Foxboro Evo™

Process Automation System

Control Core Services v9.4


Software Installation Guide


B0700SX

Rev F
August 02, 2019
Schneider Electric, Invensys, Foxboro, Foxboro Evo, and I/A Series are trademarks of Schneider Electric SE, its
subsidiaries, and affiliates.
All other brand names may be trademarks of their respective owners.

Copyright 2018-2019 Schneider Electric.


All rights reserved.

SOFTWARE LICENSE AND COPYRIGHT INFORMATION


Before using the Schneider Electric Systems USA, Inc. supplied software supported by this
documentation, read and understand the following information concerning copyrighted software.
1. The license provisions in the software license for your system govern your obligations
and usage rights to the software described in this documentation. If any portion of
those license provisions is violated, Schneider Electric Systems USA, Inc. will no longer
provide you with support services and assumes no further responsibilities for your
system or its operation.
2. All software issued by Schneider Electric Systems USA, Inc. and copies of the software
that you are specifically permitted to make, are protected in accordance with Federal
copyright laws. It is illegal to make copies of any software media provided to you by
Schneider Electric Systems USA, Inc. for any purpose other than those purposes mentioned
in the software license.
Contents
Safety Information ............................................................................................................. xxxi

Preface.............................................................................................................................. xxxiii
Purpose ............................................................................................................................... xxxiii
Revision Information .......................................................................................................... xxxiii
Reference Documents ......................................................................................................... xxxiv
Cyber Security Team ........................................................................................................... xxxvi
Glossary .............................................................................................................................. xxxvi

1. Software Installation Overview.......................................................................................... 1


Installation Concepts ................................................................................................................ 1
How to Use this Installation Guide ........................................................................................... 2
Overview of Supported Software Installations ........................................................................... 2
Determining Hardware Requirements ....................................................................................... 3
Pre-Installation System Backup ................................................................................................. 4
System Configuration and Creating Commit Installation Media ............................................... 5
Control Core Services v9.4 Documentation .............................................................................. 6
Hardware and Software Specific Instruction Documents ...................................................... 6
Workstation Specific Operating System Media ......................................................................... 6
Control Core Services v9.4 Media ............................................................................................. 8
Pre-Installation Tasks ................................................................................................................ 8
Backing Up the CSA Database ............................................................................................. 8
Adjusting BIOS Settings ....................................................................................................... 8
Loading Platform Images ...................................................................................................... 8
Configuring Local Group Policies (LGPOs) ......................................................................... 8
Install McAfee Products ....................................................................................................... 8

2. Local Edition Control Core Services v9.4 Day 0 Installation............................................. 9


Workstation/Server Preparation ................................................................................................ 9
Notes on Installing Control Core Services ............................................................................... 10
Changing the Station Name .................................................................................................... 11
Preparing Network Interface Cards (NICs) For Installation .................................................... 11
Exiting During Software Installation ....................................................................................... 12
Installation Procedure ............................................................................................................. 12
Installing the Control Core Services v9.4 Trailer Media ..................................................... 25

iii
B0700SX – Rev F Contents

Restarting Your System ...................................................................................................... 26


Installing Optional Software ................................................................................................... 26
Setting Date and Time ............................................................................................................ 26
Finishing Installation .............................................................................................................. 26

3. Installation or Migration Scenarios for Enterprise Edition Control Core Services v9.4 ... 27
Introduction ............................................................................................................................ 27
Scenario 1 ............................................................................................................................... 30
Scenario 2 ............................................................................................................................... 30
Scenario 3 ............................................................................................................................... 30
Scenario 4 ............................................................................................................................... 31
Scenario 5 ............................................................................................................................... 32
Scenario 6 ............................................................................................................................... 33
Scenario 7 ............................................................................................................................... 34
Scenario 8 ............................................................................................................................... 35
Scenario 9 ............................................................................................................................... 35
Other Migration Considerations ............................................................................................. 36
Control Processor 270 and FCP280 Upgrade Recommendation ........................................ 36
Migrating a FCP270 or ZCP270 Control Database from a
System with I/A Series Software v8.6 or Earlier .................................................................. 37
Updating Sequence Block Code after Migration to a New Operating System or
NutCracker Version ........................................................................................................... 37
General Considerations ................................................................................................. 39
HLBL Code .................................................................................................................. 40
Migrating a Control Database to an FCP280, FCP270, or ZCP270 .................................. 49
Validating FCM100E and FCM100Et Settings (ZCP270 Only) ....................................... 50

4. Enterprise Edition Control Core Services v9.4 Installation for New On-Control Network
Domain Controllers ............................................................................................................ 51
Installing Enterprise Edition Control Core Services v9.4 on Primary Domain Controllers on
The Control Network ............................................................................................................. 51
Server Preparation .............................................................................................................. 52
Important Information on Installing Control Core Services ............................................... 53
Changing the Station Name ............................................................................................... 54
Preparing Network Interface Cards (NICs) For Installation ............................................... 54
Installation Procedure ......................................................................................................... 55
Restarting Your System .................................................................................................. 72
Installing Optional Software ............................................................................................... 72
Primary Domain Controller Post-Installation Procedures ................................................... 73
Changing Passwords ...................................................................................................... 73
Creating Users in Active Directory ................................................................................ 74
Tombstone Lifetime Attribute in Active Directory ........................................................ 82
Backing Up Active Directory ......................................................................................... 82


Continuing Installation ...................................................................................................... 82


Installing Enterprise Edition Control Core Services v9.4 on Secondary Domain
Controllers on The Control Network ...................................................................................... 83
Server Preparation .............................................................................................................. 83
Important Information on Installing Control Core Services ............................................... 84
Changing the Station Name ............................................................................................... 85
Preparing Network Interface Cards (NICs) For Installation ............................................... 86
Installation Procedure ......................................................................................................... 86
Installing the Control Core Services v9.4 Trailer Media .............................................. 108
Restarting Your System ................................................................................................ 108
Installing Optional Software ............................................................................................. 108
Secondary Domain Controller Post-Installation Procedures ............................................. 109
Changing Passwords .................................................................................................... 109
Backing Up Active Directory ....................................................................................... 110
Continuing Installation .................................................................................................... 110

5. Enterprise Edition Control Core Services v9.4 Installation for New Off-Control
Network Domain Controllers............................................................................................ 111
Installing Enterprise Edition Control Core Services v9.4 on Off-Control Network Primary
Domain Controllers .............................................................................................................. 111
Server Preparation ............................................................................................................ 112
Notes on Installing Control Core Services ........................................................................ 113
Installation Procedure ....................................................................................................... 114
Assign a Static IPv4 Address to Off-Control Network Adapter .................................... 114
the Installation Procedure ........................................................................................... 115
Restarting Your System ................................................................................................ 130
Installing Optional Software ............................................................................................. 130
Primary Domain Controller Post-Installation Procedures ................................................. 130
Changing Passwords .................................................................................................... 130
Creating Users in Active Directory .............................................................................. 132
Tombstone Lifetime Attribute in Active Directory ...................................................... 139
Backing Up Active Directory ....................................................................................... 139
Installation ...................................................................................................................... 139
Installing Enterprise Edition Control Core Services v9.4 on Off-Control Network
Secondary Domain Controllers ............................................................................................ 140
Server Preparation ............................................................................................................ 140
Notes on Installing Control Core Services ........................................................................ 142
Installation Procedure ....................................................................................................... 142
Assign a Static IPv4 Address to Off-Control Network Adapter .................................... 142
Installation ................................................................................................................. 144
Restarting Your System ................................................................................................ 163
Installing Optional Software ............................................................................................. 163
Secondary Domain Controller Post-Installation Procedures ............................................. 164
Changing Passwords .................................................................................................... 164
Backing Up Active Directory ....................................................................................... 164
Adding Foxboro Stations to Active Directory Post-Installation .................................... 165
Finishing Post-Installation ................................................................................................ 167


6. Enterprise Edition Control Core Services v9.4 Installation for Existing Off-Control
Network Primary Domain Controllers .............................................................................. 169
Overview ............................................................................................................................... 169
Notes on Installing Control Core Services ........................................................................ 169
Installation Procedure ........................................................................................................... 170
Restarting Your System .................................................................................................... 179
Primary Domain Controller Post-Installation Procedures ...................................................... 180
Creating Users in Active Directory ................................................................................... 180
Adding Foxboro Stations to Active Directory Post-Installation .................................... 187
Tombstone Lifetime Attribute in Active Directory ........................................................... 189
Backing Up Active Directory ............................................................................................ 189
Continuing Installation ......................................................................................................... 189

7. Migrating an On-Control Windows Server 2008 Domain Controller to a New
Windows Server 2016 Primary Domain Controller on the On-Control Network ............. 191
Preparing the Source Primary Domain Controller with Windows Server 2008 ..................... 194
Preparation and Installation for New Target Primary Domain Controller With Windows
Server 2016 .......................................................................................................................... 200
Restore Windows Server 2016 on the Server .................................................................... 200
Important Information on Installing Control Core Services ............................................. 200
Changing the Station Name ............................................................................................. 201
Preparing Network Interface Cards (NICs) For Installation ............................................. 201
Installation on New Target Primary Domain Controller .................................................. 202
Configuring for Existing Domain Clients ............................................................................. 229
Continuing Installation ......................................................................................................... 232

8. Migrating an On-Control Windows Server 2008 Domain Controller to a New
Windows Server 2016 Primary Domain Controller on the Off-Control Network............. 233
Preparing the Source Primary Domain Controller (Existing PDC with I/A Series
Software v8.8 or Foxboro Evo Control Core Services v9.0-9.3) for Migration ....................... 237
Document Linking Order of Custom GPOs .................................................................... 239
Adding IADomainAdmin User to Schema Admins, Enterprise Admins Groups ............... 239
Adding Target Server 2016 Name to IAComputers OU .................................................. 242
Changing Network Card Properties for On-Control Network Adapter ............................ 243
Changing Network Card Properties for Off-Control Network Adapter ............................ 246
DNS Configuration Changes ........................................................................................... 248
Preparation and Installation for New Target Primary Domain Controller ............................. 266
Assign a Static IPv4 Address to Off-Control Network Adapter ......................................... 266
Continuing the Installation Procedure .............................................................................. 268
Post-Installation Steps on Control Core Services Client Workstations .............................. 287
Adding Schneider Electric Stations to Active Directory Post-Installation .......................... 289
Continuing Installation ......................................................................................................... 292


