Scribd
Upload
227 views

b0700ss D PDF

Uploaded by

abdel taib
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
227 views

b0700ss D PDF

Uploaded by

abdel taib
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 596

Foxboro Evo™

Process Automation System

Control Core Services v9.1


Software Installation Guide

*B0700SS* *D*

B0700SS

Rev D
June 8, 2016
Schneider Electric, Invensys, Foxboro, Foxboro Evo, and I/A Series are trademarks of Schneider Electric S.E.,
its subsidiaries, and affiliates.
All other brand names may be trademarks of their respective owners.

Copyright 2014–2016 Invensys Systems, Inc.


All rights reserved.

Invensys is now part of Schneider Electric.

SOFTWARE LICENSE AND COPYRIGHT INFORMATION


Before using the Invensys Systems, Inc. supplied software supported by this documentation, you
should read and understand the following information concerning copyrighted software.
1. The license provisions in the software license for your system govern your obligations
and usage rights to the software described in this documentation. If any portion of
those license provisions is violated, Invensys Systems, Inc. will no longer provide you
with support services and assumes no further responsibilities for your system or its
operation.
2. All software issued by Invensys Systems, Inc. and copies of the software that you are
specifically permitted to make, are protected in accordance with Federal copyright
laws. It is illegal to make copies of any software media provided to you by
Invensys Systems, Inc. for any purpose other than those purposes mentioned in the
software license.
Contents
Preface............................................................................................................................... xxvii
Purpose ................................................................................................................................ xxvii
Revision Information ........................................................................................................... xxvii
Reference Documents .......................................................................................................... xxvii
Glossary ................................................................................................................................ xxix

1. Software Installation Overview.......................................................................................... 1


Installation Concepts ................................................................................................................ 1
How to Use this Installation Guide ........................................................................................... 2
Overview of Supported Software Installations ........................................................................... 3
Determining Hardware Requirements ....................................................................................... 3
Pre-Installation System Backup ................................................................................................. 4
System Configuration and Creating Commit Installation Media ............................................... 5
Foxboro Evo Control Core Services v9.1 Documentation ......................................................... 6
Workstation Specific Operating System Media ......................................................................... 6
Foxboro Evo Control Core Services v9.1 Media ........................................................................ 9
Hardware and Software Specific Instruction Documents ........................................................... 9

2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation ............................. 11
Workstation/Server Preparation .............................................................................................. 11
Notes on Installing Foxboro Evo Control Core Services .......................................................... 12
Changing the Station Name .................................................................................................... 13
Disabling the VirusScan Console ............................................................................................ 13
Preparing Network Interface Cards (NICs) For Installation .................................................... 16
Exiting During Software Installation ....................................................................................... 16
Installation Procedure ............................................................................................................. 17
Installing the Foxboro Evo Control Core Services v9.1 Trailer CD-ROM ......................... 28
Restarting Your System ...................................................................................................... 29
Configuring VirusScan Software ............................................................................................. 29
Installing Optional Software ................................................................................................... 29
System Manager and System Management Display Handler (SMDH)
Installation Notes ............................................................................................................... 30
Installing the Beep Driver (Foxboro Evo Control Core Services
Servers with FoxPanels Only) ............................................................................................. 31
Setting Date and Time ............................................................................................................ 32

iii
B0700SS – Rev D Contents

Completing Installation .......................................................................................................... 33

3. Installation or Migration Scenarios for Security Enhanced


Foxboro Evo Control Core Services v9.1 ............................................................................. 35
Introduction ............................................................................................................................ 35
Scenario 1 ............................................................................................................................... 37
Scenario 2 ............................................................................................................................... 38
Scenario 3 ............................................................................................................................... 38
Scenario 4 ............................................................................................................................... 39
Scenario 5 ............................................................................................................................... 40
Scenario 6 ............................................................................................................................... 40

4. Security Enhanced Foxboro Evo Control Core Services v9.1


Installation for Domain Controllers on The Foxboro Evo Control Network....................... 43
Installing Security Enhanced Foxboro Evo Control Core Services v9.1 on Primary Domain
Controllers on The Foxboro Evo Control Network ................................................................. 43
Server Preparation .............................................................................................................. 43
Notes on Installing Foxboro Evo Control Core Services ..................................................... 45
Changing the Station Name ............................................................................................... 46
Disabling the VirusScan Console ........................................................................................ 46
Preparing Network Interface Cards (NICs) For Installation ............................................... 47
Canceling and Resuming the Security Enhanced Installation Process ................................. 48
Installation Procedure ......................................................................................................... 49
Installing the Foxboro Evo Control Core Services v9.1 Trailer CD-ROM ..................... 64
Restarting Your System .................................................................................................. 65
Installing Optional Software ............................................................................................... 65
System Manager and System Management Display Handler (SMDH)
Installation Notes .......................................................................................................... 65
Primary Domain Controller Postinstallation Procedures .................................................... 67
Changing Passwords ...................................................................................................... 67
Creating Users in Active Directory ................................................................................ 70
Tombstone Lifetime Attribute in Active Directory ........................................................ 78
Backing Up Active Directory ......................................................................................... 78
Continuing Installation ...................................................................................................... 78
Installing Security Enhanced Foxboro Evo Control Core Services v9.1 on Secondary Domain
Controllers on The Foxboro Evo Control Network ................................................................. 79
Server Preparation .............................................................................................................. 79
Notes on Installing Foxboro Evo Control Core Services ..................................................... 80
Changing the Station Name ............................................................................................... 81
Disabling the VirusScan Console ........................................................................................ 82
Preparing Network Interface Cards (NICs) For Installation ............................................... 83
Canceling and Resuming the Security Enhanced Installation Process ................................. 84
Installation Procedure ......................................................................................................... 86
Installing the Foxboro Evo Control Core Services v9.1 Trailer CD-ROM ................... 103
Restarting Your System ................................................................................................ 104

iv
Contents B0700SS – Rev D

Installing Optional Software ............................................................................................. 104


System Manager and System Management Display Handler (SMDH)
Installation Notes ........................................................................................................ 104
Secondary Domain Controller Post-Installation Procedures ............................................. 106
Changing Passwords .................................................................................................... 106
Backing Up Active Directory ....................................................................................... 107
Continuing Installation .................................................................................................... 107

5. Security Enhanced Foxboro Evo Control Core Services v9.1


Installation for New Off-Control Network Domain Controllers ....................................... 109
Installing Security Enhanced Foxboro Evo Control Core Services v9.1 on
Off-Control Network Primary Domain Controllers .............................................................. 109
Server Preparation ............................................................................................................ 109
Notes on Installing Foxboro Evo Control Core Services ................................................... 110
Changing the Station Name ............................................................................................. 111
Disabling the VirusScan Console ...................................................................................... 112
Canceling and Resuming the Security Enhanced Installation Process ............................... 114
Installation Procedure ....................................................................................................... 116
Restarting Your System ................................................................................................ 130
Installing Optional Software ............................................................................................. 130
Primary Domain Controller Postinstallation Procedures .................................................. 131
Changing Passwords .................................................................................................... 131
Creating Users in Active Directory .............................................................................. 134
Tombstone Lifetime Attribute in Active Directory ...................................................... 141
Backing Up Active Directory ....................................................................................... 141
Continuing Installation .................................................................................................... 141
Installing Security Enhanced Foxboro Evo Control Core Services v9.1 on
Off-Control Network Secondary Domain Controllers .......................................................... 142
Server Preparation ............................................................................................................ 142
Notes on Installing Foxboro Evo Control Core Services ................................................... 143
Changing the Station Name ............................................................................................. 144
Disabling the VirusScan Console ...................................................................................... 144
Canceling and Resuming the Security Enhanced Installation Process ............................... 147
Installation Procedure ....................................................................................................... 149
Installing the Foxboro Evo Control Core Services v9.1 Trailer CD-ROM ................... 163
Restarting Your System ................................................................................................ 164
Installing Optional Software ............................................................................................. 164
Secondary Domain Controller Post-Installation Procedures ............................................. 164
Changing Passwords .................................................................................................... 164
Backing Up Active Directory ....................................................................................... 165
Adding Foxboro Stations to Active Directory Post-Installation .................................... 165
Continuing Installation .................................................................................................... 168

6. Security Enhanced Foxboro Evo Control Core Services v9.1


Installation for Existing Off-Control Network Primary Domain Controllers .................... 169
Overview ............................................................................................................................... 169
Notes on Installing Foxboro Evo Control Core Services ................................................... 169

v
B0700SS – Rev D Contents

Disabling the VirusScan Console .......................................................................................... 170


Canceling and Resuming the Security Enhanced Installation Process .................................... 172
Installation Procedure ........................................................................................................... 174
Restarting Your System .................................................................................................... 182
Primary Domain Controller Post-Installation Procedures ...................................................... 183
Creating Users in Active Directory ................................................................................... 183
Adding Foxboro Stations to Active Directory Post-Installation .................................... 190
Tombstone Lifetime Attribute in Active Directory ........................................................... 192
Backing Up Active Directory ............................................................................................ 192
Continuing Installation ......................................................................................................... 192

7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller


on The Foxboro Evo Control Network.............................................................................. 193
Preparing the Source Primary Domain Controller
(Existing On-Control Network PDC with I/A Series Software v8.5/8.6/8.7)
for Migration ........................................................................................................................ 194
Preparation and Installation for New Target Primary Domain Controller ............................. 202
Preparing Network Interface Cards (NICs) For Installation ............................................. 202
Installation on New Target Primary Domain Controller .................................................. 202
Configuring for Existing Domain Clients with I/A Series Software v8.5/8.6/8.7 ................... 223
Continuing Installation ......................................................................................................... 226

8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary


Domain Controller............................................................................................................ 229
Preparing the Source Primary Domain Controller (Existing PDC with I/A Series Software
v8.5/8.6/8.7) for Migration ................................................................................................... 229
Preparation and Installation for New Target Primary Domain Controller ............................. 252
Adding Foxboro Stations to Active Directory Post-Installation ......................................... 272
Continuing Installation ......................................................................................................... 275

9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing


Off-Control Network Primary Domain Controller ........................................................... 277
Group Policy Settings Migration From Domains with I/A Series
Software v8.7 or Earlier ......................................................................................................... 278
Preparation for Installation .................................................................................................... 279
Disabling the VirusScan Console on Target Primary Domain Controller ......................... 280
Preparing the Source Primary Domain Controllers
for Transferring Active Directory Settings ............................................................................. 282
Preparing the Target Primary Domain Controllers ................................................................ 291
Installing Microsoft SQL Server 2008 SP3 Express Edition v10.00.5500.00 .................... 303
Installing Active Directory Migration Tool v3.2 ............................................................... 318

vi
Contents B0700SS – Rev D

Migrating Passwords and Group Policy Objects


(GPOs) from Source Primary Domain Controller ................................................................. 324
Installing Password Export Server v3.1 ............................................................................. 331
Migrating Active Directory Settings to the Target Primary Domain Controller .................... 336
Adding Foxboro Stations to Active Directory Post-Installation ......................................... 337
Migrating Domain Clients with I/A Series Software
v8.5/8.6/8.7 to the New Off-Control Network Domain ....................................................... 340
Continuing Installation ......................................................................................................... 350

10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7
Domain Clients to Existing Off-Control Network Networks ............................................ 351
Workstation/Server Preparation ............................................................................................ 351
Notes for Installing Foxboro Evo Control Core Services ....................................................... 353
Preparing Network Interface Cards (NICs) For Installation ............................................. 353
Migrating Domain Client from Domain in I/A Series Software
v8.7 or Earlier to a Domain in Foxboro Evo Control Core Services v9.1 .......................... 354
Changing the Station Name .................................................................................................. 356
Disabling the VirusScan Console .......................................................................................... 356
Canceling and Resuming the Security Enhanced Installation Process .................................... 359
Installation Procedures .......................................................................................................... 360
Installation Procedure (On The Foxboro Evo Control Network) ..................................... 361
Installation Procedure for Clients of New Off-Control Network Domain Controllers ..... 376
Installation Procedure for Pre-Existing Domain Clients
(I/A Series Software v8.5-v8.7) to Existing Off-Control Network Domain Controllers .... 394
Completing the Domain Client Installation ..................................................................... 399
Installing the Foxboro Evo Control Core Services v9.1 Trailer CD-ROM ................... 399
Restarting Your System ................................................................................................ 399
Non-Control Network Cables ..................................................................................... 399
Configuring VirusScan Software ........................................................................................... 400
Installing Optional Software ................................................................................................. 400
System Manager and System Management Display Handler (SMDH)
Installation Notes ............................................................................................................. 400
Setting Date and Time .......................................................................................................... 403
Domain Client Postinstallation Procedures ........................................................................... 403
Changing Passwords ......................................................................................................... 403
Re-Enabling the McAfee VirusScan Console ......................................................................... 405

11. Release Update of I/A Series Software v8.8 or Foxboro Evo Control
Core Services v9.0 to v9.1 Including Optional Day 1 Installation ..................................... 407
Upgrade Security Enhanced or Standard I/A Series Software v8.8 or Foxboro Evo
Control Core Services v9.0 to v9.1 Including Day 1 Operations ........................................... 408
Create Reconcile Media .................................................................................................... 408

vii
B0700SS – Rev D Contents

Performing the Release Update ......................................................................................... 412


Upgrade Security Enhanced or Standard I/A Series Software v8.8 or Foxboro Evo
Control Core Services v9.0 to v9.1 Via Release Update ......................................................... 417
Installing the Foxboro Evo Control Core Services v9.1 Trailer CD-ROM ............................ 422

12. Upgrading Foxboro Evo Control Core Services v9.1


(Day 1 Installation or Repair Operation)........................................................................... 425
Day 1 Operations (Standard or Security Enhanced Foxboro Evo Control Core Services) ...... 425
Repair Operations (Standard or Security Enhanced Foxboro Evo Control Core Services) ..... 434
Performing a “Post-Commit for Pre-8.0” .............................................................................. 439
Instructions for Windows Workstations ...................................................................... 440
Instructions for Solaris Workstations ........................................................................... 440

Appendix A. Startup Options ............................................................................................ 441

Appendix B. Changing the Station Name.......................................................................... 443

Appendix C. Excluding Files, Folders, and Drives ............................................................. 449

Appendix D. Secondary Domain Controllers in a Foxboro Evo System............................. 455


Active Directory Operations Master Roles ............................................................................. 455
Transferring the Operations Master Roles ............................................................................. 456
Seizing Active Directory Operations Master Roles ................................................................. 474
Restoring a PDC Server Station ............................................................................................ 479
Verifying Domain Controller Backup Functionality ............................................................. 504
Removing Domain Controller Functionality from a Workstation ......................................... 507
Forcefully Removing a Domain Controller from Active Directory ........................................ 512
Restoring Connections on a Single Domain Controller System ............................................. 517
Adjusting NIC Settings after Adding an SDC ....................................................................... 525
Backing Up Active Directory on Domain Controllers ........................................................... 527
Changing the Tombstone Lifetime Attribute in Active Directory .......................................... 528

Appendix E. Control Core Services Installation on Multiple CPU


Core-Enabled Workstations/Servers .................................................................................. 535

Appendix F. Guidelines for Using BESR for Backing Up and Restoring


Domain Controllers .......................................................................................................... 537
Making Backup Images of Domain Controllers .................................................................... 537
Restoring Only One Domain Controller ............................................................................... 538
Restoring Multiple Domain Controllers from Backup Images ............................................... 538

viii
Contents B0700SS – Rev D

Checking the Health of Active Directory .............................................................................. 539

Appendix G. I/A Series MESH Configurator .................................................................... 541


Silent Installation .................................................................................................................. 541
Manual NIC Selection .......................................................................................................... 542
Post Day 0 Operations .......................................................................................................... 545
Identifying Cable A and Cable B ........................................................................................... 545

Appendix H. SNMP Community String Configuration .................................................... 547

Appendix I. Telnet Installation.......................................................................................... 551


Installing Telnet on Workstations with Windows 7 Operating System ................................. 551
Installing Telnet on Servers with Windows Server 2008 R2 Standard Operating System ...... 552

Appendix J. Printer Sharing............................................................................................... 555


Turning on the Windows Firewall Service ............................................................................. 555
Sharing a Printer ................................................................................................................... 556
Connecting to a Shared Printer on Another Foxboro Evo Control Core Services Station ...... 558

Appendix K. Manual Update For Group Policies on an Off-Control Network PDC......... 559

Appendix L. Troubleshooting............................................................................................ 563


Setting Time Correctly After Failure to Continue
Software Installation After Reboot (SDC or Domain Client) ................................................ 563

ix
B0700SS – Rev D Contents

x
Figures
2-1. Disable Virus Scan Access Protection .......................................................................... 14
2-2. On-Access Scan Properties Dialog Box ........................................................................ 15
2-3. Confirming Cancellation of Software Installation ....................................................... 16
2-4. InstallShield Wizard Completed - Interrupted ............................................................ 17
2-5. AutoPlay Dialog Box ................................................................................................... 18
2-6. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box ..... 19
2-7. Selecting to Install a Domain Controller ..................................................................... 20
2-8. Load Committed Configuration Install Files ............................................................... 21
2-9. Installation Media Folder Browser ............................................................................... 22
2-10. Load Committed Configuration Install Files - Binding ............................................... 23
2-11. I/A Series Network Installation Dialog Box (For Certain NIC Cards) ......................... 24
2-12. I/A Series Installshield Wizard - Next .......................................................................... 24
2-13. I/A Series Installshield Wizard - Install ........................................................................ 25
2-14. Installation Media Dialog Box ..................................................................................... 26
2-15. Media Folder Browser ................................................................................................. 26
2-16. Installation Media Dialog Box - For Diskettes ............................................................. 27
2-17. Complete Installation .................................................................................................. 27
2-18. Example of Installation Log ......................................................................................... 28
2-19. Installing System Manager Server ................................................................................ 31
4-1. Disable Virus Scan Access Protection .......................................................................... 46
4-2. On-Access Scan Properties Dialog Box ........................................................................ 47
4-3. Confirming Cancellation of Software Installation ....................................................... 48
4-4. Confirming Installation Interruption .......................................................................... 49
4-5. InstallShield Wizard Completed - Interrupted ............................................................ 49
4-6. AutoPlay Dialog Box ................................................................................................... 50
4-7. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box ..... 51
4-8. Selecting to Install a Domain Controller ..................................................................... 52
4-9. Load Committed Configuration Install Files ............................................................... 53
4-10. Installation Media Folder Browser ............................................................................... 54
4-11. I/A Series Network Installation Dialog Box (For Certain NIC Cards) ......................... 55
4-12. Server Platform Setup Dialog Box ............................................................................... 55
4-13. Active Directory Warning ........................................................................................... 56
4-14. Active Directory Installation via DOS Window .......................................................... 57
4-15. Promoting to Primary Domain Controller via DOS Window ..................................... 57
4-16. Setting up the Platform for a Secure Foxboro Evo Control Core Services
Installation .................................................................................................................. 58
4-17. Active Directory Domain Settings Applied .................................................................. 59
4-18. I/A Series Secure User Accounts Dialog Box ............................................................... 59
4-19. Invensys IASeries Install: Workstation Reboot Request Dialog Box ............................ 60
4-20. You Are About To Be Logged Off Dialog Box ............................................................ 60
4-21. Reboot or Logoff Requested ........................................................................................ 61
4-22. Installation Media Dialog Box ..................................................................................... 62
4-23. Media Folder Browser ................................................................................................. 62
4-24. Installation Media Dialog Box - For Diskettes ............................................................. 63

xi
B0700SS – Rev D Figures

4-25. Example of Installation Log ......................................................................................... 64


4-26. Installing System Manager Server ................................................................................ 66
4-27. Resetting Passwords via Active Directory Users and Computers .................................. 68
4-28. Resetting a Password ................................................................................................... 68
4-29. Setting the Restore Mode Password via ntdsutil.exe .................................................... 69
4-30. Using and Exiting ntdsutil.exe .................................................................................... 70
4-31. Creating Users via Active Directory Users and Computers .......................................... 71
4-32. New Object - User ...................................................................................................... 72
4-33. New Object - User - Password Updates ....................................................................... 73
4-34. New Object - User - Finish ......................................................................................... 73
4-35. Opening the New User Properties Dialog Box ............................................................ 74
4-36. New User Properties Dialog Box ................................................................................. 75
4-37. Select Groups .............................................................................................................. 76
4-38. Multiple Names Found Dialog Box ............................................................................ 76
4-39. Closing Select Groups Dialog Box .............................................................................. 77
4-40. Closing Properties Dialog Box .................................................................................... 77
4-41. Disable Virus Scan Access Protection .......................................................................... 82
4-42. On-Access Scan Properties Dialog Box ........................................................................ 83
4-43. Confirming Cancellation of Software Installation ....................................................... 84
4-44. Confirming Installation Interruption .......................................................................... 85
4-45. InstallShield Wizard Completed - Interrupted ............................................................ 85
4-46. AutoPlay Dialog Box ................................................................................................... 86
4-47. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box ..... 87
4-48. Selecting to Install a Domain Controller ..................................................................... 88
4-49. Load Committed Configuration Install Files ............................................................... 89
4-50. Installation Media Folder Browser ............................................................................... 90
4-51. I/A Series Network Installation Dialog Box (For Certain NIC Cards) ......................... 91
4-52. Server Platform Setup Dialog Box (SDC) .................................................................... 92
4-53. Resetting UTC Date ................................................................................................... 93
4-54. Unable to Determine Local Time on the PDC ............................................................ 93
4-55. Server Platform Setup Dialog Box (Second SDC) ....................................................... 94
4-56. Invensys IASeries Install: Workstation Reboot Request Dialog Box ............................ 95
4-57. Server Platform Setup Dialog Box (PDC Account Information) ................................. 96
4-58. Server Platform Setup Dialog Box (Verify Domain Name and Site Name Fields) ....... 97
4-59. Active Directory Installation via DOS Window .......................................................... 98
4-60. Assigning Role of Secondary Domain Controller via DOS Window ........................... 98
4-61. Setting Up the Platform for a Secure Foxboro Evo Control Core
Services Installation ..................................................................................................... 99
4-62. InstallShield Wizard for Foxboro Evo Control Core Services .................................... 100
4-63. Installation Media Dialog Box ................................................................................... 100
4-64. Media Folder Browser ............................................................................................... 101
4-65. Installation Media Dialog Box - For Diskettes ........................................................... 102
4-66. Example of Installation Log ....................................................................................... 103
4-67. Installing System Manager Server .............................................................................. 105
4-68. Setting the Restore Mode Password via ntdsutil.exe .................................................. 106
4-69. Using and Exiting ntdsutil.exe .................................................................................. 107
5-1. Disable Virus Scan Access Protection ........................................................................ 112
5-2. On-Access Scan Properties Dialog Box ...................................................................... 113

xii
Figures B0700SS – Rev D

5-3. Confirming Cancellation of Software Installation ..................................................... 114


5-4. Confirming Installation Interruption ........................................................................ 114
5-5. InstallShield Wizard Completed - Interrupted .......................................................... 115
5-6. Internet Protocol Version 4 (TCP/IPv4) Properties ................................................... 116
5-7. Set-ExecutionPolicy AllSigned .................................................................................. 117
5-8. AutoPlay Dialog Box ................................................................................................. 117
5-9. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation
Dialog Box ................................................................................................................ 118
5-10. Selecting to Install a Domain Controller on an Off-Control Network Domain ......... 119
5-11. Load Committed Configuration Install Files ............................................................. 120
5-12. Installation Media Folder Browser ............................................................................. 121
5-13. Server Platform Setup ................................................................................................ 122
5-14. Collecting SDC Machine Info .................................................................................. 123
5-15. I/A Series Installation Warning Dialog Box ............................................................... 123
5-16. Pick Type .................................................................................................................. 124
5-17. Active Directory Domain Name Warning ................................................................. 125
5-18. Active Directory Installation via DOS Window ........................................................ 125
5-19. Promoting to Primary Domain Controller via DOS Window ................................... 126
5-20. Setting up the Platform for a Secure Foxboro Evo Control Core
Services Installation ................................................................................................... 127
5-21. Active Directory Domain Settings Applied ................................................................ 128
5-22. I/A Series Secure User Accounts Dialog Box ............................................................. 128
5-23. Adding New Computer Account ............................................................................... 129
5-24. Example of Installation Log ....................................................................................... 130
5-25. Resetting Passwords via Active Directory Users and Computers ................................ 132
5-26. Resetting a Password ................................................................................................. 132
5-27. Setting the Restore Mode Password via ntdsutil.exe .................................................. 133
5-28. Using and Exiting ntdsutil.exe .................................................................................. 133
5-29. Creating Users via Active Directory Users and Computers ........................................ 134
5-30. New Object - User .................................................................................................... 135
5-31. New Object - User - Password Updates ..................................................................... 136
5-32. New Object - User - Finish ....................................................................................... 136
5-33. Opening the New User Properties Dialog Box .......................................................... 137
5-34. New User Properties Dialog Box ............................................................................... 138
5-35. Select Groups ............................................................................................................ 139
5-36. Multiple Names Found Dialog Box .......................................................................... 139
5-37. Closing Select Groups Dialog Box ............................................................................ 140
5-38. Closing Properties Dialog Box .................................................................................. 140
5-39. Disable Virus Scan Access Protection ........................................................................ 145
5-40. On-Access Scan Properties Dialog Box ...................................................................... 146
5-41. Confirming Cancellation of Software Installation ..................................................... 147
5-42. Confirming Installation Interruption ........................................................................ 147
5-43. InstallShield Wizard Completed - Interrupted .......................................................... 148
5-44. Internet Protocol Version 4 (TCP/IPv4) Properties ................................................... 149
5-45. AutoPlay Dialog Box ................................................................................................. 150
5-46. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation
Dialog Box ................................................................................................................ 151
5-47. Selecting to Install a Domain Controller ................................................................... 152

xiii
B0700SS – Rev D Figures

5-48. Load Committed Configuration Install Files ............................................................. 153


5-49. Installation Media Folder Browser ............................................................................. 154
5-50. Server Platform Setup ................................................................................................ 155
5-51. Resetting UTC Date ................................................................................................. 156
5-52. Unable to Determine Local Time on the PDC .......................................................... 156
5-53. Server Platform Setup (Select Add Off-MESH) ......................................................... 157
5-54. Collecting SDC Machine Info .................................................................................. 157
5-55. I/A Series Installation Warning Dialog Box ............................................................... 158
5-56. Invensys IASeries Install: Workstation Reboot Request Dialog Box .......................... 158
5-57. Server Platform Setup (Authorize) ............................................................................. 159
5-58. Server Platform Setup (Prepare) ................................................................................ 160
5-59. Active Directory Domain Name Warning ................................................................. 160
5-60. Active Directory Installation via DOS Window ........................................................ 161
5-61. Assigning Role of Secondary Domain Controller via DOS Window ......................... 161
5-62. Setting Up the Platform for a Secure Foxboro Evo Control Core Services
Installation ................................................................................................................ 162
5-63. Example of Installation Log ....................................................................................... 163
5-64. Setting the Restore Mode Password via ntdsutil.exe .................................................. 164
5-65. Using and Exiting ntdsutil.exe .................................................................................. 165
5-66. Selecting IA Computers -> New -> Computer .......................................................... 166
5-67. New Object - Computer ........................................................................................... 167
5-68. Selecting Pre-8.8 IA Computers -> New -> Computer .............................................. 167
6-1. Disable Virus Scan Access Protection ........................................................................ 170
6-2. On-Access Scan Properties Dialog Box ...................................................................... 171
6-3. Confirming Cancellation of Software Installation ..................................................... 172
6-4. Confirming Installation Interruption ........................................................................ 172
6-5. InstallShield Wizard Completed - Interrupted .......................................................... 173
6-6. AutoPlay Dialog Box ................................................................................................. 174
6-7. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation
Dialog Box ................................................................................................................ 175
6-8. Selecting to Install a Domain Controller on an Off-Control Network Domain ......... 176
6-9. Load Committed Configuration Install Files ............................................................. 177
6-10. Installation Media Folder Browser ............................................................................. 178
6-11. Server Platform Setup ................................................................................................ 179
6-12. Active Directory Domain Settings Applied ................................................................ 180
6-13. I/A Series Secure User Accounts Dialog Box ............................................................. 180
6-14. Finish Installation ..................................................................................................... 181
6-15. Example of Installation Log ....................................................................................... 182
6-16. Creating Users via Active Directory Users and Computers ........................................ 183
6-17. New Object - User .................................................................................................... 184
6-18. New Object - User - Password Updates ..................................................................... 185
6-19. New Object - User - Finish ....................................................................................... 185
6-20. Opening the New User Properties Dialog Box .......................................................... 186
6-21. New User Properties Dialog Box ............................................................................... 187
6-22. Select Groups ............................................................................................................ 188
6-23. Multiple Names Found Dialog Box .......................................................................... 188
6-24. Closing Select Groups Dialog Box ............................................................................ 189
6-25. Closing Properties Dialog Box .................................................................................. 189

xiv
Figures B0700SS – Rev D

6-26. Selecting IA Computers -> New -> Computer .......................................................... 190


6-27. New Object - Computer ........................................................................................... 191
6-28. Selecting Pre-8.8 IA Computers -> New -> Computer .............................................. 191
7-1. Active Directory Users and Computers Console (Administrator Account) ................ 195
7-2. [User] Properties Dialog Box ..................................................................................... 196
7-3. Adding User to Groups ............................................................................................. 197
7-4. Active Directory Users and Computers Console (Administrator Account) ................ 198
7-5. Installation Disc Is Not Compatible With This Windows Version Warning ............. 199
7-6. Invoking adprep32 /forestprep .................................................................................. 199
7-7. Invoking adprep32 /domainprep /gpprep .................................................................. 200
7-8. Invoking adprep32 /rodcprep .................................................................................... 200
7-9. AutoPlay Dialog Box ................................................................................................. 203
7-10. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation
Dialog Box ................................................................................................................ 204
7-11. Selecting to Install a Domain Controller On-Control Network ................................ 205
7-12. I/A Series Installation Warning Dialog Box ............................................................... 205
7-13. Load Committed Configuration Install Files ............................................................. 206
7-14. Installation Media Folder Browser ............................................................................. 207
7-15. I/A Series Network Installation Dialog Box (For Certain NIC Cards) ....................... 208
7-16. Server Platform Setup Dialog Box ............................................................................. 209
7-17. I/A Series Installation Dialog Box - Date Warning .................................................... 210
7-18. Unable to Determine Local Time on the PDC .......................................................... 210
7-19. Server Platform Setup (For Second SDC) ................................................................. 211
7-20. Invensys IASeries Install: Workstation Reboot Request Dialog Box .......................... 212
7-21. Server Platform Setup (On-Control Network) Continued ........................................ 213
7-22. Server Platform Setup (On-Control Network) Continued Part 2 .............................. 214
7-23. Active Directory Warning ......................................................................................... 215
7-24. Active Directory Installation via a Command Prompt ............................................... 215
7-25. Assigning Role of Secondary Domain Controller via Command Prompt .................. 216
7-26. Verifying the Health of the Existing Active Directory System ................................... 217
7-27. I/A Series Installation Dialog Box - Warning for DC Health Log File ....................... 218
7-28. Verifying the Health of the Existing Active Directory System (Errors Found) ........... 219
7-29. I/A Series Installation Dialog Box - Errors in DC Health Log File ............................ 220
7-30. Setting Up the Platform for a Secure Foxboro Evo
Control Core Services Installation ............................................................................. 221
7-31. Installation Media Dialog Boxes ................................................................................ 222
7-32. Media Folder Browser ............................................................................................... 222
7-33. Installation Media Dialog Box - For Diskettes ........................................................... 223
7-34. Selecting FoxInt NDIS Intermediate Miniport Driver .............................................. 224
7-35. Adapter Properties Dialog Box .................................................................................. 224
7-36. Internet Protocol (TCP/IP) Properties Dialog Box .................................................... 225
7-37. Internet Protocol (TCP/IP) Properties Dialog Box .................................................... 226
8-1. Active Directory Users and Computers Console (Administrator Account) ................ 230
8-2. [User] Properties Dialog Box ..................................................................................... 231
8-3. Adding User to Groups ............................................................................................. 232
8-4. Active Directory Users and Computers Console (Administrator Account) ................ 233
8-5. Installation Disc Is Not Compatible With This Windows Version Warning ............. 234
8-6. Invoking adprep32 /forestprep .................................................................................. 234

xv
B0700SS – Rev D Figures

8-7. Invoking adprep32 /domainprep /gpprep .................................................................. 235


8-8. Invoking adprep32 /rodcprep .................................................................................... 235
8-9. Internet Protocol (TCP/IP) Properties Dialog Box .................................................... 236
8-10. Advanced TCP/IP Settings Dialog Box (IP Settings) ................................................. 237
8-11. Advanced TCP/IP Settings Dialog Box (DNS) ......................................................... 238
8-12. Internet Protocol (TCP/IP) Properties Dialog Box .................................................... 239
8-13. DNS Manager Dialog Box (Server Properties) .......................................................... 240
8-14. Server Properties Dialog Box ..................................................................................... 241
8-15. DNS Manager Dialog Box (Removing Existing Stations) .......................................... 242
8-16. DNS Manager Dialog Box (Reverse Lookup Zone) .................................................. 243
8-17. New Zone Wizard (Zone Type) ................................................................................ 244
8-18. New Zone Wizard (Active Directory Zone Replication Scope) ................................. 245
8-19. New Zone Wizard (Reverse Lookup Zone Name) ..................................................... 246
8-20. New Zone Wizard (Dynamic Update) ...................................................................... 247
8-21. DNS Manager Dialog Box (New Pointer) ................................................................. 248
8-22. New Resource Record Dialog Box ............................................................................. 249
8-23. Restart DNS Service .................................................................................................. 250
8-24. nslookup Service ....................................................................................................... 250
8-25. Local Area Connection 3 Properties .......................................................................... 252
8-26. Internet Protocol Version 4 (TCP/IPv4) Properties ................................................... 253
8-27. Set-ExecutionPolicy AllSigned .................................................................................. 254
8-28. AutoPlay Dialog Box ................................................................................................. 254
8-29. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation
Dialog Box ................................................................................................................ 255
8-30. Selecting to Install a Domain Controller Off-Control Network ................................ 256
8-31. I/A Series Installation Dialog Box - Warning ............................................................ 256
8-32. Load Committed Configuration Install Files ............................................................. 257
8-33. Installation Media Folder Browser ............................................................................. 258
8-34. Server Platform Setup (Off-Control Network) .......................................................... 259
8-35. I/A Series Installation Dialog Box - Date Warning .................................................... 260
8-36. Unable to Determine Local Time on the PDC .......................................................... 260
8-37. Server Platform Setup (For Second SDC) ................................................................. 261
8-38. Invensys IASeries Install: Workstation Reboot Request Dialog Box .......................... 262
8-39. Server Platform Setup (Off-Control Network) Continued ........................................ 263
8-40. Active Directory Warning ......................................................................................... 263
8-41. Active Directory Installation via Command Prompt ................................................. 264
8-42. Assigning Role of Secondary Domain Controller via Command Prompt .................. 264
8-43. Verifying the Health of the Existing Active Directory System ................................... 265
8-44. I/A Series Installation Dialog Box - Warning for DC Health Log File ....................... 266
8-45. Verifying the Health of the Existing Active Directory System (Errors Found) ........... 267
8-46. I/A Series Installation Dialog Box - Errors in DC Health Log File ............................ 268
8-47. Setting Up the Platform For a Secure Foxboro Evo Control Core Services
Installation ................................................................................................................ 269
8-48. Configure DNS Setting Dialog Box .......................................................................... 270
8-49. Internet Protocol (TCP/IP) Properties - Removing On-Control Network
DNS Entries ............................................................................................................. 271
8-50. Internet Protocol (TCP/IP) Properties - Setting for Off-Control Network
Network Interface Card ............................................................................................ 272

xvi
Figures B0700SS – Rev D

8-51. Selecting IA Computers -> New -> Computer .......................................................... 273


8-52. New Object - Computer ........................................................................................... 274
8-53. Selecting Pre-8.8 IA Computers -> New -> Computer .............................................. 274
9-1. InterForestMigration Folder ...................................................................................... 279
9-2. Disable Virus Scan Access Protection ........................................................................ 280
9-3. On-Access Scan Properties Dialog Box ...................................................................... 281
9-4. Selecting Reset Password ........................................................................................... 282
9-5. Reset Password Dialog Box ....................................................................................... 283
9-6. Set-ExecutionPolicy Unrestricted .............................................................................. 283
9-7. Internet Protocol (TCP/IP) Properties Dialog Box - Off-Control Network
NIC Card ................................................................................................................. 284
9-8. Internet Protocol (TCP/IP) Properties Dialog Box - FoxInt NDIS Intermediate
Miniport Driver ........................................................................................................ 285
9-9. Ping Target PDC from Command Prompt ............................................................... 286
9-10. Execute PrepSourceDomainForMigration.ps1 Script ................................................ 287
9-11. Inter-Forest Migration Dialog Box ............................................................................ 288
9-12. Moving IA Computers and IA Users OUs into Migration OU ................................. 289
9-13. Moving Additional Users and Groups into the Migration OU .................................. 290
9-14. Migration OU - Populated ........................................................................................ 291
9-15. AutoPlay Dialog Box ................................................................................................. 292
9-16. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation
Dialog Box ................................................................................................................ 293
9-17. Selecting to Perform an Inter-Forest Migration ......................................................... 294
9-18. Load Committed Configuration Install Files ............................................................. 295
9-19. Installation Media Folder Browser ............................................................................. 296
9-20. InstallShield Wizard Completed ................................................................................ 296
9-21. Internet Protocol (TCP/IP) Properties Dialog Box - Target PDC’s
Off-Control Network NIC Card ............................................................................... 297
9-22. Ping Source PDC from Command Prompt ............................................................... 298
9-23. Executing PrepTargetDomainForMigration.ps1 ....................................................... 299
9-24. Inter-Forest Migration Dialog Box ............................................................................ 299
9-25. Active Directory Migration Tool Window ................................................................ 300
9-26. Creating the Password Migration Export File ............................................................ 301
9-27. Administrators Properties Dialog Box ....................................................................... 302
9-28. Select Users, Contacts, Computers, Service Accounts or Groups Dialog Box ............ 302
9-29. SQL Server Installation Center - Start Installation .................................................... 303
9-30. SQL Server Installation Center - Setup Support Rules .............................................. 304
9-31. SQL Server Installation Center - License Key ............................................................ 305
9-32. SQL Server Installation Center - Accept License ....................................................... 306
9-33. SQL Server Installation Center - Install Setup Support Files ..................................... 307
9-34. SQL Server Installation Center - Setup Support Files Installed .................................. 308
9-35. SQL Server Installation Center - Feature Selection .................................................... 309
9-36. SQL Server Installation Center - Instance Configuration .......................................... 310
9-37. SQL Server Installation Center - Disk Space Requirements ....................................... 311
9-38. SQL Server Installation Center - Server Configuration .............................................. 312
9-39. SQL Server Installation Center - Database Engine Configuration ............................. 313
9-40. SQL Server Installation Center - Error and Usage Reporting .................................... 314
9-41. SQL Server Installation Center - Installation Rules ................................................... 315

xvii
B0700SS – Rev D Figures

9-42. SQL Server Installation Center - Ready to Install ...................................................... 316


9-43. SQL Server Installation Center - Installation Progress ............................................... 317
9-44. SQL Server Installation Center - Installation Complete ............................................ 318
9-45. Installing Active Directory Migration Tool v3.2 - Welcome ...................................... 319
9-46. Installing Active Directory Migration Tool v3.2 - License Agreement ....................... 320
9-47. Installing Active Directory Migration Tool v3.2 - Customer Experience
Improvement ............................................................................................................ 321
9-48. Installing Active Directory Migration Tool v3.2 - Database Selection ....................... 322
9-49. Installing Active Directory Migration Tool v3.2 - Database Import .......................... 323
9-50. Installing Active Directory Migration Tool v3.2 - Complete ..................................... 324
9-51. Installing pwdmig.msi ............................................................................................... 325
9-52. Select No .................................................................................................................. 325
9-53. Password Export Server Service ................................................................................. 326
9-54. Password Export Server Service Properties Dialog Box .............................................. 327
9-55. Group Policy Management Console (GPMC) .......................................................... 328
9-56. Group Policy Object Editor - Restricted Groups ....................................................... 329
9-57. Administrators Properties Dialog Box ....................................................................... 330
9-58. Add Member Dialog Box .......................................................................................... 330
9-59. ADMT Password Migration DLL Setup Welcome ................................................... 331
9-60. ADMT Password Migration DLL Setup - License Agreement ................................... 332
9-61. ADMT Password Migration DLL Setup - Encryption File ........................................ 333
9-62. Password for the Encryption Key .............................................................................. 333
9-63. ADMT Password Migration DLL Setup - Start Installation ...................................... 334
9-64. ADMT Password Migration DLL - Specifying User Account ................................... 334
9-65. ADMT Password Migration DLL - Account Granted Log On As a Service Right ..... 335
9-66. ADMT Password Migration DLL Setup - Finishing Installation ............................... 335
9-67. Restarting Your System ............................................................................................. 336
9-68. Executing .\ADInterForestMigration.ps1 .................................................................. 337
9-69. Inter-Forest Migration Dialog Box ............................................................................ 337
9-70. Selecting IA Computers -> New -> Computer .......................................................... 338
9-71. New Object - Computer ........................................................................................... 339
9-72. Selecting Pre-8.8 IA Computers -> New -> Computer .............................................. 339
9-73. Adapter Properties Dialog Box .................................................................................. 340
9-74. Internet Protocol (TCP/IP) Properties Dialog Box - FoxInt NDIS Intermediate
Miniport Driver ........................................................................................................ 341
9-75. Internet Protocol (TCP/IP) Properties Dialog Box - Off-Control Network NIC ...... 342
9-76. Computer Name Changes - Name Temporary Workgroup ...................................... 343
9-77. Computer Name Changes - Enter Credentials .......................................................... 343
9-78. Computer Name Changes - Welcome to the Temporary Workgroup ....................... 344
9-79. Computer Name Changes - Note that Domain Client Must Be Restarted ................ 344
9-80. System Properties - Computer Name - Change ......................................................... 344
9-81. Computer Name Changes - Adding Off-Control Network Domain ......................... 345
9-82. Computer Name Changes - Enter Account Credentials ............................................ 345
9-83. Computer Name Changes - Welcome to the Off-Control Network Domain ............ 346
9-84. Computer Name Changes - Note that Domain Client Must Be Restarted ................ 346
9-85. System Properties Dialog Box - Closing .................................................................... 346
9-86. System Settings Change Dialog Box - Click No ........................................................ 347
9-87. Services Windows - FoxNTGUIAppServices ............................................................. 347

xviii
Figures B0700SS – Rev D

9-88. FoxNTGUIAppServices Properties Dialog Box ......................................................... 348


9-89. Services Dialog Box ................................................................................................... 348
9-90. Services Dialog Box ................................................................................................... 349
9-91. Executing SetIAStartupAcct ...................................................................................... 349
10-1. Adding Pre-Existing Domain Client to the Pre-8.8 IA Computers OU ..................... 355
10-2. Adding Pre-Existing Domain Client to the IA Computers OU ................................. 356
10-3. Disable Virus Scan Access Protection ........................................................................ 357
10-4. On-Access Scan Properties Dialog Box ...................................................................... 358
10-5. Confirming Cancellation of Software Installation ..................................................... 359
10-6. Confirming Installation Interruption ........................................................................ 359
10-7. InstallShield Wizard Completed - Interrupted .......................................................... 360
10-8. AutoPlay Dialog Box ................................................................................................. 361
10-9. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box ... 362
10-10. Selecting to Install a Secure Domain Client ............................................................... 363
10-11. Load Committed Configuration Install Files ............................................................. 364
10-12. Installation Media Folder Browser ............................................................................. 365
10-13. I/A Series Network Installation Dialog Box (For Certain NIC Cards) ....................... 366
10-14. Network Connections - Local Area Connection vs. NIC Adapter Device Number ... 367
10-15. Ready to Connect This Workstation to the I/A Series Domain ................................. 368
10-16. Resetting UTC Date ................................................................................................. 369
10-17. Unable to Determine Local Time .............................................................................. 369
10-18. Invensys IASeries Install: Workstation Reboot Request Dialog Box .......................... 370
10-19. You Are About To Be Logged Off Dialog Box .......................................................... 370
10-20. InstallShield Wizard for Foxboro Evo Control Core Services .................................... 371
10-21. Reboot or Logoff Requested ...................................................................................... 372
10-22. Installation Media Dialog Box ................................................................................... 373
10-23. Media Folder Browser ............................................................................................... 373
10-24. Installation Media Dialog Box - For Diskettes ........................................................... 374
10-25. Example of Installation Log ....................................................................................... 375
10-26. AutoPlay Dialog Box ................................................................................................. 376
10-27. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box ... 377
10-28. Selecting to Install a Client in a Security Enhanced System ....................................... 378
10-29. Load Committed Configuration Install Files Dialog Box .......................................... 379
10-30. Installation Media Folder Browser ............................................................................. 380
10-31. Load Committed Configuration Install Files Dialog Box - Bind ............................... 381
10-32. I/A Series Network Installation (For Certain NIC Cards) ......................................... 382
10-33. Network Connections - Local Area Connection vs. NIC Adapter Device Number ... 383
10-34. I/A Series Network Installation (For Certain NIC Cards) ......................................... 383
10-35. Ready to Connect This Workstation to the Control Core Services/I/A
Series Domain Dialog Box ........................................................................................ 384
10-36. Resetting UTC Date ................................................................................................. 385
10-37. Unable to Determine Local Time .............................................................................. 385
10-38. Collecting SDC Machine Info .................................................................................. 386
10-39. Select a Host Domain for this workstation and click Connect Area ........................... 386
10-40. Workstation Reboot Request .................................................................................... 387
10-41. You Are About To Be Logged Off Dialog Box .......................................................... 387
10-42. Welcome to the InstallShield Wizard for Foxboro Evo Control Core Services ........... 388
10-43. Ready to Install the Program ..................................................................................... 389

xix
B0700SS – Rev D Figures

10-44. Installation Media Dialog Box ................................................................................... 390


10-45. Media Folder Browser ............................................................................................... 390
10-46. Installation Media Dialog Box - For Diskettes ........................................................... 391
10-47. Setting Internet Protocol Version 4 (TCP/IPv4) Properties ....................................... 392
10-48. Example of Installation Log ....................................................................................... 393
10-49. Internet Protocol (TCP/IP) Properties Dialog Box - Off-Control Network
NIC Card ................................................................................................................. 395
10-50. Adding Pre-Existing Domain Client (I/A Series Software v8.5) to
Active Directory ........................................................................................................ 396
10-51. Domain Client Installation – Ready to Connect ....................................................... 397
10-52. Connecting to the Control Core Services/I/A Series Domain .................................... 398
10-53. Unable To Determine Local Time ............................................................................ 398
10-54. Installing System Manager Server .............................................................................. 402
10-55. Resetting Passwords via Computer Management ....................................................... 404
10-56. Resetting Password for IAManager ............................................................................ 404
10-57. Confirming Password for IAManager ........................................................................ 405
10-58. On-Access Scan Properties Dialog Box ...................................................................... 406
11-1. I/A Series Reconcile Media Utility ............................................................................ 409
11-2. Get Security Enhanced Foxboro Evo Control Core Services Stations ........................ 410
11-3. Select the Location Where You Want Your Reconcile Files Saved ............................. 411
11-4. Try Another Diskette Warning ................................................................................. 411
11-5. Disable Control Core Services Drivers and Services ................................................... 412
11-6. I/A Series Software Installation Dialog Box ............................................................... 413
11-7. Perform a Day 1 Operation on Workstation with Foxboro Evo
Control Core Services ............................................................................................... 414
11-8. Ready to Install on Workstation with Foxboro Evo Control Core Services ................ 415
11-9. I/A Series Installshield Wizard ................................................................................... 416
11-10. Example of Installation Log ....................................................................................... 417
11-11. Disable Control Core Services Drivers and Services ................................................... 418
11-12. I/A Series Software Installation Dialog Box ............................................................... 419
11-13. Perform a Release Update Operation on Workstation
with Foxboro Evo Control Core Services .................................................................. 420
11-14. I/A Series Installshield Wizard ................................................................................... 421
11-15. Example of Installation Log ....................................................................................... 422
12-1. I/A Series Reconcile Media Utility ............................................................................ 426
12-2. Get SE Stations ......................................................................................................... 427
12-3. Select the Location Where You Want Your Reconcile Files Saved ............................. 428
12-4. Try Another Diskette Warning ................................................................................. 428
12-5. Disable Control Core Services Drivers and Services ................................................... 429
12-6. I/A Series Software Installation Dialog Box ............................................................... 430
12-7. Perform a Day 1 Operation on the Foxboro Evo workstation ................................... 431
12-8. Ready to Install on the Foxboro Evo Workstation ..................................................... 432
12-9. I/A Series Installshield Wizard ................................................................................... 433
12-10. Example of Installation Log ....................................................................................... 434
12-11. Disable Control Core Services Drivers and Services ................................................... 435
12-12. I/A Series Software Installation Dialog Box ............................................................... 436
12-13. Perform a Repair Operation on the Foxboro Evo Workstation .................................. 437
12-14. I/A Series Installshield Wizard ................................................................................... 438

xx
Figures B0700SS – Rev D

12-15. Example of Installation Log ....................................................................................... 439


B-1. System Window ........................................................................................................ 444
B-2. Computer Name Tab in the System Properties Dialog Box ....................................... 445
B-3. Computer Name Changes Dialog Box ...................................................................... 446
B-4. Restarting Your Computer To Apply Changes .......................................................... 447
C-1. On-Access Scan Statistics Dialog Box ........................................................................ 450
C-2. On-Access Scan Properties Dialog Box - Selecting All Processes ................................ 451
C-3. On-Access Scan Properties Dialog Box - Exclusions Tab ........................................... 452
C-4. On Access Scan Properties Dialog Box - Exclusions Tab ........................................... 453
C-5. Add Exclusion Item ................................................................................................... 453
C-6. Set Exclusions ........................................................................................................... 454
D-1. Transferring FSMO Roles ......................................................................................... 456
D-2. Active Directory Users and Computers - IADomainAdmin ...................................... 457
D-3. IADomainAdmin Properties Dialog Box ................................................................... 458
D-4. Select groups Dialog Box ........................................................................................... 459
D-5. Active Directory Users and Computers - Connect to Domain Controller ................. 459
D-6. Connect to Domain Controller Dialog Box .............................................................. 460
D-7. Active Directory Users and Computers - Set Operations Masters .............................. 461
D-8. Operations Master Dialog Box .................................................................................. 462
D-9. Operations Master - Confirm Transfer ...................................................................... 462
D-10. Operations Master - Confirm Change ....................................................................... 463
D-11. Active Directory Domains and Trusts - Connect to Domain Controller ................... 463
D-12. Active Directory Domains and Trusts - Selecting Domain Controller to Become
The New PDC .......................................................................................................... 464
D-13. Active Directory Domains and Trusts - Set Operations Masters ................................ 465
D-14. Change Operations Master ........................................................................................ 465
D-15. Active Directory Domains and Trusts - Confirm Yes ................................................ 466
D-16. Active Directory Domains and Trusts - Confirm OK ............................................... 466
D-17. Command Prompt - regsvr32 schmmgmt.dll ............................................................ 467
D-18. Confirm Operation ................................................................................................... 467
D-19. Confirm Operation ................................................................................................... 467
D-20. Microsoft Management Console - Selecting Add/Remove Snap-In ........................... 468
D-21. Add or Remove Snap-Ins Dialog Box ........................................................................ 469
D-22. Add or Remove Snap-Ins Dialog Box ........................................................................ 470
D-23. Microsoft Management Console - Selecting Change Domain Controller .................. 471
D-24. Change Domain Controller ...................................................................................... 471
D-25. Microsoft Management Console - Selecting Operations Master ................................ 472
D-26. Change Domain Controller ...................................................................................... 472
D-27. Change Schema Master Dialog Box .......................................................................... 473
D-28. Active Directory Domains and Trusts - Confirm Yes ................................................ 473
D-29. Active Directory Domains and Trusts - Confirm OK ............................................... 473
D-30. Seizing FSMO Roles ................................................................................................. 474
D-31. Role Seizure Confirmation Dialog Box ..................................................................... 475
D-32. Role Seizure Confirmation Dialog Box ..................................................................... 475
D-33. Restoring FSMO Roles to a Primary Domain Controller That Had Its
Roles Seized .............................................................................................................. 480
D-34. Invoking dcpromo /forceremoval .............................................................................. 481
D-35. Acknowledging Warnings - Part 1 ............................................................................. 481

xxi
B0700SS – Rev D Figures

D-36. Acknowledging Warnings - Part 2 ............................................................................. 482


