DNS resolution to the
domain. This may require editing the network card properties and configuring primary and
alternative DNS server addresses. These should be the addresses of the domain controllers on a
domain running Active Directory-integrated DNS.

1. Log on to the client node as a local administrator.

2. Perform one of the following:

Operating System: Windows 7
1. Click Start > Control Panel.
2. In the View by list, click Small icons.
3. Click System.
4. Under the Computer name, Domain, and Workgroup Settings area, click Change Settings.
5. Click Continue in the User Account Control dialog box, if prompted.
The System Properties dialog box appears.

Operating System: Windows Server 2008
1. Click Start > Control Panel.
2. Select Classic View, if not selected.
3. Double-click System.
4. Under the Computer name, Domain, and Workgroup Settings area, click Change Settings.
5. Click Continue in the User Account Control dialog box, if prompted.
The System Properties dialog box appears.

Operating System: Windows Server 2012
1. On the taskbar, click the Server Manager icon.
The Server Manager dialog box appears.
2. In the left pane, click Local Server.
The Local Server page appears.
3. In the PROPERTIES field, click the text against Workgroup.
The System Properties dialog box appears.

Operating System: Windows 10
1. Click Start > Settings, and then in the left pane select About.
2. Select Connect to work or school.
3. Click Connect.
4. Under Alternate Actions, click "Join this device to a local Active Directory Domain".
5. Type the domain name in the Join a Domain box.
6. Type the user name and password of a domain administrator account, and then click OK.
7. You can skip adding any accounts.
8. Skip to step 10 below.

Operating System: Windows Server 2016
1. On the taskbar, click the Server Manager icon.
The Server Manager dialog box appears.
2. In the left pane, click Local Server.
The Local Server page appears.
3. In the PROPERTIES field, click the text against Workgroup.
The System Properties dialog box appears.

3. Click Change.

4. Under Member of area, click the Domain option button, and then type the domain name.

5. Click OK.

6. Type the user name and password of a domain administrator account, and then click OK.

7. In the Welcome dialog box, click OK.

8. In the You must restart… dialog box, click OK.

9. In the System Properties dialog box, click Close.

10. Click Restart Now.


The computer restarts.
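The following PowerShell script is an added example and is not part of this Honeywell guide. It performs sections
4.5.1 and 4.5.2 from the command line on Windows 8/Windows Server 2012 or later (the DnsClient cmdlets it uses do
not exist on Windows 7 or Server 2008): it sets the preferred and alternate DNS servers, confirms that the domain's
DC locator record resolves before attempting the join (the failure mode the Attention note above describes), and
then joins without renaming the computer. The domain name, DNS server addresses and adapter name are assumed
placeholders.

```powershell
# Added example (not from the Honeywell guide): point the client at the domain
# controllers' DNS, confirm the domain's locator records resolve, then join.
# Run elevated as a local administrator on the workstation or Experion server.
$Domain     = "example.local"                       # assumption: AD domain DNS name
$DnsServers = @("10.0.0.10", "10.0.0.11")           # assumption: DC addresses running AD-integrated DNS
$Adapter    = "Ethernet"                            # per the guide, use "FTE adapter #1" when Honeywell FTE is enabled

# 1. Preferred/alternate DNS server, the same setting as the TCP/IPv4 Properties dialog.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DnsServers

# 2. A domain join needs the DC locator SRV record. Failing here is a DNS problem,
#    not a credential problem, so check it before prompting for a password.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' }
if (-not $dcs) { throw "No DC locator records for $Domain; check the DNS server addresses on $Adapter." }
$dcs | Select-Object NameTarget, Port                # the DCs this client will be able to find

# 3. Join without renaming (the guide warns against changing name and domain in one step).
#    Credentials are prompted, never embedded in the script.
$cred = Get-Credential -Message "Domain account allowed to join computers to $Domain"
Add-Computer -DomainName $Domain -Credential $cred -Restart
```

The SRV lookup is the quick discriminator when a join fails: if it returns nothing, the adapter is still pointing at
a DNS server that does not host the Active Directory zone, and no amount of retrying the credentials will help.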

4.5.3 Viewing the workstation/server added to a domain

To view the workstation/server added to a domain on a Domain Controller

1. On the taskbar, click Server Manager icon.


The Server Manager dialog box appears.

2. Click Tools > Active Directory Users and Computers.


The Active Directory Users and Computers page appears.

3. In the console tree, expand <domain name> and then click Computers folder.
The details pane on the right side of the window displays the computer accounts available in the domain. The
computer account uniquely identifies the computer added to the domain. The Windows computer account
matches the name of the computer joining the domain.

4. Verify if the name of the workstation/server that you have added appears in the available list of
computer accounts.
!Attention
All new computers that are added to the domain are assigned to the Computers container. Once
the computer is added to the domain, it can be moved to another OU.

4.6 Configuring time synchronization on the workstations/servers added to a Windows domain

If your Experion system is integrated with a Windows domain, it is recommended that you use the
domain controller as the time source for all the clients within the domain. The Experion server should
be configured as the NTP server which receives time from the domain controller. Though Flex
Stations and Console Stations are set up as NTP clients, they receive time from the domain controller
rather than the Experion servers.

The Experion servers configured as NTP servers serve time to the control hardware. This is because
domain controllers are typically not on a network that is accessible to Experion. The controllers within
the process control should be configured to get their time from an Experion server that has been set
up as an NTP server acting as a secondary NTP server.

Prerequisites

Before setting up time synchronization, read the section “ Time synchronization” in the Server and
Client Planning Guide.

Tasks to be performed for configuring time synchronization on the workstations/servers added to the
Windows domain

Guideline: Configure the primary Experion server as the secondary NTP server.
Honeywell recommendation: see "Adjusting NTP servers" in the Supplementary Installation Tasks Guide.

Guideline: Configure the secondary Experion server and other Experion clients as NTP clients.
Honeywell recommendation: see "Adjusting NTP clients" in the Supplementary Installation Tasks Guide.

Guideline: Configure control hardware to receive time from the secondary NTP server.
Honeywell recommendation: see "Setting up control hardware to receive time from an NTP server in a
Windows domain" in the Supplementary Installation Tasks Guide.

Chapter 5 Honeywell Experion PKS Software Support for Domain Controllers

Refer to the latest Software Installation User's Guide for installing the Honeywell Domain Controller package.

When installing software on Domain Controllers, it is best practice to do one at a time. Restarts will be
necessary, which will affect the controller’s ability to perform authentication and other duties.

5.1 Initiating Setup


If using DVD/USB, insert the media (Installation Disk 1).

Using Explorer, go to the drive and run Setup.exe from its root.

If using ESIS:

1. Open Explorer. In the navigation bar, type \\ESIS Server Name\R500 Share Name

2. Double-click Setup.exe. Answer Yes to the User Account Control dialog.

3. Change Option to “Product Install Only”.

4. Enter UserName and Password.

5. Click Next.

5.2 Domain Controller Policies


1. Click Setup to install domain policies on the domain controller.

2. On the first Domain Controller in the Domain, select Yes.


It is unnecessary to install more than once as the policies are added to the Domain, so for each
additional Domain Controller, select No.
If you selected Yes:

3. Click Next.

4. If you agree, change Option to “I accept…” and click Next.

5. Enter the password for the DcsComServer account that will be created in the Domain.

6. Click Next.

7. Click Install.

8. Package will install.

9. When it completes, click Finish.

5.3 .Net Framework


1. Run the Honeywell security model - domain controller.msi.

If not installed earlier, you must click Yes to install the .Net Framework components used to
support the optional components.

5.4 Experion Optional Features
1. If .Net is already installed, the Optional Features selection page (the Setup type of Node to install
page) appears directly, as shown below.

2. In the Setup type of Node to install page, click Optional Features, then click Next.
The User and License Information page appears.

3. In the User and License Information page, type the Name and Company, and then click Next.
The Feature and Options Selection page appears.

4. In the Feature and Options Selection page, select the Optional Features you wish to install,
and then click Next.
The Security Password Entry page appears.

5. In the Security Password Entry page, type the password, and then click Next.
The Summary page appears.

Note:
The Summary screen will vary based on options selected in step 3.

6. Review Options and click Install.


The installation progress page appears.

Installation will proceed.

7. Depending on the options selected, it may be necessary to log in to continue the install after the
necessary restarts (reboots) are performed, as indicated by the Status Panel. Click OK to proceed with
the restart.

Note:
Make sure you log back in with the same account with which you started the install, as instructed by
the message.

8. Click OK to finish, then Shutdown and Restart the system.

Chapter 6 Preparing the domain for migration

6.1 Recording the current domain controller configuration information


The first stage in planning a migration is understanding the current domain controller
configuration. Before starting the migration, you must record all the important details about the
current domain controller configuration in the following attached Excel worksheet.

Migration planning worksheet

Table 2 Migration planning worksheet sample

The following table provides you an understanding about the information that you need to
capture. However, you must use the attached Excel worksheet to record the information
mentioned in the table.

Basic information
• Domain name
• Domain operation mode

Authentication objects
Record the information about each user account and the groups of which the accounts are members. Even
though this information automatically migrates to the new server, as a best practice it is recommended to capture
this information. After migration, you can use this information to check whether the migration completed
successfully.
• User accounts
• Groups

Flexible Single Master Operation (FSMO) roles
Record the details about the domain controllers which hold each of the FSMO roles in the current domain.
Columns: FSMO role | Current site and owner | Destination site and owner
• Schema master
• Domain naming master
• Domain Functional level
• Forests Functional level
• Infrastructure master
• Relative ID (RID) master
• PDC emulator

Domain controller networking information
For each domain controller that is being migrated, capture the following details, which can be used for setting up
the network connections during and after the migration.
• Subnet mask
• Domain controller 1 of type peer or RODC
• Domain controller name
• IP address
• Is a GC server (yes or no)
• Is a DNS server (yes or no)
• Preferred DNS
• Alternate DNS
• Path for AD database
• Path for log files

6.2 Inventorying the current domain controller configuration

6.2.1 Installing Windows Support Tools on Windows Server 2003 domain controllers

The process of inventorying the current domain controller configuration utilizes several command line
utilities provided by Microsoft known as Windows Support Tools. On Windows Server 2003, the Windows
Support Tools are not installed along with the operating system. You must install them separately from
the Windows operating system CD of the version that is currently installed on the domain controller.

To install Windows Support Tools

1. Log on to the domain controller using a Windows account with local administrator rights.

2. Insert the Windows Server 2003 CD into the CD/DVD drive.

3. Browse the contents of the CD and navigate to the folder \Support\Tools.

4. Double-click SupTools.msi.
The Windows Support Tools Setup Wizard appears.

5. Click Next.
The End User License Agreement page appears.

6. In the End User License Agreement page, click I Agree, and then Next.
The User Information page appears.

7. In the User Information page, fill in/verify Name and Organization details and then click Next.
The Destination Directory page appears.

8. In the Destination Directory page, click Install Now.
The Installation Progress page appears.

9. Once the installation is done, the Completing the Windows Support Tools Setup Wizard page
appears.

10. Click Finish.

6.2.2 Identifying the domain controllers holding the FSMO roles

To identify the domain controllers holding the FSMO roles

1. Open the Windows Support Tools Command Prompt.

2. Type the following command and then press ENTER.

netdom query /domain:%userdnsdomain% fsmo

or, for the current system's domain, simply:

netdom query fsmo

!Attention
You can also use the domain name in place of %userdnsdomain%.

The Command Prompt lists the FSMO roles available and the name of the domain controller that
holds the respective FSMO role.

3. Record the information about the domain controllers and the FSMO roles they hold in the worksheet
described in Recording the current domain controller configuration information.

6.2.3 Identifying GC servers configured in the domain


If you have configured GC servers in your domain, before starting the migration you must
identify the domain controllers that are hosting the GC server role. To identify the GC servers,
you must perform this task on one of the domain controllers in the domain.

To identify the GC servers in a domain

1. Log on to the domain controller using an account with administrative privileges.

2. Perform one of the following:

Windows Server 2003, 2003 R2, 2008, 2008 R2:
Click Start > All Programs > Administrative Tools > Active Directory Sites and Services.

Windows Server 2012, 2012 R2:
• On the taskbar, click the Server Manager icon.
The Server Manager dialog box appears.
• Click Tools > Active Directory Sites and Services.

The Active Directory Sites and Services window appears.

3. In the console tree, expand Sites folder, and then expand the site object on which the servers reside.

4. Expand the Servers folder, and then expand the server name.
The NTDS Settings item appears under the server name.

5. Right-click the NTDS Settings item, and then click Properties.
The NTDS Settings Properties dialog box appears.

6. Verify that the Global Catalog check box is selected. If not, select the Global Catalog check box, and
then click OK.
The NTDS Settings Properties dialog box closes.

7. Repeat steps 5 through 6 for each available server under the site object.

8. Record the details about the domain controllers configured as GC servers in the worksheet described in
Recording the current domain controller configuration information.

6.2.4 Identifying DNS servers configured in the domain

If you have configured DNS servers in your domain, before starting the migration you must identify the
domain controllers that are hosting the DNS server role. To identify the DNS servers, you must perform
this task on each domain controller in the domain.

Choose a Domain Controller where you have the DNS role installed. Locate the DNS Manager tool
that was installed on the server.

Windows Server 2003, 2003 R2, 2008, 2008 R2:
Click Start > All Programs > Administrative Tools > DNS Manager.

Windows Server 2012, 2012 R2:
• On the taskbar, click the Server Manager icon.
The Server Manager dialog box appears.
• Click Tools > DNS.

1. Expand the Server Name under DNS on the left hand side. Expand Forward Lookup Zones, click
on your domain name. (idea.local in example below)

2. Locate Name Server (NS) records on the right hand side.
Note:
Any server hosting DNS should have an NS record listed here.

Double-clicking an NS record and opening its properties also lists all the Name Servers.

6.2.5 Identifying the domain operation mode

To identify the domain operation mode

1. Perform one of the following:

Windows Server 2003, 2003 R2, 2008, 2008 R2:
Click Start > All Programs > Administrative Tools > Active Directory Domains and Trusts.

Windows Server 2012, 2012 R2:
• On the taskbar, click the Server Manager icon.
The Server Manager dialog box appears.
• Click Tools > Active Directory Domains and Trusts.

The Active Directory Domains and Trusts window appears.

2. In the console tree, right-click the domain name, and then click Properties.
The domain Properties dialog box appears.

The Domain functional level displays the operation mode currently configured for the
domain controller.

3. Record the information about the current domain operation mode in the worksheet described in
Recording the current domain controller configuration information.
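The following PowerShell script is an added example and is not part of this Honeywell guide. It collects in one pass
the details that sections 6.2.2 to 6.2.5 gather by hand (FSMO role holders, functional levels, GC servers, DNS
servers from the zone's NS records, and per-controller networking data) and writes them in the column names of the
migration planning worksheet. It assumes the ActiveDirectory module and DNS resolution of the domain from the
host it runs on; the output path dc-inventory.csv is an assumed placeholder.

```powershell
# Added example (not from the Honeywell guide): collect the migration-planning
# details from sections 6.2.2 to 6.2.5 and write them to a CSV for the worksheet.
# Run as a domain administrator on a domain controller or an RSAT host.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# FSMO roles and functional levels (6.2.2 / 6.2.5): domain-wide roles come from
# Get-ADDomain, forest-wide roles from Get-ADForest.
$roles = [ordered]@{
    'Schema master'           = $forest.SchemaMaster
    'Domain naming master'    = $forest.DomainNamingMaster
    'Infrastructure master'   = $domain.InfrastructureMaster
    'RID master'              = $domain.RIDMaster
    'PDC emulator'            = $domain.PDCEmulator
    'Domain functional level' = $domain.DomainMode
    'Forest functional level' = $forest.ForestMode
}
$roles.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }

# DNS servers (6.2.4): the NS records of the domain zone name every server hosting it,
# the same records the guide has you read in DNS Manager.
$nsHosts = (Resolve-DnsName -Name $domain.DNSRoot -Type NS | Where-Object Type -eq 'NS').NameHost

# Per-controller GC role and networking (6.2.3 and "Domain controller networking information").
$inventory = Get-ADDomainController -Filter * | ForEach-Object {
    $isDns = ($nsHosts -contains $_.HostName) -or ($nsHosts -contains "$($_.HostName).")
    [pscustomobject]@{
        'Domain controller name' = $_.HostName
        'Type'                   = if ($_.IsReadOnly) { 'RODC' } else { 'peer' }
        'Site'                   = $_.Site
        'IP address'             = $_.IPv4Address
        'Is a GC server'         = if ($_.IsGlobalCatalog) { 'yes' } else { 'no' }
        'Is a DNS server'        = if ($isDns) { 'yes' } else { 'no' }
        'Operating system'       = $_.OperatingSystem
    }
}
$inventory | Format-Table -AutoSize
$inventory | Export-Csv -Path ".\dc-inventory.csv" -NoTypeInformation   # assumption: output path
```

Run it once before the migration and once after; a diff of the two CSV files is a direct check that every role, GC
and DNS holder was transferred to the intended destination recorded in the worksheet.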

6.3 Verifying domain controller readiness for migration

6.3.1 Verifying domain health

Run the Network Diagnostics (NetDiag) utility

NetDiag is a command-line diagnostic utility that is used for diagnosing any network connectivity
problems prior to starting the migration. NetDiag utility performs a series of tests to determine the state of
the network. Running this utility helps to identify and isolate any network connectivity problems that might
occur during migration.

Prerequisites

• Adjust the screen buffer size of Command Prompt.

The NetDiag utility test output displayed in Command Prompt can be enormous and hence it is
recommended to adjust the screen buffer size of the Command Prompt. To adjust the screen buffer
size,

1. Open Command Prompt, click the upper-left icon on the title bar, and then click Properties.

2. Click the Layout tab and set the following under Screen Buffer Size area.
– In the Width box, type or select 200.
– In the Height box, type or select 3000.

3. Click OK.

To run the Network Diagnostics (NetDiag) utility

1. At the Command Prompt, type NETDIAG, and then press ENTER.

The NETDIAG output displays the details about the system, including the hotfixes that are installed. After
the system details, the output also displays the status of the tests performed by this utility. The results
are reported as follows.
• Passed — indicates that the test completed successfully
• Skipped — indicates that the test was skipped as it is not relevant to the configuration
• Failed — indicates that issues are reported

Any test that failed or reported errors should be analyzed before proceeding further.

2. If required, run the command DCDiag /fix, to resolve the issues which are reported.

Run the Domain Controller Diagnostics (DCDiag) utility

DCDiag is a command-line diagnostic utility that is used for analyzing the performance of one or all of
the domain controllers in an Active Directory forest and identifies any problems to assist in
troubleshooting. DCDiag consists of many tests that can be run individually or as part of a suite to
verify the domain controller health. The DCDiag utility is installed as part of the Windows 2000 Support
Tools installation.

To run the DCDiag utility

1. Open Command Prompt, type DCDIAG and then press ENTER.


The DCDIAG utility displays a summary of the test results, for each domain controller tested. It also reports any
issues encountered.

2. If required, run the command DCDiag /fix, to resolve the issues which are reported.
!Attention:
For further information about the DCDiag utility or if you have any setup problem while executing the
DCDiag utility, contact your nearest Honeywell TAC representative.
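The following PowerShell script is an added example and is not part of this Honeywell guide. It runs the DCDiag
check of section 6.3.1 against every domain controller in the domain rather than only the local one, reduces the
output to the list of failing tests per controller, and adds a replication summary, which is the other health
signal worth reading before a controller is demoted or replaced. It assumes the ActiveDirectory module and that
dcdiag.exe and repadmin.exe are on the path (both ship with the AD DS tools on Server 2008 and later).

```powershell
# Added example (not from the Honeywell guide): run DCDiag against every domain
# controller and summarise failing tests. Run as a domain administrator.
Import-Module ActiveDirectory

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # /s targets one DC; /q prints only errors. Output is captured as a single string.
    $out = & dcdiag.exe /s:$($dc.HostName) /q 2>&1 | Out-String
    # Failure lines have the form "......................... DC1 failed test Advertising".
    $failed = [regex]::Matches($out, 'failed test (\w+)') |
              ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
    [pscustomobject]@{
        DomainController = $dc.HostName
        FailedTests      = ($failed -join ', ')
        Healthy          = ($failed.Count -eq 0)
    }
}
$results | Format-Table -AutoSize

# Replication lag is the second readiness check: a DC with replication failures may be
# demoted or promoted against stale directory data.
repadmin.exe /replsummary

if ($results | Where-Object { -not $_.Healthy }) {
    Write-Warning "One or more DCs report DCDiag failures; resolve them (see 'DCDiag /fix' above) before migrating."
}
```

Keep the captured DCDiag text from this run with the planning worksheet: after the migration the same script gives a
like-for-like comparison, which is a more reliable pass/fail than reading the verbose output by eye.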

6.3.2 Ensuring availability of multiple domain controllers

As a best practice, it is recommended to have at least two domain controllers in a domain, which operate
as peers to each other in providing the Active Directory information. An advantage of having multiple
domain controllers in a domain is that the domain controllers can be migrated with minimal impact to the
domain members. When migrating one of the domain controllers in a domain, you can transfer the
functions that it provides to a peer domain controller to prevent disruption of operations during migration.

In a domain consisting of only a single domain controller, you must add a temporary peer domain
controller to enable the migration. The temporary peer should be configured with a unique name and IP
address, so that it does not conflict with the name or IP address of the domain controller being migrated.
In addition, while setting up a temporary peer, you should also configure it as a GC server and a DNS
server.

The server operating system for the temporary peer can either be the same version installed on the
current domain controllers in the domain or can be installed with the latest supported operating system.
!Attention:
If the temporary peer domain controller is installed with the latest version of the Windows Server
operating system, you must prepare the schema by running the adprep utility before promoting it to a
domain controller.

After completing the migration of the original domain controller, if you do not want to retain the
temporary peer domain controller in the domain, demote the temporary peer domain controller and then
remove it from the domain. However, since the best practice is to always have a minimum of two domain
controllers in a domain, it is recommended to retain the temporary peer domain controller in the domain
even after migrating the original domain controller.

6.3.3 Ensuring availability of multiple DNS servers
!Attention
You can ensure the availability of multiple DNS servers only if you have multiple domain controllers.

Before starting the migration of domain controllers, it is important to ensure that there are multiple DNS
servers configured in the domain. You can configure one or more of the domain controllers in the domain
as the DNS servers. If there is only one domain controller configured as the DNS server, you must
configure one of the peer domain controllers in the domain as the alternate DNS server.

In addition, ensure that the IP address for the DNS servers, configured on the domain controllers in the
domain are accurate.

6.4 Preparing the Active Directory

6.4.1 Evaluating the functional level of the domain

Prior to starting the migration, you should review the functional level of the Domain (you may need to
raise it to support new clients). Post migration, you should review it again to see whether you have met
the requirements to raise the level (to support new or enhanced capabilities).

Functional levels determine the Domain and Forest capabilities, but are limited by the operating systems
that are hosting it. You can only raise the level to that of the lowest operating system version currently
in use as a domain controller. Only once all Domain Controllers are upgraded to a higher level can the
functional level be raised.

The host requirement typically only affects Domain Controllers, but the capabilities may affect the clients
that can be added to the domain as well.

The advanced capabilities of Windows 10 and Server 2016 require that the Domain they are added to (as
clients) must be at a functional level of Windows Server 2003 or higher.

Minimum Domain Functional Level: Microsoft Windows Server 2003 (see Note 1)

Supported Domain Functional Levels with Windows Server 2016:
• Windows Server 2003 (see Note 1)
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016

Note 1
This operating system is End of Life (EOL) and is only supported for Migration purposes. Customer
should decommission any Windows 2003 Servers and raise the functional level when completed.

6.4.2 Upgrading existing Domain Controllers to Windows Server 2016

Refer to the table below for the operating system upgrade options for existing domain controllers.

    Starting from                 Path to 2016
    ----------------------------  --------------------------------------------------------------------
    Windows Server 2003 (or R2)   New install/replacement required (Note A)
    Windows Server 2008           New install/replacement required (Note A)
    Windows Server 2008 R2        Direct upgrade first to 2012 R2, then direct upgrade from 2012 R2
                                  to 2016 (Notes B, C, D); or new install/replacement
    Windows Server 2012           Direct upgrade to 2016 (Notes B, C, D); or new install/replacement
    Windows Server 2012 R2        Direct upgrade to 2016 (Notes B, C, D); or new install/replacement

Notes:
A – Starting OS is 32-bit based, target OS is 64-bit; the OS cannot be direct-upgraded.
B – Hardware/host platform needs to be checked to see if it supports the new OS.
C – Any third-party software needs to be checked to see if it supports the upgrade.
D – Microsoft recommends clean installs for domain controllers.

6.4.3 Raising the functional level of the domain

If the current domain operation mode, determined during the domain inventorying task (as described in the section "Identifying the domain operation mode") and recorded under "Recording the current domain controller configuration information", is not at the required minimum or a supported level (as documented in "Evaluating the functional level of the domain"), raise it after upgrading the operating system of the domain controllers. See Note 1 in that section: Windows Server 2003 is End of Life (EOL) and is only supported for migration purposes; customers should decommission any Windows Server 2003 servers and raise the functional level when finished.

To raise the functional level of the domain

1. Log on to the domain controller.

2. Perform one of the following:

    Operating System                              Steps
    --------------------------------------------  ----------------------------------------------------------
    Windows Server 2003, 2003 R2, 2008, 2008 R2   Click Start > All Programs > Administrative Tools >
                                                  Active Directory Domains and Trusts.
    Windows Server 2012, 2012 R2, 2016            On the taskbar, click the Server Manager icon.
                                                  The Server Manager window appears.
                                                  Click Tools > Active Directory Domains and Trusts.

The Active Directory Domains and Trusts window appears.

3. In the console tree, right-click the domain name, and then click Raise Domain Functional Level.
The Raise Domain Functional Level dialog box appears. The dialog box displays the current domain functional
level and provides a list of available domain functional levels.

!Attention
If the domain functional level is already at the appropriate level, a dialog box appears indicating that it is already set to the highest available level. Close the dialog box and then close the Active Directory Domains and Trusts window. Skip the rest of the steps in this procedure and proceed to the next migration task, "Expanding the Active Directory schema".

4. In the Select an available domain functional level list, click the required functional level, and then
click Raise.

5. A warning message appears indicating that changing the domain functional level affects the entire
domain and that this action cannot be reversed.

6. Click OK to close the dialog box.

7. When the domain functional level is raised, a confirmation message appears indicating that the level
is raised and that the new level replicates to each domain controller in the domain.

8. Click OK to close the confirmation dialog box.

9. Close the Active Directory Domains and Trusts window.

!Attention
While attempting to raise the functional level of the domain, the raise operation can fail if Active Directory is busy. In that case, repeat this procedure until the functional level is raised successfully.



6.4.4 Expanding the Active Directory schema

With Microsoft Windows Server 2016, the schema updates are run automatically when the first Windows Server 2016 domain controller is added to the domain (by the Active Directory Domain Services Configuration Wizard, using the credentials supplied on its Deployment Configuration page; that account must be a member of the Schema Admins and Enterprise Admins groups). It is no longer necessary to run Adprep as a manual procedure beforehand.

6.5 Joining a Server 2016 Domain Controller to replace an existing Controller

In cases where an existing Windows Server 2003 or 2008 domain controller must be replaced with a new Windows Server 2016 system, follow this flow:

• 6.5.1, Remove the DNS Role (if configured)
• 6.5.2, Installing New Windows Server 2016 Domain Controller
• 6.5.3, Promote and Join Existing Domain
• 6.5.4, Transfer roles and functions from Old DC to New DC
• 6.5.5, Decommission Old DC
• 6.5.6, Raising Functional Levels
• 6.5.7, FRS to DFS Migration

Note: Repeat this procedure as many times as necessary until all old controllers have been replaced. Sections 6.5.6 and 6.5.7 are performed once, after the last old controller has been replaced.

6.5.1 Remove the DNS Role (if configured)

!Attention
Step i (Remove Active Directory Services) demotes the old domain controller. Perform it only after the new Windows Server 2016 domain controller has been promoted (6.5.3), has taken over the operations master roles (6.5.4) and the old controller's Global Catalog has been removed (6.5.5); the old controller must still be running for those sections.

a. For Windows Server 2003

1. Run Manage Your Server.

2. Click Add or Remove a Role.
The Configure Your Server Wizard with the Preliminary Steps page appears.

3. Click Next.
The Server Role page appears.

4. In the Server Role page, select DNS Server and then click Next.
The Role Removal Confirmation page appears.

5. In the Role Removal Confirmation page, check the box Remove DNS Server Role and then click Next.
The DNS Server Role Removed page appears, stating successful removal of the DNS Server role.

6. Click Finish.

b. For Windows Server 2008

1. Run Server Manager.

2. Click Remove Roles.
The Remove Roles Wizard with the Before You Begin page appears.

3. Click Next.
The Server Roles page appears.

4. In the Server Roles page, clear the DNS Server check box and then click Next.
The Confirmation page appears.

5. In the Confirmation page, review the messages and click Remove.
The Removal Results page appears, stating successful removal of the DNS Server role.

6. Click Close.
The Remove Roles Wizard dialog asks whether to restart now.

7. Click Yes.

8. After logging back in, the completion dialog appears.

9. Click Close.

c. On a newer domain controller with the DNS role, run DNS Manager (Server Manager > Tools > DNS).

d. Open your domain's forward lookup zone (double-click idealab.local in the example).

e. Double-click any Name Server (NS) record.

f. Highlight the DNS server just removed and then click Remove.

g. Click Apply, and then click OK.

h. The name server has now been removed.

i. Remove Active Directory Services.

1. (On 2003) Run Manage Your Server.

2. Click Add or remove a role.
The Configure Your Server Wizard with the Preliminary Steps page appears.

3. Click Next.
The Server Role page appears.

4. In the Server Role page, highlight Domain Controller (Active Directory) and then click Next.
The Role Removal Confirmation page appears.

5. In the Role Removal Confirmation page, check the box Remove Active Directory Role, and then click Next.
The Active Directory Installation Wizard appears.

6. Click Next.
The Remove Active Directory page appears.

7. Leave the check box "This server is the last domain controller in the domain" cleared (selecting it deletes the domain itself), and click Next.
The Administrator Password page appears.

8. In the Administrator Password page, enter a password for the local Administrator account that the server will have once it is no longer a domain controller, and then click Next.
The Summary page appears.

9. Click Next.
The wizard starts removing Active Directory.

10. After the wizard completes, the Completed message appears.

11. Click Finish.
A popup window appears directing you to restart Windows.

12. Click Restart Now.

13. After the restart, log back on to the system.
The Domain Controller Role Removed page appears.

14. Click Finish.

15. The old domain controller can now be permanently shut down.

16. Clean up the system from the domain.

a. On an existing domain controller, run Active Directory Users and Computers.

b. Click Computers.

c. Right-click the computer name on the right side and choose Delete.
A popup window appears to confirm the deletion. Click Yes.

d. On an existing domain controller, run Active Directory Sites and Services.

e. Expand Sites, Default-First-Site-Name, and click Servers.

f. Right-click the server name and choose Delete.
A popup window appears to confirm the deletion. Click Yes.

g. The servers now listed should only be active ones.
The application can be closed.
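A check a practitioner would want after the cleanup steps above, added here as an example and not part of the Honeywell guide: it confirms that nothing in Active Directory or DNS still refers to the controller that was just demoted. The name PE2850-DC1 is the example name used in this guide's screenshots; the script assumes the ActiveDirectory and DnsServer modules on the new 2016 domain controller that also runs DNS.

```powershell
# Added example, not from the Honeywell guide.
# Report any leftover references to a demoted domain controller.
Import-Module ActiveDirectory
Import-Module DnsServer

$oldDc    = 'PE2850-DC1'                          # example name from the guide; replace with yours
$domain   = Get-ADDomain
$forest   = Get-ADForest
$configNc = (Get-ADRootDSE).configurationNamingContext
$problems = @()

# 1. Still registered as a domain controller?
if (Get-ADDomainController -Filter "Name -eq '$oldDc'") {
    $problems += 'still registered as a domain controller'
}

# 2. Server object under Sites (what the Sites and Services delete removes)
$siteServer = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$oldDc))" -SearchBase "CN=Sites,$configNc"
if ($siteServer) { $problems += "server object remains: $($siteServer.DistinguishedName)" }

# 3. Computer account left in the Domain Controllers OU or the Computers container
$computer = Get-ADComputer -LDAPFilter "(cn=$oldDc)"
if ($computer) { $problems += "computer object remains: $($computer.DistinguishedName)" }

# 4. NS records in the forward lookup zone that still name the old server
$ns = Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -RRType NS |
      Where-Object { $_.RecordData.NameServer -like "$oldDc.*" }
if ($ns) { $problems += "NS record(s) still point to $(($ns | ForEach-Object { $_.RecordData.NameServer }) -join ', ')" }

# 5. No operations master role may still be assigned to a machine that no longer exists
$holders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
             $forest.SchemaMaster, $forest.DomainNamingMaster)
if ($holders -match "^$oldDc\.") { $problems += "operations master role(s) still assigned to $oldDc" }

if ($problems) { $problems | ForEach-Object { Write-Warning "$oldDc : $_" } }
else           { Write-Output "$oldDc : no leftover references found" }
```

Any warning from items 1 to 3 means the metadata cleanup described in step 16 is incomplete; a warning from item 5 means the role transfer in 6.5.4 was not done and the role must now be seized rather than transferred.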

6.5.2 Installing New Windows Server 2016 Domain Controller

1. Prerequisite step: install Windows Server 2016.

a. Rename the computer, assign the IP address and perform the other localization/tailoring steps.

b. The system is assumed to be temporarily in a workgroup at this stage.

2. Add the existing DNS configuration to the system: in the network adapter's TCP/IP settings, set the preferred DNS server to an existing domain DNS server, so that the new server can locate the domain when it is promoted.

3. In Server Manager, click Add Roles and Features.
The Add Roles and Features Wizard with the Before You Begin page appears.

4. Click Next.
The Installation Type page appears.

5. Click Next.
The Server Selection page appears.

6. Click Next.
The Server Roles page appears.

7. In the Server Roles page, select the Active Directory Domain Services role.
The "Add features that are required for Active Directory Domain Services?" popup window appears.

8. In that popup window, select the Include management tools (if applicable) option and then click Add Features.
The Add Roles and Features Wizard returns to the Server Roles page.

9. Select DNS Server.
The "Add features that are required for DNS Server?" popup window appears.

10. In that popup window, select the Include management tools (if applicable) option and then click Add Features.
The Add Roles and Features Wizard returns to the Server Roles page.

11. Click Next.
The Features page appears.

12. Click Next.
The AD DS page appears.

13. Click Next.
The DNS Server page appears.

14. Click Next.
The Confirmation page appears.

15. Click Install.
The Results page appears with installation progress details.

16. Either wait for the installation to finish or click Close; the installation continues in the background.

17. Verify that the installation succeeded and click Close.

6.5.3 Promote and Join Existing Domain

1. Return to Server Manager, click the Notifications flag and then click Promote this server to a domain controller.
The Active Directory Domain Services Configuration Wizard window with the Deployment Configuration page appears.

2. In the Deployment Configuration page, select Add a domain controller to an existing domain, enter the domain name, click Change to supply the credentials of a domain administrator account, and then click Next. For the first Windows Server 2016 domain controller in the forest the account must also be a member of Schema Admins and Enterprise Admins, because the wizard extends the schema (see 6.4.4).
The Domain Controller Options page appears, with an "A domain controller running…" message.
Note: This message concerns the Read-only domain controller (RODC) option, which is available only in domains that already contain a Windows Server 2008 or later domain controller. It can be ignored.

3. Keep DNS server and Global Catalog (GC) selected, type and confirm the Directory Services Restore Mode (DSRM) password, and click Next. Record the DSRM password securely; it is the only way to log on to this controller in Directory Services Restore Mode and it cannot be recovered from Active Directory.
The DNS Options page appears, with an "A delegation for this DNS server…" warning.
Note: The warning means the wizard could not create a delegation for this DNS server in the parent DNS zone. For a private domain with no parent zone, or for systems that are not connected to the Internet, it can be ignored.

4. Click Next.
The Additional Options page appears.

5. Click Next.
The Paths page appears.

6. Click Next.
The Preparation Options page appears.
Note: This page appears only for the first Windows Server 2016 domain controller added to the domain; this is where the schema and domain preparation described in 6.4.4 is performed.

7. Click Next.
The Review Options page appears.

8. Click Next.
The Prerequisites Check page appears.

9. In the Prerequisites Check page, review the warnings and click Install.

Note: The system restarts when the installation is completed.
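The scripted equivalent of 6.5.2 and 6.5.3, added here as an example and not taken from the guide. It installs the two roles with their management tools, runs the same prerequisite check the wizard runs, and promotes the server into the existing domain. The domain name idealab.local is the one shown in the guide's screenshots; the DNS server address, site name and the choice of network adapter are assumptions to adjust for your installation.

```powershell
# Added example, not from the Honeywell guide.
# Scripted install of AD DS + DNS and promotion into an existing domain.
$domainName  = 'idealab.local'            # domain name used in the guide's screenshots
$existingDns = '192.0.2.10'               # assumed: IP of an existing domain DNS server
$siteName    = 'Default-First-Site-Name'  # assumed: site the new DC should join

# 6.5.2 step 2: point the new server at an existing DNS server so it can find the domain.
# Assumes a single active adapter; on an FTE host pick the correct adapter explicitly.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $existingDns

# 6.5.2 steps 3-17: add the roles and the management tools
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# 6.5.3: promote. Credentials are prompted for rather than stored in the script.
$cred = Get-Credential -Message "Domain administrator account in $domainName"
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode (DSRM) password'

# Same checks as the wizard's Prerequisites Check page; review its warnings before installing
Test-ADDSDomainControllerInstallation -DomainName $domainName -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns -SiteName $siteName

# DNS server and Global Catalog are enabled, as on the wizard's Domain Controller Options page.
# The server restarts automatically when promotion completes, as it does with the wizard.
Install-ADDSDomainController -DomainName $domainName -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns -SiteName $siteName -Force
```

Run it in an elevated PowerShell session on the new server while it is still in a workgroup; after the restart, continue with 6.5.4.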

6.5.4 Transfer roles and functions from Old DC to New DC

Log on to the new system with a domain-based administration account.

1. Adjust the DNS configuration (if DNS was added).

a. The first value should be another DNS server (not the old domain controller you are going to decommission).
b. The second value should be the local address, 127.0.0.1.

2. Open a command prompt and run dcdiag.

a. Correct any potential issues before transferring roles.

Note: If configuring FTE on this domain controller, it can be better to temporarily disable the Green NIC until the FTE software is to be installed.

3. Transfer any owned roles from the old domain controller to the new 2016 domain controller. There are five operations master (FSMO) roles; to see which controller holds each of them, run netdom query fsmo at a command prompt. In each tool below, first connect to the new domain controller (right-click the node and choose Change Active Directory Domain Controller) so that the Change button in the Operations Master dialog transfers the role to it.

a. Domain Naming Master can be transferred via the Active Directory Domains and Trusts tool (right-click the root node and choose Operations Master).

b. RID Master can be transferred via the Active Directory Users and Computers tool (right-click the domain, choose Operations Master, RID tab).

c. PDC Emulator can be transferred via the Active Directory Users and Computers tool (Operations Master, PDC tab).
Note: If transferring the PDC Emulator and it synchronized with an external time source, do not forget to configure the same time source on the new controller.

d. Infrastructure Master can be transferred via the Active Directory Users and Computers tool (Operations Master, Infrastructure tab).

e. Schema Master can be transferred via the MMC Active Directory Schema snap-in (register it first with regsvr32 schmmgmt.dll; the account must be a member of Schema Admins).
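The same transfer done from PowerShell, added here as an example and not taken from the guide. It moves all five operations master roles in one command, verifies afterwards that each role names the new controller, and re-points the Windows Time service as the note on the PDC Emulator requires. The controller names and the NTP source are assumptions; run it on the new 2016 controller with an account that is a member of Domain Admins, Schema Admins and Enterprise Admins (the last two are needed for the Schema and Domain Naming masters).

```powershell
# Added example, not from the Honeywell guide.
# Transfer the five operations master roles to the new controller and verify.
Import-Module ActiveDirectory
$newDc     = 'DC2016-01'          # assumed: name of the new 2016 controller
$oldDc     = 'PE2850-DC1'         # old controller, example name used in the guide
$ntpSource = 'time.example.net'   # assumed: external time source for the PDC Emulator

# Replication and DNS must be healthy before roles move; /q prints failures only
dcdiag "/s:$newDc" /q

$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole $roles -Confirm:$false

# Verify that every role now names the new controller
$d = Get-ADDomain
$f = Get-ADForest
$holders = [ordered]@{
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
}
$pending = @()
foreach ($r in $holders.GetEnumerator()) {
    $ok = $r.Value -like "$newDc.*"
    if (-not $ok) { $pending += $r.Key }
    '{0,-22} {1,-35} {2}' -f $r.Key, $r.Value, $(if ($ok) { 'OK' } else { 'NOT MOVED' })
}
if ($pending) { throw "Roles still on another controller: $($pending -join ', ')" }

# Time service (the guide's note on the PDC Emulator): the new PDC Emulator syncs from the
# external source and advertises as reliable; the old controller goes back to the domain hierarchy.
w32tm /config "/manualpeerlist:$ntpSource" /syncfromflags:manual /reliable:yes /update
w32tm /resync
w32tm /config "/computer:$oldDc" /syncfromflags:domhier /reliable:no /update
w32tm /resync "/computer:$oldDc"
```

Transferring (as opposed to seizing) requires the old controller to be online and replicating, which is why this section comes before the old controller is demoted.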

6.5.5 Decommission Old DC

The intention here is to remove services/functionality from the old domain controller before it is turned off.

1. Adjust the DNS configuration on all clients (if previously configured with this DC's IP address as one of the client's DNS values).

a. The primary value should be another DNS server (possibly the new server just added).
b. The secondary value can be any other available DNS server (not the server about to be removed).

2. Adjust the DNS configuration on the old domain controller (the one about to be decommissioned).

a. The primary value should be another DNS server (possibly the new server just added).
b. The secondary value can be any other available DNS server (not the server about to be removed).

3. Remove the Global Catalog from the old (2003) server.

!Attention
Before removing the Global Catalog from the old controller, confirm that the new Windows Server 2016 domain controller already shows a DC Type of GC. Domain logon (universal group evaluation) needs at least one reachable Global Catalog at all times.

a. Open Active Directory Users and Computers (on the new 2016 DC).

b. Navigate to your domain, then Domain Controllers.

c. Select the domain controller you wish to decommission and select Properties.
The Properties window for that server appears (PE2850-DC1 Properties in the example).

d. In the Properties window, click NTDS Settings.
The NTDS Settings Properties window appears.

e. In the NTDS Settings Properties window, uncheck Global Catalog and click Apply.

f. Click OK and close the Properties window.

g. After several minutes, the DC Type should change from GC to DC.
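Steps 1 to 3 above as a script, added here as an example and not taken from the guide. It finds every enabled domain member (the old controller included) whose adapters still list the old controller for DNS and re-points them to the new primary and secondary servers, then clears the Global Catalog flag on the old controller's NTDS Settings object, which is exactly what the Global Catalog check box toggles. Adapter settings are read and written over WMI so that Windows Server 2003 members are covered. Addresses and names are assumptions; with $apply left at $false the script only reports what it would change.

```powershell
# Added example, not from the Honeywell guide.
# Re-point DNS clients away from the old controller and remove its Global Catalog.
Import-Module ActiveDirectory
$oldDc   = 'PE2850-DC1'    # old controller, example name used in the guide
$oldDcIp = '192.0.2.5'     # assumed: IP address of the old controller
$newDns  = '192.0.2.20'    # assumed: new 2016 DC running DNS (primary)
$altDns  = '192.0.2.21'    # assumed: another surviving DNS server (secondary)
$apply   = $false          # $false = report only; $true = make the changes

# Steps 1-2: every enabled member whose adapters still list $oldDcIp as a DNS server
foreach ($m in (Get-ADComputer -Filter 'Enabled -eq $true').DNSHostName) {
    try {
        $cfgs = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $m `
                    -Filter 'IPEnabled = TRUE' -ErrorAction Stop |
                Where-Object { $_.DNSServerSearchOrder -contains $oldDcIp }
        foreach ($c in $cfgs) {
            if (-not $apply) {
                Write-Output "$m : $($c.Description) uses $oldDcIp (would set $newDns, $altDns)"
                continue
            }
            $r = $c.SetDNSServerSearchOrder(@($newDns, $altDns))   # ReturnValue 0 = success
            if ($r.ReturnValue -eq 0) { Write-Output "$m : $($c.Description) now uses $newDns, $altDns" }
            else { Write-Warning "$m : SetDNSServerSearchOrder returned $($r.ReturnValue)" }
        }
    } catch { Write-Warning "$m : not reachable over WMI ($($_.Exception.Message))" }
}

# Step 3: the Global Catalog flag is bit 0x1 of 'options' on the NTDS Settings object.
# Clear only that bit so that other option bits (e.g. replication disabled) are untouched.
$ntdsDn  = (Get-ADDomainController -Identity $oldDc).NTDSSettingsObjectDN
$ntds    = Get-ADObject -Identity $ntdsDn -Properties options
$options = [int]$ntds.options -band (-bnot 1)
if ($apply) {
    Set-ADObject -Identity $ntds -Replace @{ options = $options }
    # Wait for replication; as the guide says, the DC Type changes from GC to DC after a few minutes
    do { Start-Sleep -Seconds 30 } while ((Get-ADDomainController -Identity $oldDc).IsGlobalCatalog)
    Write-Output "$oldDc is no longer a Global Catalog"
} else {
    Write-Output "$oldDc NTDS options: $($ntds.options) (would become $options)"
}
```

Run it first with $apply = $false and review the list of members it reports; members it cannot reach over WMI must have their DNS settings changed by hand as the steps above describe.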

6.5.6 Raising Functional Levels

Once all domain controllers have been replaced, you can raise the domain's functional level. Raise it to the highest level allowed by the oldest domain controller release still in use (assumed now to be Windows Server 2008 or higher).

1. On an existing domain controller, run Active Directory Domains and Trusts.

2. To raise the domain functional level:

a. Right-click the domain and choose Raise Domain Functional Level.

b. The Raise Domain Functional Level dialog appears.

c. Click the drop-down under "Select an available domain functional level".
Choose the highest available level you can, based on the oldest operating system any domain controller is running.

d. After making your selection, click Raise.

e. A warning dialog appears (the change cannot be reversed).

f. Click OK.
A confirmation popup window appears.

g. Click OK.

3. Once all domains have been raised, you can consider raising the forest level.

a. Return to Active Directory Domains and Trusts.

b. On the left-hand side, right-click "Active Directory Domains and Trusts" and choose Raise Forest Functional Level.

c. The Raise Forest Functional Level window appears.

d. Click the drop-down under "Select an available forest functional level".
Choose the highest available level you can, based on the oldest operating system any domain controller in any domain of the forest is running.

e. After making your selection, click Raise.

f. A warning dialog appears.

g. Click OK.
A confirmation window appears.

h. Click OK.
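The evaluation in 6.4.1, the raise in 6.4.3 and the final raise in this section share one check: which level the oldest domain controller still permits. The script below, added here as an example and not taken from the guide, lists the operating system of every domain controller, derives the highest functional level they all support, compares it with the current domain and forest modes and issues the raise commands with -WhatIf so that nothing changes until you remove that switch. It assumes the ActiveDirectory module on a Windows Server 2016 domain controller and an account in Enterprise Admins.

```powershell
# Added example, not from the Honeywell guide.
# Determine the highest functional level the current DCs allow and raise towards it.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$forest = Get-ADForest

# ADDomainMode / ADForestMode enumeration values: 2003=2, 2008=3, 2008 R2=4, 2012=5, 2012 R2=6, 2016=7
$levelByOs = @{ '2003' = 2; '2008' = 3; '2008 R2' = 4; '2012' = 5; '2012 R2' = 6; '2016' = 7 }

$dcs = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, IsGlobalCatalog
$dcs | Format-Table -AutoSize | Out-String | Write-Output

$maxLevel = 7
foreach ($dc in $dcs) {
    # Longest key first so that '2008 R2' is matched before '2008'
    $key = $levelByOs.Keys | Sort-Object Length -Descending |
           Where-Object { $dc.OperatingSystem -like "*Server $_*" } | Select-Object -First 1
    if (-not $key) { throw "Unrecognised OS on $($dc.HostName): '$($dc.OperatingSystem)'" }
    if ($key -eq '2003') {
        Write-Warning "$($dc.HostName) runs Windows Server 2003 (EOL): replace it before raising the level"
    }
    $maxLevel = [Math]::Min($maxLevel, $levelByOs[$key])
}
$domainTarget = [Microsoft.ActiveDirectory.Management.ADDomainMode]$maxLevel
Write-Output "Domain mode: $($domain.DomainMode)  highest supported by current DCs: $domainTarget"

if ([int]$domain.DomainMode -lt $maxLevel) {
    # Irreversible, exactly as the wizard warns; keep -WhatIf until the output is what you expect
    Set-ADDomainMode -Identity $domain -DomainMode $domainTarget -WhatIf
}

# The forest can only go as high as the lowest domain mode in it (step 3 above)
$lowestDomain = ($forest.Domains | ForEach-Object { [int](Get-ADDomain -Identity $_).DomainMode } |
                 Measure-Object -Minimum).Minimum
$forestTarget = [Microsoft.ActiveDirectory.Management.ADForestMode][int]$lowestDomain
Write-Output "Forest mode: $($forest.ForestMode)  highest allowed by its domains: $forestTarget"
if ([int]$forest.ForestMode -lt [int]$lowestDomain) {
    Set-ADForestMode -Identity $forest -ForestMode $forestTarget -WhatIf
}
```

Like the wizard, Set-ADDomainMode fails if a controller that cannot support the target level still exists in the domain, so the warning about Windows Server 2003 controllers has to be resolved first.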

6.5.7 FRS to DFS Migration

1. Verify that you meet all requirements (the domain functional level must be Windows Server 2008 or higher, so you may have to raise functional levels first) by typing the following at a command prompt:

dfsrmig /getglobalstate

If you are ready to start a migration, the command reports the current DFSR global state as 'Start' (state 0), meaning no migration is in progress.

2. Start the migration by typing the following at a command prompt:

dfsrmig /setglobalstate 1

3. Query the status by typing the following at a command prompt:

dfsrmig /getmigrationstate

Be patient; it may take a little time. Wait until the command reports that all domain controllers have migrated successfully to the global state 'Prepared'.

4. Continue the migration (phase 2) by typing the following at a command prompt:

dfsrmig /setglobalstate 2

5. Verify the status by again typing:

dfsrmig /getmigrationstate

Wait until the command reports that all domain controllers have migrated successfully to the global state 'Redirected'.

6. Continue the migration (phase 3) by typing the following at a command prompt:

dfsrmig /setglobalstate 3

!Attention
The Eliminated state cannot be rolled back. Up to and including the Redirected state, the migration can be reversed with dfsrmig /setglobalstate 0 (or 1); once every domain controller reports Eliminated, FRS replication of SYSVOL is removed and the only way back is a restore from backup.

7. Verify the status by again typing:

dfsrmig /getmigrationstate

Wait until the command reports that all domain controllers have migrated successfully to the global state 'Eliminated'.

8. Verify completion by typing net share:

The NETLOGON and SYSVOL shares should now be served from the SYSVOL_DFSR folder.

9. In addition, the File Replication Service should be stopped and disabled on all domain controllers.
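The migration above driven from a script, added here as an example and not taken from the guide. It checks the precondition (global state 'Start'), then sets each global state in turn and waits until dfsrmig reports that every domain controller has reached it before moving on, which is the mistake the manual procedure invites; finally it performs the verification of steps 8 and 9 on every controller. The strings it matches are dfsrmig's own output; the only assumption is the ActiveDirectory module on the controller it runs on.

```powershell
# Added example, not from the Honeywell guide.
# Drive the FRS to DFSR SYSVOL migration state by state, waiting for convergence.
Import-Module ActiveDirectory

function Wait-DfsrMigrationState {
    param([int]$State, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $out = (dfsrmig /getmigrationstate) -join ' '
        # dfsrmig prints "All Domain Controllers have migrated successfully to Global state ('...')"
        # once every DC has reached the requested state; until then it lists the ones still pending.
        if ($out -match 'migrated successfully') { Write-Output "State $State reached on all DCs"; return $true }
        Write-Output "Waiting for state $State ... ($out)"
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFSR migration state $State; do not set the next state"
}

# Precondition (step 1): domain functional level 2008 or higher and no migration in progress
$global = (dfsrmig /getglobalstate) -join ' '
if ($global -notmatch "'Start'") { throw "Unexpected DFSR global state: $global" }

# Prepared (1) -> Redirected (2) -> Eliminated (3); each only after the previous one has converged.
# Eliminated is irreversible, so the wait before it is the one that must not be skipped.
foreach ($state in 1, 2, 3) {
    dfsrmig /setglobalstate $state
    Wait-DfsrMigrationState -State $state | Out-Null
}

# Verification (steps 8-9): SYSVOL/NETLOGON served from SYSVOL_DFSR, FRS stopped and disabled everywhere
net share | Select-String 'SYSVOL|NETLOGON'
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $frs = Get-Service -ComputerName $dc -Name NtFrs -ErrorAction SilentlyContinue
    if (-not $frs)                       { Write-Output  "$dc : NtFrs service not present" }
    elseif ($frs.Status -eq 'Running')   { Write-Warning "$dc : NtFrs still running" }
    else                                 { Write-Output  "$dc : NtFrs $($frs.Status), start type $($frs.StartType)" }
}
```

Run it once, from a single controller, with an account in Domain Admins; because each state change is written to Active Directory and replicated, the waits are dominated by replication latency rather than by the size of SYSVOL.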



Support Information

For support, contact your local Honeywell Process Solutions Customer Contact Center (CCC). To find your local
CCC visit the website, https://www.honeywellprocess.com/en-US/contact-us/customer-support-
contacts/Pages/default.aspx.



For more information
To learn more about Honeywell’s products or
solutions visit www.honeywellprocess.com or
contact your Honeywell account manager.

Process Solutions
Honeywell

1250 West Sam Houston Parkway South


Houston, TX 77042

Honeywell House, Skimped Hill Lane


Bracknell, RG12 1EB

Shanghai City Centre, 100 Junyi Road


Shanghai, China 20051
EPDOC-X472-en-A
July 2018
www.honeywellprocess.com © 2018 Honeywell International Sàrl