9. Migrating an Off-Control Windows Server 2008 Domain Controller to a New
Windows Server 2016 Primary Domain Controller on the On-Control Network ............. 293
Preparing the Source Primary Domain Controller Running Windows Server 2008 .............. 296
Document Linking Order of Custom GPOs .................................................................... 298
Adding IADomainAdmin User to Schema Admins, Enterprise Admins Groups ............... 298
Adding Target Server 2016 Name to IA Computers OU ................................................. 301
Preparation and Installation for New Target Primary Domain Controller ............................. 304
Preparing Network Interface Cards (NICs) For Installation ............................................. 304
Installation for New Target Primary Domain Controller .................................................. 305
Assign a Static IPv4 Address to Off-Control Network Adapter ......................................... 305
Continuing the Installation Procedure .............................................................................. 307
Installing the OS1FDB Package ....................................................................................... 331
Configuring for Existing Domain Clients ............................................................................. 335
Post installation steps on the Server 2016 PDC ............................................................... 337
Continuing Installation ......................................................................................................... 341

10. Migrating an Off-Control Windows Server 2008 Domain Controller to a New
Windows Server 2016 Primary Domain Controller on the Off-Control Network............. 343
Preparing the Source Primary Domain Controller With Windows Server 2008 .................... 344
Document Linking Order of Custom GPOs .................................................................... 346
Adding IADomainAdmin User to Schema Admins, Enterprise Admins Groups ............... 346
Adding Target Server 2016 Name to IA Computers OU ................................................. 349
Preparation and Installation for Target Primary Domain Controller with Windows
Server 2016 ........................................................................................................................... 351
Server Preparation ............................................................................................................ 351
Important Information on Installing Control Core Services ............................................. 352
Preparing Network Interface Cards (NICs) For Installation ............................................. 352
Assign a Static IPv4 Address to Off-Control Network Adapter ......................................... 352
Continuing the Installation Procedure .............................................................................. 354
Post-Installation Steps on Control Core Services Client Workstations .................................. 377
Continuing Installation ......................................................................................................... 380

11. Migrating an On-Control Windows Server 2003 Domain Controller to a New
Windows 2016 Primary Domain Controller on an On- or Off-Control Network............. 381
Migrate from Windows Server 2003 to Windows Server 2008 .............................................. 381
Items to Verify After Migrating to Windows Server 2008 and Before Migrating to
Windows Server 2016 ...................................................................................................... 383
Migrate from Windows Server 2008 to Windows Server 2016 .............................................. 384

12. Enterprise Edition Control Core Services v9.4 Installation for Domain Clients
or Connecting Security Enhanced I/A Series Software v8.5-9.4 Domain Clients to
Existing Off-Control Network Networks ......................................................................... 385
Workstation/Server Preparation ............................................................................................ 385
Notes for Installing Control Core Services ............................................................................ 387


Changing the Station Name .................................................................................................. 387


Installation Procedures .......................................................................................................... 387
Installation Procedure (On The Control Network) .......................................................... 388
Installation Procedure for Clients of New Off-Control Network Domain Controllers ..... 407
Installation Procedure for Pre-Existing Domain Clients
(I/A Series Software v8.5-v8.7) to Existing Off-Control Network Domain Controllers .... 430
Completing the Domain Client Installation ..................................................................... 435
Installing the Control Core Services v9.4 Trailer Media .............................................. 435
Restarting Your System ................................................................................................ 435
Non-Control Network Cables ..................................................................................... 435
Installing Optional Software ................................................................................................. 435
Setting Date and Time .......................................................................................................... 435
Re-Enabling Anti-Malware Software ..................................................................................... 436

13. Upgrading Control Core Services v9.4 (Day 1 Installation or Repair Operation) ........ 437
Day 1 Operations (Local Edition or Enterprise Edition Control Core Services) .................... 437
Repair Operations (Local Edition or Enterprise Edition Control Core Services) .................... 445
Performing a “Post-Commit for Pre-8.0” .............................................................................. 450
Instructions for Windows Workstations ...................................................................... 451
Instructions for Solaris Workstations ........................................................................... 451

14. Enhancing Server 2008 PDC running I/A Series Software v8.8 or Control
Core Services v9.0-v9.3 to Support Windows 10 and Server 2016 Domain Clients .......... 453

15. Enhancing Control Core Services Security for Interforest Migrated PDC with
Windows Server 2016 to Support Windows 10 and Windows Server 2016
Domain Clients ................................................................................................................. 459

16. Post-Installation and Migration Procedures ................................................................ 463


Restoring the CSA Database ................................................................................................. 463
Configuring Display Color Settings ...................................................................................... 463
Updating FCP270s, ZCP270s, FCP280s, and ATS Images .................................................. 463
Performing EEPROM Updates ............................................................................................. 464
Backing Up Hard Disks ........................................................................................................ 464
Reconciling the Configuration .............................................................................................. 464
Alarm Manager Multi-Head Video Configurations ............................................................... 464

17. Local Group Policy Installation ................................................................................... 467


Procedure for Importing Windows 10 Local Group Policy Settings ...................................... 467
Procedure for Importing Windows Server 2016 Local Group Policy Settings to
H90 or VM .......................................................................................................................... 467


Appendix A. Startup Options ............................................................................................ 469

Appendix B. Changing the Station Name.......................................................................... 471

Appendix C. Secondary Domain Controllers in a Foxboro Evo System ............................. 475


Active Directory Operations Master Roles ............................................................................. 475
Transferring the Operations Master Roles ............................................................................. 476
Seizing Active Directory Operations Master Roles ................................................................. 494
Restoring a PDC Server Station ............................................................................................ 499
Verifying Domain Controller Backup Functionality ............................................................. 524
Removing Domain Controller Functionality from a Workstation ......................................... 527
Forcefully Removing a Domain Controller from Active Directory ........................................ 532
Restoring Connections on a Single Domain Controller System ............................................. 537
Adjusting NIC Settings after Adding an SDC ....................................................................... 545
Backing Up Active Directory on Domain Controllers ........................................................... 547
Changing the Tombstone Lifetime Attribute in Active Directory .......................................... 548

Appendix D. Guidelines for Using Veritas System Recovery for Backing Up and
Restoring Domain Controllers .......................................................................................... 555
Making Backup Images of Domain Controllers .................................................................... 555
Restoring Only One Domain Controller ............................................................................... 556
Restoring Multiple Domain Controllers from Backup Images ............................................... 556
Checking the Health of Active Directory .............................................................................. 557

Appendix E. I/A Series MESH Configurator ..................................................................... 559


Silent Installation .................................................................................................................. 559
Manual NIC Selection .......................................................................................................... 560
Post Day 0 Operations .......................................................................................................... 563
Identifying Cable A and Cable B ........................................................................................... 563

Appendix F. SNMP Community String Configuration ..................................................... 565

Appendix G. Telnet Installation ........................................................................................ 569


Installing Telnet on Workstations with Windows 10 Operating System ............................... 569
Installing Telnet on Servers with Windows Server 2016 Standard Operating System ............ 570

Appendix H. Printer Sharing............................................................................................. 573


Turning on the Windows Firewall Service ............................................................................. 573
Sharing a Printer ................................................................................................................... 574


Connecting to a Shared Printer on Another Control Core Services Station ........................... 576

Appendix I. Troubleshooting ............................................................................................ 577


Setting Time Correctly Software Installation Cannot Continue
After Reboot (SDC or Domain Client) ................................................................................. 577
System Message During NIC Binding ................................................................................... 579

Appendix J. Installing Optional Software .......................................................................... 581

Appendix K. Troubleshooting PDC Migration ................................................................. 583


Indicators of a Potentially Successful Migration .................................................................... 583
Expected Detected Errors in DCHealthCheckLog ................................................................ 587
Troubleshooting AD Replication Issues ................................................................................ 588
Cleanup Procedure of Windows Server 2008 R2 PDC with Windows Server 2003 SDC References .................................................................................................................... 589
How to Cleanup Active Directory After Domain Controller Demotion ................................ 591
Windows Server 2003 Service Pack 1 (SP1) or later Enhanced version of Ntdsutil.exe ..... 591
Procedure for Windows Server 2003 SP1 or Later ............................................................ 592
How to Cleanup Domain Controllers That Are Not Decommissioned ................................. 595
How to Cleanup DNS .......................................................................................................... 596

Appendix L. Pre-Migration Settings for PDCs with Pre-Control Core Services v9.3......... 599

Appendix M. Files to Back Up/Restore ............................................................................. 605


Saving Files ........................................................................................................................... 605
Files to Back Up/Restore for Day 0 Migration ...................................................................... 605
CNI Files ......................................................................................................................... 605
Application Databases ...................................................................................................... 605
AIM*API ..................................................................................................................... 606
Control Libraries ......................................................................................................... 606
Display-Related Files ........................................................................................................ 606
System-Related Files ......................................................................................................... 607
Application Files .......................................................................................................... 607
Historian or AIM*Historian Files ................................................................................ 607
User Applications and Third-Party Package Files ......................................................... 607
Backing Up and Restoring Compound Summary Access (CSA) ............................................ 608
Backing Up CSA (CSA_Save) .......................................................................................... 608
Relocating CSA ................................................................................................................ 609
Restoring CSA (CSA_Merge) ........................................................................................... 610

Appendix N. Local Administrator Login on Windows 10, Windows Server 2016 Machines ........................................................................................................................... 611
Renaming Account1 on Windows 10/Windows Server 2016 Machines ................................ 611


Helping to Avoid the Loss of Logon Ability for Account1 ..................................................... 611

Appendix O. Verifying Group Policy Settings Before Migration ....................................... 613


Verifying GPO Settings ........................................................................................................ 613
Importing GPO Settings ....................................................................................................... 614

Appendix P. Linking Custom GPOs to Any CCS/CS Specific OUs .................................. 617
Custom GPO Linking Order Examples ............................................................................ 619
Example 1 - Correct (Most Common) ......................................................................... 619
Example 2 - Correct .................................................................................................... 619
Example 3 - Correct .................................................................................................... 619
Example 4 - Incorrect .................................................................................................. 620
Example 5 - Correct (Customer Example with CCS 9.4 Install) .................................. 620