D-37. Acknowledging Warnings - Part 3 ............................................................................. 483
D-38. Active Directory Installation Wizard - Welcome ....................................................... 484
D-39. Active Directory Installation Wizard - Force Removal ............................................... 485
D-40. Active Directory Installation Wizard -Acknowledge .................................................. 485
D-41. Active Directory Installation Wizard - Administrator Password ................................. 486
D-42. Active Directory Installation Wizard - Summary ....................................................... 487
D-43. Active Directory Installation Wizard - Reading Domain Policy ................................. 488
D-44. Active Directory Installation Wizard - Completed .................................................... 488
D-45. Active Directory Installation Wizard - Restarting the Computer ............................... 489
D-46. Windows Security - Logging in IADomainAdmin .................................................... 489
D-47. Windows Security - Logging in IADomainAdmin .................................................... 490
D-48. Windows Security - Logging in IADomainAdmin .................................................... 490
D-49. Windows Security - Logging in IADomainAdmin .................................................... 490
D-50. Invoking dcpromo .................................................................................................... 491
D-51. Active Directory Installation Wizard - Welcome ....................................................... 491
D-52. Active Directory Installation Wizard - Operating System Compatibility ................... 492
D-53. Active Directory Installation Wizard - Domain Controller Type ............................... 493
D-54. Active Directory Installation Wizard - Additional Domain Controller ...................... 494
D-55. Active Directory Installation Wizard - Forest Root Domain ...................................... 495
D-56. Active Directory Installation Wizard - Site for New Domain Controller ................... 496
D-57. Active Directory Installation Wizard - Additional Domain Controller Options ........ 497
D-58. Static IP Assignment ................................................................................................. 498
D-59. Active Directory Installation Wizard - Continue ....................................................... 498
D-60. Active Directory Installation Wizard - Database and Log Folders .............................. 499
D-61. Active Directory Installation Wizard - Restore Mode Administrator Password .......... 500
D-62. Active Directory Installation Wizard - Summary ....................................................... 501
D-63. Active Directory Installation Wizard - Configuring ................................................... 502
D-64. Active Directory Installation Wizard - Complete ....................................................... 502
D-65. Restarting the Computer ........................................................................................... 503
D-66. DNS Management - Selecting Lookup Zone Properties ............................................ 503
D-67. Zone Properties Dialog Box ...................................................................................... 504
D-68. nslookup for Client Stations (NESRV5.iaseries.local) ................................................ 505
D-69. nslookup for Client Stations (NESRV4.iaseries.local) ................................................ 506
D-70. Typical NIC Settings for a Client Workstation on a System with a Primary and
One Secondary DNS Server ...................................................................................... 507
D-71. Starting the Active Directory Installation Wizard ...................................................... 508
D-72. Active Directory Installation Wizard - Welcome ....................................................... 508
D-73. Active Directory Installation Wizard - Global Catalog Provider Warning ................. 509
D-74. Active Directory Installation Wizard - Remove Active Directory ............................... 509
D-75. Active Directory Installation Wizard - Administrator Password ................................. 510
D-76. Active Directory Installation Wizard - Summary ....................................................... 511
D-77. Active Directory Installation Wizard - Configuring ................................................... 512
D-78. Active Directory Installation Wizard - Restarting the Computer ............................... 512
D-79. Active Directory Users and Computers - Delete a Domain
Controller Connection .............................................................................................. 513
D-80. Active Directory Users and Computers - Delete Confirmation .................................. 513
D-81. Active Directory Users and Computers - Delete a Domain Controller Settings ......... 514

xxii
Figures B0700SS – Rev D

D-82. Active Directory Users and Computers - Delete Confirmation .................................. 514
D-83. Active Directory Users and Computers - Deleting a Domain Controller ................... 515
D-84. Active Directory Users and Computers - Delete a Server ........................................... 515
D-85. Active Directory Users and Computers - Delete Confirmation .................................. 516
D-86. Active Directory Users and Computers - Creating New Computer Account ............. 516
D-87. New Object - Computer Dialog Box ......................................................................... 517
D-88. Workstation System Properties .................................................................................. 518
D-89. Computer Name Changes Dialog Box - Workgroup ................................................. 519
D-90. Computer Name Change - Remember Local Admin Password ................................. 519
D-91. Log in IADomainAdmin ........................................................................................... 520
D-92. Computer Name Change - Welcome to the [YourName] Workgroup ...................... 520
D-93. Computer Name Change - Restart Computer ........................................................... 520
D-94. Closing System Properties Dialog Box ...................................................................... 521
D-95. Computer Name Changes Dialog Box - Domain ...................................................... 522
D-96. Windows Security Dialog Box ................................................................................... 522
D-97. Computer Name Changes Dialog Box - Welcome to the [YourName] Domain ....... 523
D-98. Computer Name Changes Dialog Box - Need to Restart To Apply Changes ............ 523
D-99. Close System Properties Dialog Box .......................................................................... 524
D-100. Computer Name Changes Dialog Box - Need to Restart To Apply Changes ............ 524
D-101. Local Area Connection Properties Dialog Box ........................................................... 525
D-102. Internet Protocol Version 4 (TCP/IP4) Properties Dialog Box .................................. 526
D-103. Advanced TCP/IP Settings Dialog Box .................................................................... 527
D-104. Opening ADSI Edit Directory Services ..................................................................... 529
D-105. ADSI Edit Directory Services - Connect To .............................................................. 529
D-106. ADSI Edit Directory Services - Configuration ........................................................... 530
D-107. ADSI Edit Directory Services - Properties Selection .................................................. 531
D-108. Attribute Editor - Attribute Selection ........................................................................ 532
D-109. Attribute Value -- Tombstone Lifetime Period .......................................................... 532
G-1. MESH Configurator NIC Selection .......................................................................... 541
G-2. NIC Selection on Unknown Platform/BIOS ............................................................. 542
G-3. Network Connections ............................................................................................... 543
G-4. Network Connections Showing Device Names ......................................................... 543
G-5. Off-Control Network NIC Selection ........................................................................ 544
G-6. NICs on The MESH Control Network Selection ..................................................... 544
H-1. SNMP Service Properties Dialog Box ........................................................................ 548
I-1. Windows Features Dialog Box .................................................................................. 551
I-2. Server Manager ......................................................................................................... 552
I-3. Add Features Wizard ................................................................................................. 553
I-4. Confirm Installation Selections ................................................................................. 554
J-1. Windows Firewall Settings ........................................................................................ 556
J-2. Printer Properties Dialog Box .................................................................................... 557
K-1. iasecadupdate.bat ...................................................................................................... 560
K-2. Invensys Code Signing Certificates v1.0 .................................................................... 561
K-3. Invensys Code Signing Certificates v1.0 Settings ....................................................... 561
L-1. Run rsop.msc ............................................................................................................ 563
L-2. Resultant Set of Policy Window ................................................................................ 564
L-3. Computer Configuration Properties Dialog Box ....................................................... 565

xxiii
B0700SS – Rev D Figures

xxiv
Tables
1-1. Platforms Supporting Control Core Services v9.1 ......................................................... 3
1-2. Foxboro Evo Control Core Services v9.1 Platform Specific Media Kits ......................... 7
3-1. Domain Controller Installation/Migration Scenarios for Foxboro Evo
Control Core Services v9.1 .......................................................................................... 37
C-1. McAfee VirusScan Enterprise + AntiSpyware Enterprise Exclusion List .................... 449

xxv
B0700SS – Rev D Tables

xxvi
Preface

Purpose
The purpose of this document is to describe installation of the Foxboro Evo™ Control Core Ser-
vices v9.1 (hereinafter referred to as the Control Core Services) on supported Windows worksta-
tions and servers. Control Core Services v9.1 software is not supported on Solaris stations.
Control Core Services v9.1 is a Day 0 installation or a Day 1 upgrade to workstations/servers with
I/A Series software v8.8 or Control Core Services v9.0. It delivers optional enhanced security fea-
tures for the Foxboro Evo system that facilitates meeting client and government specifications, for
example, North American Electric Reliability Corporation (NERC) standards.
During a Day 0 software installation, you will have an option of choosing to install the Security
Enhanced (SE) Control Core Services v9.1, which requires Microsoft Active Directory® network
services, or standard Control Core Services v9.1 without the security enhancements. Depending
on your environment, you may not be able to take advantage of security enhanced Control Core
Services v9.1, for example, if you need to allow an older third-party application to run that has
not been rewritten to work in the secure environment.

Revision Information
For this release of this document (B0700SS, Rev. C), the following changes were made:
Chapter 1 “Software Installation Overview”
♦ Updated the list of supported stations in “Determining Hardware Requirements” on
page 3.

Reference Documents
You should be familiar with the following Foxboro Evo documents:
♦ System Management Displays (B0193JC)
♦ System Definition: A Step-By-Step Procedure (B0193WQ)
♦ System Definition Release Notes for Windows 7 and Windows Server 2008 (B0700SH)
♦ Time Synchronization User’s Guide (B0700AQ)
♦ The Foxboro Evo Control Network Architecture Guide (B0700AZ)
♦ Address Translation Station User’s Guide (B0700BP)
♦ Field Control Processor 280 (FCP280) User’s Guide (B0700FW)
♦ Field Control Processor 280 (FCP280) On-Line Image Update (B0700FX)
♦ Security Enhancements User's Guide for I/A Series Workstations with Windows 7 or
Windows Server 2008 Operating Systems (B0700ET)
♦ Symantec System Recovery 2013 Desktop, Server and Virtual Editions Guide for I/A Series
Systems (B0700EY)
♦ McAfee VirusScan® and AntiSpyware Enterprise 8.8i Installation (B0700EQ)

xxvii
B0700SS – Rev D Preface

♦ Optional McAfee® Security Products Installation and Configuration Guide


(B0700EX)
♦ FoxView™ and FoxDraw™ Software V10.4.1 Release Notes (B0700SN)
♦ Control Core Services v9.1 Release Notes (B0700SR)
♦ System Manager (B0750AP)
♦ System Manager V2.4 Release Notes (B0750RS)
♦ Foxboro Evo Control Software Installation Guide (B0750RA)
♦ FERRET V5.5 (Windows® Platforms) and FERRET V4.5.3 (UNIX® Platforms) User’s
Guide (B0860AZ)
♦ FERRET V5.5 (Windows® Platforms) and FERRET V4.5.3 (UNIX® Platforms)
Installation and Release Notes (B0860RH)
♦ Virtualization User’s Guide (B0700VM)
Hardware and Software Specific Documentation for Windows 7 Operating System
♦ Hardware and Software Specific Instructions for Model H92 Workstation (HP Z420)
(Windows 7 Operating System) (B0700FS)
♦ Hardware and Software Specific Instructions for Model H92 with Windows 7 Operating
System (Z400) (B0700FF)
♦ Hardware and Software Specific Instructions for Model P92 Workstation (T3500 Gen II)
with Windows 7 Operating System (B0700FM)
♦ Hardware and Software Specific Instructions for Model P92 Workstation (T3500) with
Windows 7 Operating System (B0700FJ)
Hardware and Software Specific Documentation for Windows Server 2008 R2 Standard
Operating System
♦ Hardware and Software Specific Instructions for Model H90 (HP DL380 E5645 CPU)
Windows Server® 2008 Operating System (B0700GB)
♦ Hardware and Software Specific Instructions for Model P91 (T710 Gen II) with Win-
dows Server® 2008 Operating System (B0700FP)
♦ Hardware and Software Specific Instructions for Model P90 (R710 Gen II) with Windows
Server® 2008 Operating System (B0700FN)
♦ Hardware and Software Specific Instructions for Model P91 (T610) with Windows
Server® 2008 Operating System (B0700FL)
♦ Hardware and Software Specific Instructions for Model P90 (R710) with Windows
Server® 2008 Operating System (B0700FK)
♦ Hardware and Software Instructions for Model H91 Workstation (HP ML350) with
Windows Server 2008 Operating System (B0700FH)
♦ Hardware and Software Instructions for Model H90 Workstation (HP DL380) with
Windows Server 2008 Operating System (B0700FG)
Hardware and Software Specific Documentation for Windows Server 2008 R2 Enterprise
Operating System
♦ Hardware and Software Specific Instructions for I/A Series Model V90 Server Virtualiza-
tion Host (DL380) (Windows Server 2008 R2 Enterprise Operating System) (B0700VA)

xxviii
Preface B0700SS – Rev D


Hardware and Software Specific Instructions for I/A Series Model V90 Server Virtualiza-
tion Host (HP DL380 E5645 CPU) Windows Server 2008 R2 Enterprise Operating
System (B0700VB)
Most of these documents are available on the Foxboro Evo Electronic Documentation media
(K0174MA). The latest revisions of each document are also available through our Invensys
Global Customer Support at https://support.ips.invensys.com.

Glossary

Term Definition
Active Directory A network services application created by Microsoft Corporation.
Foxboro Evo Control Core Core software environment, formerly known as “I/A Series (Intelli-
Services gent Automation Series) software”.
Foxboro Evo Control Core A workstation which runs the Foxboro Evo Control Core Services
Services workstation without the Foxboro Evo Control Software.
Foxboro Evo Control Edi- Formerly known as “FCS Configuration Tools”, “InFusion Engi-
tors neering Environment”, or “IEE”, these are the Control Software
engineering and configuration tools built on the ArchestrA Inte-
grated Development Environment (IDE). It is part of the Foxboro
Evo Control Software.
Foxboro Evo Control Soft- Formerly known as “Foxboro Control Software (FCS)” and “InFu-
ware sion”, a suite of software built on the ArchestrA Integrated Develop-
ment Environment (IDE) to operate with the Foxboro Evo Control
Core Services.
Foxboro Evo Control Net- Formerly known as The Mesh control network, a switch network
work available in multiple topologies which facilitates communications
between Foxboro Evo stations. Also referred to as “the control net-
work”.
Foxboro Evo Control A workstation which runs the Foxboro Evo Control Core Services
Workstation and the Foxboro Evo Control Software.
H90 or P90 A rack-mounted server class computer utilized as a Foxboro Evo
Control Core Services terminal server or a high availability worksta-
tion
H91 or P91 (Legacy) A tower server class computer utilized as a Control Core
Services terminal server or a high availability workstation. Tower-
style servers are legacy servers, discontinued for sale from Invensys.
H92 or P92 A desktop workstation class computer utilized as a Foxboro Evo
workstation

xxix
B0700SS – Rev D Preface

Term Definition
Off-Control Network A descriptor applied to stations which are not located on the Fox-
boro Evo Control Network - and instead connected via a separate
customer-supplied network.
The procedures for configuring these stations for a system with the
security enhanced Control Core Services differ significantly from the
procedures for configuring stations on the Foxboro Evo Control
Network.
On-Control Network A descriptor applied to stations which are located on the Foxboro
Evo Control Network, formerly known as The Mesh control net-
work.
PDC Primary Domain Controller
SDC Secondary Domain Controller
SE Security Enhanced Control Core Services
Security Enhanced (SE) Control Core Services containing the optional security enhance-
Control Core Services ments.
SMDH System Management Display Handler
SP Service Pack
Standard Control Core Control Core Services without security enhancements installed.
Services
SysDef Control Core Services’ System Definition software
The control network Shortened term for the Foxboro Evo Control Network
The Control Software Shortened term for Foxboro Evo Control Software.

xxx
1. Software Installation Overview
This chapter provides an overview for the concepts and installation processes described in this
document.
This document describes installation of the standard and security enhanced Control Core Services
v9.1 on stations (workstations, servers, and domain controllers) running the following operating
systems:
♦ Windows 7
♦ Windows Server 2008 R2 Standard
The following information is provided in this chapter:
♦ How to use this installation guide
♦ Overview of the types of software installations supported by this release
♦ System configuration and creating the Commit installation media
♦ Pre-installation system backup
♦ How to acquire documentation for the Control Core Services v9.1
♦ Media upgrade kits for supported hardware
♦ Installation media for Control Core Services v9.1

NOTE
In this document, the term “workstation” can refer to both desktop workstations
and servers in a Control Core Services system.

Installation Concepts
Starting with I/A Series software v8.8, the concept of installation has changed from a granular
model to a more comprehensive model. (Note that this section refers to installation on a new
workstation/server, rather than an upgrade to an existing Foxboro Evo or I/A Series software
installation.)
I/A Series software v8.7 and earlier had the concept of “selected package installation”, which
allowed each software package which was part of the I/A Series software to be installed separately -
for example, each package might be on a separate diskette, and only the diskettes you wanted
installed on a workstation/server could be provided during the installation.
In I/A Series software v8.8, and Foxboro Evo Control Core Services v9.0 and later, the installation
process is more automated, providing more flexibility to allow the appropriate system configura-
tion application to determine which packages are required for a workstation/server. Typically, the
process works as follows:
1. The Foxboro system configuration application creates Commit media which specifies
which packages are to be installed on each workstation/server.

1
B0700SS – Rev D 1. Software Installation Overview

2. All packages, with the exception of the OS1FDB package, are provided on the instal-
lation DVD. The OS1FDB has several variations, and so the appropriate variation
must be selected
3. When run, the installation application installs the appropriate packages. If there are
any Device Integrator modules configured, then the OS1FDB media will be requested
individually per letterbug. A different set of OS1FDB media can be chosen for each
letterbug or this can be skipped per letterbug.
After the installation is complete, you can perform these installation tasks on the existing Foxboro
Evo or I/A Series software:
♦ Perform a Day 1 operation, which adds packages or updates the software configura-
tion based on changes from the system configuration application.
If you skipped the installation of the OS1FDB package, you can add it with this
operation.
♦ Perform a Repair operation, to verify that all files are present and not corrupted, and
applying updates and fixes as needed.
The method of upgrading to a new version of Foxboro Evo or I/A Series software differs signifi-
cantly depending from which version you are upgrading, and to which version you are upgrading.
The upgrade from I/A Series software v8.8 or Foxboro Evo Control Core Services v9.0 to Control
Core Services v9.1 is a Release Update, which updates existing software packages and adds sup-
port for the multiple CPU core feature, and can be performed as detailed in this manual.

How to Use this Installation Guide


♦ Refer to the following sections in this chapter to determine the appropriate worksta-
tion hardware, software and documentation that is required for your installation:
♦ “System Configuration and Creating Commit Installation Media” on page 5
♦ “Pre-Installation System Backup” on page 4
♦ “Foxboro Evo Control Core Services v9.1 Documentation” on page 6
♦ “Workstation Specific Operating System Media” on page 6 - describes the media
needed to install the OS for each workstation type
♦ “Foxboro Evo Control Core Services v9.1 Media” on page 9
♦ “Determining Hardware Requirements” on page 3
♦ “Hardware and Software Specific Instruction Documents” on page 9.
♦ To perform an installation for a workstation or server with standard Control Core Ser-
vices v9.1, proceed to Chapter 2 “Standard Foxboro Evo Control Core Services v9.1
Day 0 Installation” and perform the procedures in this chapter.
♦ To perform an installation for a workstation or server with Security Enhanced (SE)
Control Core Services v9.1, proceed to Chapter 3 “Installation or Migration Scenarios
for Security Enhanced Foxboro Evo Control Core Services v9.1”, which directs you to
the appropriate chapter of this document for the installation procedures for your spe-
cific system configuration.
♦ If you are enabling the multiple CPU core feature on your workstation or server
(introduced in Control Core Services v9.1), refer to Appendix E “Control Core Ser-
vices Installation on Multiple CPU Core-Enabled Workstations/Servers”.

2
1. Software Installation Overview B0700SS – Rev D

Overview of Supported Software Installations


The Control Core Services v9.1 release supports several different types of software installations.
Understanding and selecting the appropriate installation is very important and is required prior to
beginning the Control Core Services v9.1 installation to your workstations/servers.
♦ Standard Control Core Services installation - The standard Control Core Services is
for systems that do not require Microsoft® Active Directory Domain Controllers.
The same standard installation is applied to all Foxboro Evo workstations. Control
Core Services v9.1 can be either installed as:
♦ (Day 0 Installation) A new image on a station which supports Windows 7 or Win-
dows Server 2008 R2 Standard.
♦ (Day 1 Installation) An “upgrade” on top of an existing I/A Series software v8.8 or
Control Core Services v9.0 installation.
♦ Security-Enhanced (SE) Control Core Services installation - Security-Enhanced (SE)
Control Core Services software is used on systems that require Microsoft® Active
Directory Domain Controllers. In these systems, all the workstation clients of these
domain controllers are members of a secure domain (domain clients). There are two
separate categories of security enhanced (SE) installations:
a. New security enhanced Control Core Services software installations - There are
three different installation scenarios for these new installations.
b. Installation on existing stations with security enhanced I/A Series software v8.5,
v8.6, v8.7, or v8.8 - There are three different scenarios for existing stations with
security enhanced software. These are referred to as migrations.
Refer to Chapter 3 “Installation or Migration Scenarios for Security Enhanced Fox-
boro Evo Control Core Services v9.1” for a detailed explanation of these scenarios.

Determining Hardware Requirements


Control Core Services v9.1 runs on the following currently offered platforms and any later ver-
sions of these platforms which are released.

Table 1-1. Platforms Supporting Control Core Services v9.1

Station Type Multicore CPU Cores Enabled Single Core


Workstation H92 HP Z400 Workstation H92 HP Z400 Workstation
(Current) (Model H92, Style B) (Model H92, Style B)
H92 HP Z420 Workstation H92 HP Z420 Workstation
(Model H92, Style D/A) (Model H92, Style D/A)
Workstation - P92*K, P92*L and P92*M (T3500
(Legacy) and T3500 Gen II) Workstation
Server (Current) H90 HP DL380 Server (Model H90, H90 HP DL380 Server - all versions
Style B)
H90 HP DL380 with E5645 CPU H91 (HP ML350)
Server (Model H90, Style D/A)

3
B0700SS – Rev D 1. Software Installation Overview

Table 1-1. Platforms Supporting Control Core Services v9.1 (Continued)

Station Type Multicore CPU Cores Enabled Single Core


Server (Legacy) - P90 (Dell™ R710 and Dell R710
Gen II)
- P91 (Dell T710 Gen II)
- P91 (Dell T610)
Magelis M92 P0928KK Magelis Workstation -
M90 P0928KM Magelis Server -
Virtual Machine V90 HP DL380 VM Host V90 HP DL380 VM Host
Host

Check the Hardware and Software Specific Instructions manual included with your station to deter-
mine if it supports the multiple CPU core feature. This feature is described in Appendix E “Con-
trol Core Services Installation on Multiple CPU Core-Enabled Workstations/Servers”.
Refer to Virtualization User’s Guide (B0700VM) for more details on virtual machine hosts.
The legacy workstations and servers listed in Table 1-1 which were shipped with I/A Series soft-
ware (previous to Control Core Services v9.0) can be upgraded to run Control Core Services v9.1,
provided their hardware is upgraded to be comparable to that of the current workstations and
servers listed above. For example, a legacy T3500 with 3 GB of RAM could be upgraded to run
Control Core Services v9.1 as long as an additional GB of RAM is installed.
Legacy hardware will need to have its Windows operating system licenses updated, as Control
Core Services v9.1 may require the installation of a completely new operating system for stations
with I/A Series software v8.7 or older. The license number will be supplied with your operating
system installation media.
Additional hardware requirements are provided in the Hardware and Software Specific Documen-
tation listed in “Reference Documents” on page xxvii and the following PSSes:
♦ Model H92 Workstations Windows® 7 Professional Operating System (PSS 31H-4H92)
♦ Model H91 Workstation Servers for the Windows Server® 2008 R2 Operating System
(PSS 31H-4H91)
♦ Model H90 Workstation Servers for the Windows Server® 2008 R2 Operating System
(PSS 31H-4H90)

Pre-Installation System Backup


Before installing a system with Control Core Services v9.1, be sure to back up your existing work-
stations and servers. A backup should occur before either of these installation operations:
♦ Day 0 installation - A fresh Foxboro Evo Control Core Services installation that wipes
out any Foxboro Evo Control Core Services or I/A Series software installed on it pre-
viously. A Day 0 installation is required if you have a workstation with I/A Series
software pre-v8.8 and want to upgrade that station to Control Core Services v9.1.
♦ Day 1 installation/upgrade - An upgrade to stations with I/A Series software v8.8 or
Control Core Services v9.0, a Day 1 upgrade (release update) to Control Core Ser-
vices v9.1 is available. For these stations, you do not need a Day 0 installation as you

4
1. Software Installation Overview B0700SS – Rev D

are capable of performing an on-line image update. The “Initialize” and “loadall”
operations are not necessarily required in this case.
For instructions on backing up and restoring your workstations or servers, refer to Symantec Sys-
tem Recovery 2013 Desktop, Server and Virtual Editions Guide for I/A Series Systems (B0700EY).

NOTE
To backup the PDC and SDC domain controller pair, refer to Appendix F “Guide-
lines for Using BESR for Backing Up and Restoring Domain Controllers”.

Once you have completed the backup, you physically install the software on each target worksta-
tion. For a Day 0 installation, this procedure includes installing a new operating system image on
the station and performing the Day 0 installation. For a Day 1 upgrade, this procedure only
involved installing the Day 1 release update.

NOTE
If you are installing Security Enhanced (SE) Control Core Services v9.1, you MUST
install the Primary Domain Controller (PDC) first.

After Day 0 installations, control processors require an image update, so careful planning will be
required. The On-Line Image Update (or On-Line Upgrade) procedure is not available for Day 0
installations because the control database files (workfiles) are lost during the Day 0 software
installation. To restore the control database after a Day 0 installation, you must perform an Ini-
tialize and LoadAll. The on-line image update procedure is available for future upgrades that do
not involve a Day 0 installation on the host workstation. Refer to Control Processor 270 (CP270)
On-Line Image Update (B0700BY) or Field Control Processor 280 (FCP280) On-Line Image Update
(B0700FX).

System Configuration and Creating Commit


Installation Media
The first phase of installing a system is the system configuration process, which includes creating,
importing, and/or editing a system configuration, and creating Commit installation media (on a
network drive, USB drive, diskette, etc). Control Core Services v9.1 system configuration can be
accomplished using the following software:
♦ System Definition 3.1 or later - For instructions on installing System Definition soft-
ware, refer to System Definition Release Notes for Windows 7 and Windows Server 2008
(B0700SH, Rev. B or later). To create the Commit installation media, follow the pro-
cedures in System Definition: A Step-By-Step Procedure (B0193WQ, Rev. K or later).
♦ I/A Series Configurator Component (IACC) v2.6 or later - I/A Series System Configu-
ration Component (IACC) User's Guide (B0700FE, Rev. B or later).
♦ Foxboro Evo Control Software (hereinafter referred to as the Control Software) v5.0
or later - For instructions on installing the Control Software, refer to Foxboro Evo Con-
trol Software Installation Guide (B0750RA, Rev. R or later). To create the Commit
installation media, follow the procedures in Hardware Configuration User’s Guide
(B0750BB, Rev. H or later).

5
B0700SS – Rev D 1. Software Installation Overview

After creating or editing the system configuration, you must create Commit installation media for
use during software installation.

NOTE
Be sure to label Commit installation media with the Control Core Services or
I/A Series versions on which it can be used, for example, Control Core Services v9.1
or I/A Series v8.2-v8.8.

NOTE
You should have only a single System Configuration (set of Commit media) for
your Control Core Services system. From a single configuration database, you can
produce media for multiple versions of Control Core Services and I/A Series soft-
ware by providing a Package Distribution Disk (10091). Starting with I/A Series
software v8.8, there is no package distribution disk, so this request can be ignored in
System Definition. For earlier versions, this was used to produce specific informa-
tion on the Commit disk that was used by the I/A Series installation application.
See the documentation listed below for information on how to import existing con-
figurations using System Definition v3.1, IACC v2.6, or the Control Software v5.0.

NOTE
If importing an older configuration from an earlier version of System Definition
(pre-v3.0), in a system with I/A Series software pre-v8.8, any stations intended for
use in a system with Control Core Services v9.1 must be migrated to either the new
WSTA70 (for Windows 7) or WSVR70 (for Windows Server 2008 R2 Standard)
station type. After migrating these stations, new Commit media must be created.
(Stations with I/A Series software v8.8 have already been migrated to these new
station types.)

Foxboro Evo Control Core Services v9.1


Documentation
Verify that you have all the necessary documentation required for your installation. Refer to “Ref-
erence Documents” on page xxvii for a list of all documentation related to Control Core Services
v9.1. Most documents are located on the Foxboro Evo Electronic Documentation media
(K0174MA), and you can find the latest revisions of the documents on the Invensys Global Cus-
tomer Support webpage https://support.ips.invensys.com.

Workstation Specific Operating System Media


You will also need to install operating system images for each workstation on which you will
install the standard or security enhanced Control Core Services v9.1.
The following kits can be ordered from BuyAutomation. When ordering these Operating System
upgrade kits for use in servers, be aware of the intended use as a Primary or Secondary Domain
Controller, Terminal Server, or Highly Available Workstation. The use of a server as a Highly

6
1. Software Installation Overview B0700SS – Rev D

Available workstation (with no domain controlling or Terminal Services (for Windows 7 stations)
or Remote Desktop Services (for Windows Server 2008 R2 Standard servers) has a different prod-
uct licensing scheme for deliverables that are part of these upgrade kit part numbers. The
K0174xx media disk part numbers that are used to load the systems are not listed in BuyAutoma-
tion.
Use Table 1-2 below to verify that you have the necessary media kit(s).

Table 1-2. Foxboro Evo Control Core Services v9.1 Platform Specific Media Kits

Media Upgrade
Kit Part Number Kit Description
K0201FJ Windows 7 Professional SP1 Operating System Upgrade Kit for Foxboro Evo
Workstation Dell T3500 P92 Style K Rev. A,B and Style L Rev. A, B
K0201FM Windows 7 Professional SP1 Operating System Upgrade Kit for Foxboro Evo
Workstation Dell T3500 Gen II P92 Style M Rev. A,B
K0201FQ Windows 7 Professional SP1 Operating System Upgrade Kit for Foxboro Evo
Workstation HP Z400 H92 Style A Rev. A, B
K0201FK Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for
Foxboro Evo Workstation Server Dell R710 Gen I Rack Mount P90 Style D
Rev. A, B Configured as Highly Available Workstation
K0201GL Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for
Foxboro Evo Workstation Server Dell T610 Tower P91 Style G Rev. A, B, C
Configured as Highly Available Workstation
K0201FL Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for
Foxboro Evo Server Dell R710 Gen I Rack Mount P90 Style D Rev. A, B
Configured as Server (Remote Desktop, Domain Controller, McAfee ePO,
etc.)
K0201GM Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for
Foxboro Evo Server Dell T610 Tower P91 Style G Rev. A, B, C Configured as
Server (Remote Desktop, Domain Controller, McAfee ePO, etc.)
K0201FX Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for
Foxboro Evo Workstation Server Dell R710 Gen II Rack mount P90 Style E
Rev. A, B Configured as Highly Available Workstations
K0201GN Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for
Foxboro Evo Workstation Server Dell Dell T710 Gen II Tower P91 Style H
Rev. A, B Configured as Highly Available Workstations
K0201FY Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for
Foxboro Evo Workstation Server Dell R710 Gen II Rack mount P90 Style E
Rev. A, B Configured as Server (Remote Desktop, Domain Controller,
McAfee ePO, etc.)
K0201GP Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for
Foxboro Evo Workstation Server Dell T710 Gen II Tower P91 Style H Rev. A,
B Configured as Server (Remote Desktop, Domain Controller, McAfee ePO,
etc.)

7
B0700SS – Rev D 1. Software Installation Overview

Table 1-2. Foxboro Evo Control Core Services v9.1 Platform Specific Media Kits (Continued)

Media Upgrade
Kit Part Number Kit Description
K0201FN Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for
Foxboro Evo Workstation Server Dell R710 Gen II Rack mount P90 Style F
Rev. A, B Configured as Highly Available Workstations
K0201GQ Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for
Foxboro Evo Workstation Server Dell T710 Gen II Tower P91 Style J Rev. A,
B Configured as Highly Available Workstations
K0201FP Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for
Foxboro Evo Workstation Server Dell R710 Gen II Rack mount P90 Style F
Rev. A, B Configured as Server (Remote Desktop, Domain Controller,
McAfee ePO, etc.)
K0201GR Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for
Foxboro Evo Workstation Server Dell T710 Gen II Tower P91 Style J Rev. A,
B Configured as Server (Remote Desktop, Domain Controller, McAfee ePO,
etc.)
K0201FT Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for
Foxboro Evo Workstation Server HP DL380 Rack server H90 Style A Rev. A
Configured as Highly Available Workstations
K0201FU Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for
Foxboro Evo Workstation Server HP DL380 Rack server H90 Style A Rev. A
Configured as Server (Remote Desktop, Domain Controller, McAfee ePO,
etc.)
K0201FR Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for
Foxboro Evo Workstation Server HP ML350 Tower Server H91 Style A Rev. A
Configured as Highly Available Workstations
K0201FS Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for
Foxboro Evo Workstation Server HP ML350 Tower Server H91 Style A Rev. A
Configured as Server (Remote Desktop, Domain Controller, McAfee ePO,
etc.)

NOTE
For the Foxboro Evo workstation HP Z420, H92 Style C, use the media part num-
ber K0174KC shipped with the workstation. If you wish to purchase backups of
this CD-ROM, be aware that it is not available through BuyAutomation; request it
from Invensys Global Customer Support at https://support.ips.invensys.com.

8
1. Software Installation Overview B0700SS – Rev D

Foxboro Evo Control Core Services v9.1 Media


Refer to the Hardware and Software Specific Instructions included with your station for the part
number of the restore DVD for your station.
The part number and contents of the Control Core Services v9.1 Day 0 Media Kit, and all addi-
tional media needed to install this software, are listed in Foxboro Evo™ Process Automation System
Control Core Services v9.1 Release Notes (B0700SR).

Hardware and Software Specific Instruction


Documents
The Hardware and Software Specific Instructions documents included with your stations will be
used for setting up your stations and installing hardware upgrades.
These documents have instructions for restoring the operating system (Quick Restore) and install-
ing Control Core Services. The procedures found in the Hardware and Software Specific Instruc-
tions documents are superseded by the Control Core Services v9.1 procedures found in this
document.

9
B0700SS – Rev D 1. Software Installation Overview

10
2. Standard Foxboro Evo Control
Core Services v9.1 Day 0
Installation
This chapter describes procedures to perform an initial installation of Control Core Services
v9.1 without security enhancements. An initial installation, or an installation which removes
all instances of existing Control Core Services or I/A Series software, is referred to as a “Day 0”
operation.

NOTE
1. If you already have a station with I/A Series software v8.8 or Control Core Ser-
vices v9.0 installed and want to update to Control Core Services v9.1 directly
(referred to as a release update), refer to Chapter 11 “Release Update of I/A Series
Software v8.8 or Foxboro Evo Control Core Services v9.0 to v9.1 Including
Optional Day 1 Installation”.
2. If you already have Control Core Services v9.1 installed and want to update or
change the packages installed (a Day 1 operation), or repair the existing packages,
refer to Chapter 12 “Upgrading Foxboro Evo Control Core Services v9.1 (Day 1
Installation or Repair Operation)”.
3. All release updates (Security Enhanced or standard) follow the same procedure,
including release update procedures for On-Control Network PDCs. For Off-Con-
trol Network PDCs, no upgrade is required, as they do not contain any Control
Core Services software. In this scenario, you will need to update your group policies
as described in Appendix K “Manual Update For Group Policies on an Off-Control
Network PDC”.

Workstation/Server Preparation
This section applies to both Windows 7 and Windows Server 2008 R2 Standard stations on
which Foxboro Evo Control Core Services are being installed without security enhancements for
the first time, or overwriting existing Control Core Services or I/A Series software. (This is
referred to as a Day 0 installation, as opposed to a Day 1 installation which is performed on a
workstation/server on which the Control Core Services have already been installed with the inten-
tion of retaining existing control databases and such.) Perform the following steps to set up the
hardware and restore the operating system onto your workstation.

NOTE
If this is a new station shipped from the Invensys factory with the V9.1 Restore
image identified by the media kits in Table 1-2 and verified in your workstation’s
H-code (or P-code), proceed to “Notes on Installing Foxboro Evo Control Core
Services” on page 12. If not, continue following the steps in this section.

11
B0700SS – Rev D 2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation

1. Install hardware, restore the Windows operating system, and update drivers for your
workstation. Perform the following:
a. Refer to Control Core Services v9.1 Release Notes (B0700SR) for hardware require-
ments specific to the V9.1 release. For instructions on installing memory
upgrades, PCI cards, and so forth, refer to the “Installing Hardware Upgrades”
chapter of the hardware and software specific instruction document shipped with
your workstation.
b. Using the V9.1 Restore Media, restore the Windows operating system on your
workstation. Follow the instructions of Appendix A “Startup Options”.

! WARNING
Only use the media kits listed in Table 1-2 to restore the operating system of a sta-
tion with Control Core Services v9.1.

Do not follow the instructions for installing Control Core Services from your hard-
ware specific instruction manual. Follow the software installation procedure below.

c. Set the time and date. Perform the following:


♦ Open the Windows Date and Time applet by clicking the Date and Time
icon in the Control Panel.
♦ Click the Change Date and Time button.
♦ Adjust the date and time.
♦ Click OK.
♦ Click the Change time zone button.
♦ Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
♦ Click OK.
d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the Hardware And Software Specific Instruction
document shipped with the server.

Notes on Installing Foxboro Evo Control Core


Services
Before you install Control Core Services, make sure that the workstation is physically connected
to the network and, if required, that any network interface card drivers are updated. Refer to the
notes below.
Also, make sure the workstation is disconnected from any secondary (non-Foxboro) networks, but
do not disable the adapters for these network cards.

12
2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation B0700SS – Rev D

! CAUTION
GPS PCI time cards are installed only in primary and backup Master TimeKeeper
workstations or servers as configured for MTK. The MTK workstations or servers
with Control Core Services v9.1 and later must install the GPS PCI time card,
driver, and control utility before installing Control Core Services. Refer to the Time
Synchronization User’s Guide (B0700AQ) to perform this installation.

! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

Changing the Station Name


The Windows workstation or server name must match the workstation or server letterbug name
as it was configured in SysDef and saved onto your Commit installation media before you install
the Control Core Services. For instructions on modifying the computer name of your workstation
or server, refer to Appendix B “Changing the Station Name”.

Disabling the VirusScan Console


Proceed as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. If Access Protection is “Enabled”, right-click on Access Protection and select
Disable, as shown in Figure 2-1.

13
B0700SS – Rev D 2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation

Figure 2-1. Disable Virus Scan Access Protection

4. Right-click on On-Access Scanner and select Disable.


5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 2-2.

14
2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation B0700SS – Rev D

Figure 2-2. On-Access Scan Properties Dialog Box

6. Clear the check-box labeled Enable on-access scanning at system startup


and click Apply. Click OK.

NOTE
The check box should be re-enabled at the end of the installation.

15
B0700SS – Rev D 2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation

Preparing Network Interface Cards (NICs) For


Installation
Before installing Control Core Services, for each installed NIC, you must set the NIC’s properties
“Flow Control” and “Speed & Duplex” manually as described below for the NICs on this station.

NOTE
Refer to the Hardware and Software Specific Instructions document included with
your station to determine the NIC cards it supports.

Proceed as follows:
1. Right-click the My Computer icon, and click Manage. Double-click Device Man-
ager. In the Device Manager window, expand the Network adapters list.
2. Right-click the desired card and click Properties. In the Properties dialog box that
appears, select the Advanced tab.
3. In the Property field, click Flow Control. In the Value field, select Disable from
the drop-down menu list.
4. In the Property field, click Speed & Duplex. In the Value field, in the drop-down
menu list:
♦ For a station on the Foxboro Evo Control Network, select 100 Mb Full.
♦ For a station on another network other than the control network (Off-Control
Network), select Auto.
5. Click OK.
6. For each additional NIC, repeat Steps 2 through 5.
7. Shutdown and restart the system for the driver changes to take effect. Click the Start
button and click Shut Down; select Restart from the pull-down menu and click OK.

Exiting During Software Installation


If you click the Cancel button during the installation, the following dialog box appears:

Figure 2-3. Confirming Cancellation of Software Installation

Click Yes to cancel, or No to resume the installation process. If you click Yes, you are returned to
the installation dialog box as shown in Figure 2-4. If you want to see the installation log, check
Show the Windows Installer log. Click Finish.

16
2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation B0700SS – Rev D

Figure 2-4. InstallShield Wizard Completed - Interrupted

! CAUTION
Exiting during the software installation process causes an incomplete installation
and may cause the workstation to become unstable. This requires that you reload
the operating system.

To restart the installation process after clicking Cancel, re-insert the DVD labeled “Foxboro Evo
Control Core Services v9.1 Day 0 DVD-ROM” (K0174MS-A). A dialog box appears asking if
you want to continue with the installation.
If you click Yes, the installation will return to the dialog box that was canceled. If you click No,
installation will restart from the beginning.

Installation Procedure
Proceed as follows:
1. Ensure that the workstation is attached to the control network.
2. Unplug any non-Mesh network cables.
3. Insert the DVD labeled “Foxboro Evo Control Core Services v9.1 Day 0 DVD-
ROM” (K0174MS-A), if it is not already in the station.
4. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 2-5. Click
Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

17
B0700SS – Rev D 2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation

Figure 2-5. AutoPlay Dialog Box

! CAUTION
If you are prompted with a dialog box indicating that you need to restart for the
configuration changes made to the Security Enhanced Installer to take effect, you
may have restored a pre-V9.1 image. If you are sure you used the proper V9.1
restore image, then reboot the server. Otherwise, restore the workstation using the
proper V9.1 restore media. (See page 6.)

If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the workstation using the proper V9.1 Restore
media. (See page 6.)

5. Click Yes to accept the User Account Control (UAC) prompt.


6. A pre-requisite installation dialog box appears as shown in Figure 2-6. Click Install
to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the server.

18
2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation B0700SS – Rev D

Figure 2-6. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box

19
B0700SS – Rev D 2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation

7. Select the radio button setting for Install I/A Series software without
security enhancements. Click Next to continue.

Figure 2-7. Selecting to Install a Domain Controller

8. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 2-8. Click Load to load the committed configuration files.

20
2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation B0700SS – Rev D

Figure 2-8. Load Committed Configuration Install Files

9. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 2-9. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a floppy diskette, put
the diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 2-8 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.

21
B0700SS – Rev D 2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation

Figure 2-9. Installation Media Folder Browser

22
2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation B0700SS – Rev D

10. Once the installation files have been loaded, click Bind as shown in Figure 2-10 to
launch the I/A Series Network Installation dialog box (Figure 2-11).

Figure 2-10. Load Committed Configuration Install Files - Binding

11. The dialog box shown in Figure 2-11 is displayed if the network configuration from
System Definition does not match the available NIC hardware. Select the two net-
work cards and click Next.

! CAUTION
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation.

If this dialog box is not displayed, the NIC cards have been automatically configured.
Proceed to the next step.

23
B0700SS – Rev D 2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation

Figure 2-11. I/A Series Network Installation Dialog Box (For Certain NIC Cards)

12. The MSI installer opens for Control Core Services Day 0 software. Click Next.

Figure 2-12. I/A Series Installshield Wizard - Next

24
2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation B0700SS – Rev D

13. Click Install to run the installation.

Figure 2-13. I/A Series Installshield Wizard - Install

14. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 2-14 is displayed for each OS1FDB station configured to be hosted by the
workstation being installed.

NOTE
This will occur one time for each OS1FDB station configured.

Click one of the following:


♦ Click Load to install this package.
♦ Click Skip to bypass the installation of this package. If Skip is selected, the
installation will continue, but this dialog box will be displayed again for each of
the OS1FDB stations configured on this Foxboro Evo workstation.

25
B0700SS – Rev D 2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation

Figure 2-14. Installation Media Dialog Box

15. If you selected Load, the media folder browser opens.

Figure 2-15. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette must be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.

26
2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation B0700SS – Rev D

16. If you selected Use Diskette in the previous step, the dialog box in Figure 2-16
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
must be inserted in drive A:\.

Figure 2-16. Installation Media Dialog Box - For Diskettes

17. Click Finish when the installation process is complete.

Figure 2-17. Complete Installation

At the end of the installation, the installation log is displayed. You can view this log
later by clicking the Start button and selecting All Programs -> Invensys ->
IASeries -> Utilities -> Log Viewer.

27
B0700SS – Rev D 2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation

Figure 2-18. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.

Installing the Foxboro Evo Control Core Services v9.1 Trailer CD-
ROM
To complete the installation of Control Core Services v9.1, you must install the V9.1 trailer CD-
ROM (K0174MZ-A). The trailer CD-ROM must be installed for stations running Windows 7 or
Windows Server 2008 R2 Standard operating systems:
1. Launch the trailer installation application (1250550.msi).
Insert the CD-ROM labeled “Foxboro Evo Control Core Services 9.1 Trailer CD-
ROM” (K0174MZ-A) into the station. Navigate to the CD-ROM with Windows
Explorer and double-click 1250550.msi to launch the installation.
2. Click Next and then click Install to start the installation process.
If the user currently logged in is not an administrator, a User Account Control (UAC)
prompt may appear. Click Yes to accept the UAC prompt.

28
2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation B0700SS – Rev D

NOTE
During the trailer installation, if the following message appears, “The Setup must
update files or services that cannot be updated while the system is running. If we
choose to continue, reboot will be required to continue the setup,” click OK. The
installation continues as normal. Do not reboot the station if you see this message.
This message is shown in the event that you are installing the trailer after booting
into the Control Core Services software (which you should not have done if you are
performing this procedure as written in this section).

3. When the installation is complete, click Finish.


4. If you are installing the trailer via a CD-ROM, remove the trailer CD-ROM.
5. Restart your station as described in the following section.

Restarting Your System


FoxView software may be installed prior to rebooting the workstation to eliminate one reboot.
Install FoxView™ and FoxDraw™ software from the FoxView/FoxDraw CD-ROM. Refer to
FoxView™ and FoxDraw™ Software V10.4.1 Release Notes (B0700SN) for installation instruc-
tions.
Reboot the workstation at this time. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.

Configuring VirusScan Software


McAfee VirusScan V8.8i software is installed on your station. Refer to Appendix C “Excluding
Files, Folders, and Drives” to exclude the recommended set of Control Core Services files from
scanning.

Installing Optional Software


After restarting the station following the Control Core Services installation, you may need to per-
form one or more of the following tasks:
1. If not already installed, install FoxView™ and FoxDraw™ software from the Fox-
View/FoxDraw CD-ROM. Refer to FoxView™ and FoxDraw™ Software V10.4.1
Release Notes (B0700SN) for installation instructions.
2. Install Wonderware® Historian according to the instructions provided in Foxboro Evo
Control Software Installation Guide (B0750RA). The Wonderware Historian may be
installed on workstations/servers with Control Core Services or on “off-platform”
workstations/servers that is, stations without Control Core Services.
-OR-
Install AIM*Historian® software according to the instructions provided with the
AIM*Historian media.
3. If desired, install Foxboro Evo™ Control Software according to the instructions pro-
vided with the Foxboro Evo Control Software Installation Guide (B0750RA). This may
include the Foxboro Evo Control Editors and Foxboro Evo Control HMI applica-
tions:

29
B0700SS – Rev D 2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation

♦ Control HMI and all its components must be installed on workstations/servers


with Control Core Services installed.
♦ The Control Editors and Galaxy Repository may be installed on worksta-
tions/servers with Control Core Services or on “off-platform” workstations/servers
that is, stations without Control Core Services.
4. It is highly recommended that you install FERRET software after installing Control
Core Services v9.1. Refer to FERRET V5.5 (Windows® Platforms) and FERRET
V4.5.3 (UNIX® Platforms) User’s Guide (B0860AZ) for installation instructions and
FERRET V5.5 (Windows® Platforms) and FERRET V4.5.3 (UNIX® Platforms)
Installation and Release Notes (B0860RH) for information on using the FERRET soft-
ware. These documents are available in PDF format on the Ferret CD-ROM.
5. Install any other software media for selected optional packages.

System Manager and System Management Display Handler


(SMDH) Installation Notes
Control Core Services system management is carried out by the operator primarily via the:
♦ System Manager, discussed in System Manager (B0750AP), or
♦ System Management Display Handler (SMDH), discussed in System Management
Displays (B0193JC).
Be aware of the following notes regarding the installation of these software packages.
♦ On servers/workstations configured with the SMDH package (ASMDW7), the Sys-
tem Manager will be installed. Uninstalling the System Manager through the
Programs and Features dialog box (accessed via the Control Panel) results in the
server/workstation defaulting to SMDH as the system management application.
♦ SMDH can only be invoked through FoxView. From the Control Core Services initial
display, access the SMDH displays from the System button on the FoxView main
window.
System Manager displays can be invoked directly, without the need for a separate
application.
Be aware that FoxView is not typically loaded on a domain controller. Invensys rec-
ommends the IAMESH only configuration on domain controllers, in which SMDH
or System Manager is not installed.
♦ On servers/workstations where System Manager is installed by the Day 0 installation
of Control Core Services, only the System Manager client is installed.

NOTE
The System Manager Server should be installed only if the IASVCS package is
assigned to the station.

To install the System Manager Server, proceed as follows:


a. Insert the DVD labeled “Foxboro Evo Control Core Services v9.1 Day 0 DVD-
ROM” (K0174MS-A), if it is not already in the drive and open the folder
“\3rd_party\SystemManager”.
b. Double-click on setup.exe.

30
2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation B0700SS – Rev D

c. Click Next.
d. Keep the “Modify” choice selected (default) and click Next.
e. Under “System Manager Server”, select “This feature will be installed
on local hard drive”, as shown in Figure 2-19.

Figure 2-19. Installing System Manager Server

f. Click Next and then Install to install the System Manager Server.
♦ If the SMDH package was not configured and the System Manager client is not
installed, System Manager may be added by running the complete System Manager
installation process from the System Manager CD-ROM (K0201HU).

NOTE
The System Manager client is installed only if the IASVCS package is assigned to
the station.

Installing the Beep Driver (Foxboro Evo Control Core Services


Servers with FoxPanels Only)
On Foxboro Evo servers with Windows Server 2008 R2 Standard, FoxPanels requires that the
Beep Driver component be running to operate. This driver is disabled by default, and must be
enabled on these servers to enable redirection of the Beep Driver through the audio redirection
mechanism.
To enable the Beep Driver on servers with Windows Server 2008 R2 Standard, proceed as follows:
1. Install the Desktop Experience server feature.

31
B0700SS – Rev D 2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation

a. Open the Server Manager as follows: click the Start button and click Control
Panel -> Administrative Tools, and double-click Server Manager.
Alternately, you can open a command prompt - click the Start button and click
Programs -> Accessories -> Command Prompt. Then, type
servermanager.msc and press <Enter>.
b. In the Features Summary section, click Add features.
c. Select the Desktop Experience check box, and then click Next.
d. Complete the wizard by clicking Install.
2. Configure the Windows Audio service to start automatically.
a. Open a command prompt, type Services.msc and press <Enter>.
b. Scroll down in the Services (Local) window, right-click Windows Audio and
select Properties.
c. In the General tab, select Automatic in the Startup Type drop-down menu.
d. Click OK.
e. Close the Services dialog box.
3. Open a command prompt.
a. Type the following: sc config beep start= auto
b. Press <Enter>. This configures the Beep Driver to start automatically.
4. Enable the SystemSoundsService task to run on user logon, as follows:
a. Open the Task Scheduler: click the Start button and click Control Panel ->
Administrative Tools and double-click Task Scheduler.
Alternately, you can open a command prompt, type Taskschd.msc and press
<Enter>.
b. Open the Task Library.
c. Navigate to the Microsoft/Windows/Multimedia section.
d. Right-click the SystemSoundsService task and click Enable.
e. Click OK.
f. Close the Task Scheduler.
The Beep Driver is enabled.

Setting Date and Time


For an internally sourced Master TimeKeeper (MTK), set the local date and time with either Sys-
tem Manager (default) or SMDH.
For instructions on how to set the date and time with the System Manager, refer to the section
“Date and Time Tools” in System Manager (B0750AP).
For instructions on how to set the date and time with the System Management Display Handler
(SMDH), proceed as follows:
1. From the Control Core Services initial display, access System Management displays
from the System button on the FoxView main window.

32
2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation B0700SS – Rev D

2. From the System Monitor display, select the Time button to access the Set Date and
Time screen. Set the current date and time by clicking the appropriate arrows on the
screen. Click RETURN - SET.
For an active externally sourced MTK, the Set Date and Time display is unavailable. The date and
time are automatically established and synchronized by an external GPS satellite.
Refer to Time Synchronization User’s Guide (B0700AQ) for a complete description of the time
synchronization subsystem.

Completing Installation
To complete the installation, re-enable the Enable on-access scanning at system
startup feature in the McAfee VirusScan Console as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. Right-click on Access Protection and select Enable, as shown in Figure 2-1 on
page 14.
4. Right-click on On-Access Scanner and click Enable.
5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 2-2 on page 15.
6. Check the check-box labeled Enable on-access scanning at system startup
and click Apply.
7. Click OK to close this dialog box.

33
B0700SS – Rev D 2. Standard Foxboro Evo Control Core Services v9.1 Day 0 Installation

34
3. Installation or Migration
Scenarios for Security Enhanced
Foxboro Evo Control Core Services
v9.1
If you are performing an installation or migration for a workstation/server with Security
Enhanced Control Core Services v9.1, this chapter assists you in determining the various tasks
needed for your specific system configuration.

NOTE
1. If you already have a station with I/A Series software v8.8 or Control Core Ser-
vices v9.0 installed and want to update to Control Core Services v9.1 directly
(referred to as a release update), refer to Chapter 11 “Release Update of I/A Series
Software v8.8 or Foxboro Evo Control Core Services v9.0 to v9.1 Including
Optional Day 1 Installation”.
2. If you already have Control Core Services v9.1 installed and want to update or
change the packages installed (a Day 1 operation), or repair the existing packages,
refer to Chapter 12 “Upgrading Foxboro Evo Control Core Services v9.1 (Day 1
Installation or Repair Operation)”.
3. All release updates (Security Enhanced or standard) follow the same procedure,
including release update procedures for On-Control Network PDCs. For Off-Con-
trol Network PDCs, no upgrade is required, as they do not contain any Control
Core Services software. In this scenario, you will need to update your group policies
as described in Appendix K “Manual Update For Group Policies on an Off-Control
Network PDC”.

Introduction
For installations that require additional security over that provided by the standard Control Core
Services v9.1, a system with the security enhanced Control Core Services v9.1 is available. This
security implementation involves having servers that provide the role of Microsoft® Active Direc-
tory Domain Controllers. A domain controller is a server on a Microsoft Windows network that
is responsible for allowing host access to Windows domain resources. It stores user account infor-
mation, authenticates users and enforces security policy for a Windows domain.
There has to be at least one domain controller present to act as the “primary” domain controller,
but the recommendation is to have a second server acting as a “secondary” domain controller to
provide redundancy. All the workstation clients of these domain controllers are members of a
secure domain (domain clients).

35
B0700SS – Rev D 3. Installation or Migration Scenarios for Security Enhanced Foxboro Evo Control Core Services v9.1

Determine the installation scenario for your Control Core Services system as follows:
1. There are two separate types of installations for systems with security enhanced Con-
trol Core Services v9.1. Determine which are applicable for the stations in your Con-
trol Core Services system:
♦ New Installation - Installation of this security enhanced software on worksta-
tions/servers on which Control Core Services or I/A Series software has never been
installed. For this installation, the domain controllers and all client domain work-
stations are newly installed with Control Core Services v9.1.
Workstations with standard Control Core Services software can also be installed
on the same control network but will not be members of the secure domain.
♦ Migration - If your system has domain clients with I/A Series software v8.5/6/7
which you do not plan to immediately upgrade to Control Core Services v9.1,
you must perform the migration procedure. In this case, the v8.5/6/7 domain pol-
icies would be left in place while, at the same time, the new policies for v8.8 and
Control Core Services v9.0-v9.1 would be present on the domain (in parallel).
After the migration, the system will have domain clients with I/A Series software
v8.5/6/7 and domain clients with Control Core Services v9.1 all connected to the
same domain. The domain clients with I/A Series software v8.5/6/7 can be
removed at a later time and replaced with domain clients with Control Core Ser-
vices v9.1, and the old Active Directory GPOs and OUs that support the older
I/A Series version could be removed from Active Directory eventually.
This migration would not be performed if you plan to immediately upgrade all
domain clients with I/A Series software v8.5/6/7 to Control Core Services v9.1
2. Next, the domain controller target destination must be determined. This is based on
where the domain controllers will be located after the installation:
♦ On-Control Network - On the Foxboro Evo Control Network.
♦ Off-Control Network - On a separate network.
3. Once you have determined the installation type (New Installation or Migration) and
the domain controller target destination (On-Control Network or Off-Control Net-
work), use this information to select your installation scenario from Table 3-1. Then
proceed to the appropriate section in this document to install the software, as
directed.
Table 3-1 provides the details concerning each different installation scenario.

36
3. Installation or Migration Scenarios for Security Enhanced Foxboro Evo Control Core Services v9.1B0700SS – Rev D

Table 3-1. Domain Controller Installation/Migration Scenarios for Foxboro Evo


Control Core Services v9.1

Domain Controller Target Destination


Scenario Refer to
Type On-Control Network Off-Control Network Chapter
New 1 New On-Control Net- - Chapter 4 on
Installation (page 37) work PDC with Con- page 43
trol Core Services v9.1
2 - New Off-Control Net- Chapter 5 on
(page 38) work PDC with Control page 109
Core Services v9.1
3 - Install Control Core Chapter 6 on
(page 38) Services v9.1 on Existing page 169
Off-Control Network
Installation Type

PDC1 with Windows


Server 2008 R2 Stan-
dard
Migration 4 PDC with I/A Series - Chapter 7 on
(page 39) software v8.7 page 193
->
New On-Control Net-
work PDC with Con-
trol Core Services v9.1
5 PDC with I/A Series New Off-Control Net- Chapter 8 on
(page 40) software v8.7 -> work PDC with Control page 229
Core Services v9.1
6 PDC with I/A Series Existing Off-Control Chapter 9 on
(page 40) software v8.7 -> Network PDC1 page 277
1. An existing Off-Control Network PDC means a PDC that you already have in place which does not
contain any Control Core Services domain content. It must be already installed with Microsoft
Active Directory software.

These scenarios are explained below.

Scenario 1
In this scenario:
♦ New domain controllers (PDC and SDC) are located on the Foxboro Evo Control
Network (On-Control Network). All stations (new domain controllers and new
domain client workstations) are loaded with Control Core Services v9.1.
♦ There are no stations with security enhanced I/A Series software v8.7 or earlier on the
domain.
♦ Stations with standard (non-SE) Control Core Services v9.1 or earlier are supported
on the same control network but not on the secure domain.

37
B0700SS – Rev D 3. Installation or Migration Scenarios for Security Enhanced Foxboro Evo Control Core Services v9.1

Refer to Chapter 4 “Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for
Domain Controllers on The Foxboro Evo Control Network” for the installation instructions for
this scenario.
Refer to Chapter 10 “Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for
Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Clients
to Existing Off-Control Network Networks” for the installation instructions for the domain cli-
ents.

Scenario 2
In this scenario:
♦ New domain controllers (PDC and SDC) are located on a separate, customer-sup-
plied network (Off-Control Network). All stations (new domain controllers and new
domain client workstations) are loaded with Control Core Services v9.1.
♦ There are no stations with security enhanced I/A Series software v8.7 or earlier on the
domain.
♦ Stations with standard (non-SE) Control Core Services v9.1 or earlier are supported
on the same control network but not on the secure domain.
Refer to Chapter 5 “Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for
New Off-Control Network Domain Controllers” for the installation instructions for this scenario.
Refer to Chapter 10 “Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for
Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Clients
to Existing Off-Control Network Networks” for the installation instructions for the domain cli-
ents.

Scenario 3
This scenario is designed for systems in which you already have a PDC with Windows Server
2008 R2 Standard on which you want to install the Control Core Services components for Active
Directory.
In this scenario:
♦ Control Core Services v9.1 is installed to an existing PDC with Windows Server 2008
R2 Standard installed on an Off-Control Network network. The existing PDC is run-
ning Windows Server 2008 R2 Standard with no Control Core Services software. The
existing PDC installed on a separate network (Off-Control Network) is a customer-
supplied station that has customer-specific Active Directory components with no
Control Core Services software.
♦ This installation is not completely automated by the Control Core Services v9.1
installation program and requires some manual steps as indicated in Chapter 6 “Secu-
rity Enhanced Foxboro Evo Control Core Services v9.1 Installation for Existing Off-
Control Network Primary Domain Controllers”.
♦ All domain clients are installed as new workstations with Control Core Services v9.1.
♦ There are no stations with security enhanced I/A Series software v8.7 or earlier on the
domain.

38
3. Installation or Migration Scenarios for Security Enhanced Foxboro Evo Control Core Services v9.1B0700SS – Rev D

♦ Stations with standard (non-SE) Control Core Services v9.1 or earlier are supported
on the same control network but not on the secure domain.
Refer to Chapter 6 “Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for
Existing Off-Control Network Primary Domain Controllers” for the installation instructions for
this scenario.
Refer to Chapter 10 “Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for
Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Clients
to Existing Off-Control Network Networks” for the installation instructions for the domain cli-
ents.

Scenario 4
In this scenario:
♦ This is a migration of an existing PDC on the control network with Window Server
2003 and I/A Series software v8.5, v8.6 or v8.7 to a new PDC on the control network
with Windows Server 2008 R2 Standard and Control Core Services v9.1.
♦ The new PDC with Windows Server 2008 R2 Standard can either be a new server or
an existing SDC that is capable of running Windows Server 2008 R2 Standard.
♦ The installation is not completely automated by the Control Core Services v9.1 instal-
lation program and requires some manual steps as indicated in Chapter 7 “Migrating
I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Fox-
boro Evo Control Network”.
♦ The station name for the new PDC must be the name of a new station with Control
Core Services v9.1 that is configured to have only the IAMESH package. The name of
this station must be included on the Commit installation media.
♦ The existing PDC will switch roles and become an SDC on the control network with
Windows Server 2003. This station will keep its same name.
♦ SDCs are configured as follows:
♦ All existing SDCs with I/A Series software v8.7 or earlier must be taken off-line
(removing them from Active Directory, described in Appendix D “Secondary
Domain Controllers in a Foxboro Evo System” - demoting is required for domain
controllers).
♦ These off-line stations must have Windows Server 2008 R2 Standard installed on
them (if their hardware supports this operating system).
♦ Each off-line station must have the appropriate software installed on them to
make them an SDC according to the instructions in this document.
This requires that either a new letterbug (station name) is provided which is desig-
nated as a station with Control Core Services v9.1 in the Commit installation
media or that the existing station name is converted in System Definition to be a
station with Control Core Services v9.1.
Refer to Chapter 7 “Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Con-
troller on The Foxboro Evo Control Network” for the installation instructions for this scenario.
Refer to Chapter 10 “Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for
Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Clients

39
B0700SS – Rev D 3. Installation or Migration Scenarios for Security Enhanced Foxboro Evo Control Core Services v9.1

to Existing Off-Control Network Networks” for the installation instructions for the domain cli-
ents.

Scenario 5
In this scenario:
♦ This is a migration of an existing PDC on the control network with Window Server
2003 and I/A Series software v8.5, v8.6 or v8.7 to a new PDC installed on a separate
network (Off-Control Network) with Windows Server 2008 R2 Standard and Con-
trol Core Services v9.1.
♦ The new PDC with Windows Server 2008 R2 Standard can either be a new server or
an existing SDC that is capable of running Windows Server 2008 R2 Standard.
♦ The installation is not completely automated by the Control Core Services v9.1 instal-
lation program and requires some manual steps as indicated in Chapter 8 “Migrating
I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain
Controller”.
♦ The station name for the new PDC does not have to be included on the Commit
installation media. This new name is configured in the Active Directory according to
the instructions.
♦ The original PDC (with I/A Series software v8.5, v8.6 or v8.7) is no longer used after
the installation and can be removed.
♦ The old SDC must be removed. This involves demoting the domain controller and
removing from Active Directory. Any other SDC station on a system with I/A Series
software v8.7 or earlier on the control network must also be removed and reloaded as
stations with Control Core Services v9.1 (Off-Control Network) if desired:
♦ All existing SDCs with I/A Series software v8.7 or earlier must be taken off-line
(removing them from Active Directory, described in Appendix D “Secondary
Domain Controllers in a Foxboro Evo System” - demoting is required for domain
controllers).
♦ These off-line stations must have Windows Server 2008 R2 Standard installed on
them (if their hardware supports this operating system).
♦ Each off-line station must be installed as an Off-Control Network SDC according
to the instructions in this document.
Refer to Chapter 8 “Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network
Primary Domain Controller” for the installation instructions for this scenario.
Refer to Chapter 10 “Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for
Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Clients
to Existing Off-Control Network Networks” for the installation instructions for the domain cli-
ents.

Scenario 6
In this scenario:

40
3. Installation or Migration Scenarios for Security Enhanced Foxboro Evo Control Core Services v9.1B0700SS – Rev D

♦ This is a migration of an existing PDC on the control network with Window Server
2003 and I/A Series software v8.5, v8.6 or v8.7 to an existing PDC on a separate net-
work (Off-Control Network) with Windows Server 2008 R2 Standard. The existing
PDC is a customer station that has customer-specific Active Directory components
with no Control Core Services software.
♦ The installation is not completely automated by the Control Core Services v9.1 instal-
lation program and requires some manual steps as indicated in Chapter 9 “Migrating
I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary
Domain Controller”.
♦ The station name for the new PDC does not have to be included on the Commit
installation media. This new name is configured in the Active Directory according to
the instructions.
♦ The original PDC and all original SDC stations (with I/A Series software v8.5, v8.6
or v8.7) will no longer function as domain controllers on the Control Core Services
network.
♦ It is possible to do one of the following with the original PDC and any original SDC
stations:
♦ Reload these stations with I/A Series software v8.5/8.6/8.7 and connect them to
the new migrated domain. This involves reloading the Windows Server 2003 R2
operating system on these station and re-installing I/A Series software as described
in I/A Series 8.5 Software Installation Guide (B0700SB).
♦ Remove Active Directory from these stations and then connect them directly to
the new domain without reloading I/A Series software (staying at v8.5/8.6/8.7).
This involves performing the procedures for demoting a domain controller, start-
ing with each SDC station and ending with the PDC station (all on the old
domain). Then, the stations must be connected physically to the new Off-Control
Network domain and then joined to the new Active Directory domain.
♦ Reload these stations with Control Core Services v9.1 (if the hardware supports
the Windows Server 2008 R2 Standard operating system). This involves backing
up anything relevant on the station, reloading the operating system, and installing
Control Core Services v9.1. In this case, these stations either need to be assigned a
new workstation name (change the Commit installation media to add a new sta-
tion with Control Core Services v9.1) or migrate the existing letterbug to become
an station with Control Core Services v9.1 in System Definition, as described in
System Definition: A Step-By-Step Procedure (B0193WQ).

NOTE
The procedure to add an SDC station to this domain after the migration is com-
pleted is out of the scope of this document. The domain is an existing setup and
already has its domain controllers configured.

Refer to Chapter 9 “Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control


Network Primary Domain Controller” for the installation instructions for this scenario.
Refer to Chapter 10 “Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for
Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Clients

41
B0700SS – Rev D 3. Installation or Migration Scenarios for Security Enhanced Foxboro Evo Control Core Services v9.1

to Existing Off-Control Network Networks” for the installation instructions for the domain cli-
ents.

42
4. Security Enhanced Foxboro Evo
Control Core Services v9.1
Installation for Domain Controllers
on The Foxboro Evo Control
Network
This chapter describes procedures to install security enhanced Control Core Services v9.1 on
primary and secondary domain controller servers on the Foxboro Evo Control Network
(hereafter referred to as “the control network”).
Proceed to the appropriate section:
♦ For Primary Domain Controllers on the Foxboro Evo Control Network, proceed to
the next section.
♦ For Secondary Domain Controllers on the Foxboro Evo Control Network, proceed to
“Installing Security Enhanced Foxboro Evo Control Core Services v9.1 on Secondary
Domain Controllers on The Foxboro Evo Control Network” on page 79.

NOTE
After the IAInstaller account has been created during the PDC software installation,
use this account for all subsequent installation tasks, such as installing additional
software. However, due to the permissions assigned to IAInstaller, do not use it for
any other role, such as operation of the station.

Installing Security Enhanced Foxboro Evo Control


Core Services v9.1 on Primary Domain Controllers on
The Foxboro Evo Control Network
This section describes how to install security enhanced Control Core Services v9.1 on primary
domain controller servers on the control network.

Server Preparation
The primary domain controller (PDC) must be a server-class station installed with the Windows
Server 2008 R2 Standard operating system, and must be the first station in the Control Core Ser-
vices system installed with the security enhanced Control Core Services software. For this proce-
dure, it is assumed that the PDC is installed on the control network (which is a dedicated Control
Core Services maintained network).

43
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

Perform the following steps to set up the hardware and restore the operating system onto your pri-
mary domain controller server:

NOTE
If this is a new station shipped from the Invensys factory with the V9.1 Restore
image identified by the media kits in Table 1-2 and verified in your workstation’s
H-code (or P-code), proceed to “Notes on Installing Foxboro Evo Control Core
Services” on page 45. If not, continue following the steps in this section.

1. Install hardware, restore the Windows Server 2008 R2 Standard operating system, and
update drivers for your server. Perform the following:
a. Refer to Control Core Services v9.1 Release Notes (B0700SR) to be sure that your
hardware meets all hardware requirements specific to Control Core Services V9.1.
For instructions on installing memory upgrades, PCI cards, and so forth, refer to
the “Installing Hardware Upgrades” chapter of the Hardware and Software Specific
Instructions document shipped with your server.
b. Using the V9.1 Restore Media, restore the Windows Server 2008 R2 Standard
operating system on your server. Follow the instructions of Appendix A “Startup
Options”.

! WARNING
Only use the media kits listed in Table 1-2 to restore the operating system of a sta-
tion with Control Core Services v9.1.

Do not follow the instructions for installing Control Core Services from your hard-
ware specific instruction manual. Follow the software installation procedure below.

c. Set the time and date. Perform the following:


♦ Open the Windows Date and Time applet by clicking the Date and Time
icon in the Control Panel.
♦ Click the Change Date and Time button.
♦ Adjust the date and time.
♦ Click OK.
♦ Click the Change time zone button.
♦Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
♦ Click OK.
d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the Hardware and Software Specific Instructions doc-
ument shipped with the server.

44
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Notes on Installing Foxboro Evo Control Core Services


Before you install Control Core Services, make sure that the server is physically connected to the
control network and, if required, that any network interface card drivers are updated. Refer to the
notes below.
Also, make sure the server is disconnected from any secondary (non-Foxboro) networks, but do
not disable the adapters for these network cards.

! WARNING
The server must be connected to the control network before installing Control Core
Services.

! CAUTION
Disconnect non-Foxboro network connections but do not disable the adapters for
these network cards.

! CAUTION
The network interface drivers used for connection to the control network may
require updating before installing Control Core Services v9.1. Failure to do this may
lead to communication errors. See Appendix A “Startup Options”.

! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

NOTE
It is not possible to log onto either type of domain controller (primary or second-
ary) with any of the standard Control Core Services or I/A Series user accounts
(such as users that are members of the IA Plant Operators, IA Plant Maintenance,
or IA Plant Engineers groups). It is possible to log onto a domain controller with
the “IAManager”, “IAInstaller”, and “IADomainAdmin” accounts. However, all of
the Control Core Services functionality is not available through these user accounts.
The recommended configuration for the domain controllers is IAMESH only.

NOTE
On servers with the Windows Server 2008 R2 Standard operating system, it is rec-
ommended that no roles be added to the system which are not necessary for the
operation of the server. Adding unnecessary roles (for example, adding the Remote
Desktop Services role when the server is not to be used as a remote session host) can
create security weaknesses in the overall system.

45
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

Changing the Station Name


The Windows server name must match the server letterbug name as it was configured in SysDef
and saved onto your Commit installation media before you install the Control Core Services. For
instructions on modifying the computer name of your server, refer to Appendix B “Changing the
Station Name”.

Disabling the VirusScan Console


Proceed as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. If Access Protection is “Enabled”, right-click on Access Protection and select
Disable, as shown in Figure 4-1.

Figure 4-1. Disable Virus Scan Access Protection

4. Right-click on On-Access Scanner and select Disable.


5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 4-2.

46
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Figure 4-2. On-Access Scan Properties Dialog Box

6. Clear the check-box labeled Enable on-access scanning at system startup


and click Apply. Click OK.

NOTE
The check box should be re-enabled at the end of the installation.

Preparing Network Interface Cards (NICs) For Installation


Before installing Control Core Services, for each installed NIC, you must set the NIC’s properties
“Flow Control” and “Speed & Duplex” manually as described below for the NICs on this station.

47
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

NOTE
Refer to the Hardware and Software Specific Instructions document included with
your station to determine the NIC cards it supports.

Proceed as follows:
1. Right-click the My Computer icon, and click Manage. Double-click Device Man-
ager. In the Device Manager window, expand the Network adapters list.
2. Right-click the desired card and click Properties. In the Properties dialog box that
appears, select the Advanced tab.
3. In the Property field, click Flow Control. In the Value field, select Disable from
the drop-down menu list.
4. In the Property field, click Speed & Duplex. In the Value field, in the drop-down
menu list:
♦ For a station on the control network, select 100 Mb Full.
♦ For a station on another network other than the control network (Off-Control
Network), select Auto.
5. Click OK.
6. For each additional NIC, repeat Steps 2 through 5.
7. Shutdown and restart the system for the driver changes to take effect. Click the Start
button and click Shut Down; select Restart from the pull-down menu and click OK.

Canceling and Resuming the Security Enhanced Installation


Process
If you click the Cancel button during the security-enhanced installation, the following dialog
box appears:

Figure 4-3. Confirming Cancellation of Software Installation

Click Yes to cancel, or No to resume the installation process. If you click Yes, the following dialog
box appears. Click OK:

48
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Figure 4-4. Confirming Installation Interruption

You are returned to the installation dialog box as shown in Figure 4-5. If you want to see the
installation log, check Show the Windows Installer log. Click Finish.

Figure 4-5. InstallShield Wizard Completed - Interrupted

To restart the installation process after clicking Cancel, re-insert the DVD labeled “Foxboro Evo
Control Core Services v9.1 Day 0 DVD-ROM” (K0174MS-A). A dialog box appears asking if
you want to continue with the installation.
If you click Yes, the installation will return to the dialog box that was canceled. If you click No,
installation will restart from the beginning.

Installation Procedure
Proceed as follows:
1. Ensure that the server is attached to the control network.

49
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

2. Unplug any non-control network cables.


3. Insert the DVD labeled “Foxboro Evo Control Core Services v9.1 Day 0 DVD-
ROM” (K0174MS-A).
4. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 4-6. Click
Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 4-6. AutoPlay Dialog Box

! CAUTION
If you are prompted with a dialog box indicating that you need to restart for the
configuration changes made to the Security Enhanced Installer to take effect, you
may have restored a non-secure image intended for I/A Series software v8.5-8.7 on
Windows XP or Windows Server 2003 R2. If you are sure you used the proper Con-
trol Core Services v9.1 restore image, then reboot the server. Otherwise, restore the
server using the proper Control Core Services v9.1 restore media. (See page 6.)

5. Click Yes to accept the User Account Control (UAC) prompt.


6. A pre-requisite installation dialog box appears as shown in Figure 4-7. Click Install
to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the server.

50
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Figure 4-7. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box

51
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

7. A dialog box appears that allows you to select whether you are installing Control Core
Services without security enhancements or for a security-enhanced system. Select
Install I/A Series software for a security enhanced system and
Install this workstation as a domain controller (secondary or pri-
mary):

Figure 4-8. Selecting to Install a Domain Controller

8. If you are migrating from a previous version of I/A Series software (pre-v8.8), check
the “Migrate from Pre-8.8 I/A Series (PDC Only)” box. Otherwise, do not
check this box.
Security enhanced Control Core Services v9.1 should only be installed on the Win-
dows 7 or Windows Server 2008 R2 Standard operating systems as provided by Inven-
sys.
9. Click Next.
10. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 4-9. Click Load to load the committed configuration files.

52
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Figure 4-9. Load Committed Configuration Install Files

11. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 4-10. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a floppy diskette, put
the diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 4-9 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.

53
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

Figure 4-10. Installation Media Folder Browser

12. Once the installation files have been loaded, click Bind as shown in Figure 4-9 on
page 53 to launch the I/A Series Network Installation dialog box (Figure 4-11).
13. The dialog box shown in Figure 4-11 is displayed if the network configuration from
System Definition does not match the available NIC hardware. If this dialog box is
displayed, select the two network cards and click Next.

! CAUTION
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation.

If this dialog box is not displayed, the NIC cards have been automatically configured.
Proceed to the next step.

54
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Figure 4-11. I/A Series Network Installation Dialog Box (For Certain NIC Cards)

14. Click Next. The Server platform setup dialog appears as shown in Figure 4-12. Leave
the “Install as a Primary Domain Controller (PDC)” choice selected.

Figure 4-12. Server Platform Setup Dialog Box

55
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

15. If Secondary Domain Controller (SDC) stations are planned for this Control Core
Services system, select the SDC stations from the “Select the Secondary Domain Con-
troller Stations” drop-down list and click Set. If no SDC stations are planned, click
Skip.
16. In the “Enter domain information for Active Directory setup and Prepare” area, enter
the name of your domain (iaseries.local is the default), the site name
(IASERIES is the default), and the password for the logged on user account (normally
the password for the Fox account). When done, click Prepare.
17. A warning dialog appears as shown in Figure 4-13. Ensure that the name you have
chosen for your Active Directory domain is correct and will not conflict with another
domain on the same network. Click OK to continue.

Figure 4-13. Active Directory Warning

18. Click Install to load the Active Directory Domain Services onto this server and to
promote the server to the role of Primary Domain Controller.
A DOS window is displayed while Active Directory is being installed, as shown in
Figure 4-14.

56
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Figure 4-14. Active Directory Installation via DOS Window

The DOS window shows progress while the system is promoted to Primary Domain
Controller status and DNS is installed, as shown in Figure 4-15.

Figure 4-15. Promoting to Primary Domain Controller via DOS Window

19. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “Administrator” account with the password
“Password1”.
20. Restart the installation by launching Setup.exe from the DVD drive, as described in
Steps 3- 4 above. The dialog box shown in Figure 4-16 is displayed. Click Apply.

57
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

Figure 4-16. Setting up the Platform for a Secure Foxboro Evo Control Core Services Installation

A DOS window is displayed while the Active Directory domain settings are applied,
as shown in Figure 4-17.

58
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Figure 4-17. Active Directory Domain Settings Applied

21. The I/A Series Secure User Accounts dialog box opens as shown in Figure 4-18. Enter
in the user names and passwords for the standard Control Core Services or I/A Series
domain accounts and click Create.

Figure 4-18. I/A Series Secure User Accounts Dialog Box

59
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

NOTE
The names of these accounts may be changed, but the default values are recom-
mended. It is recommended that the password meets the following password
complexity criteria:
- An 8-character minimum password length
- At least one lowercase character
- At least one uppercase character
- At least one numeric character.
These criteria are not required for this password, but they are strongly recom-
mended.
After the installation has completed, these requirements will remain in place for
accounts created in the Control Core Services domain.

22. When the Invensys IASeries Install: Workstation Reboot Request dialog box appears,
as shown in Figure 4-19, click Reboot.

Figure 4-19. Invensys IASeries Install: Workstation Reboot Request Dialog Box

The following dialog box indicates that the server will be rebooted.

Figure 4-20. You Are About To Be Logged Off Dialog Box

23. After the server reboots, log on with the “IA Installer” account with the password cho-
sen in the previous steps.
24. If installation does not continue automatically (or the Finish dialog box appears), nav-
igate to the DVD drive and double-click setup.exe to continue the installation. If
installation does continue automatically, click Next and then Install to run the
installation.

60
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

NOTE
In some cases, the installation is not able to restart automatically after logging in
with the IA Installer account. If the following dialog box (Figure 4-21) is displayed
after logging in (this dialog box could take a few minutes to display), the installa-
tion must be restarted manually. This can be done after a reboot or logoff and logon
with the IA Installer account. To restart the installation manually, execute setup.exe
directly from the DVD drive.

Figure 4-21. Reboot or Logoff Requested

25. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 4-22 is displayed.
To install this package, insert the first OS1FDB package diskette and click Load. After
the first disk has been loaded, insert the second OS1FDB package diskette and click
Load.
To bypass the installation of this package, click Skip. The installation continues, but
this dialog box is displayed again for each of the OS1FDB stations configured on this
station.

NOTE
This will occur one time for each OS1FDB station configured.

61
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

Figure 4-22. Installation Media Dialog Box

26. If you selected Load, the media folder browser opens.

Figure 4-23. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette must be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.

62
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

27. If you selected Use Diskette in the previous step, the dialog box in Figure 4-24
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
must be inserted in drive A:\.

Figure 4-24. Installation Media Dialog Box - For Diskettes

28. Click Finish when the installation process is complete.


At the end of the installation, the installation log is displayed. You can view the instal-
lation log at any time by clicking the Start button and selecting All Programs ->
Invensys -> IASeries -> Utilities -> Log Viewer.

63
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

Figure 4-25. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.

Installing the Foxboro Evo Control Core Services v9.1 Trailer CD-ROM
To complete the installation of Control Core Services v9.1, you must install the V9.1 trailer CD-
ROM (K0174MZ-A). The trailer CD-ROM must be installed for stations running Windows 7 or
Windows Server 2008 R2 Standard operating systems:
1. Launch the trailer installation application (1250550.msi).
Insert the CD-ROM labeled “Foxboro Evo Control Core Services 9.1 Trailer CD-
ROM” (K0174MZ-A) into the station. Navigate to the CD-ROM with Windows
Explorer and double-click 1250550.msi to launch the installation.
2. Click Next and then click Install to start the installation process.
If the user currently logged in is not an administrator, a User Account Control (UAC)
prompt may appear. Click Yes to accept the UAC prompt.

64
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

NOTE
During the trailer installation, if the following message appears, “The Setup must
update files or services that cannot be updated while the system is running. If we
choose to continue, reboot will be required to continue the setup,” click OK. The
installation continues as normal. Do not reboot the station if you see this message.
This message is shown in the event that you are installing the trailer after booting
into the Control Core Services software (which you should not have done if you are
performing this procedure as written in this section).

3. When the installation is complete, click Finish.


4. If you are installing the trailer via a CD-ROM, remove the trailer CD-ROM.
5. Restart your station as described in the following section.

Restarting Your System


Reboot the server at this time. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.

Installing Optional Software


After restarting the station following the Control Core Services software installation, you can
install ePolicy Orchestrator on your PDC. This software should only be installed on one domain
controller in the system. Install this software according to Optional McAfee® Security Products
Installation and Configuration Guide (B0700EX).

System Manager and System Management Display Handler (SMDH)


Installation Notes
Control Core Services system management is carried out by the operator primarily via the:
♦ System Manager, discussed in System Manager (B0750AP), or
♦ System Management Display Handler (SMDH), discussed in System Management
Displays (B0193JC).
Be aware of the following notes regarding the installation of these software packages.
♦ On servers/workstations configured with the SMDH package (ASMDW7), the Sys-
tem Manager will be installed. Uninstalling the System Manager through the
Programs and Features dialog box (accessed via the Control Panel) results in the
server/workstation defaulting to SMDH as the system management application.
♦ SMDH can only be invoked through FoxView. From the Control Core Services initial
display, access the SMDH displays from the System button on the FoxView main
window.
System Manager displays can be invoked directly, without the need for a separate
application.
Be aware that FoxView is not typically loaded on a domain controller. Invensys rec-
ommends the IAMESH only configuration on domain controllers, in which SMDH
or System Manager is not installed.

65
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

♦ On servers/workstations where System Manager is installed by the Day 0 installation


of Control Core Services software, only the System Manager client is installed. To
install the System Manager Server, proceed as follows
a. Insert the DVD labeled “Foxboro Evo Control Core Services v9.1 Day 0 DVD-
ROM” (K0174MS-A), if it is not already in the drive and open the folder
“\3rd_party\SystemManager”.
b. Double-click on setup.exe.
c. Click Next.
d. Keep the “Modify” choice selected (default) and click Next.
e. Under “System Manager Server”, select “This feature will be installed
on local hard drive”, as shown in Figure 4-26.

Figure 4-26. Installing System Manager Server

f. Click Next and then Install to install the System Manager Server.
♦ If the SMDH package was not configured and the System Manager client is not
installed, System Manager may be added by running the complete System Manager
installation process from the System Manager CD-ROM (K0201HU).

NOTE
The System Manager client is installed only if the IASVCS package is assigned to
the station.

♦ In order to run the Foxboro Control Panel applet, navigate to the folder
D:\usr\fox\system32. Right-click on Foxboro.cpl, select Run as Adminis-

66
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

trator, and click OK


to close the dialog box. Click Yes to accept the User Account
Control (UAC) prompt.

NOTE
On Foxboro Evo servers with Windows Server 2008 R2 Standard, FoxPanels
requires that the Beep Driver component be running to operate. If you have Fox-
Panels on this domain controller, refer to “Installing the Beep Driver (Foxboro Evo
Control Core Services Servers with FoxPanels Only)” on page 31 for installation
instructions.

Primary Domain Controller Postinstallation Procedures


Changing Passwords
After completing the installation of the PDC, the password for the administrator account on the
domain should be changed. Initially, this password is set to “Password1” for the Invensys supplied
server images. When setting this password, it must meet the password complexity requirements
which are enforced on the Control Core Services system domain.

67
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

Perform the following steps:


1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. Right-click on the Administrator
account under the Accounts\Users\Administrators OU which was renamed to
IAManager during the Control Core Services or I/A Series installation. Select Reset
Password:

Figure 4-27. Resetting Passwords via Active Directory Users and Computers

2. Enter the new password and confirm it in the Reset Password dialog box:

Figure 4-28. Resetting a Password

68
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

3. Click OK.
The restore mode password for Active Directory on this server should be configured at this time.
Perform the following steps:
1. Select Run from the Start menu and enter ntdsutil.exe:

Figure 4-29. Setting the Restore Mode Password via ntdsutil.exe

2. Click OK.
3. Type the following text in the command prompt window:
set dsrm password
reset password on server <SERVERNAME>
<password>
<password>
quit
quit
<SERVERNAME> is the actual name of your PDC server. <Password> is the newly
chosen Active Directory Restore Mode password.

69
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

NOTE
Be sure to document this password and save it in a secure place for future retrieval.
Without this password you will not be able to recover Active Directory.

Figure 4-30. Using and Exiting ntdsutil.exe

In addition, set the passwords for all of the domain client workstations. Initially the local
IAManager account (the original Administrator account on all of the domain clients) has its pass-
word set to Password1. On each domain client, the password should be changed.

Creating Users in Active Directory


The following steps can be used to create an Operator account in the Active Directory domain.
This is a default group. Similar steps can be taken to create other customized accounts, such as
Maintenance and Engineer accounts. Refer to Security Enhancements User's Guide for I/A Series
Workstations with Windows 7 or Windows Server 2008 Operating Systems (B0700ET) for informa-
tion on creating customized accounts.
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. You may need to scroll down to see
this menu selection.

70
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

2. Under the Invensys\Accounts\Users\Standard OU, right-click Standard, and select


New -> User:

Figure 4-31. Creating Users via Active Directory Users and Computers

All users are created under the Accounts\Users\Standard OU, including IA Plant
Engineers, IA Plant Operators, and IA Plant Maintenance.
The dialog box shown in Figure 4-32 opens.

71
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

Figure 4-32. New Object - User

3. Enter the First name, Full name, and User logon name as the same value (for exam-
ple,. Operator1).
4. Click Next.
5. In the dialog box shown in Figure 4-33, clear the User must change password at
next logon check box. Select the Password never expires check box.
6. Enter the password and confirm the password.
7. Click Next.

72
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Figure 4-33. New Object - User - Password Updates

8. Click Finish as shown in Figure 4-34.

Figure 4-34. New Object - User - Finish

73
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

9. Double-click on the new user name in the Active Directory Users and Computers dia-
log box to open the Properties dialog box, as shown in Figure 4-35.

Figure 4-35. Opening the New User Properties Dialog Box

74
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

10. Select the Member Of tab, as shown in Figure 4-36.

Figure 4-36. New User Properties Dialog Box

11. Click the Add button.


12. Type in the text “IA Plant” and click the Check Names button as shown in
Figure 4-37.

75
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

Figure 4-37. Select Groups

13. Select the desired Control Core Services standard user group (for example, IA Plant
Engineers) and click OK.

Figure 4-38. Multiple Names Found Dialog Box

76
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

14. Click OK to close the Select Groups dialog box shown in Figure 4-39.

Figure 4-39. Closing Select Groups Dialog Box

15. Click OK to close the Properties dialog box shown in Figure 4-40.

Figure 4-40. Closing Properties Dialog Box

77
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

16. Repeat the above steps for as many users as desired. The different standard user groups
provide different policy settings and system access.

Tombstone Lifetime Attribute in Active Directory


By default the Active Directory tombstone lifetime is sixty days. Having a longer tombstone life-
time decreases the chance that a deleted object remains in the local directory of a disconnected
Domain Controller beyond the time when the object is permanently deleted from online DCs.
It is highly recommended that you review information regarding the tombstone lifetime attribute
in “Backing Up Active Directory on Domain Controllers” on page 527. If you want to alter the
default value, use the procedure “Changing the Tombstone Lifetime Attribute in Active Direc-
tory” on page 528.

Backing Up Active Directory


You should back up Active Directory at regular intervals on Control Core Services domain con-
troller stations. Backing up Active Directory ensures a smooth restoration of Control Core Ser-
vices system operations after an unexpected hardware or software failure. See “Backing Up Active
Directory on Domain Controllers” on page 527 for additional information.

Continuing Installation
Re-enable the Enable on-access scanning at system startup feature in the McAfee
VirusScan Console as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 4-2 on page 47.
4. Check the check-box labeled Enable on-access scanning at system startup
and click Apply.
5. Click OK to close this dialog box.
If you have a secondary domain controller on the control network, proceed to “Installing Security
Enhanced Foxboro Evo Control Core Services v9.1 on Secondary Domain Controllers on The
Foxboro Evo Control Network” on page 79.
If you do not have an SDC, proceed to Chapter 10 “Security Enhanced Foxboro Evo Control
Core Services v9.1 Installation for Domain Clients or Connecting Security Enhanced I/A Series
Software v8.5-8.7 Domain Clients to Existing Off-Control Network Networks” for the installa-
tion procedure for the domain clients.

78
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Installing Security Enhanced Foxboro Evo Control


Core Services v9.1 on Secondary Domain Controllers
on The Foxboro Evo Control Network
This section describes how to install security enhanced Control Core Services v9.1 on secondary
domain controller servers on the control network.

Server Preparation
The secondary domain controller (SDC) must be a server-class station installed with the Win-
dows Server 2008 R2 Standard operating system. For this procedure, it is assumed that the SDC
is installed on the control network (which is a dedicated Foxboro maintained network).
Perform the following steps to set up the hardware and restore the operating system onto your sec-
ondary domain controller server:

NOTE
If this is a new station shipped from the Invensys factory with the V9.1 Restore
image identified by the media kits in Table 1-2 and verified in your workstation’s
H-code (or P-code), proceed to “Notes on Installing Foxboro Evo Control Core
Services” on page 80. If not, continue following the steps in this section.

1. Install hardware, install the Windows Server 2008 R2 Standard operating system, and
update drivers for your server. Perform the following:
a. Refer to Control Core Services v9.1 Release Notes (B0700SR) to be sure that your
hardware meets all hardware requirements specific to the Control Core Services
v9.1 release. For instructions on installing memory upgrades, PCI cards, and so
forth, refer to the “Installing Hardware Upgrades” chapter of the Hardware and
Software Specific Instructions document shipped with your server.
b. Using the V9.1 Restore Media, restore the Windows Server 2008 R2 Standard
operating system on your server. Follow the instructions of Appendix A “Startup
Options”.

! WARNING
Only use the media kits listed in Table 1-2 to restore the operating system of a sta-
tion with Control Core Services v9.1.

Do not follow the instructions for installing Control Core Services from your hard-
ware specific instruction manual. Follow the software installation procedure below.

c. Set the time and date.to match the date and time on the PDC. Perform the fol-
lowing:
♦ Open the Windows Date and Time applet by clicking the Date and Time
icon in the Control Panel.
♦ Click the Change Date and Time button.
♦ Adjust the date and time.

79
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

♦ Click OK.
♦ Click the Change time zone button.
♦ Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
♦ Click OK.

NOTE
While installing an SDC, it is important to ensure that the UTC system time
matches the UTC system time on the domain (as viewed on the PDC). The date
and time must match, though the time which Windows displays may differ if the
time zones are not the same on the two stations.
Be careful when changing the time zone prior to adjusting the system time as this
can cause the AM/PM setting to change.
Also, be aware that the checkbox included for some time zones which defines
whether or not the time will be automatically adjusted for Daylight Saving Time
can cause the system time to differ by an hour.

d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the Hardware and Software Specific Instructions doc-
ument shipped with the server.

Notes on Installing Foxboro Evo Control Core Services


Before you install Control Core Services, make sure that the server is physically connected to the
network and that the PDC is on-line and attached to the control network.
Also, make sure the server is disconnected from any secondary (non-Foxboro) networks, but do
not disable the adapters for these network cards.

! WARNING
The server must be connected to the control network before installing Control Core
Services.

! CAUTION
Disconnect non-Foxboro network connections but do not disable the adapters for
these network cards.

! CAUTION
The network interface drivers used for connection to the control network may
require updating before installing Control Core Services v9.1. Failure to do this may
lead to communication errors. See “Installing/Updating the Network Interface Card
Drivers” section in your Hardware and Software Specific Instructions document.

80
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

NOTE
It is not possible to log onto either type of domain controller (primary or second-
ary) with any of the standard Control Core Services user accounts (such as users
that are members of the IA Plant Operators, IA Plant Maintenance, or IA Plant
Engineers groups). It is possible to log onto a domain controller with the “IAMan-
ager”, “IAInstaller”, and “IADomainAdmin” accounts. However, all of the Control
Core Services functionality is not available through these user accounts. The recom-
mended configuration for the domain controllers is IAMESH only.

NOTE
On servers with the Windows Server 2008 R2 Standard operating system, it is rec-
ommended that no roles be added to the system which are not necessary for the
operation of the server. Adding unnecessary roles (for example, adding the Remote
Desktop Services role when the server is not to be used as a remote session host) can
create security weaknesses in the overall system.

Changing the Station Name


The Windows server name must match the server letterbug name as it was configured in SysDef
and saved onto your Commit installation media before you install the Control Core Services. For
instructions on modifying the computer name of your server, refer to Appendix B “Changing the
Station Name”.

81
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

Disabling the VirusScan Console


Proceed as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. If Access Protection is “Enabled”, right-click on Access Protection and select
Disable, as shown in Figure 4-41.

Figure 4-41. Disable Virus Scan Access Protection

4. Right-click on On-Access Scanner and select Disable.


5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 4-42.

82
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Figure 4-42. On-Access Scan Properties Dialog Box

6. Clear the check-box labeled Enable on-access scanning at system startup


and click Apply. Click OK.

NOTE
The check box should be re-enabled at the end of the installation.

Preparing Network Interface Cards (NICs) For Installation


Before installing Control Core Services, for each installed NIC, you must set the NIC’s properties
“Flow Control” and “Speed & Duplex” manually as described below for the NICs on this station.

83
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

NOTE
Refer to the Hardware and Software Specific Instructions document included with
your station to determine the NIC cards it supports.

Proceed as follows:
1. Right-click the My Computer icon, and click Manage. Double-click Device Man-
ager. In the Device Manager window, expand the Network adapters list.
2. Right-click the desired card and click Properties. In the Properties dialog box that
appears, select the Advanced tab.
3. In the Property field, click Flow Control. In the Value field, select Disable from
the drop-down menu list.
4. In the Property field, click Speed & Duplex. In the Value field, in the drop-down
menu list:
♦ For a station on the control network, select 100 Mb Full.
♦ For a station on another network other than the control network (Off-Control
Network), select Auto.
5. Click OK.
6. For each additional NIC, repeat Steps 2 through 5.
7. Shutdown and restart the system for the driver changes to take effect. Click the Start
button and click Shut Down; select Restart from the pull-down menu and click OK.

Canceling and Resuming the Security Enhanced Installation


Process
If you click the Cancel button during the security-enhanced installation, the following dialog
box appears:

Figure 4-43. Confirming Cancellation of Software Installation

Click Yes to cancel, or No to resume the installation process. If you click Yes, the following dialog
box appears. Click OK:

84
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Figure 4-44. Confirming Installation Interruption

You are returned to the installation dialog box as shown in Figure 4-45. If you want to see the
installation log, check Show the Windows Installer log. Click Finish.

Figure 4-45. InstallShield Wizard Completed - Interrupted

To restart the installation process after clicking Cancel, re-insert the DVD labeled “Foxboro Evo
Control Core Services v9.1 Day 0 DVD-ROM” (K0174MS-A). A dialog box appears asking if
you want to continue with the installation.
If you click Yes, the installation will return to the dialog box that was canceled. If you click No,
installation will restart from the beginning.

85
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

Installation Procedure
Proceed as follows:
1. Ensure that the Primary Domain Controller has been installed and is attached to the
control network.
2. Ensure that the Secondary Domain Controller server is attached to the control net-
work.
3. Unplug any non-control network cables.
4. Insert the DVD labeled “Foxboro Evo Control Core Services v9.1 Day 0 DVD-
ROM” (K0174MS-A).
5. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 4-46.
Click Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 4-46. AutoPlay Dialog Box

! CAUTION
If you are prompted with a dialog box indicating that you need to restart for the
configuration changes made to the Security Enhanced Installer to take effect, you
may have restored a non-secure image intended for I/A Series software v8.5-8.7 on
Windows XP or Windows Server 2003 R2. If you are sure you used the proper V9.1
restore image, then reboot the server. Otherwise, restore the server using the proper
V9.1 restore media. (See page 6.)

If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the server using the proper V9.1 Restore
media. (See page 6.)

6. Click Yes to accept the User Account Control (UAC) prompt.

86
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

7. A pre-requisite installation dialog box appears as shown in Figure 4-47. Click


Install to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the
server.

Figure 4-47. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box

87
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

8. A dialog box appears that allows you to select whether you are installing Control Core
Services without security enhancements or for a security-enhanced system. Select
Install I/A Series software for a security enhanced system and
Install this workstation as a domain controller (secondary or pri-
mary):

Figure 4-48. Selecting to Install a Domain Controller

9. Click Next.
10. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 4-49. Click Load to load the install files.

88
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Figure 4-49. Load Committed Configuration Install Files

11. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 4-50. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a floppy diskette, put
the diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 4-9 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.

89
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

Figure 4-50. Installation Media Folder Browser

12. Once the Commit files have been loaded, click Bind as shown in Figure 4-9 on
page 53 to launch the I/A Series Network Installation dialog box (Figure 4-51).
13. The dialog box shown in Figure 4-51 is displayed if the network configuration from
System Definition does not match the available NIC hardware. Select the two net-
work cards and click Next.

! CAUTION
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation.

If this dialog box is not displayed, the NIC cards have been automatically configured.
Proceed to the next step.

90
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Figure 4-51. I/A Series Network Installation Dialog Box (For Certain NIC Cards)

14. Click Next. The Server platform setup dialog appears as shown in Figure 4-52. Select
the “Install as a Secondary Domain Controller (SDC)” radio button.

91
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

Figure 4-52. Server Platform Setup Dialog Box (SDC)

15. In the “Provide information for the domain administrator account and click Autho-
rize” area (see Figure 4-52), enter in the name of the primary domain controller
(PDC) station. Verify the account name with authority to add workstation to the
domain (i.e. iaseries.local\IAInstaller). Enter the password for this account and click
Authorize.
16. If the local system time does not match the PDC system time, the dialog box shown
in Figure 4-53 appears. Click OK. Fix the local system time to match the PDC time
(see “Server Preparation” on page 79) and re-click Authorize.

92
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Figure 4-53. Resetting UTC Date

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 4-54 is displayed. It is important to ensure that the
local and remote system times match (including date, time, AM/PM) before continu-
ing. Note that the checkbox displayed for some time zones which allows the system to
automatically adjust for Daylight Saving Time can affect the time displayed by the
system by one hour.