Figures
2-1. Confirming Cancellation of Software Installation ....................................................... 12
2-2. User Account Control for IASeries.SecureSetup.exe .................................................... 13
2-3. Selecting to Install Local Edition CCS Software .......................................................... 14
2-4. Load Committed Configuration Install Files ............................................................... 15
2-5. Installation Media Folder Browser ............................................................................... 16
2-6. Load Committed Configuration Install Files - Binding ............................................... 17
2-7. Mesh Configurator Dialog Box (For Certain NIC Cards) ........................................... 18
2-8. Binding Completed ..................................................................................................... 18
2-9. Configure User Accounts ............................................................................................ 19
2-10. Configure User Accounts - Ready to Install ................................................................. 20
2-11. Foxboro Evo Control Core Services Installshield Wizard - Next .................................. 21
2-12. Foxboro Evo Control Core Services Installshield Wizard - Install ................................ 22
2-13. Installation Media Dialog Box ..................................................................................... 23
2-14. Media Folder Browser ................................................................................................. 23
2-15. Installation Media Dialog Box - For Diskettes ............................................................. 24
2-16. Finished Installation .................................................................................................... 24
2-17. Example of Installation Log ......................................................................................... 25
3-1. Directory Structure Used with ICC or the Foxboro Evo Control Editors .................... 44
3-2. Sequence Code Referencing Include Files Contained in a Directory Structure ............ 45
3-3. Sequence Code Referencing IACC Text Objects ......................................................... 46
3-4. Sequence Code Referencing IACC Text Editor ........................................................... 47
3-5. Sequence Code Referencing Carriage Return, Line Feed, Tab ..................................... 48
3-6. Sequence Code Referencing Single Quote Concern .................................................... 49
4-1. User Account Control for IASeries.SecureSetup.exe .................................................... 55
4-2. Schneider-Electric Control Core Services Installation on On-Control Network PDC ............................................................................................................. 56
4-3. Load Committed Configuration Install Files ............................................................... 57
4-4. Installation Media Folder Browser ............................................................................... 58
4-5. Mesh Configurator Dialog Box (For Certain NIC Cards) ........................................... 59
4-6. PDC Option Selection ................................................................................................ 59
4-7. Select One or More SDC Names From List and Click Set .......................................... 60
4-8. Server Platform Setup Dialog Box ............................................................................... 61
4-9. Active Directory Message ............................................................................................ 62
4-10. Active Directory Installation via DOS Window .......................................................... 62
4-11. Promoting to Primary Domain Controller via DOS Window ..................................... 63
4-12. Restart Window .......................................................................................................... 63
4-13. Setting Up the Platform for an Enterprise Edition Control Core Services Installation ... 64
4-14. Active Directory Verification Process .......................................................................... 64
4-15. Active Directory Domain Settings Applied .................................................................. 65
4-16. Command Prompt Showing Completion of Active Directory Configuration on PDC ........................................................................................................................... 65
4-17. CCS Secure User Accounts Dialog Box ....................................................................... 66
4-18. Schneider Electric CCS Software Install: Workstation Reboot Request Dialog Box .... 67
4-19. You’re About to be Signed Out Screen ........................................................................ 67


4-20. InstallShield Wizard Completed .................................................................................. 69


4-21. Reboot or Logoff Requested ........................................................................................ 70
4-22. Installation Media Dialog Box ..................................................................................... 70
4-23. Media Folder Browser ................................................................................................. 71
4-24. Installation Media Dialog Box - For Diskettes ............................................................. 72
4-25. Using and Exiting ntdsutil.exe .................................................................................... 74
4-26. Creating Users via Active Directory Users and Computers .......................................... 75
4-27. New Object - User ...................................................................................................... 76
4-28. New Object - User - Password Updates ....................................................................... 77
4-29. New Object - User - Finish ......................................................................................... 77
4-30. Opening the New User Properties Dialog Box ............................................................ 78
4-31. New User Properties Dialog Box ................................................................................. 79
4-32. Select Groups .............................................................................................................. 80
4-33. Multiple Names Found Dialog Box ............................................................................ 80
4-34. Closing Select Groups Dialog Box .............................................................................. 81
4-35. Closing Properties Dialog Box .................................................................................... 81
4-36. Selecting to Install a Domain Controller ..................................................................... 88
4-37. Load Committed Configuration Install Files ............................................................... 89
4-38. Installation Media Folder Browser ............................................................................... 90
4-39. Mesh Configurator Dialog Box (For Certain NIC Cards) ........................................... 91
4-40. PDC Can Be Pinged From This Server ....................................................................... 91
4-41. Server Platform Setup Dialog Box (SDC) .................................................................... 92
4-42. Server Platform Setup Dialog Box (SDC) - Authorize ................................................. 92
4-43. Resetting UTC Date ................................................................................................... 93
4-44. Unable to Determine Local Time on the PDC ............................................................ 93
4-45. Join Client to Domain Rights Verified ........................................................................ 94
4-46. Server Platform Setup Dialog Box (Second SDC) ....................................................... 94
4-47. Confirm Domain Name Pingable ............................................................................... 95
4-48. Verify Host Domain - Connect ................................................................................... 95
4-49. Schneider Electric CCS Software Install: Workstation Reboot Request Dialog Box .... 96
4-50. You’re About to be Signed Out Screen ........................................................................ 96
4-51. Server Platform Setup Dialog Box (PDC Account Information) ................................. 97
4-52. Join Client to Domain Rights Verified ........................................................................ 97
4-53. Server Platform Setup Dialog Box (Verify Domain Name and Site Name Fields) ....... 98
4-54. Verify Site Name with Command Prompt .................................................................. 98
4-55. CCS Installation Dialog Box When Site and/or Domain Names Are Incorrect ........... 99
4-56. System Message for Domain Name Check .................................................................. 99
4-57. PDC’s Fully Qualified Domain Name Pingable ........................................................ 100
4-58. Active Directory Domain Services Install .................................................................. 101
4-59. Active Directory Installation via DOS Window ........................................................ 101
4-60. Windows PowerShell Credential Request .................................................................. 102
4-61. Assigning Role of Secondary Domain Controller via DOS Window ......................... 102
4-62. Promotion to Domain Controller System Message .................................................... 103
4-63. Setting Up the Platform for an Enterprise Edition Control Core Services Installation . 103
4-64. Promoting to SDC Role ............................................................................................ 104
4-65. DOS Window Showing Completion of Active Directory Configuration on SDC ..... 104
4-66. InstallShield Wizard for Foxboro Evo Control Core Services .................................... 105
4-67. Installation Media Dialog Box ................................................................................... 105


4-68. Media Folder Browser ............................................................................................... 106


4-69. Installation Media Dialog Box - For Diskettes ........................................................... 107
4-70. Installation Completion ............................................................................................ 107
4-71. Example of Installation Log ....................................................................................... 108
4-72. Setting the Restore Mode Password via ntdsutil.exe .................................................. 109
4-73. Using and Exiting ntdsutil.exe .................................................................................. 110
5-1. Static IPv4 Assignment to PDC Off Control Network Adapter ................................ 115
5-2. User Account Control ............................................................................................... 116
5-3. Selecting to Install a Domain Controller on an Off-Control Network Domain ......... 117
5-4. Load Committed Configuration Install Files ............................................................. 118
5-5. Installation Media Folder Browser ............................................................................. 119
5-6. Server Platform Setup ................................................................................................ 120
5-7. Collecting SDC Station Information ......................................................................... 120
5-8. CCS Installation System Message Dialog Box ........................................................... 121
5-9. Enter Domain Information For Active Directory Setup ............................................ 122
5-10. Active Directory Domain Name System Message ...................................................... 123
5-11. Active Directory Service Installation .......................................................................... 124
5-12. Active Directory Installation via DOS Window ........................................................ 124
5-13. Promoting to Primary Domain Controller via DOS Window ................................... 125
5-14. You’re About to be Signed Out Screen ...................................................................... 125
5-15. Setting up the Platform for an Enterprise Edition Control Core Services Installation .. 126
5-16. Active Directory Verification Process ........................................................................ 126
5-17. Active Directory Domain Settings Applied ................................................................ 127
5-18. Active Directory Configuration Complete ................................................................. 127
5-19. CCS Secure User Accounts Dialog Box ..................................................................... 128
5-20. Workstation Reboot Request Dialog Box .................................................................. 129
5-21. You’re About to be Signed Out Screen ...................................................................... 129
5-22. Setting the Restore Mode Password via ntdsutil.exe .................................................. 131
5-23. Using and Exiting ntdsutil.exe .................................................................................. 131
5-24. Creating Users via Active Directory Users and Computers ........................................ 132
5-25. New Object - User .................................................................................................... 133
5-26. New Object - User - Password Updates ..................................................................... 134
5-27. New Object - User - Finish ....................................................................................... 134
5-28. Opening the New User Properties Dialog Box .......................................................... 135
5-29. New User Properties Dialog Box ............................................................................... 136
5-30. Select Groups ............................................................................................................ 137
5-31. Multiple Names Found Dialog Box .......................................................................... 137
5-32. Closing Select Groups Dialog Box ............................................................................ 138
5-33. Closing Properties Dialog Box .................................................................................. 138
5-34. Static IPv4 Assignment to SDC Off Control Network Adapter ................................. 143
5-35. PDC Pingable from SDC Using the Off-Control Network Static IP Address ........... 144
5-36. UAC Prompt ............................................................................................................ 144
5-37. Selecting to Install a Domain Controller ................................................................... 145
5-38. Load Committed Configuration Install Files ............................................................. 146
5-39. Installation Media Folder Browser ............................................................................. 147
5-40. PDC Pingable with Off-Control Network Static IP Address ..................................... 147
5-41. Server Platform Setup ................................................................................................ 148
5-42. Server Platform Setup Dialog Box (SDC) - Authorize ............................................... 148


5-43. Resetting UTC Date ................................................................................................. 149