Figure 4-54. Unable to Determine Local Time on the PDC

17. If there is another Secondary Domain Controller on the network, choose that SDC’s
name from the “Select the Secondary Domain Controller Stations” drop-down list
and click Set, as shown in Figure 4-55. Otherwise, click Skip.

93
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

Figure 4-55. Server Platform Setup Dialog Box (Second SDC)

18. Verify the name of the domain and click Connect.


19. A message appears to indicate that the connection to the domain has succeeded. If
unsuccessful, a reason for the failure is displayed.
Click OK.

NOTE
If after connecting the domain client to an SDC and the software installation does
not continue after the reboot, the system time may not have been set correctly. Refer
to “Setting Time Correctly After Failure to Continue Software Installation After
Reboot (SDC or Domain Client)” on page 563 to correct this.

94
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

20. When the Invensys IASeries Install: Workstation Reboot Request dialog box appears,
as shown in Figure 4-56, click Reboot.

Figure 4-56. Invensys IASeries Install: Workstation Reboot Request Dialog Box

21. After the server reboots, log onto the server with the “IA Installer” account using the
password as it was set during the PDC server’s installation.
22. The installation restarts automatically. The Server platform setup dialog box appears
as shown in Figure 4-57. Re-enter the PDC’s server name, domain “admin” account
name, and domain “admin” account password. Click Authorize.

95
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

Figure 4-57. Server Platform Setup Dialog Box (PDC Account Information)

23. Verify the Domain Name and Site Name fields, shown in Figure 4-58. If satisfied,
click Prepare.

96
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Figure 4-58. Server Platform Setup Dialog Box (Verify Domain Name and Site Name Fields)

24. A warning dialog appears. Ensure that the name you have chosen for your Active
Directory domain is correct and will not conflict with another domain on the same
network.
25. Click Install to load the Active Directory Domain Services onto this server and to
assign the server to the role of Secondary Domain Controller.
A DOS window is displayed while Active Directory is being installed, as shown in
Figure 4-59.

97
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

Figure 4-59. Active Directory Installation via DOS Window

The DOS window shows progress while the system is assigned to its Secondary
Domain Controller status and DNS is installed, as shown in Figure 4-60.

Figure 4-60. Assigning Role of Secondary Domain Controller via DOS Window

26. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “IA Installer” account with the password as set in
the Server platform setup dialog box above (Figure 4-58).
27. The installation process restarts automatically. The dialog box shown in Figure 4-61 is
displayed. Click Apply.

98
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Figure 4-61. Setting Up the Platform for a Secure Foxboro Evo Control Core Services Installation

A DOS window is displayed while the Active Directory domain settings are applied.

99
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

28. Click Next and then Install to run the installation.

Figure 4-62. InstallShield Wizard for Foxboro Evo Control Core Services

29. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 4-63 is displayed.
To install this package, insert the first OS1FDB package diskette and click Load. After
the first disk has been loaded, insert the second OS1FDB package diskette and click
Load.
To bypass the installation of this package, click Skip. The installation continues, but
this dialog box is displayed again for each of the OS1FDB stations configured on this
SDC.

Figure 4-63. Installation Media Dialog Box

100
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

30. If you selected Load, the media folder browser opens.

Figure 4-64. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette must be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.

101
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

31. If you selected Use Diskette in the previous step, the dialog box in Figure 4-24
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
must be inserted in drive A:\.

Figure 4-65. Installation Media Dialog Box - For Diskettes

32. Click Finish when the installation process is complete.


At the end of the installation, the installation log is displayed. You can view the instal-
lation log at any time by clicking the Start button and selecting All Programs ->
Invensys -> IASeries -> Utilities -> Log Viewer.

102
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

Figure 4-66. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.

Installing the Foxboro Evo Control Core Services v9.1 Trailer CD-ROM
To complete the installation of Control Core Services v9.1, you must install the V9.1 trailer CD-
ROM (K0174MZ-A). The trailer CD-ROM must be installed for stations running Windows 7 or
Windows Server 2008 R2 Standard operating systems:
1. Launch the trailer installation application (1250550.msi).
Insert the CD-ROM labeled “Foxboro Evo Control Core Services 9.1 Trailer CD-
ROM” (K0174MZ-A) into the station. Navigate to the CD-ROM with Windows
Explorer and double-click 1250550.msi to launch the installation.
2. Click Next and then click Install to start the installation process.
If the user currently logged in is not an administrator, a User Account Control (UAC)
prompt may appear. Click Yes to accept the UAC prompt.

103
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

NOTE
During the trailer installation, if the following message appears, “The Setup must
update files or services that cannot be updated while the system is running. If we
choose to continue, reboot will be required to continue the setup,” click OK. The
installation continues as normal. Do not reboot the station if you see this message.
This message is shown in the event that you are installing the trailer after booting
into the Control Core Services software (which you should not have done if you are
performing this procedure as written in this section).

3. When the installation is complete, click Finish.


4. If you are installing the trailer via a CD-ROM, remove the trailer CD-ROM.
5. Restart your station as described in the following section.

Restarting Your System


Reboot the server at this time. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.

Installing Optional Software


After restarting the station following the Control Core Services installation, you can install ePolicy
Orchestrator on your SDC. This software should only be installed on one domain controller in
the system. Install this software according to Optional McAfee® Security Products Installation and
Configuration Guide (B0700EX).

System Manager and System Management Display Handler (SMDH)


Installation Notes
Control Core Services system management is carried out by the operator primarily via the:
♦ System Manager, discussed in System Manager (B0750AP), or
♦ System Management Display Handler (SMDH), discussed in System Management
Displays (B0193JC).
Be aware of the following notes regarding the installation of these software packages.
♦ On servers/workstations configured with the SMDH package (ASMDW7), the Sys-
tem Manager will be installed. Uninstalling the System Manager through the
Programs and Features dialog box (accessed via the Control Panel) results in the
server/workstation defaulting to SMDH as the system management application.
♦ SMDH can only be invoked through FoxView. From the Control Core Services initial
display, access the SMDH displays from the System button on the FoxView main
window.
System Manager displays can be invoked directly, without the need for a separate
application.
Be aware that FoxView is not typically loaded on a domain controller. Invensys rec-
ommends the IAMESH only configuration on domain controllers, in which SMDH
or System Manager is not installed.

104
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

♦ On servers/workstations where System Manager is installed by the Day 0 installation


of Control Core Services, only the System Manager client is installed. To install the
System Manager Server, proceed as follows
a. Insert the DVD labeled “Foxboro Evo Control Core Services v9.1 Day 0 DVD-
ROM” (K0174MS-A), if it is not already in the drive and open the folder
“\3rd_party\SystemManager”.
b. Double-click on setup.exe.
c. Click Next.
d. Keep the “Modify” choice selected (default) and click Next.
e. Under “System Manager Server”, select “This feature will be installed
on local hard drive”, as shown in Figure 4-67.

Figure 4-67. Installing System Manager Server

f. Click Next and then Install to install the System Manager Server.
♦ If the SMDH package was not configured and the System Manager client is not
installed, the System Manager may be added by running the complete System Man-
ager installation process from the System Manager CD-ROM (K0201HU).

NOTE
The System Manager client is installed only if the IASVCS package is assigned to
the station.

♦ In order to run the Foxboro Control Panel applet, navigate to the folder
D:\usr\fox\system32. Right-click on Foxboro.cpl, select Run as Adminis-

105
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

trator, and click OK


to close the dialog box. Click Yes to accept the User Account
Control (UAC) prompt.

Secondary Domain Controller Post-Installation Procedures


Changing Passwords
After completing the installation of a secondary domain controller, you should set the restore
mode password for Active Directory on this server. Perform the following steps:
1. Select Run from the Start menu and enter ntdsutil.exe:

Figure 4-68. Setting the Restore Mode Password via ntdsutil.exe

2. Click OK.
3. Type the following text in the command prompt window:
set dsrm password
reset password on server <SERVERNAME>
<password>
<password>
quit
quit
<SERVERNAME> is the actual name of your SDC server. <Password> is the newly
chosen Active Directory Restore Mode password.

106
4. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The Foxboro Evo

NOTE
Be sure to document this password and save it in a secure place for future retrieval.
Without this password you will not be able to recover Active Directory.

Figure 4-69. Using and Exiting ntdsutil.exe

Backing Up Active Directory


You should back up Active Directory at regular intervals on Control Core Services domain con-
troller stations. Backing up Active Directory ensures a smooth restoration of Control Core Ser-
vices system operations after an unexpected hardware or software failure. See “Backing Up Active
Directory on Domain Controllers” on page 527 for additional information.

Continuing Installation
Re-enable the Enable on-access scanning at system startup feature in the McAfee
VirusScan Console as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 4-42 on page 83.
4. Check the check-box labeled Enable on-access scanning at system startup
and click Apply.
5. Click OK to close this dialog box.
Proceed to Chapter 10 “Security Enhanced Foxboro Evo Control Core Services v9.1 Installation
for Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Cli-
ents to Existing Off-Control Network Networks” for the installation procedure for the domain
clients.

107
B0700SS – Rev D 4. Security Enhanced Foxboro Evo Control Core Services

108
5. Security Enhanced Foxboro Evo
Control Core Services v9.1
Installation for New Off-Control
Network Domain Controllers
This chapter describes procedures to install security enhanced Control Core Services v9.1 on
new primary and secondary domain controller servers on a separate network from the Foxboro
Evo Control Network (hereafter referred to as “the control network”).
Proceed to the appropriate section:
♦ For Off-Control Network Primary Domain Controllers, proceed to the next section.
♦ For Off-Control Network Secondary Domain Controllers, proceed to “Installing
Security Enhanced Foxboro Evo Control Core Services v9.1 on Off-Control Network
Secondary Domain Controllers” on page 142.

NOTE
Use the “IA Installer” account for all installation tasks. However, due to the
permissions assigned to “IA Installer”, do not use it for any other role, such as
operation of the station.

Installing Security Enhanced Foxboro Evo Control


Core Services v9.1 on Off-Control Network Primary
Domain Controllers
This section describes how to install security enhanced Control Core Services v9.1 on new pri-
mary domain controller servers on a separate network from the control network.

Server Preparation
The primary domain controller (PDC) must be a server-class station installed with the Windows
Server 2008 R2 Standard operating system, and must be the first station in the Control Core Ser-
vices system installed with the security enhanced Control Core Services. For this procedure, it is
assumed that the PDC is installed on a separate network (which is called an “Off-Control Net-
work” network), not connected to the control network.
Perform the following steps to set up the hardware and restore the operating system onto your pri-
mary domain controller server:

109
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

NOTE
If this is a new station shipped from the Invensys factory with the V9.1 Restore
image identified by the media kits in Table 1-2 and verified in your workstation’s
H-code (or P-code), proceed to “Notes on Installing Foxboro Evo Control Core
Services” on page 110. If not, continue following the steps in this section.

1. Install hardware, restore the Windows Server 2008 R2 Standard operating system, and
update drivers for your server. Perform the following:
a. Refer to Control Core Services v9.1 Release Notes (B0700SR) to be sure that your
hardware meets all hardware requirements specific to the Control Core Services
V9.1 release. For instructions on installing memory upgrades, PCI cards, and so
forth, refer to the “Installing Hardware Upgrades” chapter of the Hardware and
Software Specific Instructions document shipped with your server.
b. Using the Control Core Services V9.1 Restore Media, restore the Windows Server
2008 R2 Standard operating system on your server. Follow the instructions of
Appendix A “Startup Options”.

! WARNING
Only use the media kits listed in Table 1-2 to restore the operating system of a sta-
tion with Control Core Services v9.1.

Do not follow the instructions for installing Control Core Services from your hard-
ware specific instruction manual. Follow the software installation procedure below.

c. Set the time and date. Perform the following:


♦ Open the Windows Date and Time applet by clicking the Date and Time
icon in the Control Panel.
♦ Click the Change Date and Time button.
♦ Adjust the date and time.
♦ Click OK.
♦ Click the Change time zone button.
♦ Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
♦ Click OK.
d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the Hardware and Software Specific Instructions doc-
ument shipped with the server.

Notes on Installing Foxboro Evo Control Core Services


Before you install Control Core Services, make sure that the server is physically connected to the
Off-Control Network and, if required, that any network interface card drivers are updated. Refer
to the notes below.

110
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

Also, make sure the server is disconnected from any secondary (non-Foxboro) networks, but do
not disable the adapters for these network cards.

! WARNING
The server must be connected to the Off-Control Network before installing Con-
trol Core Services software.

! CAUTION
Disconnect non-Foxboro network connections but do not disable the adapters for
these network cards.

! CAUTION
The network interface drivers used for connection to the control network may
require updating before installing Control Core Services v9.1. Failure to do this may
lead to communication errors. See Appendix A “Startup Options”.

! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

NOTE
It is not possible to log onto either type of domain controller (primary or second-
ary) with any of the standard Control Core Services/I/A Series user accounts (such
as users that are members of the IA Plant Operators, IA Plant Maintenance, or IA
Plant Engineers groups).

NOTE
On servers with the Windows Server 2008 R2 Standard operating system, it is rec-
ommended that no roles be added to the system which are not necessary for the
operation of the server. Adding unnecessary roles (for example, adding the Remote
Desktop Services role when the server is not to be used as a remote session host) can
create security weaknesses in the overall system.

Changing the Station Name


The Windows server name must match the server letterbug name as it was configured in SysDef
and saved onto your Commit installation media before you install the Control Core Services. For
instructions on modifying the computer name of your server, refer to Appendix B “Changing the
Station Name”.

111
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

Disabling the VirusScan Console


Proceed as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. If Access Protection is “Enabled”, right-click on Access Protection and select
Disable, as shown in Figure 5-1.

Figure 5-1. Disable Virus Scan Access Protection

4. Right-click on On-Access Scanner and select Disable.


5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 5-2.

112
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

Figure 5-2. On-Access Scan Properties Dialog Box

6. Clear the check-box labeled Enable on-access scanning at system startup


and click Apply. Click OK.

NOTE
The check box should be re-enabled at the end of the installation.

113
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

Canceling and Resuming the Security Enhanced Installation


Process
If you click the Cancel button during the security-enhanced installation, the following dialog
box appears:

Figure 5-3. Confirming Cancellation of Software Installation

Click Yes to cancel, or No to resume the installation process. If you click Yes, the following dialog
box appears. Click OK:

Figure 5-4. Confirming Installation Interruption

114
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

You are returned to the installation dialog box as shown in Figure 5-5. If you want to see the
installation log, check Show the Windows Installer log. Click Finish.

Figure 5-5. InstallShield Wizard Completed - Interrupted

To restart the installation process after clicking Cancel, re-insert the DVD labeled “Foxboro Evo
Control Core Services v9.1 Day 0 DVD-ROM” (K0174MS-A). A dialog box appears asking if
you want to continue with the installation.
If you click Yes, the installation will return to the dialog box that was canceled. If you click No,
installation will restart from the beginning.

115
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

Installation Procedure
NOTE
If you unplugged any non-control network cables prior to performing the Day 0
installation, plug in the non-control network cables at this time.

Proceed as follows:
1. Click the Start button and then click Control Panel -> Network and Sharing
Center. In the Tasks pane, click Change adapter settings.
2. Right-click the connection that you want to change, and then click Properties. If
you are prompted for an administrator password or confirmation, type the password
or provide confirmation.
3. Click the Networking tab. Under “This connection uses the following items”, click
Internet Protocol Version 4 (TCP/IPv4), and then click Properties. The
Internet Protocol Version 4 (TCP/IPv4) Properties dialog box opens as shown in
Figure 5-6.
4. Set the server to have exactly one statically configured NIC adapter for use by Active
Directory, as shown in Figure 5-6. Click OK when done.

Note: The IP address does not need to match the IP address shown in this figure.

Figure 5-6. Internet Protocol Version 4 (TCP/IPv4) Properties

116
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

5. Set the PowerShell execution policy on the server by executing the following com-
mand from within Windows PowerShell:
Set-ExecutionPolicy AllSigned

Figure 5-7. Set-ExecutionPolicy AllSigned

6. Insert the DVD labeled “Foxboro Evo Control Core Services v9.1 Day 0 DVD-
ROM” (K0174MS-A).
7. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 5-8. Click
Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 5-8. AutoPlay Dialog Box

117
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

! CAUTION
If you are prompted with a dialog box indicating that you need to restart for the
configuration changes made to the Security Enhanced Installer to take effect, you
may have restored a non-secure image intended for I/A Series software v8.5-8.7 on
Windows XP or Windows Server 2003 R2. If you are sure you used the proper V9.1
restore image, then reboot the server. Otherwise, restore the server using the proper
V9.1 restore media. (See page 6.)

If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the server using the proper V9.1 Restore
media. (See page 6.)

8. Click Yes to accept the User Account Control (UAC) prompt.


9. A pre-requisite installation dialog box appears as shown in Figure 5-9. Click Install
to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the server.

Figure 5-9. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box

118
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

10. Select the Install I/A Series software for a security enhanced system.
Then select Install the workstation as an OFF-MESH domain controller
(secondary or primary) bullets as shown in Figure 5-10.
Click Next to continue.

Figure 5-10. Selecting to Install a Domain Controller on an Off-Control Network Domain

119
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

11. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 5-11. Click Load to load the committed configuration files.

Figure 5-11. Load Committed Configuration Install Files

12. The browser for the folder which contains the committed configuration install files
opens, as shown in Figure 5-12. If the installation media with your Commit files is on
the server’s hard drive or a network, browse to the location of the media and click
Select Folder. If the installation media with your Commit files is on a floppy dis-
kette, put the diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 5-11 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.

120
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

Figure 5-12. Installation Media Folder Browser

121
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

13. Click Next. The Server platform setup dialog box appears as shown in Figure 5-13.
Leave the Install as a Primary Domain Controller (PDC) choice selected.

Figure 5-13. Server Platform Setup

122
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

14. If a Secondary Domain Controller (SDC) server is planned for this Control Core Ser-
vices system, add the SDC servers from the drop-down list by selecting the Add Off-
Mesh checkbox shown in Figure 5-13. The dialog box shown in Figure 5-14 opens to
indicate where the IP addresses for SDC stations can be set. Enter each of the known
SDC IP addresses and click Done.

Figure 5-14. Collecting SDC Machine Info

15. In Figure 5-15, click Set to choose the SDC stations in your list or Skip to choose no
SDC station IP addresses. If this server does not have exactly one statically set NIC
adapter, the message shown in Figure 5-15 is displayed. Once the NIC settings are
corrected, you can click Set or Skip again to continue.

Figure 5-15. I/A Series Installation Warning Dialog Box

123
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

16. Enter the name of your domain (offmesh.local is the default), the site name
(OFFMESH is the default), and the password for the logged on user account (normally
the password for the Fox account).

Figure 5-16. Pick Type

17. Click Prepare.

124
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

18. The warning dialog box shown in Figure 5-17 appears. Make sure at this time that the
name you have chosen for your Active Directory domain is correct and will not con-
flict with another domain on the same network. Click OK to continue.

Figure 5-17. Active Directory Domain Name Warning

19. Click Install to load the Active Directory Domain Services onto this server and to
promote the server to the role of Primary Domain Controller.
A DOS window is displayed while Active Directory is being installed, as shown in
Figure 5-18.

Figure 5-18. Active Directory Installation via DOS Window

The DOS window shows progress while the system is promoted to Primary Domain
Controller status and DNS is installed, as shown in Figure 5-19.

125
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

Figure 5-19. Promoting to Primary Domain Controller via DOS Window

20. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “Administrator” account with the password
“Password1” or the actual password if the password was changed prior to installing
Control Core Services.

126
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

21. Restart the installation by launching Setup.exe from the DVD drive, as described in
Step 3 above. The dialog box shown in Figure 5-20 is displayed. Click Apply.

Figure 5-20. Setting up the Platform for a Secure Foxboro Evo Control Core Services Installation

127
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

A DOS window is displayed while the Active Directory domain settings are applied,
as shown in Figure 5-21.

Figure 5-21. Active Directory Domain Settings Applied

22. The I/A Series Secure User Accounts dialog box opens as shown in Figure 5-22. Enter
in the user names and passwords for the standard Control Core Services or I/A Series
domain accounts and click Create.

Figure 5-22. I/A Series Secure User Accounts Dialog Box

128
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

NOTE
The names of these accounts may be changed, but the default values are recom-
mended. It is recommended that the password meets the following password
complexity criteria:
- An 8-character minimum password length
- At least one lowercase character
- At least one uppercase character
- At least one numeric character.
These criteria are not required for this password, but they are strongly recom-
mended.
After the installation has completed, these requirements will remain in place for
accounts created in the Control Core Services domain.

23. Add a new Computer account for any SDC stations that will be added to the domain.
Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers.
24. In the console tree, right-click Computers (under Active Directory Users and
Computers\domain node\Computers).
25. Point to New, and then click Computer. In the New Object dialog box that appears
(see Figure 5-23), add the new computer name in both “Computer name” fields.

Figure 5-23. Adding New Computer Account

26. Click OK.

129
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

Figure 5-24. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These logs can also
be printed.
Restart your server as described in the following section.

Restarting Your System


Reboot the server at this time. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.

Installing Optional Software


After restarting the station following the Control Core Services installation, you can install ePolicy
Orchestrator on your PDC. This software should only be installed on one domain controller in
the system. Install this software according to Optional McAfee® Security Products Installation and
Configuration Guide (B0700EX).

130
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

NOTE
On Foxboro Evo servers with Windows Server 2008 R2 Standard, FoxPanels
requires that the Beep Driver component be running to operate. If you have Fox-
Panels on this domain controller, refer to “Installing the Beep Driver (Foxboro Evo
Control Core Services Servers with FoxPanels Only)” on page 31 for installation
instructions.

Primary Domain Controller Postinstallation Procedures


Changing Passwords
After completing the installation of the PDC, the password for the administrator account on the
domain should be changed. Initially, this password is set to “Password1” for the Invensys supplied
server images. When setting this password, it must meet the password complexity requirements
which are enforced on the Control Core Services system domain.
Perform the following steps:
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. Right-click on the Administrator

131
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

account under the Accounts\Users\Administrators OU which was renamed to IAMan-


ager during the Control Core Services installation. Select Reset Password:

Figure 5-25. Resetting Passwords via Active Directory Users and Computers

2. Enter the new password and confirm it in the Reset Password dialog box:

Figure 5-26. Resetting a Password

3. Click OK.
The restore mode password for Active Directory on this server should be configured at this time.
Perform the following steps:

132
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

1. Select Run from the Start menu and enter ntdsutil.exe:

Figure 5-27. Setting the Restore Mode Password via ntdsutil.exe

2. Click OK.
3. Type the following text in the command prompt window:
set dsrm password
reset password on server <SERVERNAME>
<password>
<password>
quit
quit
<SERVERNAME> is the actual name of your PDC server. <Password> is the newly
chosen Active Directory Restore Mode password.

NOTE
Be sure to document this password and save it in a secure place for future retrieval.
Without this password you will not be able to recover Active Directory.

Figure 5-28. Using and Exiting ntdsutil.exe

133
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

Creating Users in Active Directory


The following steps can be used to create an Operator account in the Active Directory domain.
This is a default group. Similar steps can be taken to create other customized accounts, such as
Maintenance and Engineer accounts. Refer to Security Enhancements User's Guide for I/A Series
Workstations with Windows 7 or Windows Server 2008 Operating Systems (B0700ET) for informa-
tion on creating customized accounts.
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. You may need to scroll down to see
this menu selection.
2. Under the Accounts\Users\Standard OU, right-click Standard, and select New ->
User:

Figure 5-29. Creating Users via Active Directory Users and Computers

All users are created under the Accounts\Users\Standard OU, including IA Plant
Engineers, IA Plant Operators, and IA Plant Maintenance.
The dialog box shown in Figure 5-30 opens.

134
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

Figure 5-30. New Object - User

3. Enter the First name, Full name, and User logon name as the same value (for exam-
ple,. Operator1).
4. Click Next.
5. In the dialog box shown in Figure 5-31, clear the User must change password at
next logon check box. Select the Password never expires check box.
6. Enter the password and confirm the password.
7. Click Next.

135
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

Figure 5-31. New Object - User - Password Updates

8. Click Finish as shown in Figure 5-32.

Figure 5-32. New Object - User - Finish

136
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

9. Double-click on the new user name in the Active Directory Users and Computers dia-
log box to open the Properties dialog box, as shown in Figure 5-33.

Figure 5-33. Opening the New User Properties Dialog Box

137
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

10. Select the Member Of tab, as shown in Figure 5-34.

Figure 5-34. New User Properties Dialog Box

11. Click the Add button.


12. Type in the text “IA Plant” and click the Check Names button as shown in
Figure 5-35.

138
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

Figure 5-35. Select Groups

13. Select the desired Control Core Services or I/A Series standard user group (for exam-
ple, IA Plant Engineers) and click OK.

Figure 5-36. Multiple Names Found Dialog Box

139
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

14. Click OK to close the Select Groups dialog box shown in Figure 5-37.

Figure 5-37. Closing Select Groups Dialog Box

15. Click OK to close the Properties dialog box shown in Figure 5-38.

Figure 5-38. Closing Properties Dialog Box

140
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

16. Repeat the above steps for as many users as desired. The different standard user groups
provide different policy settings and system access.

Tombstone Lifetime Attribute in Active Directory


By default the Active Directory tombstone lifetime is sixty days. Having a longer tombstone life-
time decreases the chance that a deleted object remains in the local directory of a disconnected
Domain Controller beyond the time when the object is permanently deleted from online DCs.
It is highly recommended that you review information regarding the tombstone lifetime attribute
in “Backing Up Active Directory on Domain Controllers” on page 527. If you want to alter the
default value, use the procedure “Changing the Tombstone Lifetime Attribute in Active Direc-
tory” on page 528.

Backing Up Active Directory


You should back up Active Directory at regular intervals on Control Core Services domain con-
troller stations. Backing up Active Directory ensures a smooth restoration of Control Core Ser-
vices system operations after an unexpected hardware or software failure. See “Backing Up Active
Directory on Domain Controllers” on page 527 for additional information.

Continuing Installation
Re-enable the Enable on-access scanning at system startup feature in the McAfee
VirusScan Console as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 5-2 on page 113.
4. Check the check-box labeled Enable on-access scanning at system startup
and click Apply.
5. Click OK to close this dialog box.
If you have a secondary domain controller on the same separate network, proceed to “Installing
Security Enhanced Foxboro Evo Control Core Services v9.1 on Off-Control Network Secondary
Domain Controllers” on page 142.
If you do not have an SDC, proceed to Chapter 10 “Security Enhanced Foxboro Evo Control
Core Services v9.1 Installation for Domain Clients or Connecting Security Enhanced I/A Series
Software v8.5-8.7 Domain Clients to Existing Off-Control Network Networks” for the installa-
tion procedure for the domain clients.

141
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

Installing Security Enhanced Foxboro Evo Control


Core Services v9.1 on Off-Control Network
Secondary Domain Controllers
This section describes how to install security enhanced Control Core Services v9.1 on secondary
domain controller servers on a separate network from the control network.

Server Preparation
The secondary domain controller (SDC) must be a server-class station installed with the Win-
dows Server 2008 R2 Standard operating system. For this procedure, it is assumed that the SDC
is installed on a separate network (which is called “Off-Control Network”), not connected to the
control network.
Perform the following steps to set up the hardware and restore the operating system onto your sec-
ondary domain controller server:

NOTE
If this is a new station shipped from the Invensys factory with the V9.1 Restore
image identified by the media kits in Table 1-2 and verified in your workstation’s
H-code (or P-code), proceed to “Notes on Installing Foxboro Evo Control Core
Services” on page 143. If not, continue following the steps in this section.

1. Install hardware, install the Windows Server 2008 R2 Standard operating system, and
update drivers for your server. Perform the following:
a. Refer to Control Core Services v9.1 Release Notes (B0700SR) to be sure that your
hardware meets all hardware requirements specific to Control Core Services v9.1.
For instructions on installing memory upgrades, PCI cards, and so forth, refer to
the “Installing Hardware Upgrades” chapter of the Hardware and Software Specific
Instructions document shipped with your server.
b. Using the Control Core Services v9.1 Restore Media, restore the Windows Server
2008 R2 Standard operating system on your server. Follow the instructions of
Appendix A “Startup Options”.

! WARNING
Only use the media kits listed in Table 1-2 on page 7 to restore the operating system
of an V9.1 station.

Do not follow the instructions for installing Control Core Services from your hard-
ware specific instruction manual. Follow the software installation procedure below.

c. Set the time and date.to match the date and time on the PDC. Perform the fol-
lowing:
♦ Open the Windows Date and Time applet by clicking the Date and Time
icon in the Control Panel.
♦ Click the Change Date and Time button.

142
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

♦ Adjust the date and time.


♦ Click OK.
♦ Click the Change time zone button.
♦ Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
♦ Click OK.

NOTE
While installing an SDC, it is important to ensure that the UTC system time
matches the UTC system time on the domain (as viewed on the PDC). The date
and time must match, though the time which Windows displays may differ if the
time zones are not the same on the two stations.
Be careful when changing the time zone prior to adjusting the system time as this
can cause the AM/PM setting to change.
Also, be aware that the checkbox included for some time zones which defines
whether or not the time will be automatically adjusted for Daylight Saving Time
can cause the system time to differ by an hour.

d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the Hardware and Software Specific Instructions doc-
ument shipped with the server.

Notes on Installing Foxboro Evo Control Core Services


Before you install Control Core Services, make sure that the server is physically connected to the
network and that the PDC is on-line and attached to the same Off-Control Network.
Also, make sure the server is disconnected from any secondary (non-Foxboro) networks, but do
not disable the adapters for these network cards.

! WARNING
The server must be connected to the Off-Control Network before installing Con-
trol Core Services.

! CAUTION
Disconnect non-Foxboro network connections but do not disable the adapters for
these network cards.

! CAUTION
The network interface drivers may require updating before installing Control Core
Services v9.1. Failure to do this may lead to communication errors. See the “Install-
ing/Updating the Network Interface Card Drivers” section in your Hardware and
Software Specific Instructions document.

143
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

NOTE
It is not possible to log onto either type of domain controller (primary or second-
ary) with any of the standard Control Core Services or I/A Series user accounts
(such as users that are members of the IA Plant Operators, IA Plant Maintenance,
or IA Plant Engineers groups). It is possible to log onto a domain controller with
the “IAManager”, “IAInstaller”, and “IADomainAdmin” accounts. However, all of
the Control Core Services functionality is not available through these user accounts.
The recommended configuration for the domain controllers is IAMESH only.

NOTE
On servers with the Windows Server 2008 R2 Standard operating system, it is rec-
ommended that no roles be added to the system which are not necessary for the
operation of the server. Adding unnecessary roles (for example, adding the Remote
Desktop Services role when the server is not to be used as a remote session host) can
create security weaknesses in the overall system.

Changing the Station Name


The Windows server name must match the server letterbug name as it was configured in SysDef
and saved onto your Commit installation media before you install the Control Core Services. For
instructions on modifying the computer name of your server, refer to Appendix B “Changing the
Station Name”.

Disabling the VirusScan Console


Proceed as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. If Access Protection is “Enabled”, right-click on Access Protection and select
Disable, as shown in Figure 5-39.

144
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

Figure 5-39. Disable Virus Scan Access Protection

4. Right-click on On-Access Scanner and select Disable.


5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 5-40.

145
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

Figure 5-40. On-Access Scan Properties Dialog Box

6. Clear the check-box labeled Enable on-access scanning at system startup


and click Apply. Click OK.

NOTE
The check box should be re-enabled at the end of the installation.

146
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

Canceling and Resuming the Security Enhanced Installation


Process
If you click the Cancel button during the security-enhanced installation, the following dialog
box appears:

Figure 5-41. Confirming Cancellation of Software Installation

Click Yes to cancel, or No to resume the installation process. If you click Yes, the following dialog
box appears. Click OK:

Figure 5-42. Confirming Installation Interruption

147
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

You are returned to the installation dialog box as shown in Figure 5-43. If you want to see the
installation log, check Show the Windows Installer log. Click Finish.

Figure 5-43. InstallShield Wizard Completed - Interrupted

To restart the installation process after clicking Cancel, re-insert the DVD labeled “Foxboro Evo
Control Core Services v9.1 Day 0 DVD-ROM” (K0174MS-A). A dialog box appears asking if
you want to continue with the installation.
If you click Yes, the installation will return to the dialog box that was canceled. If you click No,
installation will restart from the beginning.

148
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

Installation Procedure
NOTE
If you unplugged any non-control network cables prior to performing the Day 0
installation, plug in the non-control network cables at this time.

Proceed as follows:
1. Click the Start button and then click Control Panel -> Network and Sharing
Center. In the Tasks pane, click Change adapter settings.
2. Right-click the connection that you want to change, and then click Properties. If
you are prompted for an administrator password or confirmation, type the password
or provide confirmation.
3. Click the Networking tab. Under “This connection uses the following items”, click
Internet Protocol Version 4 (TCP/IPv4), and then click Properties. The
Internet Protocol Version 4 (TCP/IPv4) Properties dialog box opens as shown in
Figure 5-44.
4. Set the server to have exactly one statically configured NIC adapter for use by Active
Directory, as shown in Figure 5-44. Click OK when done.

Note: The IP address does not need to match the IP address shown in this figure.
Figure 5-44. Internet Protocol Version 4 (TCP/IPv4) Properties

149
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

5. Insert the DVD labeled “Foxboro Evo Control Core Services v9.1 Day 0 DVD-
ROM” (K0174MS-A).
6. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 5-45.
Click Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 5-45. AutoPlay Dialog Box

! CAUTION
If you are prompted with a dialog box indicating that you need to restart for the
configuration changes made to the Security Enhanced Installer to take effect, you
may have restored a non-secure image intended for I/A Series software v8.5-8.7 on
Windows XP or Windows Server 2003 R2. If you are sure you used the proper Con-
trol Core Services v9.1 restore image, then reboot the server. Otherwise, restore the
server using the proper Control Core Services v9.1 restore media. (See page 6.)

If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the server using the proper Control Core Ser-
vices v9.1 Restore media. (See page 6.)

7. Click Yes to accept the User Account Control (UAC) prompt.

150
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

8. A pre-requisite installation dialog box appears as shown in Figure 5-46. Click


Install to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the
server.

Figure 5-46. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box

151
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

9. A dialog box appears that allows you to select whether you are installing Control Core
Services without security enhancements or for a security-enhanced system. Select
Install I/A Series software for a security enhanced system and
Install this workstation as an OFF-MESH domain controller (second-
ary or primary):

Figure 5-47. Selecting to Install a Domain Controller

10. Click Next.

152
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

11. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 5-48. Click Load to load the committed configuration files.

Figure 5-48. Load Committed Configuration Install Files

12. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 5-49. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a floppy diskette, put
the diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 5-48 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.

153
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

Figure 5-49. Installation Media Folder Browser

154
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

13. Click Next. The Server platform setup dialog box appears as shown in Figure 5-50.
Select the Install as an off-mesh Secondary Domain Controller (SDC)
radio button.

Figure 5-50. Server Platform Setup

14. In the Domain Controller IP Address field, enter the IP address of the Off-Control
Network PDC server and the password of the account authorized to add stations to
the domain (default value is offmesh.local\IAInstaller). Click Authorize.
15. If the local system time does not match the PDC system time, the dialog box shown
in Figure 5-51 appears. Click OK. Fix the local system time to match the PDC time
(see “Server Preparation” on page 142) and re-click Authorize.

155
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

Figure 5-51. Resetting UTC Date

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 5-52 is displayed. It is important to ensure that the
local and remote system times match (including date, time, AM/PM) before continu-
ing. Note that the checkbox displayed for some time zones which allows the system to
automatically adjust for Daylight Saving Time can affect the time displayed by the
system by one hour.

Figure 5-52. Unable to Determine Local Time on the PDC

156
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

16. If Secondary Domain Controller (SDC) servers are planned for this Control Core Ser-
vices system, add the SDC servers from the drop-down list by selecting the Add Off-
Mesh checkbox shown in Figure 5-53.

Figure 5-53. Server Platform Setup (Select Add Off-MESH)

17. The dialog box shown in Figure 5-54 opens to indicate where the IP addresses for
SDC stations can be set. Enter each of the known SDC IP addresses and click Done.

Figure 5-54. Collecting SDC Machine Info

157
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

18. In Figure 5-53, click Set to choose the SDC stations in your list or Skip to choose no
SDC station IP addresses. If this server does not have exactly one statically set NIC
adapter, the message shown in Figure 5-55 is displayed. Once the NIC settings are
corrected, you can click Set or Skip again to continue.

Figure 5-55. I/A Series Installation Warning Dialog Box

19. Verify the name of the domain and click Connect. If successful, a message is displayed
to indicate that the connection to the domain has succeeded. If unsuccessful, a reason
for the failure is displayed.
20. When the Invensys IASeries Install: Workstation Reboot Request dialog box appears,
as shown in Figure 5-56, click Reboot.

Figure 5-56. Invensys IASeries Install: Workstation Reboot Request Dialog Box

21. After the server reboots, log on with the “IAInstaller” account with the password cho-
sen during the PDC station installation.
22. The installation process restarts automatically. The Server platform setup dialog
appears as shown in Figure 5-57. Re-enter the Domain Controller IP Address, domain
admin account name (Authorized Account), and domain admin account password
(Authorized Password). Click Authorize.

158
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

Figure 5-57. Server Platform Setup (Authorize)

159
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

23. Verify the Domain Name and Site Name fields and click the Prepare button.

Figure 5-58. Server Platform Setup (Prepare)

24. The warning dialog box shown in Figure 5-59 appears. Make sure at this time that the
name you have chosen for your Active Directory domain is correct. Click OK to
continue.

Figure 5-59. Active Directory Domain Name Warning

160
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

25. Click Install to load the Active Directory Domain Services onto this server and to
assign the server to the role of Secondary Domain Controller.
A DOS window is displayed while Active Directory is being installed, as shown in
Figure 5-60.

Figure 5-60. Active Directory Installation via DOS Window

The DOS window shows progress while the system is assigned to its Secondary
Domain Controller status and DNS is installed, as shown in Figure 5-61.

Figure 5-61. Assigning Role of Secondary Domain Controller via DOS Window

161
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

26. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “IAInstaller” account with the password as set in
the Server platform setup dialog box above.
27. The installation process restarts automatically. The dialog box shown in Figure 5-62 is
displayed. Click Apply.

Figure 5-62. Setting Up the Platform for a Secure Foxboro Evo Control Core Services
Installation

A DOS window is displayed while the Active Directory domain settings are applied.
The installation of the Off-Control Network SDC server is complete. DNS is installed automati-
cally with Active Directory.

162
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

Figure 5-63. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These logs can also
be printed.

Installing the Foxboro Evo Control Core Services v9.1 Trailer CD-ROM
To complete the installation of Control Core Services v9.1, you must install the V9.1 trailer CD-
ROM (K0174MZ-A). The trailer CD-ROM must be installed for stations running Windows 7 or
Windows Server 2008 R2 Standard operating systems:
1. Launch the trailer installation application (1250550.msi).
Insert the CD-ROM labeled “Foxboro Evo Control Core Services 9.1 Trailer CD-
ROM” (K0174MZ-A) into the station. Navigate to the CD-ROM with Windows
Explorer and double-click 1250550.msi to launch the installation.
2. Click Next and then click Install to start the installation process.
If the user currently logged in is not an administrator, a User Account Control (UAC)
prompt may appear. Click Yes to accept the UAC prompt.

163
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

NOTE
During the trailer installation, if the following message appears, “The Setup must
update files or services that cannot be updated while the system is running. If we
choose to continue, reboot will be required to continue the setup,” click OK. The
installation continues as normal. Do not reboot the station if you see this message.
This message is shown in the event that you are installing the trailer after booting
into the Control Core Services software (which you should not have done if you are
performing this procedure as written in this section).

3. When the installation is complete, click Finish.


4. If you are installing the trailer via a CD-ROM, remove the trailer CD-ROM.
5. Restart your station as described in the following section.

Restarting Your System


Reboot the server at this time. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.

Installing Optional Software


After restarting the station following the Control Core Services installation, you can install ePolicy
Orchestrator on your SDC. This software should only be installed on one domain controller in
the system. Install this software according to Optional McAfee® Security Products Installation and
Configuration Guide (B0700EX).

Secondary Domain Controller Post-Installation Procedures


Changing Passwords
After completing the installation of a secondary domain controller, you should set the restore
mode password for Active Directory on this server. Perform the following steps:
1. Select Run from the Start menu and enter ntdsutil.exe:

Figure 5-64. Setting the Restore Mode Password via ntdsutil.exe

2. Click OK.
3. Type the following text in the command prompt window:
set dsrm password
reset password on server <SERVERNAME>

164
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

<password>
<password>
quit
quit
<SERVERNAME> is the actual name of your SDC server. <Password> is the newly
chosen Active Directory Restore Mode password.

NOTE
Be sure to document this password and save it in a secure place for future retrieval.
Without this password you will not be able to recover Active Directory.

Figure 5-65. Using and Exiting ntdsutil.exe

Backing Up Active Directory


You should back up Active Directory at regular intervals on Control Core Services domain con-
troller stations. Backing up Active Directory ensures a smooth restoration of Control Core Ser-
vices system operations after an unexpected hardware or software failure. See “Backing Up Active
Directory on Domain Controllers” on page 527 for additional information.

Adding Foxboro Stations to Active Directory Post-Installation


When first installed, the Off-Control Network PDC contains objects in Active Directory for all
Foxboro stations in the system. If stations are added to the Control Core Services system at a later
time, new objects must be created manually in this PDC’s Active Directory.
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. You may need to scroll down to see
this menu selection.
2. From Active Directory Users and Computers, right-click on the “IA Comput-
ers” OU and select New -> Computer as shown in Figure 5-66.

165
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

Figure 5-66. Selecting IA Computers -> New -> Computer

3. Enter the name of the new workstation in the Computer name field and click OK as
shown in Figure 5-67. The OU for “Pre-8.8 workstations” on migrated systems will
be named “Pre-8.8 IA Computers” as shown in Figure 5-68.

166
5. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for New Off-Control Network Domain

Figure 5-67. New Object - Computer

Figure 5-68. Selecting Pre-8.8 IA Computers -> New -> Computer

167
B0700SS – Rev D 5. Security Enhanced Foxboro Evo Control Core Services

Continuing Installation
Re-enable the Enable on-access scanning at system startup feature in the McAfee
VirusScan Console as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 5-40 on page 146.
4. Check the check-box labeled Enable on-access scanning at system startup
and click Apply.
5. Click OK to close this dialog box.
Proceed to Chapter 10 “Security Enhanced Foxboro Evo Control Core Services v9.1 Installation
for Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Cli-
ents to Existing Off-Control Network Networks” for the installation procedure for the domain
clients.

168
6. Security Enhanced Foxboro Evo
Control Core Services v9.1
Installation for Existing Off-Control
Network Primary Domain
Controllers
This chapter describes procedures to install security enhanced Control Core Services v9.1 on an
existing primary domain controller server with Windows Server 2008 R2 Standard on a
separate network (not on the Foxboro Evo Control Network).

Overview
If you already have a PDC with Windows Server 2008 R2 Standard on which you want to install
the Control Core Services components for Active Directory, follow the instructions in this chapter
to perform this installation.
Be aware that this scenario does not include installation of an SDC. If you have an SDC, the
Active Directory should be replicated to that SDC after the Control Core Services installation to
the PDC.
If you do not have an SDC and want to add one now, you can purchase an Invensys-supplied
SDC and install Control Core Services v9.1 on it as described in “Installing Security Enhanced
Foxboro Evo Control Core Services v9.1 on Off-Control Network Secondary Domain Control-
lers” on page 142. Alternately, you can use a non-Invensys server as your SDC and install only the
appropriate Microsoft Active Directory software.

Notes on Installing Foxboro Evo Control Core Services


Before you install Control Core Services, make sure that the server is physically connected to the
Off-Control Network and, if required, that any network interface card drivers are updated. Refer
to the notes below.

NOTE
It is not possible to log onto either type of domain controller (primary or second-
ary) with any of the standard Control Core Services or I/A Series user accounts
(such as users that are members of the IA Plant Operators, IA Plant Maintenance,
or IA Plant Engineers groups). It is possible to log onto a domain controller with
the “IAManager”, “IAInstaller”, and “IADomainAdmin” accounts.

169
B0700SS – Rev D 6. Security Enhanced Foxboro Evo Control Core Services

! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

NOTE
On servers with the Windows Server 2008 R2 Standard operating system, it is rec-
ommended that no roles be added to the system which are not necessary for the
operation of the server. Adding unnecessary roles (for example, adding the Remote
Desktop Services role when the server is not to be used as a remote session host) can
create security weaknesses in the overall system.

NOTE
Use the IAInstaller account for all installation tasks. However, due to the
permissions assigned to IAInstaller, do not use it for any other role, such as
operation of the station.

Disabling the VirusScan Console


Proceed as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. If Access Protection is “Enabled”, right-click on Access Protection and select
Disable, as shown in Figure 6-1.

Figure 6-1. Disable Virus Scan Access Protection

170
6. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Existing Off-Control Network Primary

4. Right-click on On-Access Scanner and select Disable.


5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 6-2.

Figure 6-2. On-Access Scan Properties Dialog Box

6. Clear the check-box labeled Enable on-access scanning at system startup


and click Apply. Click OK.

NOTE
The check box should be re-enabled at the end of the installation.

171
B0700SS – Rev D 6. Security Enhanced Foxboro Evo Control Core Services

Canceling and Resuming the Security Enhanced


Installation Process
If you click the Cancel button during the security-enhanced installation, the following dialog
box appears:

Figure 6-3. Confirming Cancellation of Software Installation

Click Yes to cancel, or No to resume the installation process. If you click Yes, the following dialog
box appears. Click OK:

Figure 6-4. Confirming Installation Interruption

172
6. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Existing Off-Control Network Primary

You are returned to the installation dialog box as shown in Figure 6-5. If you want to see the
installation log, check Show the Windows Installer log. Click Finish.

Figure 6-5. InstallShield Wizard Completed - Interrupted

To restart the installation process after clicking Cancel, re-insert the DVD labeled “Foxboro Evo
Control Core Services v9.1 Day 0 DVD-ROM” (K0174MS-A). A dialog box appears asking if
you want to continue with the installation.
If you click Yes, the installation will return to the dialog box that was canceled. If you click No,
installation will restart from the beginning.

173
B0700SS – Rev D 6. Security Enhanced Foxboro Evo Control Core Services

Installation Procedure
NOTE
If you unplugged any non-control network cables prior to performing the Day 0
installation, plug in the non-control network cables at this time.

Proceed as follows:
1. Insert the DVD labeled “Foxboro Evo Control Core Services v9.1 Day 0 DVD-
ROM” (K0174MS-A).
2. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 6-6. Click
Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 6-6. AutoPlay Dialog Box

! CAUTION
If you are prompted with a dialog box indicating that you need to restart for the
configuration changes made to the Security Enhanced Installer to take effect, you
may have restored a non-secure image intended for I/A Series software v8.5-8.7 on
Windows XP or Windows Server 2003 R2. If you are sure you used the proper V9.1
restore image, then reboot the server. Otherwise, restore the server using the proper
V9.1 restore media. (See page 6.)

If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the server using the proper V9.1 Restore
media. (See page 6.)

3. Click Yes to accept the User Account Control (UAC) prompt.

174
6. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Existing Off-Control Network Primary

4. A pre-requisite installation dialog box appears as shown in Figure 6-7. Click Install
to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the server.

Figure 6-7. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box

175
B0700SS – Rev D 6. Security Enhanced Foxboro Evo Control Core Services

5. Select the Install I/A Series software for a security enhanced system
and Install to an existing OFF-MESH PDC station (PDC only) bullets as
shown in Figure 6-8.
Click Next to continue.

Figure 6-8. Selecting to Install a Domain Controller on an Off-Control Network Domain

6. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 6-9. Click Load to set the installation target drive to D:\ and load
the committed configuration files.

176
6. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Existing Off-Control Network Primary

Figure 6-9. Load Committed Configuration Install Files

7. The browser for the folder which contains the committed configuration install files
opens, as shown in Figure 6-10. If the installation media with your Commit files is on
the server’s hard drive or a network, browse to the location of the media and click
Select Folder. If the installation media with your Commit files is on a floppy dis-
kette, put the diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 6-9 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.

177
B0700SS – Rev D 6. Security Enhanced Foxboro Evo Control Core Services

Figure 6-10. Installation Media Folder Browser

178
6. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Existing Off-Control Network Primary

8. Click Next. The dialog box appears as shown in Figure 6-11. Click Apply.

Figure 6-11. Server Platform Setup

179
B0700SS – Rev D 6. Security Enhanced Foxboro Evo Control Core Services

9. A command prompt is displayed while the Active Directory domain settings are
applied. When asked Do you want to run software from this trusted pub-
lisher, press A (for Always run) and press <Enter>. This allows the signed scripts to
configure your system.

Figure 6-12. Active Directory Domain Settings Applied

10. The I/A Series Secure User Accounts dialog box opens as shown in Figure 6-13. Enter
in the user name and password for the standard Control Core Services domain
account and click Create.

Figure 6-13. I/A Series Secure User Accounts Dialog Box

180
6. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Existing Off-Control Network Primary

NOTE
The names of these accounts may be changed, but the default values are recom-
mended. It is recommended that the password meets the following password
complexity criteria:
- An 8-character minimum password length
- At least one lowercase character
- At least one uppercase character
- At least one numeric character.
These criteria are not required for this password, but they are strongly recom-
mended.
After the installation has completed, these requirements will remain in place for
accounts created in the Control Core Services domain.

11. Click Finish.

Figure 6-14. Finish Installation

At the end of the installation, the installation log is displayed. You can view the installation log at
any time by clicking the Start button and selecting All Programs -> Invensys -> IASeries ->
Utilities -> Log Viewer.

181
B0700SS – Rev D 6. Security Enhanced Foxboro Evo Control Core Services

Figure 6-15. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These logs can also
be printed.

Restarting Your System


Reboot the server at this time. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.

182
6. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Existing Off-Control Network Primary

Primary Domain Controller Post-Installation


Procedures
Creating Users in Active Directory
The following steps can be used to create an Operator account in the Active Directory domain.
This is a default group. Similar steps can be taken to create other customized accounts, such as
Maintenance and Engineer accounts. Refer to Security Enhancements User's Guide for I/A Series
Workstations with Windows 7 or Windows Server 2008 Operating Systems (B0700ET) for informa-
tion on creating customized accounts.
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. You may need to scroll down to see
this menu selection.
2. Under the Accounts\Users\Standard OU, right-click Standard, and select New ->
User:

Figure 6-16. Creating Users via Active Directory Users and Computers

183
B0700SS – Rev D 6. Security Enhanced Foxboro Evo Control Core Services

All users are created under the Accounts\Users\Standard OU, including IA Plant
Engineers, IA Plant Operators, and IA Plant Maintenance.
The dialog box shown in Figure 6-17 opens.

Figure 6-17. New Object - User

3. Enter the First name, Full name, and User logon name as the same value (for exam-
ple,. Operator1).
4. Click Next.
5. In the dialog box shown in Figure 6-18, clear the User must change password at
next logon check box. Select the Password never expires check box.
6. Enter the password and confirm the password.
7. Click Next.