5-44. Unable to Determine Local Time on the PDC .......................................................... 149
5-45. Join Client to Domain Rights Verified ...................................................................... 150
5-46. Add Off-Mesh Option from Drop-Down List .......................................................... 150
5-47. Adding Additional Off-Mesh IPs for Other SDCs .................................................... 150
5-48. Setting Off-Mesh IPs for SDCs ................................................................................. 150
5-49. Server Platform Setup Dialog Box (Second SDC) ..................................................... 151
5-50. Confirm Domain Name Pingable ............................................................................. 152
5-51. Verify Domain Name Before Connect ...................................................................... 152
5-52. Schneider Electric CCS Software Install: Workstation Reboot Request Dialog Box .. 153
5-53. Workstation Sign Out Dialog Box ............................................................................ 153
5-54. Server Platform Setup (Authorize) ............................................................................. 154
5-55. Join Client to Domain Rights Verified ...................................................................... 154
5-56. Server Platform Setup (Prepare) ................................................................................ 155
5-57. Verify Site Name with Command Prompt ................................................................ 156
5-58. Domain Name or Site Name Mismatch .................................................................... 156
5-59. System Message for Domain Name Check ................................................................ 157
5-60. PDC’s Fully Qualified Domain Name Pingable ........................................................ 157
5-61. Active Directory Domain Services Install .................................................................. 158
5-62. Active Directory Installation via DOS Window ........................................................ 158
5-63. User Credential for Prompting to SDC ..................................................................... 159
5-64. Assigning Role of Secondary Domain Controller via DOS Window ......................... 159
5-65. Promote to Domain Controller Window Showing Detected Errors That Can Be Ignored ................................................................................................ 160
5-66. Promotion to Domain Controller System Message .................................................... 160
5-67. You’re About to be Signed Out Screen ...................................................................... 161
5-68. Setting Up the Platform for an Enterprise Edition Control Core Services Installation ................................................................................................................ 161
5-69. Active Directory Verification Process Attempting to Make Active Directory Functional ................................................................................................. 162
5-70. Active Directory Domain Settings Applied ................................................................ 162
5-71. DOS Window Showing Completion of AD Configuration on SDC ......................... 162
5-72. Ready to Click Done Button ..................................................................................... 163
5-73. Using and Exiting ntdsutil.exe .................................................................................. 164
5-74. Selecting IA Computers -> New -> Computer .......................................................... 165
5-75. New Object - Computer ........................................................................................... 166
5-76. Selecting Pre-8.8 IA Computers -> New -> Computer .............................................. 166
6-1. Selecting to Install a Domain Controller on an Off-Control Network Domain ......... 172
6-2. Load Committed Configuration Install Files ............................................................. 173
6-3. Installation Media Folder Browser ............................................................................. 174
6-4. Server Platform Setup ................................................................................................ 176
6-5. Active Directory Verification Process ........................................................................ 177
6-6. Active Directory Domain Settings Applied ................................................................ 177
6-7. Active Directory Configuration Complete ................................................................. 177
6-8. CCS Secure User Accounts Dialog Box ..................................................................... 178
6-9. Workstation Reboot Request Dialog ......................................................................... 179
6-10. Operating System Reboot Dialog .............................................................................. 179
6-11. Creating Users via Active Directory Users and Computers ........................................ 180


6-12. New Object - User .................................................................................................... 181


6-13. New Object - User - Password Updates ..................................................................... 182
6-14. New Object - User - Finish ....................................................................................... 182
6-15. Opening the New User Properties Dialog Box .......................................................... 183
6-16. New User Properties Dialog Box ............................................................................... 184
6-17. Select Groups ............................................................................................................ 185
6-18. Multiple Names Found Dialog Box .......................................................................... 185
6-19. Closing Select Groups Dialog Box ............................................................................ 186
6-20. Closing Properties Dialog Box .................................................................................. 186
6-21. Selecting IA Computers -> New -> Computer .......................................................... 187
6-22. New Object - Computer ........................................................................................... 188
6-23. Selecting Pre-8.8 IA Computers -> New -> Computer .............................................. 188
7-1. Active Directory Users and Computers Console (Administrator Account) ................ 195
7-2. IADomainAdmin Properties Dialog Box ................................................................... 196
7-3. Adding User to Groups ............................................................................................. 197
7-4. Active Directory Users and Computers Console (Administrator Account) ................ 198
7-5. Linking Order of GPOs for the Accounts OU .......................................................... 199
7-6. User Account Control for IASeries.SecureSetup.exe .................................................. 203
7-7. Selecting to Install a Domain Controller On-Control Network ................................ 204
7-8. I/A Series Installation Message Dialog Box ................................................................ 205
7-9. Load Committed Configuration Install Files ............................................................. 205
7-10. Installation Media Folder Browser ............................................................................. 206
7-11. Mesh Configurator Dialog Box (For Certain NIC Cards) ......................................... 207
7-12. Server Platform Setup Dialog Box ............................................................................. 208
7-13. Source 2008 PDC Pingable from Target 2016 Machine ........................................... 209
7-14. Schneider Electric CCS Software Installation Dialog Box - Date Message ................. 209
7-15. Unable to Determine Local Time on the PDC .......................................................... 210
7-16. Join Rights Verification ............................................................................................. 210
7-17. Server Platform Setup (For Second SDC) ................................................................. 211
7-18. Schneider Electric CCS Install: Workstation Reboot Request Dialog Box ................. 212
7-19. You’re About to be Signed Out Screen ...................................................................... 212
7-20. Server Platform Setup (On-Control Network) Continued ........................................ 213
7-21. Join Rights Verification ............................................................................................. 213
7-22. Server Platform Setup (On-Control Network) Continued - Part 2 ............................ 214
7-23. Verify Site Name with Command Prompt ................................................................ 215
7-24. Invalid Domain Name Dialog ................................................................................... 215
7-25. Active Directory Message .......................................................................................... 216
7-26. Active Directory Installation via a Command Prompt ............................................... 216
7-27. Assigning Role of Secondary Domain Controller via Command Prompt .................. 217
7-28. Message Regarding Physical Adapters via Command Prompt .................................... 217
7-29. Promote to Domain Controller Window Showing Messages ..................................... 218
7-30. Promotion to Domain Controller System Message .................................................... 218
7-31. Verifying the Health of the Existing Active Directory System ................................... 219
7-32. Active Directory Verification Process ........................................................................ 220
7-33. DC Health Check Status ........................................................................................... 220
7-34. CCS Installation Dialog Box - Message for DC Health Log File ............................... 221
7-35. Verifying the Health of the Existing Active Directory System (Detected Errors Found) ..... 222

7-36. CCS Installation Dialog Box - Detected Errors in DC Health Log File ..................... 223
7-37. Setting Up the Platform for an Enterprise Edition Control Core Services Installation ..... 223
7-38. Active Directory Verification Process ........................................................................ 224
7-39. Active Directory Configuration In Progress ............................................................... 224
7-40. Active Directory Configuration Requesting Domain Admin Credentials .................. 225
7-41. Active Directory Configuration Completed .............................................................. 225
7-42. Installation Windows Depicting Progress Of Installation Until Completion ............. 226
7-43. Installation Media Dialog Boxes ................................................................................ 227
7-44. Media Folder Browser ............................................................................................... 227
7-45. Installation Media Dialog Box - For Diskettes ........................................................... 228
7-46. Selecting FoxInt NDIS Intermediate Miniport Driver .............................................. 229
7-47. Adapter Properties Dialog Box .................................................................................. 230
7-48. Internet Protocol (TCP/IP) Properties Dialog Box .................................................... 231
7-49. Internet Protocol (TCP/IP) Properties Dialog Box .................................................... 232
8-1. Linking Order of GPOs for the Accounts OU .......................................................... 239
8-2. Active Directory Users and Computers Console (Administrator Account) ................ 240
8-3. [User] Properties Dialog Box ..................................................................................... 241
8-4. Adding User to Groups ............................................................................................. 242
8-5. Active Directory Users and Computers Console (Administrator Account) ................ 243
8-6. Internet Protocol (TCP/IP) Properties Dialog Box .................................................... 244
8-7. Advanced TCP/IP Settings Dialog Box (IP Settings) ................................................. 245
8-8. Advanced TCP/IP Settings Dialog Box (DNS) ......................................................... 246
8-9. Internet Protocol (TCP/IP) Properties Dialog Box .................................................... 247
8-10. Ipconfig Command Showing New Static IP .............................................................. 247
8-11. DNS Manager Dialog Box (Server Properties) .......................................................... 248
8-12. Server Properties Dialog Box ..................................................................................... 249
8-13. DNS Manager Dialog Box (Removing Existing Stations) .......................................... 250
8-14. Properties Context Menu .......................................................................................... 251
8-15. Name Server Tab ...................................................................................................... 252
8-16. Example DNS Entries ............................................................................................... 252
8-17. Delete Reverse Lookup Zone .................................................................................... 253
8-18. Delete Reverse Lookup Zone Confirmation .............................................................. 253
8-19. Delete Reverse Lookup Zone System Message Confirmation .................................... 254
8-20. DNS Manager Dialog Box (Reverse Lookup Zone) .................................................. 254
8-21. Welcome Window for New Reverse Lookup Zone Creation ..................................... 255
8-22. New Zone Wizard (Zone Type) ................................................................................ 256
8-23. New Zone Wizard (Active Directory Zone Replication Scope) ................................. 257
8-24. IPv4 Selection ........................................................................................................... 258
8-25. New Zone Wizard (Reverse Lookup Zone Name) ..................................................... 259
8-26. New Zone Wizard (Dynamic Update) ...................................................................... 260
8-27. New Zone Wizard (Closing) ..................................................................................... 261
8-28. DNS Manager Dialog Box (New Pointer) ................................................................. 262
8-29. New Resource Record Dialog Box ............................................................................. 263
8-30. Restart DNS Service .................................................................................................. 264
8-31. nslookup Service ....................................................................................................... 264
8-32. Static IPv4 Assignment to PDC Off-Control Network Adapter ................................ 267
8-33. Verify Newly Assigned IP Address ............................................................................. 267