184
6. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Existing Off-Control Network Primary

Figure 6-18. New Object - User - Password Updates

8. Click Finish as shown in Figure 6-19.

Figure 6-19. New Object - User - Finish

185
B0700SS – Rev D 6. Security Enhanced Foxboro Evo Control Core Services

9. Double-click on the new user name in the Active Directory Users and Computers dia-
log box to open the Properties dialog box, as shown in Figure 6-20.

Figure 6-20. Opening the New User Properties Dialog Box

186
6. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Existing Off-Control Network Primary

10. Select the Member Of tab, as shown in Figure 6-21.

Figure 6-21. New User Properties Dialog Box

11. Click the Add button.


12. Type in the text “IA Plant” and click the Check Names button as shown in
Figure 6-22.

187
B0700SS – Rev D 6. Security Enhanced Foxboro Evo Control Core Services

Figure 6-22. Select Groups

13. Select the desired Control Core Services standard user group (for example, IA Plant
Engineers) and click OK.

Figure 6-23. Multiple Names Found Dialog Box

188
6. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Existing Off-Control Network Primary

14. Click OK to close the Select Groups dialog box shown in Figure 6-24.

Figure 6-24. Closing Select Groups Dialog Box

15. Click OK to close the Properties dialog box shown in Figure 6-25.

Figure 6-25. Closing Properties Dialog Box

189
B0700SS – Rev D 6. Security Enhanced Foxboro Evo Control Core Services

16. Repeat the above steps for as many users as desired. The different standard user groups
provide different policy settings and system access.

Adding Foxboro Stations to Active Directory Post-Installation


When first installed, the Off-Control Network PDC contains objects in Active Directory for all
Foxboro stations in the system. If stations are added to the Control Core Services system at a later
time, new objects must be created manually in this PDC’s Active Directory.
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. You may need to scroll down to see
this menu selection.
2. From Active Directory Users and Computers, right-click on the “IA Comput-
ers” OU and select New -> Computer as shown in Figure 6-26.

Figure 6-26. Selecting IA Computers -> New -> Computer

3. Enter the name of the new workstation in the Computer name field and click OK as
shown in Figure 6-27. The OU for “Pre-8.8 workstations” on migrated systems will
be named “Pre-8.8 IA Computers” as shown in Figure 6-28.

190
6. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Existing Off-Control Network Primary

Figure 6-27. New Object - Computer

Figure 6-28. Selecting Pre-8.8 IA Computers -> New -> Computer

191
B0700SS – Rev D 6. Security Enhanced Foxboro Evo Control Core Services

Tombstone Lifetime Attribute in Active Directory


By default the Active Directory tombstone lifetime is sixty days. Having a longer tombstone life-
time decreases the chance that a deleted object remains in the local directory of a disconnected
Domain Controller beyond the time when the object is permanently deleted from online DCs.
It is highly recommended that you review information regarding the tombstone lifetime attribute
in “Backing Up Active Directory on Domain Controllers” on page 527. If you want to alter the
default value, use the procedure “Changing the Tombstone Lifetime Attribute in Active Direc-
tory” on page 528.

Backing Up Active Directory


You should back up Active Directory at regular intervals on Control Core Services domain con-
troller stations. Backing up Active Directory ensures a smooth restoration of Control Core Ser-
vices system operations after an unexpected hardware or software failure. See “Backing Up Active
Directory on Domain Controllers” on page 527 for additional information.

Continuing Installation
Re-enable the Enable on-access scanning at system startup feature in the McAfee
VirusScan Console as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 6-2 on page 171.
4. Check the check-box labeled Enable on-access scanning at system startup
and click Apply.
5. Click OK to close this dialog box.
Proceed to Chapter 10 “Security Enhanced Foxboro Evo Control Core Services v9.1 Installation
for Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Cli-
ents to Existing Off-Control Network Networks” for the installation procedure for the domain
clients.

192
7. Migrating I/A Series Software
v8.5/8.6/8.7 to a New Primary
Domain Controller
on The Foxboro Evo Control
Network
This chapter describes how to migrate an existing On-Control Network Primary Domain
Controller (PDC) with I/A Series software v8.5/8.6/8.7 to a new PDC with Windows Server
2008 R2 Standard, located on Foxboro Evo Control Network (hereafter referred to as “the
control network”).
The source station for this migration can either be:
♦ A new I/A Series server, shipped with a Control Core Services v9.1 (or later) image
installed.
♦ An existing SDC with I/A Series software v8.5/8.6/8.7 installed, which will be con-
verted to a PDC with a Control Core Services v9.1 (or later) image installed.
The target station (the station onto which the new software will be installed) for this migration is
the new PDC with Windows Server 2008 R2 Standard.
After the migration, both the domain clients which existed in I/A Series software v8.8 or earlier
and the new Control Core Services domain clients (Control Core Services v9.1 or later) will be
connected to the same domain. Existing group policies will be maintained while new Control
Core Services v9.1 group policies will be enacted. The steps in this section only need to be fol-
lowed once for the domain migration in order to establish the new PDC station.
Perform the procedures provided below.

! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

193
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

Preparing the Source Primary Domain Controller


(Existing On-Control Network PDC with I/A Series
Software v8.5/8.6/8.7) for Migration
NOTE
Once complete, all existing SDC stations with I/A Series software v8.5/8.6/8.7
must be reloaded as SDC stations with Control Core Services v9.1 running on the
Microsoft Windows Server 2008 R2 Standard operating system. Once this has been
done, the domain and forest functional levels can be raised to “Server 2008 R2”.

NOTE
Do not reload an existing SDC with I/A Series software v8.5-8.7 with the Windows
Server 2008 R2 Standard operating system if this SDC will be used as the new
PDC.

For the source On-Control Network Primary Domain Controller (PDC) with I/A Series software
v8.5/8.6/8.7 for this migration, proceed as follows:
1. Log into the existing (I/A Series software v8.8 or earlier) On-Control Network PDC
using a domain administrator account (such as IADomainAdmin).
2. Open the Active Directory Users and Computers console - click the Start button and
select Control Panel -> Administrative Tools -> Active Directory Users
and Computers.
3. Under the Users organizational unit (OU), find the domain administrator account
which is being used for this installation, as shown in Figure 7-1.

194
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

Figure 7-1. Active Directory Users and Computers Console (Administrator Account)

195
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

4. Right-click on the user name and click Properties. The user Properties dialog box
opens as shown in Figure 7-2.

Figure 7-2. [User] Properties Dialog Box

5. Verify that the domain administrator account is a member of both the Schema
Admins and Enterprise Admins groups by selecting the Member Of tab as shown in
Figure 7-2. If this user account is not, the user must be added to both these groups, as
follows:
a. From the Member Of tab, select the Add button.
b. Type in the name of the group which needs to be added (such as Schema Admins
or Enterprise Admins) and click OK, as shown in Figure 7-3. Repeat this for
each group.

196
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

Figure 7-3. Adding User to Groups

6. Click OK to close the user Properties dialog box.


7. Click on the IA Computers folder and verify that the new PDC server name is pres-
ent. If not, you must add it as follows.
a. Right-click on IA Computers and select New -> Computer, as shown in
Figure 7-4.
b. Enter the name of the new computer and click OK.

197
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

Figure 7-4. Active Directory Users and Computers Console (Administrator Account)

8. If the current domain administrator account was added to either the “Schema
Admins” or “Enterprise Admins” in the steps above, log off from this account and log
back on to the station using the same account.

198
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

9. Insert the Microsoft® Windows Server® 2008 R2 Standard DVD. Acknowledge the
warning shown in Figure 7-5.

Figure 7-5. Installation Disc Is Not Compatible With This Windows Version Warning

10. Open a command prompt. Click the Start button, click Programs -> Accessories -
> Command Prompt.
11. In the command prompt, navigate to the “E:\Support\ADPrep” folder. As shown in
Figure 7-6, enter the following command: adprep32 /forestprep

Figure 7-6. Invoking adprep32 /forestprep

12. Enter “c” at the prompt to continue.

199
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

13. As shown in Figure 7-7, enter the following command:


adprep32 /domainprep /gpprep

Figure 7-7. Invoking adprep32 /domainprep /gpprep

14. As shown in Figure 7-8, enter the following command:


adprep32 /rodcprep

Figure 7-8. Invoking adprep32 /rodcprep

15. Review the adprep logs in C:\Windows\Debug\adprep\logs\.


Preparation for the migration of this source PDC is complete.

200
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

16. If you are upgrading an existing Secondary Domain Controller with I/A Series soft-
ware v8.5/8.6/8.7 to become the new target PDC, you must remove the Active Direc-
tory from this SDC as described in the following substeps. If you do not have an SDC
and are installing a new station as the target PDC, proceed to “Preparation and Instal-
lation for New Target Primary Domain Controller” on page 202.
To remove the Active Directory from the SDC, perform one of the two following
procedures:
a. Use dcpromo on the existing SDC to remove Active Directory as described in
“Removing Domain Controller Functionality from a Workstation” on page 507.
b. In Active Directory Sites and Services on the source PDC, click Actions ->
Refresh. The NTDS settings that were shown under the SDC name are
removed. If they are not, the removal operation of the Active Directory from the
SDC was unsuccessful and you cannot continue. Contact Global Customer Sup-
port for assistance.
-OR-
a. Use Symantec System Recovery (SSR) to load the new Control Core Services v9.1
platform image on the existing SDC station to be upgraded. Refer to Symantec
System Recovery 2013 Desktop, Server and Virtual Editions Guide for I/A Series Sys-
tems (B0700EY) for instructions.
b. On the source PDC, click the Start button and select Control Panel -> Admin-
istrative Tools -> Active Directory Sites and Services. Navigate to
Sites -> [Domain Name] -> Servers -> [Name of SDC]. Remove the SDC
station from the list along with every entry underneath.
17. Proceed to the next section.

201
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

Preparation and Installation for New Target Primary


Domain Controller
Proceed as follows on the server to become the new PDC.

NOTE
Use the IAInstaller account for all installation tasks. However, due to the
permissions assigned to IAInstaller, do not use it for any other role, such as
operation of the station.

Preparing Network Interface Cards (NICs) For Installation


Before installing Control Core Services, for each installed NIC, you must set the NIC’s properties
“Flow Control” and “Speed & Duplex” manually as described below for the NICs on this station.

NOTE
Refer to the Hardware and Software Specific Instructions document included with
your station to determine the NIC cards it supports.

Proceed as follows:
1. Right-click the My Computer icon, and click Manage. Double-click Device Man-
ager. In the Device Manager window, expand the Network adapters list.
2. Right-click the desired card and click Properties. In the Properties dialog box that
appears, select the Advanced tab.
3. In the Property field, click Flow Control. In the Value field, select Disable from
the drop-down menu list.
4. In the Property field, click Speed & Duplex. In the Value field, in the drop-down
menu list:
♦ For a station on the control network, select 100 Mb Full.
♦ For a station on another network other than the control network (Off-Control
Network), select Auto.
5. Click OK.
6. For each additional NIC, repeat Steps 2 through 5.
7. Shutdown and restart the system for the driver changes to take effect. Click the Start
button and click Shut Down; select Restart from the pull-down menu and click OK.

Installation on New Target Primary Domain Controller


Proceed as follows:
1. Insert the DVD labeled “Foxboro Evo Control Core Services v9.1 Day 0 DVD-
ROM” (K0174MS-A).
2. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 7-9. Click
Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

202
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

Figure 7-9. AutoPlay Dialog Box

! CAUTION
If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the server using the proper v9.1 (or later)
Restore media.

3. Click Yes to accept the User Account Control (UAC) prompt.


4. A pre-requisite installation dialog box appears as shown in Figure 7-10. Click
Install to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the
server.

203
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

Figure 7-10. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box

5. A dialog box appears that allows you to select whether you are installing Control Core
Services without security enhancements or for a security-enhanced system. Select
Install I/A Series software for a security enhanced system and
Install the workstation as a domain controller (secondary or pri-
mary), as shown in Figure 7-11.
Also select the check box labeled Migrate from Pre-8.8 I/A Series (PDC
Only) under the selection you checked, as shown in Figure 7-11.

204
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

Figure 7-11. Selecting to Install a Domain Controller On-Control Network

6. Click Next.
7. Acknowledge the warning shown in Figure 7-12.

Figure 7-12. I/A Series Installation Warning Dialog Box

205
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

8. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 7-13. Click Load to load the committed configuration files.

Figure 7-13. Load Committed Configuration Install Files

9. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 7-14. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a diskette, put the dis-
kette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 7-13 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.

206
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

Figure 7-14. Installation Media Folder Browser

10. Once the Commit files have been loaded, click Bind as shown in Figure 7-13 on
page 206 to launch the I/A Series Network Installation dialog box (Figure 7-15).
11. The dialog box shown in Figure 7-15 is displayed for some servers (Dell T3500 and
R710 servers) if the network configuration from System Definition does not match
the available NIC hardware. Select the two network cards and click Next.

! CAUTION
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation.

If this dialog box is not displayed, the NIC cards have been automatically configured.
Proceed to the next step.

207
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

Figure 7-15. I/A Series Network Installation Dialog Box (For Certain NIC Cards)

208
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

12. Click Next. The Server platform setup dialog appears as shown in Figure 7-16. The
Install as a Secondary Domain Controller (SDC) bullet is selected by
default. Initially, this station is installed as an SDC station and will be promoted to be
the PDC station before the installation completes.

Figure 7-16. Server Platform Setup Dialog Box

13. Enter in the name of the existing PDC (from which you are migrating), as shown in
Figure 7-16.
In the Authorized Account field, verify that the domain joining account name dis-
played has the authority to add workstations to the domain
(i.e. iaseries.local\IAInstaller).
In the Authorized Password field, enter the password for this account.
When finished, click Authorize.

209
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

14. If the local system time does not match the system time on the existing PDC (from
which you are migrating), a message is displayed as shown in Figure 7-17. Click OK.
Fix the local system time to match the existing PDC’s time and re-click Authorize.

Figure 7-17. I/A Series Installation Dialog Box - Date Warning

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 7-18 is displayed. It is important to ensure that the
local and remote system times match (including date, time, AM/PM) before continu-
ing. Note that the checkbox displayed for some time zones which allows the system to
automatically adjust for Daylight Saving Time can affect the time displayed by the
system by one hour.

Figure 7-18. Unable to Determine Local Time on the PDC

210
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

15. If there is another SDC station on the network, choose that SDC’s name from the
drop-down list and click Set, as shown in Figure 7-19. Otherwise, click Skip.

Figure 7-19. Server Platform Setup (For Second SDC)

211
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

16. In the “Select a Host Domain for this workstation and click Connect” field, verify the
name of the domain and click Connect. The message shown is in Figure 7-20 dis-
played to indicate that the connection to the domain has succeeded.
If unsuccessful, a reason for the failure is displayed.

Figure 7-20. Invensys IASeries Install: Workstation Reboot Request Dialog Box

17. After the server reboots, log on with the “IAInstaller” account with the password as it
was set during the PDC’s installation.
18. The installation continues automatically. The Server platform setup dialog box
appears.
Re-enter in the name of the existing PDC (from which you are migrating), as shown
in Figure 7-21.
In the Authorized Account field, verify that the domain joining account name dis-
played has the authority to add workstations to the domain
(i.e. iaseries.local\IAInstaller).
In the Authorized Password field, enter the password for this account.
When finished, click Authorize.

212
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

Figure 7-21. Server Platform Setup (On-Control Network) Continued

213
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

19. Under the “Enter domain information for Active Directory setup and click Prepare”
area, verify the Domain Name and Site Name fields and click the Prepare button.

Figure 7-22. Server Platform Setup (On-Control Network) Continued Part 2

214
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

20. A warning dialog appears as shown in Figure 7-23. Ensure that the name you have
chosen for your Active Directory domain is correct and will not conflict with another
domain on the same network.m

Figure 7-23. Active Directory Warning

21. Click Install to load the Active Directory Domain Services onto this server and to
assign the server to the role of Secondary Domain Controller.
A command prompt is displayed while Active Directory is being installed, as shown in
Figure 7-24.

Figure 7-24. Active Directory Installation via a Command Prompt

The command prompt shows progress while the system is assigned to its Secondary
Domain Controller status and DNS is installed, as shown in Figure 7-25.

215
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

Figure 7-25. Assigning Role of Secondary Domain Controller via Command Prompt

22. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “IADomainAdmin” account with the password as
set during the PDC’s installation.

216
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

23. The installation restarts automatically and the I/A Series Software Installation dialog
box appears as shown in Figure 7-26. Click Verify to check the health of the Active
Directory domain. This takes several minutes. It may be necessary to wait as much as
an hour before proceeding past this dialog box, depending on how long it takes for
Active Directory to replicate to this new SDC.

Figure 7-26. Verifying the Health of the Existing Active Directory System

217
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

24. When complete, the warning dialog box shown in Figure 7-27 is displayed if errors
are found. One or more conditions could be detected including diagnostic failures,
event log errors, and replication failures.

Figure 7-27. I/A Series Installation Dialog Box - Warning for DC Health Log File

218
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

25. To view the log, click View in Figure 7-28. After viewing the errors, it may be neces-
sary to correct the issues in the Active Directory domain. Click the Verify button as
many times as necessary after you take each corrective action to ensure that no further
issues exist. After clicking Verify, clicking View opens the updated diagnostic results.

Figure 7-28. Verifying the Health of the Existing Active Directory System (Errors Found)

NOTE
The following error messages are expected during a migration and can be safely
ignored:
Warning 1:
Warning: SVRINF is not advertising as a time server.
......................... SVRINF failed test Advertising
Invalid service type: RpcSs on SVRINF, current value
WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS
w32time Service is stopped on [SVRINF]
......................... SVRINF failed test Services

219
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

Warning 2:
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed,
error 1355
A Good Time Server could not be located.
......................... iaseries.local failed test LocatorCheck

NOTE
It can take several hours for event log messages which were generated during the
migration to clear from this log. System log failures (such as the following) should
be investigated if they persist long after the migration has completed.
......................... NESRV4 failed test SystemLog

26. If it is determined that it is safe to ignore the errors in the log, click Ignore to con-
tinue, as shown in Figure 7-29. Acknowledge the following warning.

Figure 7-29. I/A Series Installation Dialog Box - Errors in DC Health Log File

220
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

27. Click Next. The dialog shown in Figure 7-30 is displayed. Click Apply.

Figure 7-30. Setting Up the Platform for a Secure Foxboro Evo


Control Core Services Installation

A command prompt is displayed while the Active Directory settings are applied.
28. Click Next and then Install to run the installation.
29. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 7-31 is displayed.
To install this package, insert the first OS1FDB package diskette and click Load. After
the first disk has been loaded, insert the second OS1FDB package diskette and click
Load.
To bypass the installation of this package, click Skip. If Skip is selected, the installa-
tion will continue, but this dialog will be displayed again for each of the OS1FDB sta-
tions configured on this Foxboro station.

NOTE
This will occur one time for each OS1FDB station configured.

221
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

Figure 7-31. Installation Media Dialog Boxes

30. If you selected Load, the media folder browser opens.

Figure 7-32. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette must be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.

222
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

31. If you selected Use Diskette in the previous step, the dialog box in Figure 7-33
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
must be inserted in drive A:\.

Figure 7-33. Installation Media Dialog Box - For Diskettes

32. Click Finish when the installation process is complete.


33. Reboot the server. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.
The installation procedure for the domain controller is complete.

NOTE
After migration is complete, install Windows Server 2008 R2 Standard with Con-
trol Core Services v9.1 on all of your SDCs.

Configuring for Existing Domain Clients with


I/A Series Software v8.5/8.6/8.7
For all existing domain clients with I/A Series software v8.5/8.6/8.7, proceed as follows:
1. Open the Internet Protocol (TCP/IP) Properties dialog box for the FoxInt NDIS
Intermediate Miniport Driver (Control Core Services/I/A Series network card).
a. On the desktop, right-click My Network Places, and click Properties.
b. In the Network and Connections dialog box, right-click the FoxInt NDIS Inter-
mediate Miniport Driver, and click Properties.

223
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

Figure 7-34. Selecting FoxInt NDIS Intermediate Miniport Driver

2. In the adapter’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Properties.
The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 7-36.

Figure 7-35. Adapter Properties Dialog Box

224
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

3. The first two DNS entries are displayed in DNS server addresses section. Click
Advanced.

Figure 7-36. Internet Protocol (TCP/IP) Properties Dialog Box

NOTE
The installation will attempt to set the DNS entries on the existing stations with
I/A Series software v8.7 or earlier. However, this can fail for multiple reasons. You
may see the following message in the AD Setup log (D:\usr\fox\sp\ADSetup.log):
Failed to configure the DNS setting for AW0001 station. Access is
denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
The instructions for setting up DNS entries on existing stations with I/A Series
software v8.7 or earlier should be followed for all stations with I/A Series software
v8.7 or earlier even though it is possible that some entries have been set already. It is
critical to system interoperability that these settings are made.

225
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

4. Set the first DNS entry in the list to match the IP address of the new PDC with Con-
trol Core Services v9.1. Add additional entries for any SDC stations (with Windows
Server 2003 or Server 2008 R2 Standard). Click OK to save the DNS settings.

Figure 7-37. Internet Protocol (TCP/IP) Properties Dialog Box

NOTE
For all domain clients migrated from a domain with I/A Series software
v8.5/8.6/8.7 to a domain with Control Core Services v9.1, it may be necessary to
move the migrated domain client’s object in Active Directory before beginning the
client’s installation procedure. Refer to “Migrating Domain Client from Domain in
I/A Series Software v8.7 or Earlier to a Domain in Foxboro Evo Control Core Ser-
vices v9.1” on page 354.

Continuing Installation
Refer to “Installing Optional Software” on page 65 to install any additional packages on your new
PDC.
Be sure to re-enable McAfee VirusScan on all the PDCs, SDCs and domain clients on which you
disabled it. Refer to “Re-Enabling the McAfee VirusScan Console” on page 405.
Proceed to Chapter 10 “Security Enhanced Foxboro Evo Control Core Services v9.1 Installation
for Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Cli-

226
7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The Foxboro Evo Control

ents to Existing Off-Control Network Networks” for the installation procedure for all new
domain clients.

227
B0700SS – Rev D 7. Migrating I/A Series Software v8.5/8.6/8.7 to a New

228
8. Migrating I/A Series Software
v8.5/8.6/8.7 to a New Off-Control
Network Primary
Domain Controller
This chapter describes how to migrate an existing On-Control Network Primary Domain
Controller (PDC) with I/A Series software v8.5/8.6/8.7 to a new PDC with Windows Server
2008 R2 Standard which is on a separate network, not located on The Foxboro Evo Control
Network (Off-Control Network).
The source station for this migration can either be:
♦ A new I/A Series server, shipped with a Control Core Services v9.0 (or later) image
installed.
♦ An existing SDC with I/A Series software v8.5/8.6/8.7 installed, which will be con-
verted to a PDC with a Control Core Services v9.1 (or later) image installed.
The target station (the station onto which the new software will be installed) for this migration
will become new PDC with Windows Server 2008 R2 Standard.
After the migration, both the domain clients which existed in I/A Series software v8.8 or earlier
and the new Control Core Services domain clients (with Control Core Services v9.1) will be con-
nected to the same domain. Existing group policies will be maintained while new Control Core
Services v9.1 group policies will be enacted. The steps in this section only need to be followed
once for the domain migration in order to establish the new PDC station.
Perform the procedures provided below.

Preparing the Source Primary Domain Controller


(Existing PDC with I/A Series Software v8.5/8.6/8.7)
for Migration
NOTE
Once complete, all existing SDC stations with I/A Series software v8.5/8.6/8.7
must be reloaded as Off-Control Network SDC stations with Control Core Services
v9.1 running on the Microsoft Windows Server 2008 R2 Standard operating sys-
tem. Once this has been done, the domain and forest functional levels can be raised
to “Server 2008 R2”.

For the source On-Control Network Primary Domain Controller (PDC) with I/A Series software
v8.5/8.6/8.7 for this migration, proceed as follows:

229
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

1. Log into the existing On-Control Network PDC using a domain administrator
account (such as IADomainAdmin).
2. Open the Active Directory Users and Computers console - click the Start button and
select Programs -> Administrative Tools -> Active Directory Users and
Computers.
3. Under the Users organizational unit (OU), find the domain administrator account
which is being used for this installation, as shown in Figure 8-1.

Figure 8-1. Active Directory Users and Computers Console (Administrator Account)

230
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

4. Right-click on the user name and click Properties. The user Properties dialog box
opens as shown in Figure 8-2.

Figure 8-2. [User] Properties Dialog Box

5. Verify that the domain administrator account is a member of both the “Schema
Admins” and “Enterprise Admins” groups by selecting the Member Of tab as shown
in Figure 8-2. If this user account is not, the user must be added to both these groups,
as follows:
a. From the Member Of tab, select the Add button.
b. Type in the name of the group which needs to be added (Schema Admins or
Enterprise Admins) and click OK, as shown in Figure 8-3. Repeat this for each
group.

231
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

Figure 8-3. Adding User to Groups

6. Click OK to close the user Properties dialog box.


7. Click on the IA Computers folder and verify that the new PDC server name is pres-
ent. If not, you must add it as follows.
a. Right-click on IA Computers and select New -> Computer, as shown in
Figure 8-4.
b. Enter the name of the new computer and click OK.

232
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

Figure 8-4. Active Directory Users and Computers Console (Administrator Account)

8. If the current domain administrator account was added to either the Schema Admins
or Enterprise Admins in the steps above, then log off from this account and log back
on to the station using the same account.

233
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

9. Insert the Microsoft® Windows Server® 2008 R2 Standard DVD that was delivered
with your server. Acknowledge the warning shown in Figure 8-5.

Figure 8-5. Installation Disc Is Not Compatible With This Windows Version Warning

10. Open a command prompt. Click the Start button, and click Programs -> Accesso-
ries -> Command Prompt.
11. In the command prompt, change the directory to the “E:\Support\ADPrep” folder. As
shown in Figure 8-6, enter the following command: adprep32 /forestprep

Figure 8-6. Invoking adprep32 /forestprep

12. Enter “c” at the prompt to continue.

234
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

13. As shown in Figure 8-7, enter the following command:


adprep32 /domainprep /gpprep

Figure 8-7. Invoking adprep32 /domainprep /gpprep

14. As shown in Figure 8-8, enter the following command:


adprep32 /rodcprep

Figure 8-8. Invoking adprep32 /rodcprep

15. Review the adprep logs in C:\Windows\Debug\adprep\logs\.


16. Open the Internet Protocol (TCP/IP) Properties dialog box for the FoxInt NDIS
Intermediate Miniport Driver (Control Core Services/I/A Series network card).

235
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

a. On the desktop, right-click My Network Places, and click Properties.

! CAUTION
In Network Connections, which lists the available NICs, do not change the name of
any “Local Area Connection x” network connection. This can result in software
installation issues or system instability.

b. In the Network and Connections dialog box, right-click the FoxInt NDIS Inter-
mediate Miniport Driver, and click Properties.
c. In the adapter’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Proper-
ties. The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 8-9.

Figure 8-9. Internet Protocol (TCP/IP) Properties Dialog Box

236
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

17. Remove all default gateway settings for this network interface by clicking Advanced.
In the Advanced TCP/IP Settings dialog box shown in Figure 8-10, click the IP
Settings tab. Under Default gateways, remove all the entries.

Remove
all entries

Figure 8-10. Advanced TCP/IP Settings Dialog Box (IP Settings)

18. Click the DNS tab, as shown in Figure 8-11. In the DNS server addresses, in order of
use field, remove all the entries. When done, click OK to close this dialog box and
apply the changes.

237
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

Remove
all entries

Figure 8-11. Advanced TCP/IP Settings Dialog Box (DNS)

19. Open the Internet Protocol (TCP/IP) Properties dialog box for the network adapter
for the new Off-Control Network.
a. On the desktop, right-click My Network Places, and click Properties.
b. In the Network and Sharing Center dialog box, right-click the network adapter
that the Off-Control Network domain controller will use, and click Properties.
c. In the adapter’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click
Properties. The Internet Protocol (TCP/IP) Properties dialog box appears as
shown in Figure 8-12.
d. Set the IP address and preferred DNS server IP address to the same value (shown
as “181.182.81.1” as an example in Figure 8-12) and click OK.

238
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

Figure 8-12. Internet Protocol (TCP/IP) Properties Dialog Box

After clicking on Close, the status of the Local Area Connection is “connected”.

239
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

20. Open the DNS Manager. Click the Start button and select Programs -> Adminis-
trative Tools -> DNS. Right-click on the DNS server (workstation name, shown as
“SVRINF” in Figure 8-13) and click Properties.

Figure 8-13. DNS Manager Dialog Box (Server Properties)

21. In the server Properties dialog box, click the Interfaces tab as shown in
Figure 8-14. Select all IP addresses in the list, except one, and click Remove.
For the last IP address, change it to be the IP address of the Off-Control Network card
configured in the previous step.
Click Add then select the remaining IP address and click Remove.
Click OK in Properties dialog box.

240
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

Remove
all entries
and add one
for the new
Off-Control
Network card.

Figure 8-14. Server Properties Dialog Box

241
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

22. In the DNS Manager, select the Control Core Services forward lookup zone (i.e.
iaseries.local). Remove the entries for the existing I/A Series stations which are on the
existing control network, as shown in Figure 8-15.

Figure 8-15. DNS Manager Dialog Box (Removing Existing Stations)

23. In the DNS Manager, remove the reverse lookup zone for the existing On-Control
Network (i.e. 151.128.152.x Subnet).
24. Add a new reverse lookup zone for the new Off-Control Network as follows.

242
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

a. Right-click on Reverse Lookup Zones and select New Zone as shown in


Figure 8-16.

Figure 8-16. DNS Manager Dialog Box (Reverse Lookup Zone)

243
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

b. Click Next. Select Primary Zone and click Next as shown in Figure 8-17.

Figure 8-17. New Zone Wizard (Zone Type)

244
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

c. Click the “To all DNS servers in the Active Directory domain
iaseries.local” bullet (“iaseries.local” may vary depending on the actual
name of the Control Core Services domain) as shown in Figure 8-18. Click Next.

Figure 8-18. New Zone Wizard (Active Directory Zone Replication Scope)

245
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

d. In the Network ID field, enter in the first three octets of the Off-Control Network
card as shown in Figure 8-19. Click Next.

Figure 8-19. New Zone Wizard (Reverse Lookup Zone Name)

246
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

e. Click the Allow only secure dynamic updates bullet and click Next as
shown in Figure 8-20. Click Finish to close the New Zone Wizard.

Figure 8-20. New Zone Wizard (Dynamic Update)

247
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

f. Right-click on the new zone and select New Pointer as shown in Figure 8-21.

Figure 8-21. DNS Manager Dialog Box (New Pointer)

248
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

g. In the New Resource Record dialog box, set the pointer value to the last octet in
the Off-Control Network card’s IP address as shown in Figure 8-22.
In the Host name field, enter the full name of your server (“svrinf.iaseries.local” is
the example shown in Figure 8-22) and click OK.

Figure 8-22. New Resource Record Dialog Box

h. Close the DNS Manager.


i. Click the Start button and select Control Panel -> Administrative Tools ->
Services.

249
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

j. In the Services dialog box, right-click the DNS Server, and then click Restart as
shown in Figure 8-23.

Figure 8-23. Restart DNS Service

25. Click the Start button, and click Programs -> Accessories -> Command Prompt to
open a command prompt. Type nslookup and press <Enter>. If DNS is functioning
properly, it should show that it found the local DNS server with the IP address set in
the previous steps (shown as 181.182.81.1 in Figure 8-23).

! CAUTION
Until DNS is working properly, the migration procedure cannot continue.

Figure 8-24. nslookup Service

26. Type Ctrl+C and press <Enter> to terminate nslookup.

250
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

Preparation for the migration of this source PDC is complete.


27. If you are upgrading an existing Secondary Domain Controller with I/A Series Soft-
ware v8.5/8.6/8.7 to become the new target PDC, you must remove the Active Direc-
tory from this SDC as described in the following substeps. If you do not have an SDC
and are installing a new station as the target PDC, proceed to “Preparation and Instal-
lation for New Target Primary Domain Controller” on page 252.
To remove the Active Directory from the SDC, perform one of the two following
procedures:
a. Use dcpromo on the existing SDC to remove Active Directory as described in
“Removing Domain Controller Functionality from a Workstation” on page 507.
b. In Active Directory Sites and Services on the source PDC, click Actions ->
Refresh. The NTDS settings that were shown under the SDC name are
removed. If they are not, the removal operation of the Active Directory from the
SDC was unsuccessful and you cannot continue. Contact Global Customer Sup-
port for assistance.
-OR-
a. Use Symantec System Recovery (SSR) to load the new Control Core Services v9.1
platform image on the existing SDC station to be upgraded. Refer to Symantec
System Recovery 2013 Desktop, Server and Virtual Editions Guide for I/A Series Sys-
tems (B0700EY) for instructions.
b. On the source PDC, click the Start button and select Control Panel -> Admin-
istrative Tools -> Active Directory Sites and Services. Navigate to
Sites -> [Domain Name] -> Servers -> [Name of SDC] and expand this last
node. Note that it contains the NTDS settings. Leave this displayed on the source
PDC for now.
28. Proceed to the next section.

251
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

Preparation and Installation for New Target Primary


Domain Controller
Proceed as follows on the server to become the new PDC:

NOTE
Use the IAInstaller account for all installation tasks. However, due to the
permissions assigned to IAInstaller, do not use it for any other role, such as
operation of the station.

1. On the station which is to become the new Off-Control Network Control Core Ser-
vices PDC, find the network adapter for the new Off-Control Network.
Click the Start button and then click Control Panel -> Network and Sharing
Center. In the Tasks pane, click Change adapter settings. Right-click on the
adapter and click Properties.

Figure 8-25. Local Area Connection 3 Properties

c. In this same dialog box, select Internet Protocol Version 4 (TCP/IPv4)


and click Properties. In the Internet Protocol Version 4 (TCP/IPv4) Properties
dialog box, as shown in Figure 8-26, set the IP address and subnet mask for the
Off-Control Network NIC so that it can communicate with the Off-Control Net-

252
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

work card in the existing On-Control Network PDC with I/A Series software
v8.5/8.6/8.7. At this point, it should be possible to ping the existing On-Control
Network PDC from the new PDC.

Figure 8-26. Internet Protocol Version 4 (TCP/IPv4) Properties

2. Set the PowerShell execution policy on the target PDC by executing the following
command from within Windows PowerShell:
Set-ExecutionPolicy AllSigned

253
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

Figure 8-27. Set-ExecutionPolicy AllSigned

3. Insert the DVD labeled “Foxboro Evo Control Core Services v9.1 Day 0 DVD-
ROM” (K0174MS-A).
4. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 8-28.
Click Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 8-28. AutoPlay Dialog Box

254
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

! CAUTION
If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the server using the proper Control Core Ser-
vices v9.1 (or later) Restore media.

5. Click Yes to accept the User Account Control (UAC) prompt.


6. A pre-requisite installation dialog box appears as shown in Figure 8-29. Click
Install to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the
server.

Figure 8-29. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box

7. A dialog box appears that allows you to select whether you are installing Control Core
Services without security enhancements or for a security-enhanced system. Select
Install I/A Series software for a security enhanced system and
Install the workstation as an OFF-MESH domain controller (second-
ary or primary), as shown in Figure 8-30.
Also select the check box labeled Migrate from Pre-8.8 I/A Series (PDC
Only) under the selection you checked, as shown in Figure 8-30.

255
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

Figure 8-30. Selecting to Install a Domain Controller Off-Control Network

8. Click Next.
9. Acknowledge the warning shown in Figure 8-31.

Figure 8-31. I/A Series Installation Dialog Box - Warning

256
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

10. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 8-32. Click Load to set the installation target drive to D:\ and
load the committed configuration files.

Figure 8-32. Load Committed Configuration Install Files

11. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 8-33. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a diskette, put the dis-
kette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 8-33 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.

257
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

Figure 8-33. Installation Media Folder Browser

12. Click Next. The I/A Series Software Installation dialog box appears as shown in
Figure 8-34, in which the “Install as a Secondary Domain Controller (SDC)” choice
is selected by default. Initially, this server will be installed as an SDC and will be pro-
moted to the role of the PDC before the installation completes.

258
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

Figure 8-34. Server Platform Setup (Off-Control Network)

13. Enter in the IP address of the existing PDC (from which you are migrating), as shown
in Figure 8-34.
In the Authorized Account field, verify that the domain joining account name dis-
played has the authority to add workstations to the domain
(i.e. iaseries.local\IAInstaller).
In the Authorized Password field, enter the password for this account.
When finished, click Authorize.

259
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

14. If the local system time does not match the system time on the existing PDC (from
which you are migrating), a message is displayed as shown in Figure 8-35. Click OK.
Fix the local system time to match the existing PDC’s time and re-click Authorize.

Figure 8-35. I/A Series Installation Dialog Box - Date Warning

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 8-36 is displayed. It is important to ensure that the
local and remote system times match (including date, time, AM/PM) before continu-
ing. Note that the checkbox displayed for some time zones which allows the system to
automatically adjust for Daylight Saving Time can affect the time displayed by the
system by one hour.

Figure 8-36. Unable to Determine Local Time on the PDC

260
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

15. If there is another SDC station on the network, choose that SDC’s name from the
drop-down list and click Set, as shown in Figure 8-37. Otherwise, click Skip.

Figure 8-37. Server Platform Setup (For Second SDC)

261
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

16. In the “Select a Host Domain for this workstation and click Connect” field, verify the
name of the domain and click Connect. The message shown is in Figure 8-38 dis-
played to indicate that the connection to the domain has succeeded.
If unsuccessful, a reason for the failure is displayed.

Figure 8-38. Invensys IASeries Install: Workstation Reboot Request Dialog Box

17. After the server reboots, log on with the “IAInstaller” account with the password as it
was set during the PDC’s installation.
18. The installation continues automatically. The Server platform setup dialog box
appears.
Re-enter in the IP address of the existing PDC (from which you are migrating), as
shown in Figure 8-39.
In the Authorized Account field, verify that the domain joining account name dis-
played has the authority to add workstations to the domain (i.e. iaseries.local\IAIn-
staller).
In the Authorized Password field, enter the password for this account.
When finished, click Authorize.

262
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

Figure 8-39. Server Platform Setup (Off-Control Network) Continued

19. Under the “Enter domain information for Active Directory setup and click Prepare”
area, verify the Domain Name and Site Name fields and click the Prepare button.
20. A warning dialog appears as shown in Figure 8-40. Ensure that the name you have
chosen for your Active Directory domain is correct and will not conflict with another
domain on the same network.

Figure 8-40. Active Directory Warning

263
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

21. Click Install to load the Active Directory Domain Services onto this server and to
assign the server to the role of Secondary Domain Controller.
A command prompt is displayed while Active Directory is being installed, as shown in
Figure 8-41.

Figure 8-41. Active Directory Installation via Command Prompt

The command prompt shows progress while the system is assigned to its Secondary
Domain Controller status and DNS is installed, as shown in Figure 8-42.

Figure 8-42. Assigning Role of Secondary Domain Controller via Command Prompt

264
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

22. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “IADomainAdmin” account with the password as
set during the PDC’s installation.
23. The installation restarts automatically and the I/A Series Software Installation dialog
box appears as shown in Figure 8-43. Click Verify to check the health of the Active
Directory domain. This takes several minutes. It may be necessary to wait as much as
an hour before proceeding past this dialog box, depending on how long it takes for
Active Directory to replicate to this new station.

Figure 8-43. Verifying the Health of the Existing Active Directory System

265
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

24. When complete, the warning dialog box shown in Figure 8-43 is displayed if errors
are found. One or more conditions could be detected including diagnostic failures,
event log errors, and replication failures.

Figure 8-44. I/A Series Installation Dialog Box - Warning for DC Health Log File

266
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

25. To view the log, click View in Figure 8-44. After viewing the errors, it may be neces-
sary to correct the issues in the Active Directory domain. Click the Verify button as
many times as necessary after you take each corrective action to ensure that no further
issues exist. After clicking Verify, clicking View opens the updated diagnostic results.

Figure 8-45. Verifying the Health of the Existing Active Directory System (Errors Found)

NOTE
The following error messages are expected during a migration and can be safely
ignored:
Warning 1:
Warning: SVRINF is not advertising as a time server.
......................... SVRINF failed test Advertising
Invalid service type: RpcSs on SVRINF, current value
WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS
w32time Service is stopped on [SVRINF]
......................... SVRINF failed test Services

267
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

Warning 2:
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed,
error 1355
A Good Time Server could not be located.
......................... iaseries.local failed test LocatorCheck

NOTE
It can take several hours for event log messages which were generated during the
migration to clear from this log. System log failures (such as the following) should
be investigated if they persist long after the migration has completed.
......................... NESRV4 failed test SystemLog

26. If it is determined that it is safe to ignore the errors in the log, click Ignore to con-
tinue, as shown in Figure 8-43. Acknowledge the following warning.

Figure 8-46. I/A Series Installation Dialog Box - Errors in DC Health Log File

268
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

27. Click Next. The dialog shown in Figure 8-47 is displayed. Click Apply.

Figure 8-47. Setting Up the Platform For a Secure Foxboro Evo Control Core Services
Installation

A command prompt is displayed while the Active Directory settings are applied.
28. Click Finish.

269
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

29. When prompted, enter the required information for the Active Directory settings.
Enter the administrator account name on the I/A Series v8.5/8.6/8.7 domain (default
is iaseries.local\IAManager). Enter the password for the administrator account on the
I/A Series v8.5/8.6/8.7 domain. Click OK.

Figure 8-48. Configure DNS Setting Dialog Box

30. Review the Active Directory setup log (%ALLUSERSPROFILE%\Invensys\IASer-


ies\Installer\TarOutput_NNNNNNNNNNNNNNN\ADSetup.log) for errors.
31. Click Finish.
32. For each Control Core Services domain client workstation, remove the On-Control
Network DNS entry from the Control Core Services/I/A Series network interface card
as follows. On the desktop, right-click Network, and click Properties.
In the Network and Sharing Center dialog box, click Manage network connec-
tions.

NOTE
The installation will attempt to set the DNS entries on the existing stations with
I/A Series software v8.7 or earlier. However, this can fail for multiple reasons. You
may see the following message in the AD Setup log (D:\usr\fox\sp\ADSetup.log):
Failed to configure the DNS setting for AW0001 station. Access is
denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
The instructions for setting up DNS entries on existing stations with I/A Series
software v8.7 or earlier should be followed for all stations with I/A Series software
v8.7 or earlier even though it is possible that some entries have been set already. It is
critical to system interoperability that these settings are made.

270
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

33. Right-click the Control Core Services/I/A Series network interface card, and click
Properties. In the adapter’s Properties dialog box, in the “This connection uses the
following items” section, click Internet Protocol (TCP/IP), and then click
Properties. The Internet Protocol (TCP/IP) Properties dialog box appears as shown
in Figure 8-49.
Remove the IP addresses from the Preferred DNS server and Alternate DNS server
fields.

Clear
these
fields.

Figure 8-49. Internet Protocol (TCP/IP) Properties - Removing On-Control Network


DNS Entries

271
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

34. Next, set the IP Address and DNS settings for the Off-Control Network interface card
according to the IP setting of the new Off-Control Network domain, as demonstrated
in Figure 8-50. Then click OK to apply the changes.

Set
these
fields.

Figure 8-50. Internet Protocol (TCP/IP) Properties - Setting for Off-Control Network
Network Interface Card

35. Reboot the server. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.
The installation procedure for the domain controller is complete.

NOTE
After migration is complete, install Windows Server 2008 R2 Standard with Con-
trol Core Services v9.1 on all of your SDCs.

Adding Foxboro Stations to Active Directory Post-Installation


When first installed, the Off-Control Network PDC contains objects in Active Directory for all
Foxboro stations in the system. If stations are added to the Control Core Services system at a later
time, new objects must be created manually in this PDC’s Active Directory.

272
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. You may need to scroll down to see
this menu selection.
2. From Active Directory Users and Computers, right-click on the “IA Comput-
ers” OU and select New -> Computer as shown in Figure 8-51.

Figure 8-51. Selecting IA Computers -> New -> Computer

3. Enter the name of the new workstation in the Computer name field and click OK as
shown in Figure 8-52. The OU for “Pre-8.8 workstations” on migrated systems will
be named “Pre-8.8 IA Computers” as shown in Figure 8-53.

273
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

Figure 8-52. New Object - Computer

Figure 8-53. Selecting Pre-8.8 IA Computers -> New -> Computer

274
8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain ControllerB0700SS – Rev

Continuing Installation
NOTE
For all domain clients migrated from a domain with I/A Series software
v8.5/8.6/8.7 to a domain with Control Core Services v9.1, it may be necessary to
move the migrated domain client’s object in Active Directory before beginning the
client’s installation procedure. Refer to “Migrating Domain Client from Domain in
I/A Series Software v8.7 or Earlier to a Domain in Foxboro Evo Control Core Ser-
vices v9.1” on page 354.

After restarting the station following the Control Core Services installation, you can install ePolicy
Orchestrator on your PDC to install any additional packages on your new PDC. This software
should only be installed on one domain controller in the system. Install this software according to
Optional McAfee® Security Products Installation and Configuration Guide (B0700EX).
Be sure to re-enable McAfee VirusScan on all the PDCs, SDCs and domain clients on which you
disabled it. Refer to “Re-Enabling the McAfee VirusScan Console” on page 405.
Proceed to Chapter 4 “Security Enhanced Foxboro Evo Control Core Services v9.1 Installation
for Domain Controllers on The Foxboro Evo Control Network” for the installation procedure for
the domain clients.

275
B0700SS – Rev D 8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-

276
9. Migrating I/A Series Software
v8.5/8.6/8.7 to a Pre-Existing
Off-Control Network Primary
Domain Controller
This chapter describes how to migrate an existing (source) On-Control Network Primary
Domain Controller with I/A Series software v8.5/8.6/8.7 and Windows Server 2003 to a pre-
existing (target) Off-Control Network Primary Domain Controller (PDC) without I/A Series
software and already having Windows Server 2008 R2 Standard installed.

NOTE
It is not possible to migrate from an I/A Series pre-v8.8 domain to an existing Off-
Control Network domain when the I/A Series pre-v8.8 PDC and the existing Off-
Control Network domain PDC have the same station name. In this case, it would
be necessary to install a new SDC station on the I/A Series pre-v8.8 domain and
transfer all of the PDC Flexible Single Master Operation (FSMO) roles to this new
station, then remove the original I/A Series pre-v8.8 PDC (now an SDC) from the
I/A Series pre-v8.8 domain. See Appendix D “Secondary Domain Controllers in a
Foxboro Evo System” for how to transfer FSMO roles and remove domain control-
lers from Active Directory.

This procedure involves:


♦ Copying the inter-forest migration scripts to a portable drive, and downloading the
required third-party software
♦ Transferring the Active Directory Settings from the source On-Control Network
PDC to the target Off-Control Network PDC
♦ Installing required third-party software to the target Off-Control Network PDC
♦ Migrating passwords and group policy objects (GPOs) from the source On-Control
Network PDC (with the Password Export Server) to the target Off-Control Network
PDC
♦ Migrating the domain clients with I/A Series software v8.5/8.6/8.7) to the new Off-
Control Network domain.
You must transfer all user accounts, groups and computers manually to the migration organiza-
tional unit (OU) on the source On-Control Network PDC.
The inter-forest migration scripts on the Foxboro Evo Control Core Services v9.1 Day 0 DVD-
ROM will:
♦ Migrate all the user accounts, groups, group memberships, passwords and security
identifiers (SIDs) from the On-Control Network PDC’s migration OU to the pre-
existing Off-Control Network PDC’s migration OU.

277
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

♦ Install the new Foxboro Evo Control Security Phase 2 Active Directory components
on the target Off-Control Network PDC automatically using other scripts.
After migrating the user accounts, groups and computers, each client workstation must be
removed from the source On-Control Network PDC and added to the target Off-Control Net-
work PDC (the station onto which the new software will be installed).
In these procedures, the:
♦ Existing On-Control Network Primary Domain Controller with I/A Series software
v8.5/8.6/8.7 and Windows Server 2003 is referred to as the source PDC.
♦ Existing Off-Control Network Primary Domain Controller (PDC) with Windows
Server 2008 R2 Standard which will have the Control Core Services v9.1 Active
Directory group policies or Phase 2 Active Directory security components installed on
it - this is referred to as the target PDC.

Group Policy Settings Migration From Domains with


I/A Series Software v8.7 or Earlier
When migrating from an On-Control Network domain with I/A Series software v8.7 or earlier to
an existing Off-Control Network domain with Control Core Services v9.1 or later, there are
group policy settings in the domain with I/A Series software v8.7 or earlier that will not automat-
ically be in effect after performing the migration. This is to prevent the introduction of changes to
your existing domain at such a base level that could adversely affect other nodes that are already
working in that existing domain.
This is particularly true of settings that were in the Default Domain Controllers Policy group pol-
icy objects (GPOs) for domains with I/A Series software v8.7 or earlier. These group policy set-
tings will not be applied to your existing domain controller GPO.
For convenience, the installation application for Control Core Services v9.1 copies the Default
Domain Controllers Policy for a domain with I/A Series software v8.7 or earlier to the new
domain as the “Pre-8.8 Default Domain Controllers Policy” but it will not be linked to any OU.
It is there for reference to capture the domain controller policies that were in effect in the domain
with I/A Series software v8.7 or earlier.
It is your responsibility and at your discretion whether or not to manually add any settings that
were in the Default Domain Controllers Policy for a domain with I/A Series software v8.7 or ear-
lier to your own existing domain controllers group policy.
One such policy is the Password Complexity setting. Invensys supplies an enhanced Password
Complexity policy that you can turn on optionally if you want to require that all passwords con-
tain four types of characters (upper, lower, numbers, and symbols). This policy setting is described
in Security Enhancements User's Guide for I/A Series Workstations with Windows 7 or Windows
Server 2008 Operating Systems (B0700ET). If the Invensys-supplied enhanced Password Complex-
ity policy had been enabled in the domain controller policy for a domain with I/A Series software
v8.7 or earlier, it will need to be added to the domain controllers policy on the existing Off-Con-
trol Network domain manually.

278
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

Preparation for Installation


To prepare for the installation of the target Off-Control Network PDC (with Control Core Ser-
vices v9.1 or later), proceed as follows:
1. Copy the inter-forest migration scripts from the DVD labeled “Foxboro Evo Control
Core Services v9.1 Day 0 DVD-ROM” (K0174MS-A) onto a portable drive that can
be used for the setup of the Off-Control Network PDC. The scripts are located in the
\InterForestMigration folder as shown in Figure 9-1.

Figure 9-1. InterForestMigration Folder

2. Download the following third-party installation packages from Microsoft:


♦ Microsoft SQL Server 2008 SP3 Express Edition v10.00.5500.00 (32-bit installer
for installation on 64-bit workstations) - SQLEXPR_x86_ENU.exe (dated
10/6/2011), available here:
https://www.microsoft.com/en-us/download/details.aspx?id=27597

NOTE
SQL Server 2008 R2 Express Edition is not supported.