8-34. Verify Source 2008 PDC Pingable from Target PDC ............................................... 268
8-35. ................................................................................................................................. 268
8-36. Selecting to Install a Domain Controller Off-Control Network ................................ 269
8-37. I/A Series Installation Dialog Box - Message ............................................................. 269
8-38. Load Committed Configuration Install Files ............................................................. 270
8-39. The browser for the folder containing the committed configuration install files opens, as shown in Figure 8-39. If the installation media with your Commit files is on the server’s hard drive or a network, browse to the location of the media and click Select Folder. ..... 270
8-40. Server Platform Setup (Off-Control Network) .......................................................... 271
8-41. Schneider Electric CCS Software Installation Dialog Box - Date System Message ..... 272
8-42. Unable to Determine Local Time on the PDC .......................................................... 272
8-43. Join Rights Verified ................................................................................................... 273
8-44. Add Off-Mesh Option .............................................................................................. 273
8-45. Add Additional Off-Mesh IPs ................................................................................... 273
8-46. Set the Off-Mesh IDs ................................................................................................ 273
8-47. Server Platform Setup (For Second SDC) ................................................................. 274
8-48. Verify Domain Name and Connect .......................................................................... 275
8-49. Schneider Electric CCS Install: Workstation Reboot Request Dialog Box ................. 275
8-50. You’re About to be Signed Out Screen ...................................................................... 275
8-51. Server Platform Setup (Off-Control Network) Continued ........................................ 276
8-52. Join Rights Verified ................................................................................................... 276
8-53. Verify Domain and Site Names ................................................................................. 277
8-54. Verify Site Name with Command Prompt ................................................................ 277
8-55. Domain Name or Site Name Invalid Dialog ............................................................. 277
8-56. Active Directory Message .......................................................................................... 278
8-57. Load Active Directory Domain Services .................................................................... 278
8-58. Active Directory Installation via Command Prompt ................................................. 279
8-59. Assigning Role of Secondary Domain Controller via Command Prompt .................. 279
8-60. Promote to Domain Controller Process ..................................................................... 280
8-61. Promotion to Domain Controller System Message .................................................... 280
8-62. Verifying the Health of the Existing Active Directory System ................................... 281
8-63. Active Directory Verification Process ....................................................................... 282
8-64. DC Health Check Status ........................................................................................... 282
8-65. CCS Installation Dialog Box - Message for DC Health Log File ............................... 283
8-66. Verifying the Health of the Existing Active Directory System (Detected Errors Found) ..... 284
8-67. CCS Installation Dialog Box - Detected Errors in DC Health Log File ..................... 285
8-68. Setting Up the Platform for an Enterprise Edition Control Core Services Installation ..... 285
8-69. Active Directory Verification Process ........................................................................ 286
8-70. Active Directory Configuration in Progress ............................................................... 286
8-71. Active Directory Configuration Complete ................................................................. 286
8-72. Internet Protocol (TCP/IP) Properties - Removing On-Control Network DNS Entries ..... 288
8-73. Internet Protocol (TCP/IP) Properties - Setting for Off-Control Network Network Interface Card ..... 289
8-74. Selecting IA Computers -> New -> Computer .......................................................... 290
8-75. New Object - Computer ........................................................................................... 291
8-76. Selecting Pre-8.8 IA Computers -> New -> Computer .............................................. 291

9-1. Linking Order of GPOs for the Accounts OU .......................................................... 298
9-2. Active Directory Users and Computers Console (Administrator Account) ................ 299
9-3. IADomainAdmin Properties Dialog Box ................................................................... 300
9-4. Adding User to Groups ............................................................................................. 301
9-5. Active Directory Users and Computers Console (Administrator Account) ................ 302
9-6. Static IPv4 Assignment to PDC Off-Control Network Adapter ................................ 306
9-7. Verify Newly Assigned IP Address ............................................................................. 306
9-8. Verify Source 2008 PDC Pingable from Target PDC ............................................... 307
9-9. LGPO Policies System Message ................................................................................ 307
9-10. User Account Control Dialog Box ............................................................................ 308
9-11. Selecting to Install a Domain Controller On-Control Network ................................ 309
9-12. Control Core Services Installation Message Dialog Box ............................................. 309
9-13. Load Committed Configuration Install Files ............................................................. 310
9-14. Installation Media Folder Browser ............................................................................. 311
9-15. Mesh Configurator Dialog Box (For Certain NIC Cards) ......................................... 312
9-16. Server Platform Setup Dialog Box ............................................................................. 313
9-17. Schneider Electric CCS Software Installation Dialog Box - Date Message ................. 314
9-18. Unable to Determine Local Time on the PDC .......................................................... 314
9-19. Join Rights Verified ................................................................................................... 315
9-20. Add Off-Mesh Option .............................................................................................. 315
9-21. Add Additional Off-Mesh IPs ................................................................................... 315
9-22. Set the Off-Mesh IDs ................................................................................................ 315
9-23. Server Platform Setup (For Second SDC) ................................................................. 316
9-24. Verify Domain Name and Connect .......................................................................... 316
9-25. Schneider Electric CCS Install: Workstation Reboot Request Dialog Box ................. 317
9-26. Workstation Reboot Dialog Box ............................................................................... 317
9-27. Server Platform Setup (On-Control Network) Continued Reauthorization ............... 318
9-28. Join Rights Verified ................................................................................................... 318
9-29. Verify Domain and Site Names and Click Prepare .................................................... 319
9-30. Verify Site Name with Command Prompt ................................................................ 319
9-31. Domain Name or Site Name Invalid Dialog ............................................................. 319
9-32. Active Directory Message .......................................................................................... 320
9-33. Load Active Directory Domain Services .................................................................... 321
9-34. Active Directory Installation via a Command Prompt ............................................... 321
9-35. Promote to Domain Controller Authentication Window .......................................... 322
9-36. Promote to Domain Controller Process ..................................................................... 322
9-37. Promotion to Domain Controller System Message .................................................... 323
9-38. Verifying the Health of the Existing Active Directory System ................................... 324
9-39. Active Directory Verification Process ........................................................................ 325
9-40. DC Health Check Status ........................................................................................... 325
9-41. CCS Installation Dialog Box - Message for DC Health Log File ............................... 326
9-42. Verifying the Health of the Existing Active Directory System (Detected Errors Found) ..... 327
9-43. CCS Installation Dialog Box - Detected Errors in DC Health Log File ..................... 328
9-44. Setting Up the Platform for an Enterprise Edition Control Core Services Installation ..... 328
9-45. Active Directory Verification Process ........................................................................ 329
9-46. Active Directory Configuration in Progress ............................................................... 329
9-47. Enter Domain Administrator Credentials Dialog ...................................................... 329

9-48. Active Directory Configuration Complete ................................................................. 330
9-49. Progress of Installation Until Completion ................................................................. 331
9-50. Installation Media Dialog Box .................................................................................. 332
9-51. Media Folder Browser ............................................................................................... 333
9-52. Installation Media Dialog Box for Diskettes .............................................................. 334
9-53. Adapter Properties Dialog Box .................................................................................. 336
9-54. Internet Protocol (TCP/IP) Properties Dialog Box .................................................... 337
9-55. DNS Console IP Addresses ....................................................................................... 338
9-56. Reverse Lookup Zones for Off-/On-Control Networks ............................................. 339
9-57. Name Server Record in DNS .................................................................................... 339
9-58. Name Server Record Representing Off-Control Network ......................................... 340
9-59. DNS Records Pointing to Off-Control Network IP Addresses .................................. 341
10-1. Linking Order of GPOs for the Accounts OU .......................................................... 346
10-2. Active Directory Users and Computers Console (Administrator Account) ................ 347
10-3. IADomainAdmin Properties Dialog Box ................................................................... 348
10-4. Adding User to Groups ............................................................................................. 349
10-5. Active Directory Users and Computers Console (Administrator Account) ................ 350
10-6. Static IPv4 Assignment to PDC Off-Control Network Adapter ................................ 353
10-7. Verify Newly Assigned IP Address ............................................................................. 354
10-8. Verify Source 2008 PDC Pingable from Target PDC ............................................... 354
10-9. User Account Control Dialog Box ............................................................................ 355
10-10. Selecting to Install a Domain Controller Off-Control Network ................................ 356
10-11. CCS Installation Dialog Box - Message ..................................................................... 357
10-12. Load Committed Configuration Install Files ............................................................. 357
10-13. Installation Media Folder Browser ............................................................................. 358
10-14. Server Platform Setup (Off-Control Network) .......................................................... 359
10-15. Schneider Electric CCS Software Installation Dialog Box - Date System Message ..... 360
10-16. Unable to Determine Local Time on the PDC .......................................................... 360
10-17. Join Rights Verified ................................................................................................... 361
10-18. Add Off-Mesh Option .............................................................................................. 361
10-19. Add Additional Off-Mesh IDs .................................................................................. 361
10-20. Set the Off-Mesh IDs ................................................................................................ 361
10-21. Server Platform Setup (For Second SDC) ................................................................. 362
10-22. Verify Domain Name and Connect .......................................................................... 362
10-23. Schneider Electric CCS Install: Workstation Reboot Request Dialog Box ................. 363
10-24. You’re About to be Signed Out Screen ...................................................................... 363
10-25. Server Platform Setup (Off-Control Network) Continued - Re-Authorization .......... 364
10-26. Join Rights Verified ................................................................................................... 364
10-27. Verify Site Name with Command Prompt ................................................................ 365
10-28. Domain Name or Site Name Invalid Dialog ............................................................. 365
10-29. Active Directory Message .......................................................................................... 366
10-30. Load Active Directory Domain Services .................................................................... 367
10-31. Active Directory Installation via Command Prompt ................................................. 367
10-32. Promote to DC Authentication Window .................................................................. 368
10-33. Promote to Domain Controller Process ..................................................................... 368
10-34. Promotion to Domain Controller System Message .................................................... 369
10-35. Verifying the Health of the Existing Active Directory System ................................... 370
10-36. Active Directory Verification Process ........................................................................ 371