♦ Active Directory Migration Tool v3.2 - admtsetup32.exe (dated 6/18/2010),


available here:
https://www.microsoft.com/en-us/download/details.aspx?id=8377
♦ Password Export Server version 3.1 (x86) - pwdmig.msi (dated 7/9/2008),
available here:
https://www.microsoft.com/en-us/download/details.aspx?id=10370

279
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

NOTE
This is NOT the pwdmig.msi file found in the support files provided with the
Windows Server 2003 R2 operating system.

! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

Disabling the VirusScan Console on Target Primary Domain


Controller
Proceed as follows to disable the McAfee VirusScan Control on the target PDC:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. If Access Protection is “Enabled”, right-click on Access Protection and select
Disable, as shown in Figure 9-2.

Figure 9-2. Disable Virus Scan Access Protection

4. Right-click on On-Access Scanner and select Disable.


5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 9-3.

280
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

Figure 9-3. On-Access Scan Properties Dialog Box

6. Clear the check-box labeled Enable on-access scanning at system startup


and click Apply. Click OK.

NOTE
The check box should be re-enabled at the end of the installation.

281
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

Preparing the Source Primary Domain Controllers


for Transferring Active Directory Settings
To prepare the source PDC (with I/A Series software v8.5/8.6/8.7) to have its Active Directory
settings transferred to the target PDC (with Control Core Services v9.1 or later), proceed as fol-
lows:
1. On the source PDC, change the password of the IAManager account to match the
password of the Administrator account on the target PDC. Click the Start button and
select Control Panel -> Administrative Tools -> Active Directory Users
and Computers. In Active Directory Users and Computers, right click on the user
account and select Reset Password.

Figure 9-4. Selecting Reset Password

282
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

2. Enter the password in the two fields as shown in Figure 9-5 and click OK.

Figure 9-5. Reset Password Dialog Box

3. Log off from the source PDC and log back into the source PDC using the newly-set
password.
4. Set the PowerShell execution policy on the source PDC by executing the following
command from within Windows PowerShell:
Set-ExecutionPolicy Unrestricted

Figure 9-6. Set-ExecutionPolicy Unrestricted

5. Open the Internet Protocol (TCP/IP) Properties dialog box for the Off-Control Net-
work NIC card as follows:
a. On the desktop, right-click My Network Places, and click Properties.
b. In the Network and Connections dialog box, right-click the Off-Control Network
NIC card, and click Properties.

283
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

c. In the card’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Proper-
ties. The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 9-7.
d. In the Internet Protocol (TCP/IP) Properties dialog box, set the TCP/IP address
and DNS server address to match the network settings of the target PDC. The
DNS server address should be the IP address of the target PDC.

These should match the similar


settings in the Target PDC

IP Address of the Target PDC

Figure 9-7. Internet Protocol (TCP/IP) Properties Dialog Box - Off-Control Network
NIC Card

NOTE
The installation will attempt to set the DNS entries on the existing stations with
I/A Series software v8.7 or earlier. However, this can fail for multiple reasons. You
may see the following message in the AD Setup log (D:\usr\fox\sp\ADSetup.log):
Failed to configure the DNS setting for AW0001 station. Access is
denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
The instructions for setting up DNS entries on existing stations with I/A Series
software v8.7 or earlier should be followed for all stations with I/A Series software
v8.7 or earlier even though it is possible that some entries have been set already. It is
critical to system interoperability that these settings are made.

284
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

6. Open the Properties dialog box for the FoxInt NDIS Intermediate Miniport Driver
(Control Core Services/I/A Series network card).
a. On the desktop, right-click My Network Places, and click Properties.
b. In the Network and Connections dialog box, right-click the FoxInt NDIS Inter-
mediate Miniport Driver, and click Properties.
c. Disable the TCP/IP protocol on the FoxInt NDIS Intermediate Miniport Driver
by un-checking the Internet Protocol (TCP/IP) check box in the list of supported
protocols as shown in Figure 9-8.

Uncheck

Figure 9-8. Internet Protocol (TCP/IP) Properties Dialog Box - FoxInt NDIS Intermediate
Miniport Driver

285
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

7. Click the Start button, and click Programs -> Accessories -> Command Prompt to
open a command prompt. Verify the basic TCP/IP connectivity by pinging the target
PDC from the command prompt.

Figure 9-9. Ping Target PDC from Command Prompt

8. Open Windows PowerShell and navigate to the folder containing the inter-forest
migration scripts (.\InterForestMigration\PrepSourceDomain), to which you copied
them in “Preparation for Installation” on page 279. In the Windows PowerShell com-
mand prompt, execute the command .\PrepSourceDomainForMigration.ps1 to
prepare the source PDC for migration

NOTE
If Windows PowerShell was already open before this step to set an execution policy,
the PowerShell command prompt must be closed and then reopened before per-
forming this step.

286
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

Figure 9-10. Execute PrepSourceDomainForMigration.ps1 Script

9. In the Inter-Forest Migration dialog box, shown in Figure 9-11, provide the
information requested for your source and target PDCs. In this example, the target
PDC is named existing.local with an IP address of 181.182.81.1 and an administra-
tor account name of Administrator. The source PDC IP address is 181.182.81.2 in
this example.

287
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

Note: Values shown are examples only.


Figure 9-11. Inter-Forest Migration Dialog Box

10. Review the Active Directory setup log (D:\usr\fox\sp\ADSetup.log) for errors.

288
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

11. From within Active Directory Users and Computers, drag the “IA Computers” and
“IA Users” Organizational Units (OUs) to the Migration OU as shown in
Figure 9-12.

Figure 9-12. Moving IA Computers and IA Users OUs into Migration OU

12. Select the Exceed_Users group, the IA Installer group, the IA Services group, the
IA Services user (named IAServices in Figure 9-13), and the IA Installer user (named
IAInstaller in Figure 9-13) from within the Users OU. Drag these users and groups to
the Migration OU as shown in Figure 9-13.

289
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

Figure 9-13. Moving Additional Users and Groups into the Migration OU

290
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

13. After the previous steps have been performed, the Migration OU appears as shown in
Figure 9-14.

Figure 9-14. Migration OU - Populated

Any additional users and groups may also be dragged into the Migration OU if they
are to be migrated. However, the migration process does not support migrating
custom OUs. All objects must be located directly under the Migration OU.

NOTE
Any non-standard accounts or groups (such as those which were not created by
default during the installation of I/A Series software v8.5) will be migrated if they
are placed directly inside the Migration OU. However, any links which had been
made to group policy objects (GPOs) before the migration will be lost. After the
migration is complete, it will be necessary to recreate the OUs which had contained
these Active Directory objects and manually move the objects into their respective
OUs. It will also be necessary to re-establish any links to the GPOs in order for
these user groups and accounts to work as they had on the pre-migrated system.

Preparing the Target Primary Domain Controllers


Proceed as follows to transfer the source PDC’s (with I/A Series software v8.5/8.6/8.7) Active
Directory settings to the target PDC (with Control Core Services v9.1 or later):

291
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

1. Ensure you are logged in as Administrator. In the target PDC (with Control Core Ser-
vices v9.1 or later), insert the DVD labeled “Foxboro Evo Control Core Services v9.1
Day 0 DVD-ROM” (K0174MS-A).
2. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 9-15.
Click Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 9-15. AutoPlay Dialog Box

3. Click Yes to accept the User Account Control (UAC) prompt.


4. A pre-requisite installation dialog box appears as shown in Figure 9-16. Click
Install to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the
server.

292
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

Figure 9-16. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box

293
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

5. A dialog box appears that allows you to select whether you are installing Control Core
Services without security enhancements or for a security-enhanced system. Select
Install I/A Series software for a security enhanced system and
Perform an inter-forest migration, Pre-8.8 to existing OFF-MESH
(load commit files only)

Figure 9-17. Selecting to Perform an Inter-Forest Migration

6. Click Next.

294
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

7. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 9-18. Click Load to set the installation target drive to D:\ and
load the committed configuration files.

Figure 9-18. Load Committed Configuration Install Files

8. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 9-19. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a diskette, put the dis-
kette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 9-19 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.

295
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

Figure 9-19. Installation Media Folder Browser

9. Click Next.
10. Once the committed configuration installation files have been loaded, click Finish.

Figure 9-20. InstallShield Wizard Completed

296
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

11. Verify that the TCP/IP settings for the target PDC are compatible with the settings
made on the source PDC. Open the Internet Protocol (TCP/IP) Properties dialog box
for the target PDC’s Off-Control Network NIC card as follows:
a. On the desktop of the target PDC, right-click My Network Places, and click
Properties.
b. In the Network and Connections dialog box, right-click the Off-Control Network
NIC card, and click Properties.
c. In the card’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Proper-
ties. The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 9-21.
d. In the Internet Protocol (TCP/IP) Properties dialog box, ensure the IP address is
compatible with the settings made for the source domain controller. When fin-
ished, click OK twice to close these dialog boxes.

These should be compatible


with the settings made for the
Source domain controller.

Figure 9-21. Internet Protocol (TCP/IP) Properties Dialog Box - Target PDC’s
Off-Control Network NIC Card

297
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

12. Click the Start button, and click Programs -> Accessories -> Command Prompt to
open a command prompt. Verify the basic TCP/IP connectivity by pinging the target
PDC from the command prompt.

Figure 9-22. Ping Source PDC from Command Prompt

13. Install the Microsoft SQL Server 2008 SP3 Express Edition software v10.00.5500.00
downloaded in “Preparation for Installation” on page 279, using the directions
described in “Installing Microsoft SQL Server 2008 SP3 Express Edition
v10.00.5500.00” on page 303.
Note that SQL Server 2008 R2 Express Edition is not supported.
14. Open Windows PowerShell and navigate to the folder containing the inter-forest
migration scripts (.\InterForestMigration\PrepTargetDomain), to which you copied
them in “Preparation for Installation” on page 279. In the Windows PowerShell com-
mand prompt, execute the command .\PrepTargetDomainForMigration.ps1 to
prepare the target PDC for migration

298
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

Figure 9-23. Executing PrepTargetDomainForMigration.ps1

15. In the Inter-Forest Migration dialog box, shown in Figure 9-24, provide the
information requested for your source PDC. In this example, the source PDC is
named iaseries.local with an IP address of 181.182.81.2 and an administrator
account name of IAManager.

Note: Values shown are examples only.

Figure 9-24. Inter-Forest Migration Dialog Box

299
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

16. Review the Active Directory setup log (%ALLUSERSPROFILE%\Invensys\IASer-


ies\Installer\TarOutput_NNNNNNNNNNNNNNNNNN\ADSetup.log) for errors
once the scripts executed in the previous steps have completed.
17. Install Active Directory Migration Tool v3.2 (admtsetup32.exe) downloaded in “Prep-
aration for Installation” on page 279, using the directions in “Installing Active Direc-
tory Migration Tool v3.2” on page 318.
Be sure to use “.\SQLEXPRESS” as your SQL Server instance name unless a different
instance name was selected during the SQL Server installation.
18. Open Active Directory Migration Tool under Administrative Tools and verify
that there are no errors reported in the ADMT window, shown in Figure 9-25. If
errors were reported, the migration cannot continue until they are resolved. Make
sure that ADMT v3.2 was installed under the correct user account and that SQL
Server 2008 Express is also correctly installed. It may be necessary to uninstall and
reinstall ADMT 3.2 (as described in “Installing Active Directory Migration Tool
v3.2” on page 318) to resolve issues before continuing.

Figure 9-25. Active Directory Migration Tool Window

19. Click the Start button, and click Programs -> Accessories -> Command Prompt to
open a command prompt. Create the password migration export file by executing the
following command from the command prompt:
C:\Windows\admt\admt.exe key /opt:create /sd:“[SOURCE_PDC]”
/kf:“[PASSWORD_EXPORT_FILE]” /KeyPassword:“[PASSWORD]”
Where:

300
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

[SOURCE_PDC] is the name of the source PDC.


[PASSWORD_EXPORT_FILE] is the location and name for the new password
export file.
[PASSWORD] is the key password.
For example (as shown in Figure 9-26), if the name of the source PDC is “iaser-
ies.local” and the name of the password export file is “D:\source.pes”, the command
would be:
C:\Windows\admt\admt.exe key /opt:create /sd:“iaseries.local”
/kf:“D:\source.pes” /KeyPassword:“Password1”

Figure 9-26. Creating the Password Migration Export File

20. From Active Directory Users and Computers, right-click on the Built-in Admin-
istrators group and select Properties. In the Administrators Properties dialog
box, select the Members tab and click the Add button as shown in Figure 9-27.

301
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

Figure 9-27. Administrators Properties Dialog Box

21. In the Select Users, Contacts, Computers, Service Accounts or Groups dialog box,
enter the full name of the source PDC’s administrator account (in this example,
IASERIES\IAManager) and click OK.

Note: Values shown are examples only.

Figure 9-28. Select Users, Contacts, Computers, Service Accounts or Groups Dialog Box

302
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

22. Click OK to close the Administrators Properties dialog box.


23. Reboot the target PDC. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.

Installing Microsoft SQL Server 2008 SP3 Express Edition


v10.00.5500.00
Install Microsoft SQL Server 2008 Express Edition SP3 as follows.
1. Run the SQLEXPR_x86_ENU.exe file you downloaded in “Preparation for Installa-
tion” on page 279.
2. Select Installation on the left-hand side of the SQL Server Installation Center dia-
log box. Click the link for New SQL Server stand-alone installation or add
features to an existing installation.

Figure 9-29. SQL Server Installation Center - Start Installation

303
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

3. Click OK.

Figure 9-30. SQL Server Installation Center - Setup Support Rules

304
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

4. Click Next.

Figure 9-31. SQL Server Installation Center - License Key

305
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

5. Check the I accept the license terms check box and click Next.

Figure 9-32. SQL Server Installation Center - Accept License

306
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

6. Click Install to install the setup support files.

Figure 9-33. SQL Server Installation Center - Install Setup Support Files

307
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

7. Click Next.

Figure 9-34. SQL Server Installation Center - Setup Support Files Installed

308
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

8. Check the Database Engine Services check box and click Next.

Figure 9-35. SQL Server Installation Center - Feature Selection

309
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

9. Confirm the instance name of SQLExpress and click Next.

Figure 9-36. SQL Server Installation Center - Instance Configuration

310
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

10. Click Next.

Figure 9-37. SQL Server Installation Center - Disk Space Requirements

311
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

11. Select the “NT AUTHORITY\SYSTEM” account for the SQL Server Database
Engine. Then, click Next.

Figure 9-38. SQL Server Installation Center - Server Configuration

312
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

12. Add the Administrator account as a SQL Server Administrator


(EXISTING\Administrator). Then, click Next.

Figure 9-39. SQL Server Installation Center - Database Engine Configuration

313
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

13. Click Next.

Figure 9-40. SQL Server Installation Center - Error and Usage Reporting

314
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

14. Click Next.

Figure 9-41. SQL Server Installation Center - Installation Rules

315
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

15. Click Install to install SQL Server 2008 Express, SP3.

Figure 9-42. SQL Server Installation Center - Ready to Install

316
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

16. Click Next.

Figure 9-43. SQL Server Installation Center - Installation Progress

317
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

17. Click Close when the installation is complete.

Figure 9-44. SQL Server Installation Center - Installation Complete

Installing Active Directory Migration Tool v3.2


To install the Active Directory Migration Tool (ADMT) v3.2, proceed as follows:
1. In Windows Explorer, double-click the Active Directory Migration Tool installer
(admtsetup32.exe) which you downloaded in “Preparation for Installation” on
page 279.

318
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

2. As shown in Figure 9-45, click Next.

Figure 9-45. Installing Active Directory Migration Tool v3.2 - Welcome

319
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

3. As shown in Figure 9-46, select the I Agree radio button and click Next.

Figure 9-46. Installing Active Directory Migration Tool v3.2 - License Agreement

320
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

4. As shown in Figure 9-47, leave the default setting and click Next.

Figure 9-47. Installing Active Directory Migration Tool v3.2 - Customer Experience
Improvement

321
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

5. Enter the instance name (chosen during the SQL Server 2008 Express SP3 installa-
tion). The default is .\SQLEXPRESS as shown in Figure 9-48. Then click Next.

Figure 9-48. Installing Active Directory Migration Tool v3.2 - Database Selection

322
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

6. Click Next.

Figure 9-49. Installing Active Directory Migration Tool v3.2 - Database Import

323
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

7. When prompted as shown in Figure 9-50, click Finish to complete the Active Direc-
tory Migration Tool installation.

Figure 9-50. Installing Active Directory Migration Tool v3.2 - Complete

Migrating Passwords and Group Policy Objects


(GPOs) from Source Primary Domain Controller
To migrate the passwords and the group policy objects (GPO) from the source PDC, proceed as
follows:
1. Install Password Export Server v3.1 (x86) (pwdmig.msi), downloaded in “Preparation
for Installation” on page 279, with the procedure described in “Installing Password
Export Server v3.1” on page 331.

324
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

Figure 9-51. Installing pwdmig.msi

2. At the end of the Password Migration service installation, when asked if you want to
restart the computer (see Figure 9-52), select No.

Figure 9-52. Select No

3. Click Start -> Run. In the Run dialog box, type services.msc and click OK. The
Services dialog appears. Right-click on the Password Export Server Service
entry and select Properties.

325
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

Figure 9-53. Password Export Server Service

326
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

4. In the Service Properties dialog box, select a startup type of Automatic and click OK.

Figure 9-54. Password Export Server Service Properties Dialog Box

5. Close the Services window.


6. Open the Group Policy Management Console (GPMC) - click the Start button and
select Control Panel -> Administrative Tools -> Group Policy Manage-
ment.

327
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

7. In the GPMC console tree, locate the Default Domain Controllers GPO as shown in
Figure 9-55, right-click it and select Edit.

Figure 9-55. Group Policy Management Console (GPMC)

328
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

8. Navigate to Computer Configuration -> Windows Settings -> Security


Settings -> Restricted Groups as shown in Figure 9-56. Right-click on
Administrators and select Properties.

Figure 9-56. Group Policy Object Editor - Restricted Groups

329
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

9. Click Add adjacent to the “Members of this group” area.

Figure 9-57. Administrators Properties Dialog Box

10. Enter the name of the Administrator account on the target domain and click OK.

Figure 9-58. Add Member Dialog Box

11. Click OK to exit the Administrators Properties dialog box.


12. Reboot the source PDC. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.
13. After the source PDC finishes rebooting, log into the PDC with the IAManager
account. You must be logged in with this account for the Password Export Server Ser-
vice to run.

330
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

Installing Password Export Server v3.1


Proceed as follows on the source PDC:
1. In Windows Explorer, double-click the Password Export Server v3.1 installer
(pwdmig.msi) which was downloaded in “Preparation for Installation” on page 279.
2. When the Welcome screen shown in Figure 9-59 appears, click Next.

Figure 9-59. ADMT Password Migration DLL Setup Welcome

331
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

3. As shown in Figure 9-60, select the I Accept the License Agreement radio but-
ton and click Next.

Figure 9-60. ADMT Password Migration DLL Setup - License Agreement

4. Click Browse as shown in Figure 9-61. Browse to the location in which you created
the source.pes file in “Preparing the Target Primary Domain Controllers” on
page 291. (For example, in Figure 9-61, the location is D:\.) Click OK to close the
Browse dialog box. Then click Next.

332
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

Figure 9-61. ADMT Password Migration DLL Setup - Encryption File

5. When the dialog box shown in Figure 9-62 appears, type the password you provided
for this file in “Preparing the Target Primary Domain Controllers” on page 291
(“Password1”) in the Password and Confirm fields. Then click Next.

Figure 9-62. Password for the Encryption Key

333
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

6. As shown in Figure 9-63, click Next.

Figure 9-63. ADMT Password Migration DLL Setup - Start Installation

7. When the dialog box shown in Figure 9-64 appears, enter the source PDC Adminis-
trator account credentials (IASERIES\IAManager) to configure the Password Export
Server and click OK.

Figure 9-64. ADMT Password Migration DLL - Specifying User Account

334
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

8. Click OK.

Figure 9-65. ADMT Password Migration DLL - Account Granted Log On As a Service Right

9. Click Finish to complete the Password Export Server Service installation.

Figure 9-66. ADMT Password Migration DLL Setup - Finishing Installation

335
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

10. Do not restart the source PDC. When prompted as shown in Figure 9-67, click No.

Figure 9-67. Restarting Your System

Migrating Active Directory Settings to the Target


Primary Domain Controller
To migrate the Active Directory settings to the target PDC, proceed as follows:
1. Log into the target PDC using the Administrator account to be used for the
migration.
2. To turn off the Windows PowerShell signing restriction, open a Windows PowerShell
(x86) command prompt - 32-bit version only - and execute the following command:
Set-ExecutionPolicy Unrestricted

NOTE
1) You cannot use the 64-bit Windows PowerShell to execute these scripts.
2) The source PDC must be available and must be logged into with the account
under which the Password Export Server Service is setup to run.

3. Re-open a Windows PowerShell (x86) command prompt - 32-bit version only.


4. Navigate to the folder containing the migration scripts (.\InterForestMigra-
tion\Migrate) to which you moved them in “Preparation for Installation” on
page 279.
In the command prompt, execute the following command as shown in Figure 9-68:
.\ADInterForestMigration.ps1

336
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

Figure 9-68. Executing .\ADInterForestMigration.ps1

5. When prompted, provide the name of the source PDC (iaseries.local in the example
shown in Figure 9-69).

Note: Value shown is an example only.

Figure 9-69. Inter-Forest Migration Dialog Box

The migration takes several minutes to complete.


6. Review the Active Directory setup log (%ALLUSERSPROFILE%\Invensys\IASer-
ies\Installer\TarOutput_NNNNNNNNNNNNNNNNNN\ADSetup.log) for
errors.

Adding Foxboro Stations to Active Directory Post-Installation


When first installed, the Off-Control Network PDC contains objects in Active Directory for all
Foxboro stations in the system. If stations are added to the Control Core Services system at a later
time, new objects must be created manually in this PDC’s Active Directory.
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. You may need to scroll down to see
this menu selection.
2. From Active Directory Users and Computers, right-click on the “IA Comput-
ers” OU and select New -> Computer as shown in Figure 9-70.

337
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

Figure 9-70. Selecting IA Computers -> New -> Computer

3. Enter the name of the new workstation in the Computer name field and click OK as
shown in Figure 9-71. The OU for “Pre-8.8 workstations” on migrated systems will
be named “Pre-8.8 IA Computers” as shown in Figure 9-72.

338
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

Figure 9-71. New Object - Computer

Figure 9-72. Selecting Pre-8.8 IA Computers -> New -> Computer

339
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

Migrating Domain Clients with I/A Series Software


v8.5/8.6/8.7 to the New Off-Control Network
Domain
To migrate the existing domain clients (with I/A Series software v8.5/8.6/8.7) to the new Off-
Control Network domain, proceed as follows:
1. Open the Internet Protocol (TCP/IP) Properties dialog box for the FoxInt NDIS
Intermediate Miniport Driver (Control Core Services/I/A Series network card).
a. On the desktop, right-click My Network Places, and click Properties.
b. In the Network and Connections dialog box, right-click the FoxInt NDIS Inter-
mediate Miniport Driver, and click Properties.
c. In the adapter’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Proper-
ties.

Figure 9-73. Adapter Properties Dialog Box

340
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

d. The Internet Protocol (TCP/IP) Properties dialog box appears as shown in


Figure 9-74. Remove all DNS server entries.

Figure 9-74. Internet Protocol (TCP/IP) Properties Dialog Box - FoxInt NDIS Intermediate
Miniport Driver

2. Open the Internet Protocol (TCP/IP) Properties dialog box for the Off-Control Net-
work NIC.
a. In the Network and Connections dialog box, right-click the Off-Control Network
NIC, and click Properties.
b. In the NIC’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Proper-
ties.

341
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

c. The Internet Protocol (TCP/IP) Properties dialog box appears as shown in


Figure 9-75. Setup the TCP/IP entries for IP address and DNS servers which are
compatible with the new Off-Control Network domain network. The primary
DNS setting should be the IP address of the target PDC.

IP Address of
the Target
PDC

Figure 9-75. Internet Protocol (TCP/IP) Properties Dialog Box - Off-Control Network NIC

3. On the desktop, right-click My Computer and select Properties. In the System


Properties dialog box, select the Computer Name tab. Click the Change button.
Select the Workgroup radio button and enter a name for a temporary workgroup.
When finished, click OK.

342
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

Figure 9-76. Computer Name Changes - Name Temporary Workgroup

4. When asked, enter the IAManager account credentials and click OK.

Figure 9-77. Computer Name Changes - Enter Credentials

343
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

5. Click OK.

Figure 9-78. Computer Name Changes - Welcome to the Temporary Workgroup

6. Click OK.

Figure 9-79. Computer Name Changes - Note that Domain Client Must Be Restarted

7. In the System Properties dialog box, in the Computer Name tab, click the Change
button again.

Figure 9-80. System Properties - Computer Name - Change

344
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

8. Select the Domain radio button and enter in the name of the Off-Control Network
domain. Click OK.

Figure 9-81. Computer Name Changes - Adding Off-Control Network Domain

9. Enter the credentials for an account with permission to add stations to the Off-Con-
trol Network domain and click OK.

Figure 9-82. Computer Name Changes - Enter Account Credentials

345
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

10. Click OK.

Figure 9-83. Computer Name Changes - Welcome to the Off-Control Network Domain

11. Click OK.

Figure 9-84. Computer Name Changes - Note that Domain Client Must Be Restarted

12. Click OK as shown in Figure 9-85. Do not reboot the computer when prompted.

Figure 9-85. System Properties Dialog Box - Closing

346
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

13. Click No, as shown in Figure 9-86.

Figure 9-86. System Settings Change Dialog Box - Click No

14. Click Start -> Run. In the Run dialog box, type services.msc and click OK. The
Services dialog appears. Right-click on FoxNTGUIAppServices and select
Properties.

Figure 9-87. Services Windows - FoxNTGUIAppServices

15. Select the Log On tab as shown in Figure 9-88. In the “This account:” field, enter the
name of the IAServices account on the new Off-Control Network domain. After the

347
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

migration, it should only be necessary to change the domain name. Enter and confirm
the password for this account. When finished, click OK.

Figure 9-88. FoxNTGUIAppServices Properties Dialog Box

16. The dialog box shown in Figure 9-89 appears if the account information was entered
correctly. Click OK.

Figure 9-89. Services Dialog Box

348
9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary Domain Controller

17. Click OK.

Figure 9-90. Services Dialog Box

18. Click the Start button, and click Programs -> Accessories -> Command Prompt to
open a command prompt. Type the following command and then press <Enter>:
SetIAStartupAcct

Figure 9-91. Executing SetIAStartupAcct

19. Reboot the domain client. Click the Start button and click Shut Down; select
Restart from the pull-down menu and click OK.
The migration process is complete.

NOTE
After migration is complete, install Windows Server 2008 R2 Standard with Con-
trol Core Services v9.1 on all of your SDCs.

349
B0700SS – Rev D 9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-

Continuing Installation
NOTE
For all domain clients migrated from a domain with I/A Series software
v8.5/8.6/8.7 to a domain with Control Core Services v9.1, it may be necessary to
move the migrated domain client’s object in Active Directory before beginning the
client’s installation procedure. Refer to “Migrating Domain Client from Domain in
I/A Series Software v8.7 or Earlier to a Domain in Foxboro Evo Control Core Ser-
vices v9.1” on page 354.

Refer to “Installing Optional Software” on page 65 to install any additional packages on the PDC.
Be sure to re-enable McAfee VirusScan on all the PDCs, SDCs and domain clients on which you
disabled it. Refer to “Re-Enabling the McAfee VirusScan Console” on page 405.
Proceed to Chapter 10 “Security Enhanced Foxboro Evo Control Core Services v9.1 Installation
for Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Cli-
ents to Existing Off-Control Network Networks” for the installation procedure for the domain
clients.

350
10. Security Enhanced Foxboro Evo
Control Core Services v9.1
Installation for Domain Clients
or Connecting Security Enhanced
I/A Series Software v8.5-8.7
Domain Clients to Existing Off-
Control Network Networks
This chapter describes procedures to install security enhanced Control Core Services v9.1 on
your domain clients and connect them to the appropriate On-Control Network or Off-Control
Network domain controller. It also describes how to connect an existing domain client with
I/A Series software v8.5-v8.7 to an existing Off-Control Network domain controller.

Workstation/Server Preparation
This section applies to the Windows 7 and Windows Server 2008 R2 Standard stations that are
being installed as domain clients. The domain client may be connected to a domain client either
on the Foxboro Evo Control Network (which is a dedicated Foxboro maintained network, hereaf-
ter known as “the control network”) or on another network (which is called an “Off-Control Net-
work” network).
Dialog boxes on these two types of platforms may differ slightly, but will be functionally identical,
with minor exceptions as documented below.
Perform the following steps to set up the hardware and restore the operating system onto your
workstation:

NOTE
If this is a new station shipped from the Invensys factory with the V9.1 Restore
image identified by the media kits in Table 1-2 and verified in your workstation’s
H-code (or P-code), proceed to “Notes for Installing Foxboro Evo Control Core
Services” on page 353. If not, continue following the steps in this section.

1. Install hardware, restore the Windows operating system, and update drivers for your
workstation or server. Perform the following:
a. Refer to Control Core Services v9.1 Release Notes (B0700SR) to be sure that your
hardware meets all hardware requirements specific to the V9.1 release. For instruc-
tions on installing memory upgrades, PCI cards, and so forth, refer to the “Install-

351
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

ing Hardware Upgrades” chapter of the hardware and software specific instruction
document shipped with your workstation or server.
b. Using the V8.8 Restore Media, restore the Windows operating system on your
workstation or server. Follow the instructions of Appendix A “Startup Options”.

! WARNING
Only use the media kits listed in Table 1-2 to restore the operating system of a sta-
tion with Control Core Services v9.1.

Do not follow the instructions for installing Control Core Services from your hard-
ware specific instruction manual. Follow the software installation procedure below.

c. Set the time and date. Perform the following:


♦ Open the Windows Date and Time applet by clicking the Date and Time
icon in the Control Panel.
♦ Click the Change Date and Time button.
♦ Adjust the date and time.
♦ Click OK.
♦ Click the Change time zone button.
♦ Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
♦ Click OK.

NOTE
While installing a secure domain client, it is important to ensure that the UTC sys-
tem time matches the UTC system time on the domain (as viewed on the PDC).
The date and time must match, though the time which Windows displays may dif-
fer if the time zones are not the same on the two stations.
Be careful when changing the time zone prior to adjusting the system time as this
can cause the AM/PM setting to change.
Also, be aware that the checkbox included for some time zones which defines
whether or not the time will be automatically adjusted for Daylight Saving Time
can cause the system time to differ by an hour.

d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the hardware and software specific instruction docu-
ment shipped with the station.

352
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

Notes for Installing Foxboro Evo Control Core


Services
Before you install Control Core Services, make sure that the station is physically connected to the
control network and that the PDC is on-line and attached to the control network or a secondary
(non-Foxboro) network for an Off-Control Network PDC.
If the PDC is on the control network, make sure the station is disconnected from any secondary
(non-Foxboro) networks, but do not disable the adapters for these network cards.

! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

! CAUTION
GPS PCI time cards are installed only in primary and backup Master TimeKeeper
workstations or stations as configured for MTK. The MTK workstations or stations
with Control Core Services v9.1 (and later) must install the GPS PCI time card,
driver, and control utility before installing Control Core Services. Refer to the Time
Synchronization User’s Guide (B0700AQ) to perform this installation.

NOTE
On servers with the Windows Server 2008 R2 Standard operating system, it is rec-
ommended that no roles be added to the system which are not necessary for the
operation of the server. Adding unnecessary roles (for example, adding the Remote
Desktop Services role when the server is not to be used as a remote session host) can
create security weaknesses in the overall system.

NOTE
Use the IAInstaller account for all installation tasks. However, due to the
permissions assigned to IAInstaller, do not use it for any other role, such as
operation of the station.

Preparing Network Interface Cards (NICs) For Installation


Before installing Control Core Services, for each installed NIC, you must set the NICE's proper-
ties “Flow Control” and “Speed & Duplex” manually as described below for the NICs on this sta-
tion.

NOTE
Refer to the Hardware and Software Specific Instructions document included with
your station to determine the NIC cards it supports.

353
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

Proceed as follows:
1. Right-click the My Computer icon, and click Manage. Double-click Device Man-
ager. In the Device Manager window, expand the Network adapters list.
2. Right-click the desired card and click Properties. In the Properties dialog box that
appears, select the Advanced tab.
3. In the Property field, click Flow Control. In the Value field, select Disable from
the drop-down menu list.
4. In the Property field, click Speed & Duplex. In the Value field, in the drop-down
menu list:
♦ For a station on the control network, select 100 Mb Full.
♦ For a station on another network other than the control network (Off-Control
Network), select Auto.
5. Click OK.
6. For each additional NIC, repeat Steps 2 through 5.
7. Shutdown and restart the system for the driver changes to take effect. Click the Start
button and click Shut Down; select Restart from the pull-down menu and click OK.

Migrating Domain Client from Domain in I/A Series Software


v8.7 or Earlier to a Domain in Foxboro Evo Control Core
Services v9.1
If you have migrated a domain client from a domain in a system with I/A Series software v8.7 or
earlier to a domain with Control Core Services v9.1, it may be necessary to move the migrated
domain client’s object in Active Directory before beginning the client’s installation procedure.
This may be necessary as there is a different Organizational Unit (OU) in Active Directory for the
domain clients from a domain with I/A Series software v8.7 or earlier and the domain clients in a
domain with Control Core Services v9.1.
This applies to a pre-existing I/A Series software v8.5/6/7 domain client which will be reinstalled
with Control Core Services v9.1 and connected to a Control Core Services v9.1 domain. If the
domain was migrated from I/A Series software v8.5/6/7 and the old domain clients are not being
reinstalled with v9.1, then nothing on the domain client needs to be changed (aside from the
DNS settings).
Proceed as follows:
1. On the target PDC, log in using a domain administrator account.
2. Open the Active Directory Users and Computers console - click the Start button and
select Control Panel -> Administrative Tools -> Active Directory Users
and Computers.

354
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

3. Determine if the account of the domain client to be installed as a Control Core Ser-
vices v9.1 domain client is in the “Pre-8.8 IA Computers” OU as shown in
Figure 10-1.

Figure 10-1. Adding Pre-Existing Domain Client to the Pre-8.8 IA Computers OU

355
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

4. Drag the account of the domain client into the “IA Computers” OU as shown in
Figure 10-2.

Figure 10-2. Adding Pre-Existing Domain Client to the IA Computers OU

Changing the Station Name


The Windows workstation or server name must match the workstation or server letterbug name
as it was configured in SysDef and saved onto your Commit installation media before you install
the Control Core Services. For instructions on modifying the computer name of your workstation
or server, refer to Appendix B “Changing the Station Name”.

Disabling the VirusScan Console


Proceed as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. If Access Protection is “Enabled”, right-click on Access Protection and select
Disable, as shown in Figure 10-3.

356
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

Figure 10-3. Disable Virus Scan Access Protection

4. Right-click on On-Access Scanner and select Disable.


5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 10-4.

357
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

Figure 10-4. On-Access Scan Properties Dialog Box

6. Clear the check-box labeled Enable on-access scanning at system startup


and click Apply. Click OK.

NOTE
The check box should be re-enabled at the end of the installation.

358
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

Canceling and Resuming the Security Enhanced


Installation Process
If you click the Cancel button during the security-enhanced installation, the following dialog
box appears:

Figure 10-5. Confirming Cancellation of Software Installation

Click Yes to cancel, or No to resume the installation process. If you click Yes, the following dialog
box appears. Click OK:

Figure 10-6. Confirming Installation Interruption

359
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

You are returned to the installation dialog box as shown in Figure 10-7. If you want to see the
installation log, check Show the Windows Installer log. Click Finish.

Figure 10-7. InstallShield Wizard Completed - Interrupted

To restart the installation process after clicking Cancel, re-insert the DVD labeled “Foxboro Evo
Control Core Services v9.1 Day 0 DVD-ROM” (K0174MS-A). A dialog box appears asking if
you want to continue with the installation.
If you click Yes, the installation will return to the dialog box that was canceled. If you click No,
installation will restart from the beginning.

Installation Procedures
The following installation procedures are provided:
♦ “Installation Procedure (On The Foxboro Evo Control Network)” on page 361 - for
domain clients with Control Core Services v9.1 on the control network
♦ “Installation Procedure for Clients of New Off-Control Network Domain Control-
lers” on page 376 - for domain clients with Control Core Services v9.1 on a new Off-
Control Network
♦ “Installation Procedure for Pre-Existing Domain Clients (I/A Series Software v8.5-
v8.7) to Existing Off-Control Network Domain Controllers” on page 394 - for pre-
existing domain clients with I/A Series software v8.5-v8.7 on an existing Off-Control
Network.

360
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

Installation Procedure (On The Foxboro Evo Control Network)


Proceed as follows:
1. Ensure that the Primary Domain Controller (for this domain client) has been installed
and is attached to the control network.
2. Ensure that the domain client’s object is under the correct Control Core Services v9.1
Organizational Unit (OU) in the Active Directory.
3. Ensure that the domain client workstation is attached to the control network.
4. Unplug any non-control network cables.
5. Insert the DVD labeled “Foxboro Evo Control Core Services v9.1 Day 0 DVD-
ROM” (K0174MS-A).
6. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 10-8.
Click Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 10-8. AutoPlay Dialog Box

! CAUTION
If you are prompted with a dialog box indicating that you need to restart for the
configuration changes made to the Security Enhanced Installer to take effect, you
may have restored a non-secure image intended for I/A Series software v8.5-8.7 on
Windows XP or Windows Server 2003 R2. If you are sure you used the proper V9.1
restore image, then reboot the station. Otherwise, restore the station using the
proper V9.1 restore media. (See page 6.)

If a dialog box appears indicating that.NET Framework is required, then you have
used incorrect restore media. Restore the station using the proper V9.1 Restore
media. (See page 6.)

7. Click Yes to accept the User Account Control (UAC) prompt.

361
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

8. A pre-requisite installation dialog box appears as shown in Figure 10-9. Click


Install to load the Micros oft Visual C++ 2010 Red i st rib ut able Package (x64) on
the workstation.

Figure 10-9. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box

362
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

9. A dialog box appears that allows you to select whether you are installing Control Core
Services without security enhancements or for a security-enhanced system. Select
Install I/A Series software for a security enhanced system and
Install this workstation as a client workstation:

Figure 10-10. Selecting to Install a Secure Domain Client

10. Click Next.

363
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

11. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 10-11. Select the Use an On-MESH Domain Controller radio
button. Click Load to load the committed configuration files.

Figure 10-11. Load Committed Configuration Install Files

12. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 10-12. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a floppy diskette, put
the diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 10-11 indi-
cates the number of the requested Commit diskette to the right of the Load button
(101 for the first diskette, 102 for the second, and so forth). Insert each diskette in
the set and click Load.

364
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

Figure 10-12. Installation Media Folder Browser

13. Once the installation files have been loaded, click Bind as shown in Figure 10-11 to
launch the I/A Series Network Installation dialog box (Figure 10-13).
14. The dialog box shown in Figure 10-13 is displayed if the network configuration from
System Definition do not match the available NIC hardware.
If this dialog box is not displayed, the NIC cards have been automatically configured.
Proceed to the next step.

365
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

Otherwise, proceed as follows:


♦ For an On-Control Network domain client, the dialog box, shown in
Figure 10-13, asks you to select the NICs to be connected to the Foxboro net-
work. Select the two network cards and click Next.

! CAUTION
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation.

NIC Adapter Device Number

NOTE: I/A Series Network Installation dialog box shown above is for an On-Control Network domain
client, and is provided to illustrate the concept of the NIC Adapter Device Number only.
Figure 10-13. I/A Series Network Installation Dialog Box (For Certain NIC Cards)

NOTE
For help in determining the correct network adapters) to select, click the Start
button and then select Control Panel -> Network and Internet -> Network
Connections. The Network Connections dialog box appears as shown in
Figure 10-14. Identify the NIC adapter device number for the NIC to be connected
to the Domain Controller’s network (it should have an entry in the Connectivity
column).
Note that the NIC Adapter Device Number indicated in Figure 10-13 aligns with
the NIC Adapter Device Number shown in Figure 10-14. This should not be
confused with the Local Area Connection number (shown in Figure 10-14).

366
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

Local Area Connection Number NIC Adapter Device Number


Indicates if there is a physical
cable connection to this NIC
Figure 10-14. Network Connections - Local Area Connection vs. NIC Adapter Device Number

15. The Ready to connect this workstation to the Control Core Services domain dialog
box appears as shown in Figure 10-15. Enter the name (letterbug) of the domain con-
troller server and the password for the “IA Installer” account. Verify the user account
with authorization to add stations to the domain.
♦ If “offmesh.local” is the name of your domain, enter the password and click
Authorize.
♦ If “offmesh.local” is not your domain, change the domain name, enter the pass-
word and click Authorize.

367
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

Figure 10-15. Ready to Connect This Workstation to the I/A Series Domain

16. If the local system time does not match the PDC system time, the dialog box shown
in Figure 10-16 appears. Click OK. Fix the local system time to match the PDC time
(see “Workstation/Server Preparation” on page 351) and re-click Authorize.

368
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

Figure 10-16. Resetting UTC Date

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 10-17 is displayed. It is important to ensure that the
local and remote system times match (including date, time, AM/PM) before continu-
ing. Note that the checkbox displayed for some time zones which allows the system to
automatically adjust for Daylight Saving Time can affect the time displayed by the
system by one hour.

Figure 10-17. Unable to Determine Local Time

NOTE
If after connecting the domain client to a Control Core Services domain and the
software installation does not continue after the reboot, the system time may not
have been set correctly. Refer to “Setting Time Correctly After Failure to Continue
Software Installation After Reboot (SDC or Domain Client)” on page 563 to cor-
rect this.

369
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

17. If a Secondary Domain Controller (SDC) is planned for this Control Core Services
system, select the SDC from the “Select the Secondary Domain Controller Stations”
drop-down list and click Set. If no SDC station is planned, click Skip.
18. Fill in the name of the host domain (iaseries.local is the default) and click
Connect.
19. If the workstation is connected to the domain, the dialog box shown in Figure 10-18
appears. Click Reboot.

Figure 10-18. Invensys IASeries Install: Workstation Reboot Request Dialog Box

The following dialog box indicates that the server will be rebooted.

Figure 10-19. You Are About To Be Logged Off Dialog Box

20. When the station reboots, log into the domain using the “IA Installer” account.

370
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

21. If installation does not continue automatically (or the Finish dialog box appears), nav-
igate to the DVD drive and double-click setup.exe to continue the installation. If
installation does continue automatically, click Next and then Install to run the
installation process.

Figure 10-20. InstallShield Wizard for Foxboro Evo Control Core Services

NOTE
In some cases, the installation is not able to restart automatically after logging in
with the IA Installer account. If the following dialog box (Figure 10-21) is displayed
after logging in (this dialog box could take a few minutes to display), the installa-
tion must be restarted manually. This can be done after a reboot or logoff and logon
with the IA Installer account. To restart the installation manually, execute setup.exe
directly from the DVD drive.

371
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

Figure 10-21. Reboot or Logoff Requested

22. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 10-22 is displayed.
To install this package, insert the first OS1FDB package diskette and click Load. After
the first disk has been loaded, insert the second OS1FDB package diskette and click
Load.
To bypass the installation of this package, click Skip. The installation continues, but
this dialog box is displayed again for each of the OS1FDB stations configured on this
Foxboro station.

NOTE
This will occur one time for each OS1FDB station configured.

372
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

Figure 10-22. Installation Media Dialog Box

23. If you selected Load, the media folder browser opens.

Figure 10-23. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette must be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.

373
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

24. If you selected Use Diskette in the previous step, the dialog box in Figure 10-24
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
must be inserted in drive A:\.

Figure 10-24. Installation Media Dialog Box - For Diskettes

25. Click Finish when the installation process is complete.


At the end of the installation, the installation log is displayed.
You can view the installation log at any time by clicking the Start button and selecting
All Programs -> Invensys -> IASeries -> Utilities -> Log Viewer.

374
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

Figure 10-25. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.
26. Proceed to “Completing the Domain Client Installation” on page 399.

375
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

Installation Procedure for Clients of New Off-Control Network


Domain Controllers
NOTE
Do not set up the Off-Control Network NIC manually prior to installing the Con-
trol Core Services. This will be handled automatically during the installation.

This procedure is for adding domain clients to new Off-Control Network domain controllers.
Proceed as follows:
1. Ensure the PDC for this domain client has been installed and is attached to the sec-
ondary (non-Foxboro) network.
2. Ensure that the domain client’s object is under the correct Control Core Services v9.1
Organizational Unit (OU) in the Active Directory.
3. Ensure the domain client is attached to the control network.
4. Ensure the domain client is attached to the secondary (non-Foxboro) network.
5. Insert the DVD labeled “Foxboro Evo Control Core Services v9.1 Day 0 DVD-
ROM” (K0174MS-A).
6. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 10-26.
Click Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 10-26. AutoPlay Dialog Box

376
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

! CAUTION
If you are prompted with a dialog box indicating that you need to restart for the
configuration changes made to the Security Enhanced Installer to take effect, you
may have restored a non-secure image intended for I/A Series software v8.5-8.7 on
Windows XP or Windows Server 2003 R2. If you are sure you used the proper Con-
trol Core Services v9.1 restore image, then reboot the station. Otherwise, restore the
station using the proper Control Core Services v9.1 restore media. (See page 6.)

If a dialog box appears indicating that.NET Framework is required, then you have
used incorrect restore media. Restore the server using the proper Control Core Ser-
vices v9.1 Restore media. (See page 6.)

7. Click Yes to accept the User Account Control (UAC) prompt.


8. A pre-requisite installation dialog box appears as shown in Figure 10-27. Click
Install to load the Micros oft Visual C++ 2010 Red i st rib ut able Package (x64) on
the server.

Figure 10-27. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box

377
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

9. Select the Install I/A Series software for a security enhanced system
bullet as shown in Figure 10-28. Ensure that Install this workstation as a
client workstation is selected. Then click Next.

Figure 10-28. Selecting to Install a Client in a Security Enhanced System

378
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

10. The Load committed configuration install files dialog box appears as shown in
Figure 10-29.
Select the Use an Off-MESH Domain Controller radio button. Enter the IP
address for the Off-Control Network PDC. Enter the IP address and net mask for the
local Off-Control Network NIC card or select the Use DHCP check box. Click
Select.

Figure 10-29. Load Committed Configuration Install Files Dialog Box

NOTE
Control Core Services can only be installed to the D:\ drive.

11. Click Load to load the committed configuration files.


The browser for the folder containing the committed configuration install files opens,
as shown in Figure 10-30. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a floppy diskette, put
the diskette in the diskette drive (A:\) and click Use Diskette.

379
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 10-30 indi-
cates the number of the requested Commit diskette to the right of the Load button
(101 for the first diskette, 102 for the second, and so forth). Insert each diskette in
the set and click Load.

Figure 10-30. Installation Media Folder Browser

380
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

12. Once the Commit files have been loaded, click Bind as shown in Figure 10-31 to
launch the Control Core Services/I/A Series network installation.

Figure 10-31. Load Committed Configuration Install Files Dialog Box - Bind

NOTE
If after clicking the Bind button, the installation does not proceed and the Bind
button is still enabled, it is likely that the Off-Control Network NIC card was con-
figured with the desired IP address prior to running the Control Core Services
installation. If this is the case, reset the Off-Control Network NIC settings to use
DHCP and re-click the Bind button.

NOTE
If after clicking the Bind button, the install does not proceed and the Load button
is enabled, it is likely that there is a mismatch in the configuration between your
NIC hardware and your network system configuration. Verify and fix the commit-
ted configuration install files as necessary and reload these install files in order to
continue.

381
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

13. The dialog box shown in Figure 10-32 is displayed. Select the onboard NIC that
communicates with the PDC and the SDC on the secondary network (that is, the
Off-Control Network NIC). This NIC was set up on page 379. Then click Next.

! CAUTION
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation. Refer to the explanation on page 366 for the difference between the
NIC adapter device number and the local area connection number for a NIC.

NIC Adapter Device Number

NOTE: I/A Series Network Installation dialog box shown above is for an On-Control Network domain
client, and is provided to illustrate the concept of the NIC Adapter Device Number only.
Figure 10-32. I/A Series Network Installation (For Certain NIC Cards)

NOTE
For help in determining the correct network adapters) to select, click the Start
button and then select Control Panel -> Network and Internet -> Network
Connections. The Network Connections dialog box appears as shown in
Figure 10-33. Identify the NIC adapter device number for the NIC to be connected
to the Domain Controller’s network (it should have an entry in the Connectivity
column).
Note that the NIC Adapter Device Number indicated in Figure 10-32 aligns with
the NIC Adapter Device Number shown in Figure 10-33. This should not be
confused with the Local Area Connection number (shown in Figure 10-33).

382
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

Local Area Connection Number NIC Adapter Device Number


Indicates if there is a physical
cable connection to this NIC
Figure 10-33. Network Connections - Local Area Connection vs. NIC Adapter Device Number

14. Select the NICs) that communicate with the control network (that is, the On-Control
Network NICs). Then click Next.

Figure 10-34. I/A Series Network Installation (For Certain NIC Cards)

15. Click Next. The Ready to connect this workstation to the Control Core
Services/I/A Series domain dialog box appears as shown in Figure 10-35. Fill in the
Domain Controller IP Address of the PDC server, and verify the user account with
authorization to add stations to the domain.
♦ If “offmesh.local” is the name of your domain, enter the password and click
Authorize.

383
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

♦ If “offmesh.local” is not your domain, change the domain name, enter the pass-
word and click Authorize.

NOTE
There are instances in which “offmesh.local” will not be your domain, such as if
your domain controllers were migrated off of the control network.

NOTE
It may be necessary to use a different account in this dialog box if migrating to an
existing Off-Control Network domain. In this case, the Administrator account may
be necessary depending on how the “IA Installer” group member has been config-
ured.

Figure 10-35. Ready to Connect This Workstation to the Control Core Services/I/A Series Domain
Dialog Box

384
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

16. If the local system time does not match the PDC system time, the dialog box shown
in Figure 10-36 appears. Click OK. Fix the local system time to match the PDC time
(see “Workstation/Server Preparation” on page 351) and re-click Authorize.

Figure 10-36. Resetting UTC Date

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 10-37 is displayed. It is important to ensure that the
local and remote system times match (including date, time, AM/PM) before continu-
ing. Note that the checkbox displayed for some time zones which allows the system to
automatically adjust for Daylight Saving Time can affect the time displayed by the
system by one hour.

Figure 10-37. Unable to Determine Local Time

17. If SDC stations are planned for this Control Core Services system, expand the drop-
down list from “Select the Secondary Controller Domains” and select the Add Off-
Mesh entry. A dialog box opens in which the IP addresses for SDC stations can be set.
Enter each of the known SDC’s IP addresses and click Done.

385
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

Figure 10-38. Collecting SDC Machine Info

18. Click Set to choose the SDC stations in your list or Skip to choose no SDC station
IP addresses. If this station has more than one statically set NIC adapter, a message is
displayed indicating that the domain controller must have at least one NIC card con-
figured with a static IP address in order to continue the installation. Once the NIC
settings are corrected, click Set or Skip again to continue.
19. The “Select a Host Domain for this workstation and click Connect” area is added as
shown in Figure 10-39. If “offmesh.local” is not the name of your domain, change the
domain field as needed. Click Connect.

Figure 10-39. Select a Host Domain for this workstation and click Connect Area

386
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

20. If connected to the domain, the message shown in Figure 10-40 is displayed.

Figure 10-40. Workstation Reboot Request

Click Reboot. The following dialog box may appear to indicate that the station is
about to be rebooted. If it appears, click Close.

Figure 10-41. You Are About To Be Logged Off Dialog Box

21. When the station reboots, log into the domain using the “IAInstaller” account.
22. If the Workstation Reboot Request dialog box appears again (it will have text similar
to “A reboot or system logoff has been requested...”), click Finish.
Then you must reboot the station manually. Click the Start button and click Shut
Down; select Restart from the pull-down menu and click OK.
After the station reboots, log into the domain using the “IAInstaller” account.

387
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

23. The installation may restart automatically. In this case, you may have to wait for a few
minutes before the installation continues, and then click Next.

Figure 10-42. Welcome to the InstallShield Wizard for Foxboro Evo Control Core Services

If the installation does not continue automatically after a few minutes, navigate to the
DVD drive and double-click setup.exe. You may be prompted to set the IP Address
of the PDC, SDC, and local station again, as shown in Figure 10-29 “Load Commit-
ted Configuration Install Files Dialog Box” on page 379, and to set the domain name
as shown in Figure 10-35 “Ready to Connect This Workstation to the Control Core
Services/I/A Series Domain Dialog Box” on page 384.
Then you may have to reload the committed configuration files as shown in
Figure 10-30 “Installation Media Folder Browser” on page 380. After these files have
been reloaded, the installation process continues.

388
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

24. Click Install to run the installation process.

Figure 10-43. Ready to Install the Program

25. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 10-44 is displayed.
To install this package, insert the first OS1FDB package diskette and click Load. After
the first disk has been loaded, insert the second OS1FDB package diskette and click
Load.
To bypass the installation of this package, click Skip. The installation continues, but
this dialog box is displayed again for each of the OS1FDB stations configured on this
Foxboro station.

NOTE
This will occur one time for each OS1FDB station configured.

389
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

Figure 10-44. Installation Media Dialog Box

26. If you selected Load, the media folder browser opens.

Figure 10-45. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette must be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.

390
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

27. If you selected Use Diskette in the previous step, the dialog box in Figure 10-46
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
must be inserted in drive A:\.

Figure 10-46. Installation Media Dialog Box - For Diskettes

28. Click Finish when the installation process is complete.

NOTE
The DNS entries for the Off-Control Network NIC fail to set during the domain
client installation. After completing the Control Core Services installation, but
before rebooting the domain client, open the Off-Control Network NIC card set-
tings in the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box as fol-
lows:
Click the Start button and then click Control Panel -> Network and Sharing
Center. In the Tasks pane, click Change adapter settings. Right-click on the
adapter and click Properties.
In this same dialog box, select Internet Protocol Version 4 (TCP/IPv4) and
click Properties. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog
box, as shown in Figure 10-47, set the first DNS entry to be the IP address of the
Off-Control Network PDC station. Set all additional DNS entries to be the IP
addresses of the Off-Control Network SDC stations.

391
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

IP Address for Off-Control


Network PDC

IP Address for Off-Control


Network SDC

Figure 10-47. Setting Internet Protocol Version 4 (TCP/IPv4) Properties

At the end of the installation, the installation log is displayed.


You can view the installation log at any time by clicking the Start button and selecting
All Programs -> Invensys -> IASeries -> Utilities -> Log Viewer.

392
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

Figure 10-48. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.
29. Proceed to “Completing the Domain Client Installation” on page 399.

393
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

Installation Procedure for Pre-Existing Domain Clients


(I/A Series Software v8.5-v8.7) to Existing Off-Control Network
Domain Controllers
You can install a pre-existing domain client with I/A Series software v8.5-v8.7 and directly con-
nect it to an existing Off-Control Network domain as long as it has been migrated using the pro-
cedures detailed in Chapter 7 “Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary
Domain Controller on The Foxboro Evo Control Network”, Chapter 8 “Migrating I/A Series
Software v8.5/8.6/8.7 to a New Off-Control Network Primary Domain Controller” or Chapter 9
“Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-Control Network Primary
Domain Controller”.
Previously, Off-Control Network domains in I/A Series systems v8.5-8.7 were not supported.
However, you can use the installer on your existing CD labeled “I/A Series 8.5 XP Day 0 CD-
ROM” (K0174GD) to attach the domain client to a migrated Off-Control Network domain in a
Control Core Services v9.1.
For complete installation instructions, refer to the chapter “V8.5 I/A Series SE Software Installa-
tion for a Domain Client” in I/A Series 8.5 Software Installation Guide (B0700SB), available
through the Global Customer Support at https://support.ips.invensys.com.
Proceed as follows:
1. Before running the installer on your pre-existing domain client, set up a connection to
the Off-Control Network and set the IP address and DNS settings for the Off-Con-
trol Network NIC as described below.
Open the Internet Protocol (TCP/IP) Properties dialog box for the domain client’s
Off-Control Network NIC card as follows:
a. On the desktop, right-click My Network Places, and click Properties.
b. In the Network and Connections dialog box, right-click the Off-Control Network
NIC card, and click Properties.
c. In the card’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Proper-
ties. The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 10-49.
d. In the Internet Protocol (TCP/IP) Properties dialog box, set the TCP/IP address
and DNS server address to match the network settings of the target PDC (that is,
the PDF with Control Core Services v9.1 for the Off-Control Network network).
The preferred DNS server address should be the IP address of the target PDC.
If your system has an SDC, add the IP address of the SDC to the Alternate DNS
server field.

394
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

These should match the similar


settings in the Target PDC

IP Address of the Target PDC


If your system has an SDC,
add the IP address of the SDC
here

Figure 10-49. Internet Protocol (TCP/IP) Properties Dialog Box - Off-Control Network
NIC Card

2. If the pre-existing domain client was not a part of the original I/A Series configuration
prior to the migration of the target PDC, it may be necessary to add the domain cli-
ent to Active Directory. On the target PDC, in Active Directory Users and Comput-
ers, ensure that there is a computer account for the pre-existing domain client in the
“Pre-8.8 IA Computers” OU as shown in Figure 10-50.

395
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

Figure 10-50. Adding Pre-Existing Domain Client (I/A Series Software v8.5) to Active Directory

3. Proceed with the installation instructions in “Installation Procedure” in the chapter


“V8.5 I/A Series SE Software Installation for a Domain Client” in I/A Series 8.5 Soft-
ware Installation Guide (B0700SB) through Step 16 (which, in the current draft, is the
step which reads as follows: “After completing network setup, click Next on the
I/A Series Software Installation dialog box”).

396
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

4. At Step 16, when the “Ready to connect this workstation to the I/A Series domain”
page appears as shown in Figure 10-51, in the Domain Controller Letterbug field,
enter the IP address for the target PDC.
Also enter:
♦ In the Domain Admin Account field, the domain name and domain administra-
tor account name (created during the domain client’s former PDC’s installation)
♦ In the Domain Admin Password field, the domain administrator password (set
during the PDC server installation)

Figure 10-51. Domain Client Installation – Ready to Connect

5. Click Authorize.

397
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

6. Do not select any SDC stations. Select the Skip button when prompted, as shown in
Figure 10-52.

Figure 10-52. Connecting to the Control Core Services/I/A Series Domain

7. Click Connect.
8. A warning dialog box appears regarding the time on the domain client workstation
matching the time on the domain, as shown in Figure 10-53. Ensure the date and
time are correct to within five minutes before continuing. Perform the instructions
provided in Step 21 of “Installation Procedure” in I/A Series 8.5 Software Installation
Guide (B0700SB).

Figure 10-53. Unable To Determine Local Time

398
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

9. Continue with Step 22 of “Installation Procedure” in I/A Series 8.5 Software Installa-
tion Guide (B0700SB) and complete the installation procedure.

Completing the Domain Client Installation


Installing the Foxboro Evo Control Core Services v9.1 Trailer CD-ROM
To complete the installation of Control Core Services v9.1, you must install the V9.1 trailer CD-
ROM (K0174MZ-A). The trailer CD-ROM must be installed for stations running Windows 7 or
Windows Server 2008 R2 Standard operating systems:
1. Launch the trailer installation application (1250550.msi).
Insert the CD-ROM labeled “Foxboro Evo Control Core Services 9.1 Trailer CD-
ROM” (K0174MZ-A) into the station. Navigate to the CD-ROM with Windows
Explorer and double-click 1250550.msi to launch the installation.
2. Click Next and then click Install to start the installation process.
If the user currently logged in is not an administrator, a User Account Control (UAC)
prompt may appear. Click Yes to accept the UAC prompt.

NOTE
During the trailer installation, if the following message appears, “The Setup must
update files or services that cannot be updated while the system is running. If we
choose to continue, reboot will be required to continue the setup,” click OK. The
installation continues as normal. Do not reboot the station if you see this message.
This message is shown in the event that you are installing the trailer after booting
into the Control Core Services software (which you should not have done if you are
performing this procedure as written in this section).

3. When the installation is complete, click Finish.


4. If you are installing the trailer via a CD-ROM, remove the trailer CD-ROM.
5. Restart your station as described in the following section.

Restarting Your System


FoxView software may be installed prior to rebooting the workstation or server to eliminate one
reboot. Install FoxView™ and FoxDraw™ software from the FoxView/FoxDraw CD-ROM.
Refer to FoxView™ and FoxDraw™ Software V10.4.1 Release Notes (B0700SN) for installation
instructions.
Reboot the workstation at this time. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.

Non-Control Network Cables


If you unplugged any non-control network cables prior to performing the Day 0 installation, plug
in the non-control network cables at this time.

399
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

Configuring VirusScan Software


McAfee VirusScan V8.8i software is installed on your workstation. Refer to Appendix C “Exclud-
ing Files, Folders, and Drives” to exclude the recommended set of Control Core Services files
from scanning.

Installing Optional Software


After restarting the station following the Control Core Services installation, you may need to per-
form one or more of the following tasks:
1. If not already installed, install FoxView™ and FoxDraw™ software from the Fox-
View/FoxDraw CD-ROM. Refer to FoxView™ and FoxDraw™ Software V10.4.1
Release Notes (B0700SN) for installation instructions.
2. Install Wonderware® Historian according to the instructions provided in Foxboro Evo
Control Software Installation Guide (B0750RA). The Wonderware Historian may be
installed on workstations/servers with Control Core Services or on “off-platform”
workstations/servers that is, stations without Control Core Services.
-OR-
Install AIM*Historian® software according to the instructions provided with the
AIM*Historian media.
3. If desired, install Foxboro Evo™ Control Software according to the instructions pro-
vided with the Foxboro Evo Control Software Installation Guide (B0750RA). This may
include the Foxboro Evo Control Editors and Foxboro Evo Control HMI applica-
tions:
♦ Control HMI and all its components must be installed on workstations/servers
with Control Core Services installed.
♦ The Control Editors and Galaxy Repository may be installed on worksta-
tions/servers with Control Core Services or on “off-platform” workstations/servers
that is, stations without Control Core Services.
4. It is highly recommended that you install Ferret software after installing Control Core
Services v9.1. Refer to FERRET V5.5 (Windows® Platforms) and FERRET V4.5.3
(UNIX® Platforms) User’s Guide (B0860AZ) for installation instructions and FER-
RET V5.5 (Windows® Platforms) and FERRET V4.5.3 (UNIX® Platforms) Installa-
tion and Release Notes (B0860RH) for information on using the FERRET software.
These documents are available in PDF format on the FERRET CD-ROM.
5. Install any other software media for selected optional packages.

System Manager and System Management Display Handler


(SMDH) Installation Notes
NOTE
Skip this section for all Off-Control Network domain controllers.

Control Core Services system management is carried out by the operator primarily via the:
♦ System Manager, discussed in System Manager (B0750AP), or

400
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

♦ System Management Display Handler (SMDH), discussed in System Management


Displays (B0193JC).
Be aware of the following notes regarding the installation of these software packages.
♦ On servers/workstations configured with the SMDH package (ASMDW7), the Sys-
tem Manager will be installed. Uninstalling the System Manager through the
Programs and Features dialog box (accessed via the Control Panel) results in the
server/workstation defaulting to SMDH as the system management application.
♦ SMDH can only be invoked through FoxView. From the Control Core Services initial
display, access the SMDH displays from the System button on the FoxView main
window.
System Manager displays can be invoked directly, without the need for a separate
application.
Be aware that FoxView is not typically loaded on a domain controller. Invensys rec-
ommends the IAMESH only configuration on domain controllers, in which SMDH
or System Manager is not installed.
♦ On servers/workstations where System Manager is installed by the Day 0 installation
of Control Core Services, only the System Manager client is installed.

NOTE
The System Manager Server should be installed only if the IASVCS package is
assigned to the station.

To install the System Manager Server, proceed as follows


a. Insert the DVD labeled “Foxboro Evo Control Core Services v9.1 Day 0 DVD-
ROM” (K0174MS-A), if it is not already in the drive and open the folder
“\3rd_party\SystemManager”.
b. Double-click on setup.exe.
c. Click Next.
d. Keep the “Modify” choice selected (default) and click Next.
e. Under “System Manager Server”, select “This feature will be installed
on local hard drive”, as shown in Figure 10-54.

401
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

Figure 10-54. Installing System Manager Server

f. Click Next and then Install to install the System Manager Server.
♦ If the SMDH package was not configured and the System Manager client is not
installed, System Manager may be added by running the complete System Manager
installation process from the System Manager CD-ROM (K0201HU).

NOTE
The System Manager client is installed only if the IASVCS package is assigned to
the station.

♦ When logging into domain client workstations, a Control Core Services user account
should be used, which is a member of one of the standard Control Core
Services/I/A Series user groups such as IA Plant Engineers or IA Plant Operators.

! CAUTION
Logging on with the IAInstaller account will not result in the logon command run-
ning; FoxView will not start and Exceed will not be launched.

402
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

NOTE
On Foxboro Evo servers with Windows Server 2008 R2 Standard, FoxPanels
requires that the Beep Driver component be running to operate. If you have Fox-
Panels on this server, refer to “Installing the Beep Driver (Foxboro Evo Control
Core Services Servers with FoxPanels Only)” on page 31 for installation instruc-
tions.

Setting Date and Time


For an internally sourced Master TimeKeeper (MTK), set the local date and time with either Sys-
tem Manager (default) or SMDH.
For instructions on how to set the date and time with the System Manager, refer to the section
“Date and Time Tools” in System Manager (B0750AP).
For instructions on how to set the date and time with the System Management Display Handler
(SMDH), proceed as follows:
1. From the Control Core Services initial display, access System Management displays
from the System button on the FoxView main window.
2. From the System Monitor display, select the Time button to access the Set Date and
Time screen. Set the current date and time by clicking the appropriate arrows on the
screen. Click RETURN - SET.
For an active externally sourced MTK, the Set Date and Time display is unavailable. The date and
time are automatically established and synchronized by an external GPS satellite.
Refer to Time Synchronization User’s Guide (B0700AQ) for a complete description of the time
synchronization subsystem.

Domain Client Postinstallation Procedures


Changing Passwords
The local Administrator account password should be changed once the installation of the client
machine has been completed. The account name is IAManager and the initial password set for
the Invensys supplied workstation image is “Password1”. However, during the PDC installation,
you may have defined new passwords.
Perform the following steps:

403
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

1. Click the Start button and select Control Panel -> Administrative Tools ->
Computer Management. Right-click on the IAManager account and select Set
Password.

Figure 10-55. Resetting Passwords via Computer Management

2. Passwords changed in this manner will result in certain encrypted data becoming inac-
cessible. At this point, make sure there is no encrypted data stored under this user
account and click Proceed.

Figure 10-56. Resetting Password for IAManager

404
10. Security Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Clients or Connecting Security

3. Enter in the new password and confirm this entry. Any password entered after the
installation of the secure Control Core Services system must meet domain password
complexity requirements.

Figure 10-57. Confirming Password for IAManager

4. Click OK to set the password.

Re-Enabling the McAfee VirusScan Console


At the end of the installation process, you must re-enable McAfee VirusScan Console on all sta-
tions for which it was disabled - PDCs, SDCs, and domain clients. On each station, proceed as
follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. Right-click on Access Protection and select Enable.
4. Right-click on On-Access Scanner and click Enable.
5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 10-58.

405
B0700SS – Rev D 10. Security Enhanced Foxboro Evo Control Core Services

Figure 10-58. On-Access Scan Properties Dialog Box

6. Check the check-box labeled Enable on-access scanning at system startup


and click Apply.
7. Click OK to close this dialog box.

406
11. Release Update of I/A Series
Software v8.8 or Foxboro Evo
Control Core Services v9.0 to
v9.1 Including Optional Day 1
Installation
This chapter describes the procedure to upgrade I/A Series software v8.8 or Control Core
Services v9.0 to Control Core Services v9.1 through a release update or release update with Day
1.
Before upgrading I/A Series software v8.8 or Control Core Services v9.0 to Control Core Services
v9.1 through this installation procedure, the I/A Series software v8.8 or Control Core Services
v9.0 must already be installed on the station and be running. You must allow the software instal-
lation procedures to turn off the I/A Series software as required.

! CAUTION
Exiting or cancelling during the software installation process causes an incomplete
installation and may cause the station to become unstable. This requires that you
reload the operating system.

NOTE
Use the IAInstaller account for all installation tasks. However, due to the
permissions assigned to IAInstaller, do not use it for any other role, such as
operation of the station.

NOTE
If you are updating a workstation or server which is a member of an Off-Control
Network domain, perform the steps listed in Appendix K “Manual Update For
Group Policies on an Off-Control Network PDC” prior to installing updates to the
workstation’s or server’s domain client workstations.

407
B0700SS – Rev D 11. Release Update of I/A Series Software v8.8 or Foxboro

Upgrade Security Enhanced or Standard I/A Series


Software v8.8 or Foxboro Evo Control Core
Services v9.0 to v9.1 Including Day 1 Operations
To upgrade I/A Series software v8.8 or Control Core Services v9.0 to Control Core Services v9.1
including a Day 1 installation, first generate new Reconcile media for Control Core Services v9.1
via SysDef v3.1 or later. For information on using this software, refer to System Definition: A Step-
By-Step Procedure (B0193WQ, Rev. K or later).

NOTE
SysDef v3.2 (or later) is not included in I/A Series software v8.8 or Control Core
Services v9.0. To use it, you must first install it, as described in System Definition
Release Notes for Windows 7 and Windows Server 2008 (B0700SH, Rev. B or later).

Create Reconcile Media


This procedure is used to create the reconcile media and should be done first; it can be performed
from a single workstation. You will import the reconcile files into System Definition in order to
create Day 1 Commit installation media.
Perform the following steps to set up for reconciliation:
1. Open the I/A Series Reconcile Media Utility as follows. Open the Start menu and
select from the Start button -> All Programs -> Invensys -> IASeries -> Utili-
ties -> Reconcile.
2. Click Yes to accept the User Account Control (UAC), if prompted.
3. The I/A Series Reconcile Media Utility opens as shown in Figure 11-1.

408
11. Release Update of I/A Series Software v8.8 or Foxboro Evo Control Core Services v9.0 to v9.1 Including Optional

Figure 11-1. I/A Series Reconcile Media Utility

4. Click Get Standard Stations to get all reconcile files for standard Foxboro sta-
tions.
5. When prompted, fill in the Primary Domain Controller server name (Domain Con-
troller Name), Domain Name, Secure Username and Secure Password. If the domain
is Off-Control Network, the PDC station’s IP address should be provided instead of
the workstation name.

409
B0700SS – Rev D 11. Release Update of I/A Series Software v8.8 or Foxboro

6. Click Get SE Stations to get all reconcile files for security enhanced Control Core
Services stations using the provided credentials.

Figure 11-2. Get Security Enhanced Foxboro Evo Control Core Services Stations

7. Select the stations that need to be reconciled in the checklist box on the left-hand side
of the dialog box.
8. Select the appropriate radio button at the top of the dialog box: Create new
reconcile media or Appending to existing reconcile media.
9. Click Create to write to the media. The folder browser dialog box opens, as shown in
Figure 11-3.

410
11. Release Update of I/A Series Software v8.8 or Foxboro Evo Control Core Services v9.0 to v9.1 Including Optional

Figure 11-3. Select the Location Where You Want Your Reconcile Files Saved

10. If you want to write the installation files to a diskette, be aware that the diskette must
already be in a tar format.
To write to a tar format floppy diskette in the diskette drive (A:\), click Use
Diskette.
To write the installation files to a folder location, select a folder and click Select
Folder.
11. If you selected Appending to existing reconcile media in Step 8 and
Reconcile installation media (with media number 201) is not provided in the A:\
floppy drive, the dialog box shown in Figure 11-4 is displayed.

Figure 11-4. Try Another Diskette Warning

411
B0700SS – Rev D 11. Release Update of I/A Series Software v8.8 or Foxboro

12. Use the Reconcile media generated with this utility within System Definition to
update the Commit media.

Performing the Release Update


The following procedure performs the release update and optional Day 1 operations. Proceed as
follows:
1. Insert the Day 0 DVD in the workstation/server for which you want to perform the
release update.
2. Run setup.exe.
3. Click Yes to accept the User Account Control (UAC), if prompted.
4. If Control Core Services are running, the dialog box shown in Figure 11-5 is dis-
played.

Figure 11-5. Disable Control Core Services Drivers and Services

5. Click Yes and reboot the workstation manually. Click the Start button and select
Restart from the pull-down menu to the right of “Shut down” and click OK.
6. If this is a security enhanced installation, log into the iainstaller account.
7. Restart setup.exe after rebooting the workstation.

412
11. Release Update of I/A Series Software v8.8 or Foxboro Evo Control Core Services v9.0 to v9.1 Including Optional

The I/A Series Software Installation dialog box appears, as shown in Figure 11-6.

Figure 11-6. I/A Series Software Installation Dialog Box

413
B0700SS – Rev D 11. Release Update of I/A Series Software v8.8 or Foxboro

8. Select the Perform a Day 1 operation on this I/A Series workstation


(includes Release Update) bullet in the I/A Series Software Installation dialog
box, as shown in Figure 11-7.

Figure 11-7. Perform a Day 1 Operation on Workstation with Foxboro Evo


Control Core Services

9. Click Load to load the updated Commit files.

414
11. Release Update of I/A Series Software v8.8 or Foxboro Evo Control Core Services v9.0 to v9.1 Including Optional

10. Once the Commit files have been loaded, I/A Series Software Installation dialog box
appears as shown in Figure 11-8. Click Install.

Figure 11-8. Ready to Install on Workstation with Foxboro Evo Control Core Services

415
B0700SS – Rev D 11. Release Update of I/A Series Software v8.8 or Foxboro

11. The I/A Series Installshield Wizard appears as shown in Figure 11-9. Proceed through
the wizard to complete this operation.

Figure 11-9. I/A Series Installshield Wizard

The installation continues without user interaction until the end, when the log viewer
utility is displayed. You can view the installation log at any time by clicking the Start
button and selecting All Programs -> Invensys -> IASeries -> Utilities -> Log
Viewer.

416
11. Release Update of I/A Series Software v8.8 or Foxboro Evo Control Core Services v9.0 to v9.1 Including Optional

Figure 11-10. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.
12. Reboot the workstation. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.
13. Install the V9.1 trailer CD-ROM (K0174MZ-A) as described in “Installing the Fox-
boro Evo Control Core Services v9.1 Trailer CD-ROM” on page 399.

NOTE
A Day 1 installation should be performed on all Foxboro stations every time the
System Definition is changed.

Upgrade Security Enhanced or Standard I/A Series


Software v8.8 or Foxboro Evo Control Core Services
v9.0 to v9.1 Via Release Update
A station can also be upgraded from I/A Series software v8.8 or Control Core Services v9.0 to
Control Core Services v9.1 through a release update. Using this method, the I/A Series Software
Installation application updates any I/A Series software v8.8 files which changed in the Control

417
B0700SS – Rev D 11. Release Update of I/A Series Software v8.8 or Foxboro

Core Services v9.1 release. The release update also updates the System Manager in the same way
that a Day 1 installation will update it during an I/A Series software v8.8 or Control Core Services
v9.0 to Control Core Services v9.1 upgrade.
The release update does not update any of the separate applications, or install any new packages.
A release update only updates the existing packages that are already installed, in addition to Sys-
tem Manager if it is already installed.
Proceed as follows:
1. Insert the Day 0 DVD in the workstation/server for which you want to perform a
Day 1 installation.
2. Run setup.exe. If Control Core Services are running, the dialog shown in
Figure 11-11 is displayed.

Figure 11-11. Disable Control Core Services Drivers and Services

3. Click Yes and reboot the workstation manually. Click the Start button and click Shut
Down; select Restart from the pull-down menu and click OK.
Restart setup.exe after rebooting the workstation.

418
11. Release Update of I/A Series Software v8.8 or Foxboro Evo Control Core Services v9.0 to v9.1 Including Optional

The I/A Series Software Installation dialog box appears, as shown in Figure 11-12.

Figure 11-12. I/A Series Software Installation Dialog Box

419
B0700SS – Rev D 11. Release Update of I/A Series Software v8.8 or Foxboro

4. Select the Perform a Release Update operation on the I/A Series work-
station bullet in the I/A Series Software Installation dialog box, as shown in
Figure 11-13.

Figure 11-13. Perform a Release Update Operation on Workstation


with Foxboro Evo Control Core Services

5. Click Install.

420
11. Release Update of I/A Series Software v8.8 or Foxboro Evo Control Core Services v9.0 to v9.1 Including Optional

6. The I/A Series Installshield Wizard appears as shown in Figure 11-14. Proceed
through the wizard to complete this operation.

Figure 11-14. I/A Series Installshield Wizard

The installation continues without user interaction until the end, when the log viewer
utility is displayed. You can view the installation log at any time by clicking the Start
button and selecting All Programs -> Invensys -> IASeries -> Utilities -> Log
Viewer.

421
B0700SS – Rev D 11. Release Update of I/A Series Software v8.8 or Foxboro

Figure 11-15. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.
7. Reboot the workstation. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.
8. Install the V9.1 trailer CD-ROM (K0174MZ-A) as described in the following sec-
tion.

Installing the Foxboro Evo Control Core Services v9.1


Trailer CD-ROM
To complete the installation of Control Core Services v9.1, you must install the V9.1 trailer CD-
ROM (K0174MZ-A). The trailer CD-ROM must be installed for stations running Windows 7 or
Windows Server 2008 R2 Standard operating systems:
1. Launch the trailer installation application (1250550.msi).
Insert the CD-ROM labeled “Foxboro Evo Control Core Services 9.1 Trailer CD-
ROM” (K0174MZ-A) into the station. Navigate to the DVD with Windows
Explorer and double-click 1250550.msi to launch the installation.
2. Click Next and then click Install to start the installation process.
If the user currently logged in is not an administrator, a User Account Control (UAC)

422
11. Release Update of I/A Series Software v8.8 or Foxboro Evo Control Core Services v9.0 to v9.1 Including Optional

prompt may appear. Click Yes to accept the UAC prompt.

NOTE
During the trailer installation, if the following message appears, “The Setup must
update files or services that cannot be updated while the system is running. If we
choose to continue, reboot will be required to continue the setup,” click OK. The
installation continues as normal. Do not reboot the station if you see this message.
This message is shown in the event that you are installing the trailer after booting
into the Control Core Services software (which you should not have done if you are
performing this procedure as written in this section).

3. When the installation is complete, click Finish.


4. If you are installing the trailer via a CD-ROM, remove the trailer CD-ROM.
5. Reboot the workstation at this time. Click the Start button and click Shut Down;
select Restart from the pull-down menu and click OK.

423
B0700SS – Rev D 11. Release Update of I/A Series Software v8.8 or Foxboro

424
12. Upgrading Foxboro Evo Control
Core Services v9.1
(Day 1 Installation or Repair
Operation)
This chapter describes the procedure to upgrade Control Core Services v9.1 through a Day 1
installation.
Before performing this installation procedure, the Control Core Services must already be installed
on the workstation and be running. You must allow the software installation procedures to turn
off the Control Core Services as required.

! CAUTION
Exiting or cancelling during the software installation process causes an incomplete
installation and may cause the station to become unstable. This requires that you
reload the operating system.

NOTE
Use the IAInstaller account for all installation tasks. However, due to the
permissions assigned to IAInstaller, do not use it for any other role, such as
operation of the station.

Day 1 Operations (Standard or Security Enhanced


Foxboro Evo Control Core Services)
This procedure is only to create the reconcile files and should be done first; it can be performed
from a single workstation. Then, you will take the reconcile files to System Definition in order to
create a Day 1 Commit installation media. Then you will insert the Day 0 installation DVD.
Perform the following steps to set up for installation:
1. Open the I/A Series Reconcile Media Utility as follows. Open the Start menu and
select from the Start button -> All Programs -> Invensys -> IASeries -> Utili-
ties -> Reconcile.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. The I/A Series Reconcile Media Utility opens as shown in Figure 12-1.

425
B0700SS – Rev D 12. Upgrading Foxboro Evo Control Core Services v9.1 (Day 1 Installation or Repair Operation)

Figure 12-1. I/A Series Reconcile Media Utility

4. Click Get Standard Stations to get all reconcile files for standard Foxboro sta-
tions.
5. When prompted, fill in the Primary Domain Controller server name (Domain Con-
troller Name), Domain Name, Secure Username and Secure Password. If the domain
is Off-Control Network, the PDC station’s IP address should be provided instead of
the workstation name.

426
12. Upgrading Foxboro Evo Control Core Services v9.1 (Day 1 Installation or Repair Operation) B0700SS – Rev D

6. Click Get SE Stations to get all reconcile files for secure Control Core Services sta-
tions using the provided credentials.

Figure 12-2. Get SE Stations

7. Select the stations that need to be reconciled in the check-list box on the left-hand
side of the dialog box.
8. Select the appropriate radio button at the top of the dialog box: Create new
reconcile media or Appending to existing reconcile media.
9. Click Create to write to the media. The folder browser dialog box opens, as shown in
Figure 12-3.

427
B0700SS – Rev D 12. Upgrading Foxboro Evo Control Core Services v9.1 (Day 1 Installation or Repair Operation)

Figure 12-3. Select the Location Where You Want Your Reconcile Files Saved

10. If you want to write the installation files to a diskette, be aware that the diskette must
already be in a tar format.
To write to a tar format floppy diskette in the diskette drive (A:\), click Use
Diskette.
To write the installation files to a folder location, select a folder and click Select
Folder.
11. If you selected Appending to existing reconcile media in Step 8 and
Reconcile installation media (with media number 201) is not provided in the A:\
floppy drive, the dialog box shown in Figure 12-4 is displayed.

Figure 12-4. Try Another Diskette Warning

428
12. Upgrading Foxboro Evo Control Core Services v9.1 (Day 1 Installation or Repair Operation) B0700SS – Rev D

12. Use the Reconcile media generated with this utility within System Definition to
update the commit media.
13. Insert the Day 0 DVD in the workstation/server for which you want to perform a
Day 1 installation.
14. Run setup.exe. If Control Core Services are running, the dialog box shown in
Figure 12-5 is displayed.

Figure 12-5. Disable Control Core Services Drivers and Services

15. Click Yes and reboot the workstation manually. Click the Start button and click Shut
Down; select Restart from the pull-down menu and click OK.
Restart setup.exe after rebooting the workstation.

429
B0700SS – Rev D 12. Upgrading Foxboro Evo Control Core Services v9.1 (Day 1 Installation or Repair Operation)

The I/A Series Software Installation dialog box appears, as shown in Figure 12-6.

Figure 12-6. I/A Series Software Installation Dialog Box

430
12. Upgrading Foxboro Evo Control Core Services v9.1 (Day 1 Installation or Repair Operation) B0700SS – Rev D

16. Select the Perform a Day 1 operation on the I/A Series workstation
bullet in the I/A Series Software Installation dialog box, as shown in Figure 12-7.

Figure 12-7. Perform a Day 1 Operation on the Foxboro Evo workstation

17. Click Load to load the updated Commit files.

431
B0700SS – Rev D 12. Upgrading Foxboro Evo Control Core Services v9.1 (Day 1 Installation or Repair Operation)

18. Once the Commit files have been loaded, I/A Series Software Installation dialog box
appears as shown in Figure 12-8. Click Install.

Figure 12-8. Ready to Install on the Foxboro Evo Workstation

432
12. Upgrading Foxboro Evo Control Core Services v9.1 (Day 1 Installation or Repair Operation) B0700SS – Rev D

19. The I/A Series Installshield Wizard appears as shown in Figure 12-9. Proceed through
the wizard to complete this operation.

Figure 12-9. I/A Series Installshield Wizard

The installation continues without user interaction until the end, when the log viewer
utility is displayed. You can view the installation log at any time by clicking the Start
button and selecting All Programs -> Invensys -> IASeries -> Utilities -> Log
Viewer.

433
B0700SS – Rev D 12. Upgrading Foxboro Evo Control Core Services v9.1 (Day 1 Installation or Repair Operation)

Figure 12-10. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.
20. Reboot the workstation. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.

NOTE
A Day 1 installation should be performed on all Foxboro stations every time the
System Definition is changed.

Repair Operations (Standard or Security Enhanced


Foxboro Evo Control Core Services)
Control Core Services v9.1 can also be repaired directly from the I/A Series Software Installation
application. Using this method, the application updates any Control Core Services v9.1 files
which are found to be different than the files originally installed.
Proceed as follows:
1. Insert the Day 0 DVD in the workstation/server for which you want to perform a
Day 1 installation.

434
12. Upgrading Foxboro Evo Control Core Services v9.1 (Day 1 Installation or Repair Operation) B0700SS – Rev D

2. Run setup.exe. If Control Core Services are running, the dialog box shown in
Figure 12-11 is displayed.

Figure 12-11. Disable Control Core Services Drivers and Services

3. Click Yes and reboot the workstation manually. Click the Start button and click Shut
Down; select Restart from the pull-down menu and click OK.
Restart setup.exe after rebooting the workstation.

435
B0700SS – Rev D 12. Upgrading Foxboro Evo Control Core Services v9.1 (Day 1 Installation or Repair Operation)

The I/A Series Software Installation dialog box appears, as shown in Figure 12-6.

Figure 12-12. I/A Series Software Installation Dialog Box

436
12. Upgrading Foxboro Evo Control Core Services v9.1 (Day 1 Installation or Repair Operation) B0700SS – Rev D

4. Select the Perform a Repair operation on the I/A Series workstation


bullet in the I/A Series Software Installation dialog box, as shown in Figure 12-13.

Figure 12-13. Perform a Repair Operation on the Foxboro Evo Workstation

5. Click Install.

437
B0700SS – Rev D 12. Upgrading Foxboro Evo Control Core Services v9.1 (Day 1 Installation or Repair Operation)

6. The I/A Series Installshield Wizard appears as shown in Figure 12-9. Proceed through
the wizard to complete this operation.

Figure 12-14. I/A Series Installshield Wizard

The repair operation continues without user interaction until the end, when the log
viewer utility is displayed. You can view the installation log at any time by clicking the
Start button and selecting All Programs -> Invensys -> IASeries -> Utilities -
> Log Viewer.

438
12. Upgrading Foxboro Evo Control Core Services v9.1 (Day 1 Installation or Repair Operation) B0700SS – Rev D

Figure 12-15. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.
7. Reboot the workstation. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.

Performing a “Post-Commit for Pre-8.0”


NOTE
Do not install this software on workstations on the Foxboro Evo Control Network.
Perform this step on all Nodebus workstations after every Commit installation or
any installation where the workstation operating system is selected for installation.

The following procedure must be performed after a Day 1 installation procedure on all Nodebus
workstations (AP, AW, and WP) to add Control Core Services addressing information to the host
files on Nodebus components. To perform the Post-Commit for I/A Series software Pre-8.0,
install the Pre-V8.1 Compatibility Diskette on each Nodebus workstation.

439
B0700SS – Rev D 12. Upgrading Foxboro Evo Control Core Services v9.1 (Day 1 Installation or Repair Operation)

The following sections detail the steps for installing the disk on the two platforms.

Instructions for Windows Workstations


To execute the procedure on Nodebus (V6.x/V7.x, etc.) Foxboro workstations running the
Windows NT Workstation 4.0, Windows NT Server 4.0, Windows XP or Windows 7 operating
system:
1. Insert the K0173XN diskette.
2. Open a Command Prompt window, and type the following:
d:
ncenv
sh
tar xvf A: ./usr/fox/bin/mkhosts.sh
cd /usr/fox/bin
sh mkhosts.sh
3. A reboot of the workstation is not required.

Instructions for Solaris Workstations


To execute the procedure on Nodebus (V6.x/V7.x, etc.) I/A Series workstations running the
Solaris 2.5.1 or Solaris 2.8 (also referred to as “Solaris 8”) operating system:
1. Insert the K0173XN diskette.
2. Open a VT100 session, and type the following:
cd /
tar xvf /dev/fd0 ./usr/fox/bin/mkhosts.sh
cd /usr/fox/bin
mkhosts.sh
3. A reboot of the workstation is not required.

440
Appendix A. Startup Options
This appendix describes the startup options in Foxboro Evo workstations and servers.
For the startup options in Foxboro Evo workstations and servers, refer to:
♦ For standard Control Core Services installations - see “Control Core Services Startup
and Security Options” in Control Core Services v9.1 Release Notes (B0700SR)
♦ For security enhanced Control Core Services installations - see “I/A Series Startup and
Security Options” in Security Enhancements User's Guide for I/A Series Workstations
with Windows 7 or Windows Server 2008 Operating Systems (B0700ET)

441
B0700SS – Rev D Appendix A. Startup Options

442
Appendix B. Changing the Station
Name
This appendix describes how to change a station’s name.
The Windows workstation or server name must match the workstation or server letterbug name
as it was configured in SysDef and saved onto your Commit installation media before you install
the Control Core Services. For systems with multiple workstations or servers, you must change
the default workstation/server names.
The Foxboro Evo workstation/server letterbug is an uppercase six-character alphanumeric work-
station name recognized by the Control Core Services. The letterbug is defined during System
Definition and is written to the Commit installation media.
To make your workstation or server letterbug name match your host name, perform the following
procedure:
1. Click the Start button and click Control Panel.
2. In the Control Panel group, double-click System. The System Properties dialog box
opens.

443
B0700SS – Rev D Appendix B. Changing the Station Name

3. Click Advanced system settings in the left pane of the System window.

Figure B-1. System Window

444
Appendix B. Changing the Station Name B0700SS – Rev D

4. In the System Properties dialog box, select the Computer Name tab (Figure B-2).

Figure B-2. Computer Name Tab in the System Properties Dialog Box

445
B0700SS – Rev D Appendix B. Changing the Station Name

5. In the Computer Name tab, click Change. The Computer Name Changes dialog box
opens (Figure B-3).

Type in station letterbug;


for example, INF1AW

Figure B-3. Computer Name Changes Dialog Box

6. In the Computer Name Changes dialog box, click Computer Name and (using all
uppercase characters) change the name to the applicable letterbug assignment on the
Commit. Click OK.

NOTE
The Computer Name field must contain six (6) uppercase characters and numbers.

7. Click Workgroup in the “Member of ” section of the Computer Name Changes dialog
box and ensure that the workgroup name is WORKGROUP. (see Figure B-3).
8. In the Computer Name Changes dialog box, click OK.
9. Click OK to close the System Properties dialog box.

446
Appendix B. Changing the Station Name B0700SS – Rev D

10. A message box opens asking if you want to restart your computer. Click OK.

Figure B-4. Restarting Your Computer To Apply Changes

11. When the system restarts, it logs you on as “Fox”. Proceed with Control Core Services
installation.

447
B0700SS – Rev D Appendix B. Changing the Station Name

448
Appendix C. Excluding Files,
Folders, and Drives
This appendix provides procedures for excluding files, folders and drives from the McAfee
VirusScan Enterprise + AntiSpyware Enterprise software.
The following files and folders must be excluded on Foxboro H91/P91 and H92/P92
workstations:

Table C-1. McAfee VirusScan Enterprise + AntiSpyware Enterprise Exclusion List

Exclude
File or Folder to Exclude Subfolders?
D:\usr\fox\exten\dcisrvr.exe No
D:\usr\fox\exten\fbmload.exe No
D:\usr\fox\exten\rls.exe No
D:\usr\fox\exten\romload_srvr.exe No
D:\usr\fox\sp\files\iom* No
D:\usr\fox\exten\om_impdb.exe No

For each file listed above, proceed as follows to exclude these files:
1. Double-click the VirusScan icon in the system tray to bring up the VirusScan Status
window.

449
B0700SS – Rev D Appendix C. Excluding Files, Folders, and Drives

2. Click on the Properties button in the VirusScan Status window.

Figure C-1. On-Access Scan Statistics Dialog Box

450
Appendix C. Excluding Files, Folders, and Drives B0700SS – Rev D

3. Select the All Processes icons in the left pane.

Figure C-2. On-Access Scan Properties Dialog Box - Selecting All Processes

451
B0700SS – Rev D Appendix C. Excluding Files, Folders, and Drives

4. Click the Exclusions tab, and then click Exclusions to open the Set Exclusions
dialog box. Initially, the Set Exclusions dialog box appears blank, indicating that no
files are excluded from scanning.

Figure C-3. On-Access Scan Properties Dialog Box - Exclusions Tab

452
Appendix C. Excluding Files, Folders, and Drives B0700SS – Rev D

5. Click Add to open the Add Exclusion Item dialog box.

Figure C-4. On Access Scan Properties Dialog Box - Exclusions Tab

6. In the What to exclude area, select By name/location.


a. Specify the name or location. For particular files listed above, enter the full-path of
the file, or click Browse. To exclude all iom files, enter
D:\usr\fox\sp\files\iom*.

Figure C-5. Add Exclusion Item

453
B0700SS – Rev D Appendix C. Excluding Files, Folders, and Drives

7. In the When to exclude area, specify when to exclude the items from scanning.
Choose On read and On write.
8. Click OK to save your changes and return to the Set Exclusions dialog box.

Figure C-6. Set Exclusions

9. Click OK to close the Set Exclusions dialog box.


10. Click OK to close the On-Access Scan Properties dialog box.
For more information, refer to McAfee VirusScan® and AntiSpyware Enterprise 8.8i Installation
(B0700EQ).

454
Appendix D. Secondary Domain
Controllers in a Foxboro Evo System
This chapter details the installation and configuration procedures for the security enhancements
provided for Control Core Services v9.1 or later systems, which may also include Foxboro Evo
Control Software v5.0 or later software.
In the security-enhanced Control Core Services system, the secondary domain controller (SDC)
functions as a backup to the primary domain controller (PDC) server for both Active Directory
and DNS services. This means that if the PDC becomes unavailable for any reason, the SDC pro-
vides such functions as:
♦ Servicing log on requests to the Foxboro network
♦ Allowing for the creation, deletion, and modification of user accounts
♦ Servicing DNS name resolution requests
Some functionality will be unavailable or may be limited during the time that a PDC is offline
and the SDC has not been promoted to PDC. This includes, but is not limited to:
♦ Domain schema cannot be extended.
♦ New SDC workstations cannot be added to the domain.
♦ Ability to add users and computers to the domain may be limited.
♦ Group polices cannot be edited.
It is recommended that the PDC remain the PDC and all SDC stations remain as SDC stations
once the security-enhanced Control Core Services system has been installed. If a PDC is unavail-
able for a short period of time (e.g. less than a week), it is highly recommended that an SDC is
not promoted to take over the role of PDC. This is because the offline PDC will not be automat-
ically demoted to be an SDC. During this time when the PDC is offline, do not add any new sta-
tions. When the PDC comes back online, there would be two primary domain controllers, one of
which must then be demoted.

! CAUTION
Bringing up two PDC stations on the Control Core Services system must be
avoided.

Active Directory Operations Master Roles


If there is a need to promote an SDC to become the PDC, it is always better to do this while the
PDC is still available. This is the preferred method for passing primary domain controller func-
tionality to a different server on the Control Core Services system, so that the primary domain
controller will automatically be demoted to a secondary domain controller.
There are five Flexible Single Master Operation (FSMO) roles which are transferable between
domain controllers within an Active Directory domain or forest:

455
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

♦ RID (Relative ID) Master


♦ PDC Emulator
♦ Infrastructure Master
♦ Domain Naming Master
♦ Schema Master
Note that these roles are also referred to as “operations master” roles. The steps in the next section
provide a method for transferring all five roles from the PDC to one of the SDC servers.

Transferring the Operations Master Roles


In this procedure, the example name of the PDC is “NESRV5” while the example name of the
SDC is “NESRV4”. The transfer procedure is illustrated in Figure D-1.

Server 1 (NESRV5) Role Server 2 (NESRV4) Role

Primary Domain Secondary Domain


Controller Controller

FSMO roles are transferred to


existing Secondary Domain Secondary Domain Primary Domain
Controller Controller Controller

Figure D-1. Transferring FSMO Roles

Proceed as follows to transfer the domain controller roles from a working PDC to an existing sec-
ondary domain controller:
1. To transfer the RID Master, PDC Emulator, and Infrastructure Master FSMO roles:
a. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers.
b. Open Active Directory Users and Computers in the left-hand tree view
and open the domain (iaseries.local) -> Invensys -> Accounts -> Users ->
Administrators. In the right-hand pane, right-click IADomainAdmin and select
Properties.

456
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

Figure D-2. Active Directory Users and Computers - IADomainAdmin

c. In the Properties dialog box, select the Member Of tab.

457
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

Figure D-3. IADomainAdmin Properties Dialog Box

d. Click the Add button.


e. Type in the text “Schema” and click the Check Names button.
f. Select the desired user group (i.e. Schema Admins).

458
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

Figure D-4. Select groups Dialog Box

g. Click OK and then click OK again on the Properties dialog box.


h. Right-click on Active Directory Users and Computers in the left-hand tree
view and select Change Domain Controller.

Figure D-5. Active Directory Users and Computers - Connect to Domain Controller

i. Select the domain controller which is to become the new PDC. Click OK.

459
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

Figure D-6. Connect to Domain Controller Dialog Box

460
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

j. Right-click on Active Directory Users and Computers in the left-hand tree


view and select All Tasks -> Operations Masters.

Figure D-7. Active Directory Users and Computers - Set Operations Masters

461
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

k. Select the RID tab and click the Change button.

Figure D-8. Operations Master Dialog Box

l. Click Yes to confirm the change.

Figure D-9. Operations Master - Confirm Transfer

m. Select the PDC tab and click the Change button.


n. Click OK to confirm the change.

462
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

Figure D-10. Operations Master - Confirm Change

o. Select the Infrastructure tab and click the Change button.


p. Click OK to confirm the change.
2. To transfer the Domain Naming Master FSMO role:
a. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Domains and Trusts.
b. Right-click on Active Directory Domains and Trusts in the left-hand tree
view and select Change Active Directory Domain Controller.

Figure D-11. Active Directory Domains and Trusts - Connect to Domain Controller

c. Select the domain controller which is to become the new PDC.

463
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

Figure D-12. Active Directory Domains and Trusts - Selecting Domain Controller to Become
The New PDC

464
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

d. Right-click on Active Directory Domains and Trusts in the left-hand tree


view and select Operations Master.

Figure D-13. Active Directory Domains and Trusts - Set Operations Masters

e. Press the Change button.

Figure D-14. Change Operations Master

f. Click Yes to confirm the change.

465
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

Figure D-15. Active Directory Domains and Trusts - Confirm Yes

g. Click OK.

Figure D-16. Active Directory Domains and Trusts - Confirm OK

3. To transfer the Schema Master FSMO role:

NOTE
This procedure can only be completed by a schema administrator. By default, the
only user with schema administrator privileges is the system administrator (i.e., the
user account which is named IAManager at the time the workstation is first
installed).

a. Open a command prompt. From the Start menu, click Programs -> Accesso-
ries -> Command Prompt.
b. In the command prompt, type regsvr32 schmmgmt.dll and press <Enter>.
This will register the Scheme Management DLL.

466
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

Figure D-17. Command Prompt - regsvr32 schmmgmt.dll

c. Click OK to confirm the operation completed successfully.

Figure D-18. Confirm Operation

d. Open the Run window, type MMC and press <Enter>. This will open the Micro-
soft Management Console.

Figure D-19. Confirm Operation

e. Select Add/Remove Snap-In from the File menu.

467
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

Figure D-20. Microsoft Management Console - Selecting Add/Remove Snap-In

4. From Available Snap-ins, select Active Directory Schema and click Add.

468
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

Figure D-21. Add or Remove Snap-Ins Dialog Box

5. Click OK.

469
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

Figure D-22. Add or Remove Snap-Ins Dialog Box

470
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

f. Right-click on Active Directory Schema in the left-hand tree view and select
Change Active Directory Domain Controller.

Figure D-23. Microsoft Management Console - Selecting Change Domain Controller

g. Select the domain controller which is to become the new PDC.

Figure D-24. Change Domain Controller

471
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

h. Right-click on Active Directory Schema in the left-hand tree view and select
Operations Master.

Figure D-25. Microsoft Management Console - Selecting Operations Master

i. Click OK.

Figure D-26. Change Domain Controller

j. Click the Change button.

472
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

Figure D-27. Change Schema Master Dialog Box

k. Click Yes to confirm the change.

Figure D-28. Active Directory Domains and Trusts - Confirm Yes

l. Click OK.

Figure D-29. Active Directory Domains and Trusts - Confirm OK

473
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

Seizing Active Directory Operations Master Roles


In the event that the PDC is no longer available, one of the SDCs may still be promoted to be a
primary domain controller. To do this, follow the procedure below to seize the domain controller
roles for an existing SDC. This procedure provides a method for seizing all five roles and assigning
them to one of the SDC servers, and is illustrated in Figure D-30.

Server 1 (NESRV5) Role Server 2 (NESRV4) Role

Primary Domain Secondary Domain


Controller Controller

Unavailable
PDC is unavailable due to
a hardware or software failure. Primary Domain Secondary Domain
Controller Controller

Unavailable
FSMO roles are seized by the
existing SDC. This server Primary Domain Primary Domain
becomes the Primary Domain Controller Controller
Controller.

Figure D-30. Seizing FSMO Roles

NOTE
This is a last-resort measure that should only be taken if the PDC holding the roles
will not be able to be restored. Once you perform this procedure, you will not be
able to bring the PDC back online without first removing its installation of Active
Directory. (This is discussed in a later section.)

To seize the Active Directory roles because the PDC will no longer be available:
1. On the SDC server which will become the PDC, open the Run window, type ntdsu-
til and press <Enter>. This starts the Active Directory Services Maintenance Utility.