10-37. DC Health Check Status ........................................................................................... 371
10-38. CCS Installation Dialog Box - Message for DC Health Log File ............................... 372
10-39. Verifying the Health of the Existing Active Directory System (Detected Errors Found) ..... 373
10-40. CCS Installation Dialog Box - Detected Errors in DC Health Log File ..................... 374
10-41. Setting Up the Platform for an Enterprise Edition Control Core Services Installation ..... 374
10-42. Active Directory Verification Process ........................................................................ 375
10-43. Active Directory Configuration in Progress ............................................................... 375
10-44. Active Directory Configuration Complete ................................................................. 375
10-45. Setting Up Platform for CCS Installation Screen with Done Button Enabled ........... 376
10-46. Adapter Properties Dialog Box .................................................................................. 378
10-47. Internet Protocol (TCP/IP) Properties Dialog Box .................................................... 379
11-1. Linking Order of GPOs for the Accounts OU .......................................................... 383
12-1. UAC Prompt for IASeries.SecureSetup.exe ............................................................... 389
12-2. Selecting to Install an Active Directory Client ........................................................... 390
12-3. Load Committed Configuration Install Files ............................................................. 391
12-4. Installation Media Folder Browser ............................................................................. 392
12-5. I/A Series Network Installation Dialog Box (For Certain NIC Cards) ....................... 393
12-6. Network Connections - Local Area Connection vs. NIC Adapter Device Number ... 394
12-7. Configure User Accounts .......................................................................................... 395
12-8. PDC Pingable with On-Control Network Static IP Address ..................................... 396
12-9. Ready to Connect This Workstation to the CCS Domain ........................................ 397
12-10. Resetting UTC Date ................................................................................................. 398
12-11. Unable to Determine Local Time .............................................................................. 398
12-12. Select SDCs from List ............................................................................................... 399
12-13. PDC Pingable with On-Control Network Static IP Address ..................................... 400
12-14. nslookup Command ................................................................................................. 400
12-15. Domain Name Pingable ............................................................................................ 401
12-16. Click Connect Button ............................................................................................... 401
12-17. Schneider Electric CCS Install: Workstation Reboot Request Dialog Box ................. 401
12-18. You Are About To Be Logged Off Dialog Box .......................................................... 402
12-19. InstallShield Wizard for Foxboro Evo Control Core Services .................................... 402
12-20. Reboot or Logoff Requested ...................................................................................... 403
12-21. Installation Media Dialog Box ................................................................................... 404
12-22. Media Folder Browser ............................................................................................... 404
12-23. Installation Media Dialog Box - For Diskettes ........................................................... 405
12-24. Example of Installation Log ....................................................................................... 406
12-25. UAC Prompt for IASeries.SecureSetup.exe ............................................................... 408
12-26. Selecting to Install a Client in an Enterprise Edition System ..................................... 409
12-27. Load Committed Configuration Install Files Dialog Box .......................................... 410
12-28. Installation Media Folder Browser ............................................................................. 411
12-29. Load Committed Configuration Install Files Dialog Box - Bind ............................... 412
12-30. Load Committed Configuration Install Files Dialog Box - Detected Error Message if Selected IP Address is Already In Use ..... 413
12-31. DC Network Installation (For Certain NIC Cards) .................................................. 414
12-32. Network Connections - Local Area Connection vs. NIC Adapter Device Number ... 415
12-33. I/A Series Network Installation (For Certain NIC Cards) ......................................... 415
12-34. Configure Password for Account1 User ..................................................................... 416

12-35. PDC Pingable from Client Using Off-Control Network Static IP Address ............... 417
12-36. Ready to Connect This Workstation to the Control Core Services Domain Dialog Box ..... 418
12-37. Resetting UTC Date ................................................................................................. 419
12-38. Unable to Determine Local Time .............................................................................. 419
12-39. Add Off-Mesh SDC During Client Install ................................................................ 420
12-40. Add SDC IP Addresses .............................................................................................. 420
12-41. Set Button Clicked .................................................................................................... 420
12-42. PDC Pingable with Off-Control Network Static IP Address ..................................... 421
12-43. nslookup Command ................................................................................................. 421
12-44. Domain Name Pingable ............................................................................................ 422
12-45. Select a Host Domain for this Workstation and Click Connect Area ........................ 423
12-46. Workstation Reboot Request .................................................................................... 423
12-47. You Are About To Be Logged Off Dialog Box .......................................................... 424
12-48. Welcome to the InstallShield Wizard for Foxboro Evo Control Core Services ........... 424
12-49. Rest of the Installation Process .................................................................................. 425
12-50. Installation Media Dialog Box ................................................................................... 426
12-51. Media Folder Browser ............................................................................................... 426
12-52. Installation Media Dialog Box - For Diskettes ........................................................... 427
12-53. Setting Internet Protocol Version 4 (TCP/IPv4) Properties ....................................... 428
12-54. Example of Installation Log ....................................................................................... 429
12-55. Internet Protocol (TCP/IP) Properties Dialog Box - Off-Control Network NIC Card ..... 431
12-56. Adding Pre-Existing Domain Client (I/A Series Software v8.5) to Active Directory .. 432
12-57. Domain Client Installation – Ready to Connect ....................................................... 433
12-58. Connecting to the Control Core Services/I/A Series Domain .................................... 434
12-59. Unable To Determine Local Time ............................................................................ 434
13-1. I/A Series Reconcile Media Utility ............................................................................ 438
13-2. Get SE Stations ......................................................................................................... 439
13-3. Select the Location Where You Want Your Reconcile Files Saved ............................. 440
13-4. Try Another Diskette Message .................................................................................. 440
13-5. Disable Control Core Services Drivers and Services ................................................... 441
13-6. Control Core Services Software Installation Dialog Box ............................................ 442
13-7. Perform a Day 1 Operation on the Foxboro Evo workstation ................................... 443
13-8. Ready to Install on the Foxboro Evo Workstation ..................................................... 444
13-9. Example of Installation Log ....................................................................................... 445
13-10. Disable Control Core Services Drivers and Services ................................................... 446
13-11. Control Core Services Software Installation Dialog Box ............................................ 447
13-12. Perform a Repair Operation on the Foxboro Evo Workstation .................................. 448
13-13. Foxboro Evo Control Core Services Installshield Wizard .......................................... 449
13-14. Example of Installation Log ....................................................................................... 450
14-1. Linking Order of GPOs for the Accounts OU .......................................................... 454
14-2. User Account Control for Command Prompt in Administrator Mode ...................... 454
14-3. Active Directory Verification Process ........................................................................ 457
14-4. Administrator: Update 2008 AD Command Prompt ................................................ 457
15-1. Linking Order of GPOs for the Accounts OU .......................................................... 460
15-2. User Account Control for Command Prompt in Administrator Mode ...................... 461
15-3. Active Directory Verification Process ........................................................................ 461


15-4. Administrator: Update 2016 AD Command Prompt ................................................ 462


B-1. Computer Name Tab in the System Properties Dialog Box ....................................... 472
B-2. Computer Name Changes Dialog Box ...................................................................... 473
B-3. Restarting Your Computer To Apply Changes .......................................................... 474
C-1. Transferring FSMO Roles ......................................................................................... 476
C-2. Active Directory Users and Computers - IADomainAdmin ...................................... 477
C-3. IADomainAdmin Properties Dialog Box ................................................................... 478
C-4. Select groups Dialog Box ........................................................................................... 479
C-5. Active Directory Users and Computers - Connect to Domain Controller ................. 479
C-6. Connect to Domain Controller Dialog Box .............................................................. 480
C-7. Active Directory Users and Computers - Set Operations Masters .............................. 481
C-8. Operations Master Dialog Box .................................................................................. 482
C-9. Operations Master - Confirm Transfer ...................................................................... 482
C-10. Operations Master - Confirm Change ....................................................................... 483
C-11. Active Directory Domains and Trusts - Connect to Domain Controller ................... 483
C-12. Active Directory Domains and Trusts - Selecting Domain Controller to Become
The New PDC .......................................................................................................... 484
C-13. Active Directory Domains and Trusts - Set Operations Masters ................................ 485
C-14. Change Operations Master ........................................................................................ 485
C-15. Active Directory Domains and Trusts - Confirm Yes ................................................ 486
C-16. Active Directory Domains and Trusts - Confirm OK ............................................... 486
C-17. Command Prompt - regsvr32 schmmgmt.dll ............................................................ 487
C-18. Confirm Operation ................................................................................................... 487
C-19. Confirm Operation ................................................................................................... 487
C-20. Microsoft Management Console - Selecting Add/Remove Snap-In ........................... 488
C-21. Add or Remove Snap-Ins Dialog Box ........................................................................ 489
C-22. Add or Remove Snap-Ins Dialog Box ........................................................................ 490
C-23. Microsoft Management Console - Selecting Change Domain Controller .................. 491
C-24. Change Domain Controller ...................................................................................... 491
C-25. Microsoft Management Console - Selecting Operations Master ................................ 492
C-26. Change Domain Controller ...................................................................................... 492
C-27. Change Schema Master Dialog Box .......................................................................... 493
C-28. Active Directory Domains and Trusts - Confirm Yes ................................................ 493
C-29. Active Directory Domains and Trusts - Confirm OK ............................................... 493
C-30. Seizing FSMO Roles ................................................................................................. 494
C-31. Role Seizure Confirmation Dialog Box ..................................................................... 495
C-32. Role Seizure Confirmation Dialog Box ..................................................................... 495
C-33. Restoring FSMO Roles to a Primary Domain Controller That Had Its Roles Seized . 500
C-34. Invoking dcpromo /forceremoval .............................................................................. 501
C-35. Acknowledging Messages - Part 1 .............................................................................. 501
C-36. Acknowledging Messages - Part 2 .............................................................................. 502
C-37. Acknowledging Messages - Part 3 .............................................................................. 503
C-38. Active Directory Installation Wizard - Welcome ....................................................... 504
C-39. Active Directory Installation Wizard - Force Removal ............................................... 505
C-40. Active Directory Installation Wizard -Acknowledge .................................................. 505
C-41. Active Directory Installation Wizard - Administrator Password ................................. 506
C-42. Active Directory Installation Wizard - Summary ....................................................... 507
C-43. Active Directory Installation Wizard - Reading Domain Policy ................................. 508


C-44. Active Directory Installation Wizard - Completed .................................................... 508


C-45. Active Directory Installation Wizard - Restarting the Computer ............................... 509
C-46. Windows Security - Logging in IADomainAdmin .................................................... 509
C-47. Windows Security - Logging in IADomainAdmin .................................................... 510
C-48. Windows Security - Logging in IADomainAdmin .................................................... 510
C-49. Windows Security - Logging in IADomainAdmin .................................................... 510
C-50. Invoking dcpromo .................................................................................................... 511
C-51. Active Directory Installation Wizard - Welcome ....................................................... 511
C-52. Active Directory Installation Wizard - Operating System Compatibility ................... 512
C-53. Active Directory Installation Wizard - Domain Controller Type ............................... 513
C-54. Active Directory Installation Wizard - Additional Domain Controller ...................... 514
C-55. Active Directory Installation Wizard - Forest Root Domain ...................................... 515
C-56. Active Directory Installation Wizard - Site for New Domain Controller ................... 516
C-57. Active Directory Installation Wizard - Additional Domain Controller Options ........ 517
C-58. Static IP Assignment ................................................................................................. 518
C-59. Active Directory Installation Wizard - Continue ....................................................... 518
C-60. Active Directory Installation Wizard - Database and Log Folders .............................. 519
C-61. Active Directory Installation Wizard - Restore Mode Administrator Password .......... 520
C-62. Active Directory Installation Wizard - Summary ....................................................... 521
C-63. Active Directory Installation Wizard - Configuring ................................................... 522
C-64. Active Directory Installation Wizard - Finished ......................................................... 522
C-65. Restarting the Computer ........................................................................................... 523
C-66. DNS Management - Selecting Lookup Zone Properties ............................................ 523
C-67. Zone Properties Dialog Box ...................................................................................... 524
C-68. nslookup for Client Stations (NESRV5.iaseries.local) ................................................ 525
C-69. nslookup for Client Stations (NESRV4.iaseries.local) ................................................ 526
C-70. Typical NIC Settings for a Client Workstation on a System with a Primary and
One Secondary DNS Server ...................................................................................... 527
C-71. Starting the Active Directory Installation Wizard ...................................................... 528
C-72. Active Directory Installation Wizard - Welcome ....................................................... 528
C-73. Active Directory Installation Wizard - Global Catalog Provider Message .................. 529
C-74. Active Directory Installation Wizard - Remove Active Directory ............................... 529
C-75. Active Directory Installation Wizard - Administrator Password ................................. 530
C-76. Active Directory Installation Wizard - Summary ....................................................... 531
C-77. Active Directory Installation Wizard - Configuring ................................................... 532
C-78. Active Directory Installation Wizard - Restarting the Computer ............................... 532
C-79. Active Directory Sites and Services - Delete a Domain Controller Connection ......... 533
C-80. Active Directory Users and Computers - Delete Confirmation .................................. 533
C-81. Active Directory Sites and Services - Delete a Domain Controller Settings ................ 534
C-82. Active Directory Users and Computers - Delete Confirmation .................................. 534
C-83. Active Directory Users and Computers - Deleting a Domain Controller ................... 535
C-84. Active Directory Users and Computers - Delete a Server ........................................... 535
C-85. Active Directory Users and Computers - Delete Confirmation .................................. 536
C-86. Active Directory Users and Computers - Creating New Computer Account ............. 536
C-87. New Object - Computer Dialog Box ......................................................................... 537
C-88. Workstation System Properties .................................................................................. 538
C-89. Computer Name Changes Dialog Box - Workgroup ................................................. 539
C-90. Computer Name Change - Remember Local Admin Password ................................. 539


C-91. Log in IADomainAdmin ........................................................................................... 540


C-92. Computer Name Change - Welcome to the [YourName] Workgroup ...................... 540
C-93. Computer Name Change - Restart Computer ........................................................... 540
C-94. Closing System Properties Dialog Box ...................................................................... 541
C-95. Computer Name Changes Dialog Box - Domain ...................................................... 542
C-96. Windows Security Dialog Box ................................................................................... 542
C-97. Computer Name Changes Dialog Box - Welcome to the [YourName] Domain ....... 543
C-98. Computer Name Changes Dialog Box - Need to Restart To Apply Changes ............ 543
C-99. Close System Properties Dialog Box .......................................................................... 544
C-100. Computer Name Changes Dialog Box - Need to Restart To Apply Changes ............ 544
C-101. Local Area Connection Properties Dialog Box ........................................................... 545
C-102. Internet Protocol Version 4 (TCP/IP4) Properties Dialog Box .................................. 546
C-103. Advanced TCP/IP Settings Dialog Box ..................................................................... 547
C-104. Opening ADSI Edit Directory Services ..................................................................... 549
C-105. ADSI Edit Directory Services - Connect To .............................................................. 549
C-106. ADSI Edit Directory Services - Configuration ........................................................... 550
C-107. ADSI Edit Directory Services - Properties Selection .................................................. 551
C-108. Attribute Editor - Attribute Selection ........................................................................ 552
C-109. Attribute Value -- Tombstone Lifetime Period .......................................................... 552
E-1. MESH Configurator NIC Selection .......................................................................... 559
E-2. NIC Selection on Unknown Platform/BIOS ............................................................. 560
E-3. Network Connections ............................................................................................... 561
E-4. Network Connections Showing Device Names ......................................................... 561
E-5. Off-Control Network NIC Selection ........................................................................ 562
E-6. NICs on The MESH Control Network Selection ..................................................... 562
F-1. SNMP Service Properties Dialog Box ........................................................................ 566
G-1. Windows Features Dialog Box .................................................................................. 569
G-2. Server Manager ......................................................................................................... 570
G-3. Add Features Wizard ................................................................................................. 571
G-4. Confirm Installation Selections ................................................................................. 572
H-1. Windows Firewall Settings ........................................................................................ 574
H-2. Printer Properties Dialog Box .................................................................................... 575
I-1. Resultant Set of Policy Window ................................................................................ 578
I-2. Computer Configuration Properties Dialog Box ....................................................... 579
I-3. Mesh Configurator Detected Error Dialog Box ......................................................... 580
K-1. DFS Replication Event Log ....................................................................................... 583
K-2. Directory Service Event Log ...................................................................................... 584
K-3. DNS Server Event Log .............................................................................................. 584
K-4. Active Directory Web Services Event Log ................................................................. 585
K-5. DCHealthCheck Log - DNS Tests Passed ................................................................ 585
K-6. DCHealthCheck Log - Consistency Checks Successful ............................................. 586
K-7. DCHealthCheck Log - Replication From Inbound Neighbors in the
Topology Is Successful .............................................................................................. 586
K-8. DCHealthCheck Log - No Detected Errors for Replication Summary ...................... 587
K-9. UserAccountControl Set to 532512 Instead Of Default 532480 ............................... 588
K-10. Empty Hosts File ...................................................................................................... 590
K-11. Active Directory Users and Computers - Delete Computer ....................................... 595
K-12. Active Directory Users and Computers - Delete Computer - Part 2 .......................... 596


L-1. Opening gpmc.msc ................................................................................................... 599


L-2. Invensys IA Computers v1.0 Policy ........................................................................... 600
L-3. Selecting Edit ............................................................................................................ 601
L-4. Navigating to Public Key Policies .............................................................................. 602
L-5. Selecting Certificate Path Validation Settings ............................................................ 603
L-6. Invoking the Properties Window ............................................................................... 603
O-1. Empty GPO Settings Tab ......................................................................................... 614
P-1. Linked Group Policy Objects - Foxboro Supplied GPO
Relative Linking Order .............................................................................................. 618
P-2. Linked Group Policy Objects - CustomGPO - Link Order 1 .................................... 619
P-3. Linked Group Policy Objects - CustomGPO - Link Order 7 .................................... 619
P-4. Linked Group Policy Objects - CustomGPO - Link Order 3 .................................... 620
P-5. Linked Group Policy Objects - CustomGPO - Link Order 3 .................................... 620
P-6. Linked Group Policy Objects - CustomGPO - Link Order 1 through 6 ................... 621
P-7. Linked Group Policy Objects - Foxboro Supplied GPOs -
Link Order 1 thru 4, and Link Order 13 and 14 ....................................................... 621
P-8. Linked Group Policy Objects - Previous Custom GPO Link Order
Re-ordered Properly .................................................................................................. 622

Tables
1-1. Platforms Supporting Control Core Services v9.4 ......................................................... 3
1-2. Foxboro Evo Control Core Services v9.4 Platform Specific Media Kit .......................... 7
1-3. Foxboro Evo Control Core Services v9.4 Platform Specific Upgrade Kits ..................... 7
3-1. Domain Controller Installation/Migration Scenarios for
Control Core Services v9.4 .......................................................................................... 29
3-2. General Migration Considerations .............................................................................. 38
3-3. HLBL Migration Considerations ................................................................................ 38
3-4. SFC Migration Considerations .................................................................................... 39
16-1. WinSizPos Parameters ............................................................................................... 465

Safety Information
Important Information
Read these instructions carefully and look at the equipment to
become familiar with the device before trying to install, operate,
service, or maintain it. The following special messages may appear
throughout this manual or on the equipment to warn of potential
hazards or to call attention to information that clarifies or simplifies
a procedure.

The addition of either symbol to a "Danger" or "Warning" safety label
indicates that an electrical hazard exists which will result in personal
injury if the instructions are not followed.

This is the safety alert symbol. It is used to alert you to potential
personal injury hazards. Obey all safety messages that follow this
symbol to avoid possible injury or death.

DANGER
DANGER indicates a hazardous situation which, if not avoided, will
result in death or serious injury.

WARNING
WARNING indicates a hazardous situation which, if not avoided, could
result in death or serious injury.

CAUTION
CAUTION indicates a hazardous situation which, if not avoided, could
result in minor or moderate injury.

NOTICE
NOTICE is used to address practices not related to physical injury.

Please Note
Electrical equipment should be installed, operated, serviced, and
maintained only by qualified personnel. No responsibility is assumed by
Schneider Electric for any consequences arising out of the use of this
material.

A qualified person is one who has skills and knowledge related to the
construction, installation, and operation of electrical equipment and has
received safety training to recognize and avoid the hazards involved.
Preface

Purpose
The purpose of this document is to describe installation of the Foxboro Evo™ Control Core
Services v9.4 (hereinafter referred to as the Control Core Services) on supported Windows
workstations and servers. Control Core Services software is not supported on Solaris stations.
Control Core Services v9.4 is a Day 0 installation. It delivers optional enhanced cyber security
features for the Foxboro Evo system that facilitate meeting client and government specifications,
for example, North American Electric Reliability Corporation (NERC) standards.
During a Day 0 software installation, you will have the option of installing either the Enterprise
Edition Control Core Services v9.4, which needs Microsoft Active Directory® network services,
or the Local Edition Control Core Services v9.4. Depending on your environment, you may not be
able to take advantage of Enterprise Edition Control Core Services v9.4, for example, if you need
to allow an older third-party application to run that has not been rewritten to work in the
Enterprise environment.