474
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

Figure D-31. Role Seizure Confirmation Dialog Box

2. Type roles and press <Enter>.


3. At the fsmo maintenance: prompt, type connections and press <Enter>.
4. At the server connections: prompt, type connect to server <servername> and
press <Enter>. In this case, <servername> is the name of the SDC being promoted
to PDC.
5. At the server connections: prompt, type q and press <Enter>.
6. At the fsmo maintenance: prompt, type seize naming master and press <Enter>.
7. At the fsmo maintenance: prompt, type seize infrastructure master and press
<Enter>.
8. At the fsmo maintenance: prompt, type seize PDC and press <Enter>.
9. At the fsmo maintenance: prompt, type seize RID master and press <Enter>.
10. At the fsmo maintenance: prompt, type seize schema master and press <Enter>.
During each role seizure call, the Active Directory Services Maintenance Utility will
attempt to transfer the role by contacting the PDC. A time-out will occur while this
happens, followed by an error message. A dialog will appear, asking to confirm the sei-
zure of the role. Click Yes to seize the role.

Figure D-32. Role Seizure Confirmation Dialog Box

475
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

The full text of the above operation should appear similar to the following in the com-
mand prompt window. Text in bold is the text entered by the user.

C:\Windows\system32\ntdsutil.exe: roles
fsmo maintenance: connections
server connections: connect to server NESRV4.iaseries.local
Binding to NESRV4.iaseries.local ...
Connected to NESRV4.iaseries.local using credentials of locally logged on
user.
server connections: q
fsmo maintenance: seize naming master
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210397, problem
5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The


current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure ...
Server "NESRV4.iaseries.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=
Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance: seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210397, problem
5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The


current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "NESRV4.iaseries.local" knows about 5 roles

476
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

Schema - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=


Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance: seize PDC
Attempting safe transfer of PDC FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210581, problem
5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The


current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of PDC FSMO failed, proceeding with seizure ...
Server "NESRV4.iaseries.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=
Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance: seize RID master
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210CB1, problem
5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The


current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure ...
Searching for highest rid pool in domain
Server "NESRV4.iaseries.local" knows about 5 roles

477
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

Schema - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=


Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210CB1, problem
5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The


current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure ...
Searching for highest rid pool in domain
Server "NESRV4.iaseries.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=
Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210397, problem
5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The


current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
Server "NESRV4.iaseries.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=
Configuration,DC=iaseries,DC=local

478
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=


Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance:

Restoring a PDC Server Station


If the PDC station which had its roles seized becomes available later (e.g., through a hardware fix
or a ghost image restore), it cannot be returned to the Foxboro network until it has had its Active
Directory removed. This is due to the fact that the software on that station is still configured to be
the primary domain controller.
The instructions to remove Active Directory from this workstation before placing it back on the
Foxboro network are provided below. This procedure is illustrated in Figure D-33.

479
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

Server 1 (NESRV5) Role Server 2 (NESRV4) Role

Unavailable
Primary Domain Controller
(PDC) NESRV5 is unavailable. Primary Domain Primary Domain
NESRV4 has seized FSMO Controller Controller
roles and is the only PDC on
the system.
Disconnected from
Foxboro Network
and Restarted
NESRV5 is physically
disconnected from the Primary Domain Primary Domain
Foxboro network prior Controller Controller
to restarting.

Connected to
Foxboro Network
Active Directory is removed
from NESRV5 and it is No Longer a Primary Domain
reconnected to the Foxboro Domain Controller Controller
network.

Active Directory is restored


on NESRV5 which is now Secondary Domain Primary Domain
a Secondary Domain Controller Controller Controller
on the Foxboro network.

Optional - Transfer FSMO


roles back to the original
Primary Domain Secondary Domain
PDC server (NESRV5).
Controller Controller

Figure D-33. Restoring FSMO Roles to a Primary Domain Controller That Had Its Roles Seized

Alternatively, you can remove and restore the Active Directory by reinstalling the operating system
and Control Core Services on this workstation. (This is a longer and more complicated procedure
than the one described in Figure D-33 but it is a viable alternative.) To accomplish this, com-
pletely reload this workstation from the base Invensys-provided Day 0 workstation image and fol-
low the instructions for installing a secondary domain controller provided in Chapter 4 “Security
Enhanced Foxboro Evo Control Core Services v9.1 Installation for Domain Controllers on The
Foxboro Evo Control Network” or Chapter 5 “Security Enhanced Foxboro Evo Control Core Ser-
vices v9.1 Installation for New Off-Control Network Domain Controllers”. Once this worksta-
tion is completely installed as an SDC, follow the procedure listed below for promoting this
workstation to be the PDC while the existing primary domain controller is still available to be
demoted.

480
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

Proceed as follows:
1. Start the server up while physically disconnected from the Foxboro network.
2. Click the Start button and select Control Panel -> Administrative Tools ->
Services, stop the Net Logon service.
3. Open the Run window, type dcpromo /forceremoval. Press <Enter>.

Figure D-34. Invoking dcpromo /forceremoval

4. If this server previously held all five FSMO roles, six warnings will be displayed; one
for each role previously held and one additional warning is displayed for the data held
in Active Directory for the DNS server. Acknowledge each warning as they are dis-
played to continue. See Figure D-35 through Figure D-37.

Figure D-35. Acknowledging Warnings - Part 1

481
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

Figure D-36. Acknowledging Warnings - Part 2

482
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

Figure D-37. Acknowledging Warnings - Part 3

483
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

5. At the following dialog box, click Next.

Figure D-38. Active Directory Installation Wizard - Welcome

484
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

6. Click Next.

Figure D-39. Active Directory Installation Wizard - Force Removal

7. Click OK.

Figure D-40. Active Directory Installation Wizard -Acknowledge

485
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

8. Enter an Administrator account password for the new local Administrator account on
this server. The name of this account will be Administrator which is different from
the account name originally created by the Control Core Services installation. This
account name can be changed later through the standard Microsoft dialog boxes.
Click Next.

Figure D-41. Active Directory Installation Wizard - Administrator Password

486
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

9. Click Next.

Figure D-42. Active Directory Installation Wizard - Summary

487
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

10. Wait while the configurator reads the domain policy.

Figure D-43. Active Directory Installation Wizard - Reading Domain Policy

11. Click Finish when the process completes.

Figure D-44. Active Directory Installation Wizard - Completed

488
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

12. Physically reconnect the workstation to the Foxboro network.


13. Restart the workstation.

Figure D-45. Active Directory Installation Wizard - Restarting the Computer

14. This workstation must be manually added back onto the domain. Use the IADomain-
Admin account along with the password entered above to log onto the workstation.

Figure D-46. Windows Security - Logging in IADomainAdmin

15. Click the Start button and select Control Panel -> System. From the System win-
dow, select Advanced system settings from the left-hand pane. Click the Change
button on the System Properties dialog box.
16. Select the Domain radio button and enter the domain name.
17. A dialog box will indicate that the computer has been added to the domain. Click OK.

489
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

Figure D-47. Windows Security - Logging in IADomainAdmin

18. A dialog box will indicate that the computer must be restarted. Click OK.

Figure D-48. Windows Security - Logging in IADomainAdmin

19. Click Restart Now to have the workstation restart.

Figure D-49. Windows Security - Logging in IADomainAdmin

20. If this workstation must be reloaded as a primary or secondary domain controller, the
dcpromo utility can be used to reinstall Active Directory. The remaining steps below
describe reloading Active Directory on the failed server.
Open the Run windows, and type dcpromo. Press <Enter>.

490
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

Figure D-50. Invoking dcpromo

21. Click Next.

Figure D-51. Active Directory Installation Wizard - Welcome

491
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

22. Click Next.

Figure D-52. Active Directory Installation Wizard - Operating System Compatibility

492
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

23. Select the second radio button indicating that this is an additional domain controller
for an existing domain and click Next.

Figure D-53. Active Directory Installation Wizard - Domain Controller Type

493
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

24. Enter the domain name and click Next.

Figure D-54. Active Directory Installation Wizard - Additional Domain Controller

494
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

25. Select the forest root domain name and click Next.

Figure D-55. Active Directory Installation Wizard - Forest Root Domain

495
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

26. Select the site for the new domain controller and click Next.

Figure D-56. Active Directory Installation Wizard - Site for New Domain Controller

496
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

27. Click Next.

Figure D-57. Active Directory Installation Wizard - Additional Domain Controller Options

497
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

28. Click No, I will assign static IP addresses to all physical network
adapters.

Figure D-58. Static IP Assignment

29. Click Yes.

Figure D-59. Active Directory Installation Wizard - Continue

498
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

30. Keep the default folder paths. Click Next.

Figure D-60. Active Directory Installation Wizard - Database and Log Folders

499
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

31. Enter a restore mode password and confirm. Click Next.

Figure D-61. Active Directory Installation Wizard - Restore Mode Administrator Password

500
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

32. Click Next to confirm your choices.

Figure D-62. Active Directory Installation Wizard - Summary

501
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

33. Wait while the wizard configures the Active Directory Domain Services.

Figure D-63. Active Directory Installation Wizard - Configuring

34. Click Finish when done.

Figure D-64. Active Directory Installation Wizard - Complete

502
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

35. Allow the computer to restart.

Figure D-65. Restarting the Computer

36. Reboot the server and log in with a domain administrator user account.
37. Click the Start button and select Control Panel -> Administrative Tools ->
DNS.
38. Right-click on each forward and reverse lookup zone and select Properties. There
should be three in total.

Figure D-66. DNS Management - Selecting Lookup Zone Properties

503
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

39. Check the Allow Zone Transfers checkbox and select the second radio button
choice to allow transfers only to servers listed on the Name Server tab. Click OK.

Figure D-67. Zone Properties Dialog Box

40. The server may now be restored as a PDC or be left as an SDC station. To make this
server a PDC, refer to “Transferring the Operations Master Roles” on page 456 to
transfer domain controller roles from one domain controller to another.
When you have completed the restoration, verify that the SDC is working properly, as discussed
in the next subsection.

Verifying Domain Controller Backup Functionality


Once a Control Core Services system has been installed with both a primary and secondary
domain controller, verify that the backup functionality is working properly.
To test that the SDC is servicing logon requests and allowing for the creation of new user
accounts while the PDC is offline, proceed as follows:
1. Create a new user account on the SDC while the PDC is offline.
2. Add this user account to one of the standard Control Core Services groups (for exam-
ple, IA Plant Operators).

504
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

3. Use this new user account to log onto one of the client workstations.
To test that the SDC is servicing DNS name resolution requests while the backup is offline, pro-
ceed as follows:
1. Open a command prompt on one of the client workstations.
2. With the PDC still connected to the network, type nslookup and press <Enter>.
3. With the PDC still connected to the network, in the command prompt, type
“nslookup <CLIENT2>”, where <CLIENT2> is another client station on the domain.
The IP address of the second client will be retrieved from the primary DNS server
(NESRV5.iaseries.local in this case) to verify that the PDC is no longer available
4. Type “nslookup <CLIENT2> <SDCStationName>” to verify tat the SDC responds to
the DNS request.

Figure D-68. nslookup for Client Stations (NESRV5.iaseries.local)

5. Disconnect the PDC from the network.


6. Open a command prompt on one of the client workstations.
7. With the PDC disconnected from the network, type nslookup and press <Enter>.
8. Type <CLIENT2>, where <CLIENT2> is another client on the domain. The IP address
of the second client will be retrieved from the secondary DNS server
(NESRV4.iaseries.local in this case).

505
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

Figure D-69. nslookup for Client Stations (NESRV4.iaseries.local)

9. In the event that this does not work with the PDC disconnected, it is possible that the
NIC card settings were not made for the SDC when the Control Core Services was
installed. On every workstation, the SDC IP addresses should be configured as sec-
ondary DNS locators. The NIC settings should appear as shown in Figure D-70 for a
client workstation on a system with a primary and one secondary DNS server. These
settings are only necessary for the FoxInt NDIS Intermediate Miniport Drive. In this
case, 151.128.152.205 is for the PDC and 151.128.152.209 is for the SDC.

506
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

Figure D-70. Typical NIC Settings for a Client Workstation on a System with a Primary and
One Secondary DNS Server

Removing Domain Controller Functionality from a


Workstation
In the event that a domain controller must have Active Directory removed, it is always recom-
mended that the Microsoft dcpromo utility be used to perform this operation.
1. Click the Start button and select Control Panel -> Administrative Tools ->
Services. Stop the Net Logon service.

507
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

2. From the Run window, enter dcpromo. Click OK.

Figure D-71. Starting the Active Directory Installation Wizard

3. Click Next.

Figure D-72. Active Directory Installation Wizard - Welcome

508
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

4. Click OK to the following warning. The SDC is also a Global Catalog provider.

Figure D-73. Active Directory Installation Wizard - Global Catalog Provider Warning

5. Leave un-checked the check box indicating that this is the last domain controller in
the domain. Click Next.

Figure D-74. Active Directory Installation Wizard - Remove Active Directory

509
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

6. Enter an Administrator account password for the new local Administrator account on
this server. The name of this account will be Administrator which is different from
the account name originally created by the Control Core Services installation. This
account name can be changed later through the standard Microsoft dialog boxes.
Click Next.

Figure D-75. Active Directory Installation Wizard - Administrator Password

510
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

7. Click Next.

Figure D-76. Active Directory Installation Wizard - Summary

511
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

8. Wait while the wizard configures the Active Directory Domain Services.

Figure D-77. Active Directory Installation Wizard - Configuring

9. Click Finish when the process completes.


10. Restart the computer.

Figure D-78. Active Directory Installation Wizard - Restarting the Computer

Forcefully Removing a Domain Controller from


Active Directory
In the event that a domain controller has failed and will not be restored from a saved image,
remove this domain controller from the Active Directory domain with the following procedure.
This procedure will not successfully remove a domain controller if it holds one or more of the
FSMO roles. These roles must be transferred to another domain controller before proceeding, as
discussed in “Transferring the Operations Master Roles” on page 456.
If the domain controller is not available, the master roles cannot be transferred. In this case, refer
to “Seizing Active Directory Operations Master Roles” on page 474.

512
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

Proceed as follows:
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers.
2. Navigate to the Domain Controllers entry in the tree view under the domain
name.
3. Right-click on the domain controller connection in the right-hand pane to remove
and select Delete.

Figure D-79. Active Directory Users and Computers - Delete a Domain Controller Connection

4. Click Yes to confirm.

Figure D-80. Active Directory Users and Computers - Delete Confirmation

513
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

5. Right-click on the domain controller settings to remove in the left-hand pane and
select Delete.

Figure D-81. Active Directory Users and Computers - Delete a Domain Controller Settings

6. Click Yes to confirm.

Figure D-82. Active Directory Users and Computers - Delete Confirmation

514
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

7. When the following warning appears, select Delete.

Figure D-83. Active Directory Users and Computers - Deleting a Domain Controller

8. Right-click on the server to remove in the left-hand pane and select Delete.

Figure D-84. Active Directory Users and Computers - Delete a Server

9. Click Yes to confirm.

515
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

Figure D-85. Active Directory Users and Computers - Delete Confirmation

10. If this workstation is to be added back to the system as a domain client, this worksta-
tion name must be added manually to the list of IA Computers in Active Directory.
Navigate to the IA Computers entry in the tree view under the domain name.
11. Right-click on IA Computers and select New -> Computer.

Figure D-86. Active Directory Users and Computers - Creating New Computer Account

516
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

12. Enter the name of the Foxboro Evo workstation and click OK.

Figure D-87. New Object - Computer Dialog Box

Restoring Connections on a Single Domain Controller


System
If the PDC becomes unavailable and there are no SDCs on the Control Core Services system, the
original PDC may be reloaded from a ghost image or reloaded from the base Invensys-provided
Day 0 workstation images. However, the functionality of the Control Core Services system will be
very limited during the time which the PDC is unavailable. On each client workstation, only
domain accounts (including operators and administrators) which have already been used to log on
to that workstation may be used. This is because the account credentials for these accounts have
been cached locally.
After the PDC station has been completely restored, the following procedure must be performed
on each of the client workstations in order to restore the connection to the domain.

NOTE
These steps are not necessary if there was an SDC present on the Foxboro network.

517
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

Proceed as follows:
1. Right-click on My Computer in Windows Explorer and select Properties. Click
the Change button on the System Properties dialog box.

Figure D-88. Workstation System Properties

518
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

2. Select the Workgroup radio button and enter a workgroup name.

Figure D-89. Computer Name Changes Dialog Box - Workgroup

3. Enter domain administrator credentials and click OK.


4. Click OK when the following dialog box appears.

Figure D-90. Computer Name Change - Remember Local Admin Password

519
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

5. Log in as IADomainAdmin.

Figure D-91. Log in IADomainAdmin

6. A dialog box indicates that the computer has been added to the workgroup entered.
Click OK.

Figure D-92. Computer Name Change - Welcome to the [YourName] Workgroup

7. A dialog box indicates that you will need to restart the station to apply the
changes.Click OK.

Figure D-93. Computer Name Change - Restart Computer

520
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

8. Click Close to close the System Properties dialog box.

Figure D-94. Closing System Properties Dialog Box

9. Upon closing the System Properties dialog box, click Yes to have the workstation
restarted.
10. After the workstation restarts, log on with the local administrator account credentials.
11. Right-click on My Computer in Windows Explorer and select Properties. Click the
Change button on the System Properties dialog box.
12. Select the Domain radio button and enter the domain name.

521
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

Figure D-95. Computer Name Changes Dialog Box - Domain

13. When prompted, add the username and password of the account with permission to
join this domain. Click OK when done.

Figure D-96. Windows Security Dialog Box

522
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

14. A dialog box indicates that the computer has been added to the domain. Click OK.

Figure D-97. Computer Name Changes Dialog Box - Welcome to the [YourName] Domain

15. A dialog box indicates that the computer must be restarted. Click OK.

Figure D-98. Computer Name Changes Dialog Box - Need to Restart To Apply Changes

523
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

16. Click Close to close the System Properties dialog box.

Figure D-99. Close System Properties Dialog Box

17. Upon closing the System Properties dialog box, click Restart Now to have the
workstation restart.

Figure D-100. Computer Name Changes Dialog Box - Need to Restart To Apply Changes

524
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

Adjusting NIC Settings after Adding an SDC


If this SDC server name was not selected from the SDC drop-down list during the installation of
the PDC or any of the clients, including additional SDC servers, then the NIC card settings must
be adjusted on those stations at this time.
On each of these stations, the SDC IP address should be configured as a secondary DNS locator:
1. Open the Network and Sharing Center from the Control Panel.
2. Click Change adapter settings in the left-hand pane.
3. Right-click on the entry for REDL Virtual Miniport Driver and select Proper-
ties.
4. Select Internet Protocol 4 (TCP/IPv4) and click Properties.

Figure D-101. Local Area Connection Properties Dialog Box

525
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

5. Click the Advanced button.

Figure D-102. Internet Protocol Version 4 (TCP/IP4) Properties Dialog Box

526
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

6. In the Advanced TCP/IP Settings dialog box, select the DNS tab.
This is what the NIC settings should look like for a client workstation on a system
with a primary and one secondary DNS server. These settings are only necessary for
the FoxInt NDIS Intermediate Miniport Driver. In this case, the IP address ending in
84 is for the PDC and the IP address ending in 112 is for the SDC. Add the SDC IP
Address on each station if it is not already present.

Figure D-103. Advanced TCP/IP Settings Dialog Box

Backing Up Active Directory on Domain Controllers


Active Directory should be backed up at regular intervals on Control Core Services domain con-
troller stations in order to ensure a smooth restoration of Control Core Services system operations
following unexpected system failures (software or hardware). At a minimum, these backups
should be performed at least every 60 days, which is the default value of the tombstone lifetime
for Active Directory backups. Backups may be taken less often if the tombstone lifetime value is
increased (see the following section). This value is stored in Active Directory under the tomb-
stoneLifetime attribute and defines the length of time for which a backup is valid and usable
for restoring Active Directory objects. With a valid backup available, any objects created in Active
Directory after the initial Control Core Services software installation can be easily restored. This
includes policies that have been defined in addition to the standard Control Core Services system

527
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

policies. Refer to http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx?pr=blog for


information on performing Active Directory backups.

NOTE
It is highly recommended that the following procedures are performed for changing
the tombstone lifetime value. This will help ensure that backups remain current and
usable. A value of a least 180 days is recommended. This should be done before
BESR or Active Directory backups are taken. Also, make sure that the value
changed is replicated to all domain controllers before creating backups.

NOTE
Refer to Appendix F “Guidelines for Using BESR for Backing Up and Restoring
Domain Controllers” for additional information on backups.

Changing the Tombstone Lifetime Attribute in Active


Directory
By default, the Active Directory tombstone lifetime is sixty days. This value can be changed if
necessary. Having a longer tombstone lifetime decreases the chance that a deleted object remains
in the local directory of a disconnected Domain Controller beyond the time when the object is
permanently deleted from online Domain Controllers.
The easiest way to modify this attribute value is by using the ADSI Edit tool.

! WARNING
Certain Windows Support Tools, if used improperly, might cause your computer to
stop functioning. It is recommended that only experienced users install and use
Windows Support Tools.

In order to perform the following steps, you can use the IADomainAdmin account or you will
need to be a member of the “Enterprise Admins” group.
To view or change attribute values by using ADSI Edit:
1. Click Start, click Run, type ADSIEdit.msc and then click OK.

528
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

Figure D-104. Opening ADSI Edit Directory Services

2. Right-click on the ADSI Edit node and select Connect to.

Figure D-105. ADSI Edit Directory Services - Connect To

529
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

3. From the drop-down menu under “Select a well known naming context”, select
Configuration. Click OK.

Figure D-106. ADSI Edit Directory Services - Configuration

530
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

4. Expand the Configuration node.


5. Expand:
CN=Configuration,DC=<ForestRootDN>
where “<ForestRootDN>” is the Distinguished Name of your Active Directory Forest
Root domain. For example, if your domain's name is iaseries.local, then the DN for it
would be:
DC=iaseries,DC=local
6. Navigate to:
CN=Services > CN=Windows NT > CN=Directory Service
7. Right-click on Directory Service and choose Properties.

Figure D-107. ADSI Edit Directory Services - Properties Selection

531
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

8. In the CN=Directory Service Properties dialog, scroll down, click the tomb-
stoneLifetime attribute, and click Edit.

Figure D-108. Attribute Editor - Attribute Selection

9. Configure the tombstone lifetime period (in days), then click OK.

Figure D-109. Attribute Value -- Tombstone Lifetime Period

10. Click OK and then close the ADSI Edit tool.


When you view the properties, if no value is set (shows up as “<Not Set>”) it means that the
default value is in effect. Any value that you type in the Attribute Editor Value field replaces the
default value when you click OK.

532
Appendix D. Secondary Domain Controllers in a Foxboro Evo System B0700SS – Rev D

In order to verify the value has been set, the following command can be executed in a command
prompt window:
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,
cn=Configuration,dc=iaseries,dc=local" -scope base -attr tombstonelifetime

If your domain name is not “iaseries.local,” then replace the distinguished name of the domain in
the above command from “dc=iaseries,dc=local” to the actual distinguished name of your domain.

533
B0700SS – Rev D Appendix D. Secondary Domain Controllers in a Foxboro Evo System

534
Appendix E. Control Core Services
Installation on Multiple CPU
Core-Enabled Workstations/Servers
This appendix provides guidelines for installing Control Core Services v9.1 or later on
workstations/servers which are planned to operate with multiple CPU cores enabled.
Foxboro Evo Control Core Services v9.1 adds support for running the software on a workstation
or server with all CPU cores enabled. Previously, I/A Series software and Control Core Services
could be run only on a single CPU core. With this feature enabled, all Foxboro Evo and third
party applications/services can run in any core as assigned by the operating system.
Refer to the Hardware and Software Specific Instructions included with your workstation or server
to determine if your workstation, server, or virtual machine can support the multiple CPU core
feature enabled, when used with Control Core Services v9.1 or later.

For the initial (Day 0) installation on a workstation or server with the multiple CPU core feature
to be enabled, you must perform the following actions in order:
1. Install Control Core Services v9.1 as described in the appropriate chapter in this
manual.
2. Enable the use of multiple CPU cores in the workstation’s or server’s BIOS.
3. Enable the use of multiple CPU cores in the workstation’s or server’s operating system.
4. Upgrade the required drivers manually by running their upgrade executables:
♦ (For H92 workstation only) Intel Rapid Storage driver - provided on the Control
Core Services v9.1 (or later) installation media
♦ NVIDIA Quadro Professional Graphics driver - provided on the Control Core
Services v9.1 (or later) installation media

NOTE
The procedures for the above actions are provided in the Hardware and Software Spe-
cific Instructions included with your supported workstation or server.

5. Uninstall McAfee VirusScan Enterprise v8.8 and reinstall McAfee VirusScan Enter-
prise v8.8 manually with a new patched version, as described in the Hardware and
Software Specific Instructions included with your supported workstation or server. The
media for this patched version is installed as part of the Control Core Services v9.1 (or
later) installation.
6. Update the DAT file for McAfee VirusScan Enterprise v8.8 using the DAT file
updater, as described in the Hardware and Software Specific Instructions included with
your supported workstation or server, in the same section used for the previous step.
The DAT file updater is installed as part of the Control Core Service v9.1 (or later)

535
B0700SS – Rev DAppendix E. Control Core Services Installation on Multiple CPU Core-Enabled Workstations/Servers

installation. A newer DAT file may also be available directly from the vendor.

For a Day 1 installation on a workstation or server with the multiple CPU core feature to be
enabled, you must perform the following actions in order:
1. Install Control Core Services v9.1 as described in Chapter 12 “Upgrading Foxboro
Evo Control Core Services v9.1 (Day 1 Installation or Repair Operation)”.
2. Shut off the Control Core Services and reboot the workstation or server.
3. Enable the use of multiple CPU cores in the workstation’s or server’s BIOS.
4. Upgrade the required drivers manually by running their upgrade executables:
♦ (For H92 workstation only) Intel Rapid Storage driver - provided on the Control
Core Services v9.1 (or later) installation media
♦ NVIDIA Quadro Professional Graphics driver - provided on the Control Core
Services v9.1 (or later) installation media
5. Uninstall McAfee VirusScan Enterprise v8.8 and reinstall McAfee VirusScan Enter-
prise v8.8 manually with a new patched version, as described in the Hardware and
Software Specific Instructions included with your supported workstation or server. The
media for this patched version is installed as part of the Control Core Services v9.1 (or
later) installation.
6. Update the DAT file for McAfee VirusScan Enterprise v8.8 using the DAT file
updater, as described in the Hardware and Software Specific Instructions included with
your supported workstation or server, in the same section used for the previous step.
The DAT file updater is installed as part of the Control Core Service v9.1 (or later)
installation. A newer DAT file may also be available directly from the vendor.
7. Enable the use of multiple CPU cores in the workstation’s or server’s operating system.
8. Enable the Control Core Services and reboot the workstation or server.
The procedures for the above actions are provided in the Hardware and Software Specific Instruc-
tions included with your supported workstation or server.

536
Appendix F. Guidelines for Using
BESR for Backing Up and Restoring
Domain Controllers
This appendix provides guidelines for using Symantec Backup Exec System Recovery (BESR) to
backup and restore images on domain controllers.
The Symantec Backup Exec System Recovery (BESR) product is used to backup and restore Fox-
boro Evo workstations and servers. However, when used with domain controllers (PDC or SDC),
restoring an old image that has Active Directory installed on it is a last resort approach when you
have more than one domain controller. If you have a working domain controller and you need to
restore another domain controller, it is best to reinstall the second domain controller and allow
replication to occur with the good domain controller instead of restoring the second domain con-
troller from a backup image.
The Symantec Backup Exec System Recovery (BESR) product and all procedures for using this
product are described in Symantec System Recovery 2013 Desktop, Server and Virtual Editions Guide
for I/A Series Systems (B0700EY).
For normal backups of Active Directory, the best practice is to perform a System State backup and
a group policy backup:
♦ Refer to http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx?pr=blog for
information on performing Active Directory backups.
♦ Use the Group Policy Management Console (GPMC) to perform group policy back-
ups. Click the Start button and select Control Panel -> Administrative Tools -
> Group Policy Management.
In the case of servers that have Active Directory installed on them, i.e., domain controllers, the
following guidelines should be followed if you are forced to restore them from BESR backups.

NOTE
These procedures refer to tools that are part of the Windows Support Tools. If you
have not installed these tools, refer to “Changing the Tombstone Lifetime Attribute
in Active Directory” on page 528.

Making Backup Images of Domain Controllers


Proceed as follows:
1. After installing a domain controller, it is strongly recommended that you change the
tombstone lifetime value to suit your backup practices. The default is 180 days for
Server 2008 R2 Standard [for Server 2003, it was 60 days]. If you intend to restore
images older than the default value, you must change this value accordingly as

537
B0700SS – Rev D Appendix F. Guidelines for Using BESR for Backing Up and Restoring Domain Controllers

described in “Changing the Tombstone Lifetime Attribute in Active Directory” on


page 528.
2. Do not make the initial backup of domain controllers until they have been running
for at least twelve hours.
3. If you have secondary domain controllers, make sure the PDC and SDC are working
together properly. See “Checking the Health of Active Directory” on page 539.
4. You should make full backups of both the PDC and the SDC about the same time
(separated by minutes, not hours).
5. Backup all the active drives (e.g., C: and D:) at the same time.
6. Be sure to select the “Verify Recovery Point” option in the BESR window when creat-
ing the backup image.

Restoring Only One Domain Controller


This procedure applies when there is only one domain controller being restored (for example, in
the case of a hardware failure), whether it is the only domain controller or there are multiple
domain controllers present. Proceed as follows:
1. The domain controller backup image should not be older (i.e., greater) than the
tombstone lifetime value.
2. Shutdown the domain controller and restore its BESR image as described in Symantec
System Recovery 2013 Desktop, Server and Virtual Editions Guide for I/A Series Systems
(B0700EY).
3. After the domain controller is rebooted, verify it is working properly. See “Checking
the Health of Active Directory” on page 539.

Restoring Multiple Domain Controllers from Backup


Images
If it is necessary to restore multiple domain controllers from backup images at the same time, such
as in a testing environment, perform the following procedure:
1. The domain controller backup images should not be older (i.e., greater) than the
tombstone lifetime value. The backup images should have been created about the
same time.
2. Shutdown the domain controllers.
3. Boot up only the PDC and restore its BESR backup image as described in Symantec
System Recovery 2013 Desktop, Server and Virtual Editions Guide for I/A Series Systems
(B0700EY).
4. Seize the FSMO roles as described in “Seizing Active Directory Operations Master
Roles” on page 474. Be aware that this procedure is described in the context of mov-
ing these roles to another domain controller when the PDC is no longer available. In
the context for this procedure, it is performed on a PDC that is being restored from a
BESR image. This may not be necessary but it is good practice. In any case, verify the
roles.

538
Appendix F. Guidelines for Using BESR for Backing Up and Restoring Domain Controllers B0700SS – Rev D

5. Set the PDC as “authoritative” for SYSVOL. Refer to the “Authoritative FRS restore”
procedure described in the following Microsoft article:
http://support.microsoft.com/kb/290762
6. Boot up the next domain controller (SDC). If this SDC is On-Control Network,
restore its BESR backup image as described in Symantec System Recovery 2013 Desktop,
Server and Virtual Editions Guide for I/A Series Systems (B0700EY). If this SDC is Off-
Control Network, it is recommended that the box be reinstalled.
7. After the domain controller is rebooted, if it has been reinstalled, join it to the
domain. In any case, verify it is working properly. See the next section’s instructions
on checking the health of Active Directory.
8. Repeat steps 6 and 7 for each additional domain controller.

Checking the Health of Active Directory


Perform the following checks to assess the health of Active Directory.
If there is only one domain controller, you can run the following:
1. Open a command prompt window - click the Start button and then select Programs
-> Accessories -> Command Prompt.
2. Type dcdiag and press <Enter>. This will start the process of checking for errors.
If there are multiple domain controllers, you should verify that replication is working:
1. Open a command prompt window - click the Start button and then select Programs
-> Accessories -> Command Prompt.
2. Type repadmin /showreps and press <Enter>. Verify there are no failures.
3. Launch the Event Viewer (click the Start button -> Control Panel -> Administra-
tive Tools -> Event Viewer).
a. Look in the Application log and verify there are no “userenv” errors.
b. Look in the File Replication Service log and verify that an Event “13516” message
is at the top of the log.

539
B0700SS – Rev D Appendix F. Guidelines for Using BESR for Backing Up and Restoring Domain Controllers

540
Appendix G. I/A Series MESH
Configurator
This appendix describes how to use the I/A Series Mesh Configurator for workstations with
Windows 7 and servers with Windows Server 2008 R2 Standard on the Foxboro Evo Control
Network (hereafter referred to as “the control network”).
The I/A Series Mesh Configurator application installs the COMEX protocol and Redundant
Ethernet Data Link (REDL) virtual adapter, and configures Internet Protocol (IP) addresses for
stations on the control network. A station can have one or two connections to the control net-
work (if it has one or two switch connections in System Definition).
The Mesh Configurator provides a user interface to select the Network Interface Cards (NICs) for
these connections.

Figure G-1. MESH Configurator NIC Selection

Silent Installation
The Day 0 installer will attempt to configure the control network connections automatically. You
are not prompted with a graphical interface if the workstation has:
♦ Two switch connections, and there are exactly two NICs in PCI slots, or
♦ One switch connection, and there is exactly one NIC in a PCI slot.
In these cases, The Mesh Configurator selects the NIC(s) in the PCI Slot(s) for the control net-
work connections.

541
B0700SS – Rev D Appendix G. I/A Series MESH Configurator

Manual NIC Selection


The graphical interface is always presented if:
♦ The location of a NIC cannot be identified as an Integrated port or PCI Slot,
♦ The workstation is using an Off-Control Network Domain Controller, or
♦ The configurator is run after the Day 0 installation.
In Windows 7 or Windows Server 2008 R2 Standard, it is no longer possible programmatically to
determine the slot of each NIC, so The Mesh Configurator attempts to map the location of each
NIC, based on the platform and BIOS settings. If this mapping fails, the location of each NIC is
listed as “Unknown”.

Figure G-2. NIC Selection on Unknown Platform/BIOS

When NIC locations are “Unknown”, you need to manually select the NICs for the control net-
work connections. The following procedure is recommended:
1. Disconnect all Ethernet cables except those from the control network (and from the
Off-Control Network Domain Controller, if one is in use).

NOTE
Do not assign static IP addresses to the workstation NICs before running The Mesh
Configurator. If the configurator reports an IP conflict, find the adapter with the
duplicate IP address, change it to use DHCP, then run the configurator again.

2. Display the Network Connections from the Start menu -> Network and Sharing
Center -> Change adapter settings (or type “view network connections”
from the Start menu search bar), and set the view to Details.

542
Appendix G. I/A Series MESH Configurator B0700SS – Rev D

Figure G-3. Network Connections

3. By default, the columns are not wide enough to display all the necessary information.
Resize the Device Name column so it is wide enough to show the full text:

Figure G-4. Network Connections Showing Device Names

4. Identify and record the Device Names that do not have a red X next to their icons.
These are the Device Names that should be selected in The Mesh Configurator.

NOTE
Take care not to confuse Names with Device Names. In the above example, the
Allied Telesis adapter 2 is not the same NIC as Local Area Connection 2.

5. If installing with an Off-Control Network Domain Controller, you are prompted to


select the NIC connected to the Domain Controller’s network.

543
B0700SS – Rev D Appendix G. I/A Series MESH Configurator

Figure G-5. Off-Control Network NIC Selection

6. After selecting the NIC for the Off-Control Network Domain Controller (or if
installing without one), you are prompted to select the NIC(s) connected to the con-
trol network.

Figure G-6. NICs on The MESH Control Network Selection

NOTE
A NIC selected for the Off-Control Network Domain Controller will be removed
from the list of available NICs when selecting the control network connection(s).

Unless there is an error or further user interaction is required, The Mesh Configurator exits
silently. If no error message is returned, this indicates a successful installation.

544
Appendix G. I/A Series MESH Configurator B0700SS – Rev D

Post Day 0 Operations


After adding, replacing, or moving an NIC, you must run The Mesh Configurator to ensure
proper network bindings.

NOTE
You must run The Mesh Configurator after restoring a workstation image from a
backup created on different hardware (for example, when replacing defective hard-
ware).

Open the configurator from the Start menu -> All Programs -> Invensys -> IASeries ->
Utilities -> Mesh Configurator (or type “mesh configurator” from the Start menu
search bar).
♦ The Mesh Configurator cannot run while the control networking is enabled. If neces-
sary, it will turn off Control Core Services and restart the workstation before running.
♦ The Mesh Configurator can only be run by users with administrator credentials.
The configurator remembers the selections made on previous installations. Previously selected
NIC(s) will be checked; you can leave them checked or select new NIC(s). If you originally
installed The Mesh Configurator with an Off-Control Network Domain Controller, it prompts
you to select the NIC connected to the Domain Controller’s network.

NOTE
The Mesh Configurator does not support Post Day 0 Operations on single-NIC
configurations.

Identifying Cable A and Cable B


When two connections to the control network are configured, the connection in the lower num-
bered slot is considered Cable A, while the connection in the higher numbered slot is considered
Cable B. (If the slots are not numbered, the top slot is Cable A, while the bottom slot is Cable B.)
If one Ethernet port is a PCI slot and the other is an Integrated port, the PCI Slot is Cable A and
the Integrated port is Cable B. This configuration is not recommended.
Due to operating system limitations, if the locations are “Unknown”, the Cable A and Cable B
selection will be non-deterministic, and may change each time you run the configurator. In this
case, the cables have to be manually identified by unplugging each cable and noting which cable is
marked “bad” in your System Management tools. For details, refer to “Monitoring the System in
System Management Displays (B0193JC), or “Workstations, Peripherals, and Network Printers” in
System Manager (B0750AP).

545
B0700SS – Rev D Appendix G. I/A Series MESH Configurator

546
Appendix H. SNMP Community
String Configuration
This appendix describes how to configure the SNMP community string for workstations with
Windows 7 and servers with Windows Server 2008 R2 Standard.
SNMP (Simple Network Management Protocol) is an internet protocol used in network manage-
ment systems to monitor network-attached devices such as workstations, servers, routers,
switches, and so forth.
The SNMP community string is a text string that acts as a password to authenticate messages that
are sent between the management software and the device (the SNMP agent). This string must be
configured in two places: the SNMP service (included with the Windows operating system) and
the Server Manager configuration file. It should be configured only after the Control Core Ser-
vices have been installed on the workstation or server.

NOTE
The community string is case-sensitive and must be identical in both places.

To configure the SNMP service, proceed as follows:


1. Log on with an account that has administrative privileges.
2. Click the Start button, and click Control Panel -> Administrative Tools ->
Services.
3. Scroll down to the SNMP Service, right-click on it, and then click Properties.
4. In the SNMP Service Properties dialog box, shown in Figure H-1, select the Secu-
rity tab.
5. During the initial installation of the Control Core Services, a default “Invensys” com-
munity string is added to the workstation/server. If this default string is present in the
Accepted community names field (see Figure H-1), you must remove it. After the ini-
tial installation of the Control Core Services, this default string is listed in the
servm.cfg file. Proceed as follows:
a. Using Windows Explorer, navigate to the \usr\fox\sysmgm\smat\ folder on the
drive on which the Control Core Services are installed (typically D:\).
b. If present, open the text file named: servm.cfg
If this file is not present, then it is likely that the default string has already been
removed at an earlier time, and you can skip to step 8.
c. In the servm.cfg file, locate the default string, adjacent to the text
“default_string: ”. Now you can close the servm.cfg file.
d. Once you know the default string, click that string in the Accepted community
names field in the SNMP Service Properties dialog box, and click Remove.

547
B0700SS – Rev D Appendix H. SNMP Community String Configuration

Figure H-1. SNMP Service Properties Dialog Box

6. Under “Accepted community names” area, click the Add… button.


7. Select the appropriate permission level for the community string in the “Community
Rights” drop-down list to specify how the host processes SNMP requests from the
selected community. Normally, READ ONLY is recommended.
8. In the “Community Name” box, type your community string.

NOTE
Be aware that your community string is case-sensitive.

9. Click Add.
To limit the acceptance of SNMP packets, click the Accept SNMP packets from
these hosts bullet. Click the Add… button, and then type the appropriate host
name, IP address or IPX address in the Host name, IP or IPX address box. You can
restrict the access to the local host (127.0.0.1) or only specific servers by using this set-
ting.
10. Click OK when done.

548
Appendix H. SNMP Community String Configuration B0700SS – Rev D

11. For the settings to take effect, right-click the SNMP service from the Services window.
Stop and then restart the SNMP service.
To configure the Server Manager configuration file, proceed as follows:
1. Using Windows Explorer, navigate to the \usr\fox\sysmgm\smat\ folder on the drive
on which the Control Core Services are installed (typically D:\).
2. Open (or create) the text file named: servm.cfg
3. Type the community string using the following format:
default_string: yourcommunitystring
(Type in the same string you used above.)
4. Save the file and then reboot.
For security purposes, it is highly recommended that you do not use a well-known default com-
munity string such as “public.” You should use a string that is compliant with your site’s password
complexity policy.

549
B0700SS – Rev D Appendix H. SNMP Community String Configuration

550
Appendix I. Telnet Installation
This appendix describes how to install the optional application telnet on systems with
Windows 7 or Windows Server 2008 R2 Standard operating systems, if desired.
By default, telnet is not installed on systems with Windows 7 or Windows Server 2008 R2 Stan-
dard operating systems. Telnet is an optional feature and if it is needed, it can be installed manu-
ally as described below.

Installing Telnet on Workstations with Windows 7


Operating System
Proceed as follows:
1. Log on to the workstation using an account with administrative privileges.
2. Click on the Start button, and then click Control Panel -> Programs and Fea-
tures.
3. Click “Turn Windows features on or off ” in the left pane.
4. Scroll down to the Telnet Client checkbox and check the box next to it, as shown in
Figure I-1.

Figure I-1. Windows Features Dialog Box

5. Click OK to close the Windows Features dialog box. The telnet application will be
installed.
To use the telnet application, open a command prompt window and type telnet to start a ses-
sion.

551
B0700SS – Rev D Appendix I. Telnet Installation

Installing Telnet on Servers with Windows Server


2008 R2 Standard Operating System
Proceed as follows:
1. Log on to the server using an account with administrative privileges.
2. Click on the Start button, and then click Control Panel -> Programs and Fea-
tures.
3. Click “Turn Windows features on or off ” in the left pane. The Server Manager
window opens.

Figure I-2. Server Manager

4. Click Features in the left pane as shown in Figure I-2.


5. Click Add Features in the right pane as shown in Figure I-2. The Add Features wiz-
ard opens.

552
Appendix I. Telnet Installation B0700SS – Rev D

6. In the Add Features Wizard, scroll down to the Telnet Client checkbox and check the
box next to it, as shown in Figure I-3.

Figure I-3. Add Features Wizard

7. When Confirm Installation Selections opens, click Install as shown in Figure I-4.

553
B0700SS – Rev D Appendix I. Telnet Installation

Figure I-4. Confirm Installation Selections

8. A dialog will appear showing the installation progress. When the installation is com-
pleted, click Close.
To use the telnet application, open a command prompt window and type telnet to start a ses-
sion.

554
Appendix J. Printer Sharing
This appendix describes how to enable sharing to printers on stations with Windows 7 or
Windows Server 2008 R2 Standard operating systems, if desired.
As with previous Microsoft operating systems, Windows 7 and Windows Server 2008 R2 Stan-
dard allow a printer to be shared by multiple stations.
However, to do this, Microsoft requires that the Windows Firewall service be enabled.

NOTE
Enabling this service does not require the Microsoft Windows Firewall to be used.
For Foxboro Evo workstations and servers, Invensys provides the McAfee
configurable firewall as the preferred firewall and recommends that the Microsoft
Windows Firewall not be used.

Turning on the Windows Firewall Service


To turn on the Windows Firewall service without turning on the Windows Firewall itself, proceed
as follows:
1. Log on to the workstation or server using an account that has administrative
privileges.
2. Click the Start button, and select Control Panel -> Administrative Tools ->
Services.
3. In the Services window, scroll down to the Windows Firewall service, right-click
on it, and then click Properties.
4. Change the “Startup type” to Automatic. Click Apply.
5. Click Start.
6. Click OK.
7. Close the Services window.
On standard Control Core Services stations (that is, stations which do not have security enhance-
ments for Control Core Services), the Windows firewall is automatically turned on when this ser-
vice is enabled. The firewall must be turned off as follows:
8. Click the Start button, and select Control Panel -> Windows Firewall.
9. At the left edge of the window, click Turn Windows Firewall on or off.
10. In each section, select the Turn off Windows Firewall (not recommended)
radio button as shown in Figure J-1.

555
B0700SS – Rev D Appendix J. Printer Sharing

Figure J-1. Windows Firewall Settings

11. Click OK.


12. Close the Windows Firewall window.

Sharing a Printer
To share a printer hosted by a workstation with Windows 7 or Windows Server 2008 R2 Stan-
dard, proceed as follows:
1. Click the Start button, and click Devices and Printers.
2. Right-click the icon of the printer that is to be shared and select Printer
properties.
3. In the Properties dialog box, click the Sharing tab.
4. Click the Change Sharing Options button if it is displayed as shown in Figure J-2.

556
Appendix J. Printer Sharing B0700SS – Rev D

Figure J-2. Printer Properties Dialog Box

5. Check the “Share this printer” checkbox and type in a Share name.
6. If this printer will be shared with a station that has a 32-bit OS (such as an x86 version
of Windows XP), install additional drivers (before setting up the station with
Windows XP) by clicking the Additional Drivers… button and then by checking
the x86 checkbox.
Otherwise, click OK. If you see the following error, the Windows Firewall service has
not been turned on as described in the previous section: “Operation could not be
completed (Error 0x000006D9)”

557
B0700SS – Rev D Appendix J. Printer Sharing

Connecting to a Shared Printer on Another Foxboro


Evo Control Core Services Station
To use the shared printer from another Control Core Services station, run the “Add Printer” wiz-
ard on that station. For a station with Windows 7 or Windows Server 2008 R2 Standard, proceed
as follows
1. Click the Start button, and click Devices and Printers.
2. Click Add a printer at the top (or right-click in the window and select Add a
printer).
3. Click Add a network, wireless or Bluetooth printer.
4. In the Add Printer dialog box, click The printer that I want isn't listed.
5. Click the Select a shared printer by name radio button.
6. Type the location of the printer, e.g., \\computername\printername, where “computer-
name” is the name of the computer hosting the printer and “printername” is the share
name you chose in step 5 in the previous section.
7. Click Next. If prompted to install drivers to complete install, click Yes and respond
to the prompts.

558
Appendix K. Manual Update For
Group Policies on an Off-Control
Network PDC
This appendix describes how to update the group policies for an Off-Control Network PDC
manually. This is the only instance in which you would need to manually update policies.
Foxboro Evo Control Core Services v9.1 adds one additional policy to a secure system. The new
policy is:
♦ Invensys Code Signing Certificates v1.0
♦ For assigning certificates to “Trusted Publishers” container on domain client
workstations
♦ The policy also applies to domain controllers in an On-Control Network domain
network
These policy changes do not affect standard stations. They do affect the installation of Foxboro
Evo workstations in all of the following scenarios. In each of these cases, the changes are made
automatically with no need for user interaction.
1. Security enhanced client Day 0 operation
2. Security enhanced client Day 1 operation
3. Secondary domain controller Day 0 operation
4. Secondary domain controller Day 1 operation
5. Off-Control Network PDC Day 0 operation
6. On-Control Network PDC Day 0 operation
7. On-Control Network PDC Day 1 operation
8. On-Control Network PDC Release Update operation
9. Migrate from pre-8.8 domain to new On-Control Network PDC
10. Migrate from pre-8.8 domain to new Off-Control Network PDC
11. Migrate from pre-8.8 domain to existing Off-Control Network domain
In the case of the Off-Control Network PDC which is being updated to CCS v9.1, the following
steps are required.
1. Insert the DVD labeled “Foxboro Evo Control Core Services v9.1 Day 0 DVD-
ROM” (K0174MS-A) into the drive of the Off-Control Network PDC.
2. Open a Command Prompt (cmd) as Administrator.
3. Navigate to the folder E:\GroupPolicy\Updates.
4. Execute the command: iasecadupdate.bat

559
B0700SS – Rev D Appendix K. Manual Update For Group Policies on an Off-Control Network PDC

Figure K-1. iasecadupdate.bat

5. The results of executing the script are logged to %ALLUSERSPROFILE%\Inven-


sys\IASeries\Installer\TarSetup_NNNNNNNNNNN\ADSetup.log.
This performs the following actions:
1. Installs the certificate locally.
2. Adds the “Invensys Code Signing Certificates v1.0” policy to the domain.
3. Links the “Invensys Code Signing Certificates v1.0” policy to the “Invensys” OU.
4. Imports the group policy settings for both new group policy objects.
After importing the new policies, the settings can be verified from the Microsoft Windows Group
Policy Management console (click the Start button and then select Control Panel -> Admin-
istrative Tools -> Group Policy Management).

560
Appendix K. Manual Update For Group Policies on an Off-Control Network PDC B0700SS – Rev D

The “Invensys Code Signing Certificates v1.0” policy appears under the Invensys OU.

Figure K-2. Invensys Code Signing Certificates v1.0

The “Invensys Code Signing Certificates v1.0” policy contains settings for applying the certifi-
cates to the “Trusted Publishers” container.

Figure K-3. Invensys Code Signing Certificates v1.0 Settings

561
B0700SS – Rev D Appendix K. Manual Update For Group Policies on an Off-Control Network PDC

562
Appendix L. Troubleshooting
This appendix provides troubleshooting procedures.

Setting Time Correctly After Failure to Continue


Software Installation After Reboot (SDC or Domain
Client)
If after connecting an SDC or a secure domain client to a Control Core Services domain and the
software installation does not continue after a reboot, the system time may not have been set cor-
rectly. An indication that this has occurred is that the software installation attempts to continue
but will not until a username and password is provided for an account with administrative privi-
leges.
To verify if the time has not been properly set, proceed as follows to check that the group policies
are being applied:
1. From the start menu, select Run. In the Open: field, type “rsop.msc” as shown in
Figure L-1 and click OK to continue.

Figure L-1. Run rsop.msc

563
B0700SS – Rev D Appendix L. Troubleshooting

2. In the Resultant Set of Policy window, right-click on Computer Configuration and


select Properties as shown in Figure L-2. The red X on the Computer Configura-
tion entry indicates that there is a problem applying policies on this station.

Figure L-2. Resultant Set of Policy Window

564
Appendix L. Troubleshooting B0700SS – Rev D

3. In the Computer Configuration Properties dialog box, select the Error Informa-
tion tab to view the errors for this policy set. The error shown in Figure L-3 indicates
that the time does not match the time on the domain controller: “The clocks on the
client and server machine are skewed.”

Figure L-3. Computer Configuration Properties Dialog Box

4. If the error shown in Figure L-3 is found on your system, fix the time on the SDC or
domain client as described in the “Server Preparation” of the appropriate chapter for
your station in this document and reboot. After rebooting, the software installation
may be restarted by running Setup.exe on the installation DVD.
Accept the UAC request in order to start the installation.

565
Invensys Systems, Inc.
38 Neponset Avenue
Foxborough, MA 02035-2037
United States of America
www.schneider-electric.com

Global Customer Support


Inside U.S.: 1-866-746-6477
Outside U.S.: 1-508-549-2424
Website: https://support.ips.invensys.com

You might also like