Revision Information
For this release of this document (B0700SX, Rev. F), these changes were made:
Chapter 4 “Enterprise Edition Control Core Services v9.4 Installation for New On-Control
Network Domain Controllers”
♦ Updated the section “Installing Enterprise Edition Control Core Services v9.4 on
Primary Domain Controllers on The Control Network” on page 51.
♦ Updated a note under the section “the Installation Procedure” on page 115.
Chapter 5 “Enterprise Edition Control Core Services v9.4 Installation for New Off-Control
Network Domain Controllers”
♦ Updated the section “Installing Enterprise Edition Control Core Services v9.4 on
Off-Control Network Primary Domain Controllers” on page 111.
♦ Updated the section “Restarting Your System” on page 130.
♦ Updated Figure 5-19, Figure 5-20, and Figure 5-27.
♦ Updated the section “Installation” on page 144.
Chapter 6 “Enterprise Edition Control Core Services v9.4 Installation for Existing Off-Control
Network Primary Domain Controllers”
♦ “Overview” on page 169 and “Installation Procedure” on page 170.
Chapter 7 “Migrating an On-Control Windows Server 2008 Domain Controller to a New
Windows Server 2016 Primary Domain Controller on the On-Control Network”
♦ Updated the section “Preparation and Installation for New Target Primary Domain
Controller With Windows Server 2016” on page 200.
Chapter 8 “Migrating an On-Control Windows Server 2008 Domain Controller to a New
Windows Server 2016 Primary Domain Controller on the Off-Control Network”

♦ Updated the section “Preparing the Source Primary Domain Controller (Existing
PDC with I/A Series Software v8.8 or Foxboro Evo Control Core Services v9.0-9.3)
for Migration” on page 237 and “Preparation and Installation for New Target Primary
Domain Controller” on page 266.
Chapter 9 “Migrating an Off-Control Windows Server 2008 Domain Controller to a New
Windows Server 2016 Primary Domain Controller on the On-Control Network”
♦ Updated the section “Migrating an Off-Control Windows Server 2008 Domain
Controller to a New Windows Server 2016 Primary Domain Controller on the
On-Control Network” on page 293.
Chapter 10 “Migrating an Off-Control Windows Server 2008 Domain Controller to a New
Windows Server 2016 Primary Domain Controller on the Off-Control Network”
♦ Updated the section “Preparation and Installation for Target Primary Domain
Controller with Windows Server 2016” on page 351.
Chapter 11 “Migrating an On-Control Windows Server 2003 Domain Controller to a New
Windows 2016 Primary Domain Controller on an On- or Off-Control Network”
♦ Updated the section “Migrate from Windows Server 2003 to Windows Server 2008”
on page 381.
Chapter 12 “Enterprise Edition Control Core Services v9.4 Installation for Domain Clients or
Connecting Security Enhanced I/A Series Software v8.5-9.4 Domain Clients to Existing
Off-Control Network Networks”
♦ Updated the section “Installation Procedures” on page 387.
Chapter 13 “Upgrading Control Core Services v9.4 (Day 1 Installation or Repair Operation)”
♦ Updated the section “Day 1 Operations (Local Edition or Enterprise Edition Control
Core Services)” on page 437.
Chapter 14 “Enhancing Server 2008 PDC running I/A Series Software v8.8 or Control Core
Services v9.0-v9.3 to Support Windows 10 and Server 2016 Domain Clients”
♦ Updated this chapter.
Chapter 15 “Enhancing Control Core Services Security for Interforest Migrated PDC with
Windows Server 2016 to Support Windows 10 and Windows Server 2016 Domain Clients”
♦ Updated this chapter.
Appendix H “Printer Sharing”
♦ Updated the section “Turning on the Windows Firewall Service” on page 573.
Appendix P “Linking Custom GPOs to Any CCS/CS Specific OUs”
♦ Added new appendix.

Reference Documents
It is recommended that you be familiar with the following Foxboro Evo documents:
♦ System Management Displays (B0193JC)
♦ System Definition: A Step-By-Step Procedure (B0193WQ)
♦ System Definition V3.4 Release Notes for Windows 10 and Windows Server 2016
(B0700TA)

♦ Time Synchronization User’s Guide (B0700AQ)
♦ The Foxboro Evo Control Network Architecture Guide (B0700AZ)
♦ Address Translation Station User’s Guide (B0700BP)
♦ Field Control Processor 280 (FCP280) User’s Guide (B0700FW)
♦ Field Control Processor 280 (FCP280) On-Line Image Update (B0700FX)
♦ Field Control Processor 280 (FCP280) Sizing Guidelines and Excel® Workbook
(B0700FY)
♦ Field Control Processor 270 (FCP270) Sizing Guidelines and Excel Workbook
(B0700AV)
♦ Z-Module Control Processor 270 (ZCP270) Sizing Guidelines and Excel Workbook
(B0700AW)
♦ Field Device Control 280 (FDC280) User's Guide (B0700GQ)
♦ Control Network Interface (CNI) User's Guide (B0700GE)
♦ Security Implementation User’s Guide for I/A Series and Foxboro Evo Workstations
(Windows 10 or Windows Server 2016 Operating Systems) (B0700HG)
♦ Veritas System Recovery 2016 Desktop, Server and Virtual Editions Guide for I/A Series®
and Foxboro Evo™ Process Automation Systems (B0700HH)
♦ Installation and Configuration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW)
♦ FoxView and FoxDraw Software V10.5 Release Notes (B0700SZ)
♦ Control Core Services v9.4 Release Notes (B0700SY)
♦ System Manager (B0750AP)
♦ System Manager V2.11 Release Notes (B0750RS)
♦ Foxboro Evo Control Software Installation Guide (B0750RA)
♦ Control Software v7.1 Release Notes (B0750ST)
♦ FERRET v6.1.1 (Windows Platforms) and FERRET v6.1.1 (UNIX Platforms) User's
Guide (B0860BU)
♦ FERRET v6.1.2 Installation and Release Notes (B0860RU)
♦ Virtualization User's Guide for Windows Server 2016 (B0700HD)
♦ Local Group Policy Installation Guide (B0799FA)
♦ Procedure for Workstation Upgrade without Control Processor (CP) Reboot (B0860CP)
Hardware and Software Specific Documentation for Windows 10 Operating System
♦ Hardware and Software Specific Instructions for Model H92 (HP Z440) Windows 10
Professional Operating System (B0700HA)
♦ Hardware and Software Specific Instructions for Model H92 (HP Z420) Windows 10
Professional Operating System (B0700HB)
Hardware and Software Specific Documentation for Windows Server 2016 Standard
Operating System
♦ Hardware and Software Specific Instructions for Model H90 (HP DL380 Gen9)
Windows Server 2016 Operating System (B0700GZ)


♦ Hardware and Software Specific Instructions for Model V91 Server Virtualization Host
(HP DL380 Gen9) Windows Server 2016 Operating System (B0700HE)
Most of these documents are available on the Foxboro Evo Electronic Documentation media
(K0174MA). The latest revisions of each document are also available through our Global
Customer Support at https://pasupport.schneider-electric.com.

Cyber Security Team


Contact the Cyber Security Team using this information.

America GCS
Foxboro, MA USA
Phone: +1 866 746 6477
International: +1 508 549 2424
Fax: +1 508 549 4999
Email: systems.support@se.com

Asia Pacific GCS
Shanghai, China
Phone: +86 800 4500 3457
Fax: +86 21 37180196
Email: support-apac.pa@se.com

EMEA GCS
Baarn Netherlands
Phone: +31 3554 84125
Fax: +31 3554 84230
Email: emeagcs.support@se.com

For more information on Schneider Electric Cyber Security Services, refer to:
https://www.schneider-electric.com/en/work/services/field-services/industrial-automation/industrial-cybersecurity/industrial-cybersecurity.jsp

Glossary

Term: Definition

Active Directory: A network services application created by Microsoft Corporation.

Enterprise Edition Control Core Services: Control Core Services designed for enterprise-sized environments. Formerly known as “Security Enhanced Control Core Services”.

Foxboro Evo Control Core Services: Core software environment, formerly known as “I/A Series (Intelligent Automation Series) software”.

Foxboro Evo Control Core Services workstation: A workstation which runs the Foxboro Evo Control Core Services without the Foxboro Evo Control Software.

Foxboro Evo Control Editors: Formerly known as “FCS Configuration Tools”, “InFusion Engineering Environment”, or “IEE”, these are the Control Software engineering and configuration tools built on the ArchestrA Integrated Development Environment (IDE). It is part of the Foxboro Evo Control Software.

Foxboro Evo Control Software: Formerly known as “Foxboro Control Software (FCS)” and “InFusion”, a suite of software built on the ArchestrA Integrated Development Environment (IDE) to operate with the Foxboro Evo Control Core Services.

Foxboro Evo Control Network: Formerly known as The Mesh control network, a switch network available in multiple topologies which facilitates communications between Foxboro Evo stations. Also referred to as “the control network”.

Foxboro Evo Control Workstation: A workstation which runs the Foxboro Evo Control Core Services and the Foxboro Evo Control Software.

Local Edition Control Core Services: Control Core Services designed for Windows Workgroup stations. Formerly known as “standard Control Core Services”.

Off-Control Network: A descriptor applied to stations which are not located on the Foxboro Evo Control Network - and instead connected via a separate customer-supplied network. The procedures for configuring these stations for a system with the Enterprise Edition Control Core Services differ significantly from the procedures for configuring stations on the Foxboro Evo Control Network.

On-Control Network: A descriptor applied to stations which are located on the Foxboro Evo Control Network (formerly known as The Mesh control network).

PDC: Primary Domain Controller

SDC: Secondary Domain Controller

SP: Service Pack

SysDef: Control Core Services’ System Definition software

The control network: Shortened term for the Foxboro Evo Control Network

The Control Software: Shortened term for Foxboro Evo Control Software.

1. Software Installation Overview
This chapter provides an overview of the concepts and installation processes described in this
document.
This document describes installation of the Local Edition and Enterprise Edition Control Core
Services v9.4 on stations (workstations, servers, and domain controllers) running the following
operating systems:
♦ Windows 10
♦ Windows Server 2016 Standard
The following information is provided in this chapter:
♦ How to use this installation guide
♦ Overview of the types of software installations supported by this release
♦ System configuration and creating the Commit installation media
♦ Pre-installation system backup
♦ How to acquire documentation for the Control Core Services v9.4
♦ Media upgrade kits for supported hardware
♦ Installation media for Control Core Services v9.4
In this document, the term “workstation” can refer to both desktop workstations and servers in a
Control Core Services system.

Installation Concepts
Starting with I/A Series software v8.8, the concept of installation has changed from a granular
model to a more comprehensive model. (Note that this chapter refers to installation on a new
workstation/server, rather than an upgrade to an existing Foxboro Evo or I/A Series software
installation.)
I/A Series software v8.7 and earlier had the concept of “selected package installation”, which
allowed each software package which was part of the I/A Series software to be installed separately -
for example, each package might be on a separate diskette, and only the diskettes you wanted
installed on a workstation/server would need to be provided during the installation.
In I/A Series software v8.8, and Foxboro Evo Control Core Services v9.0 and later, the installation
process is more automated, providing more flexibility to allow the appropriate system
configuration application to determine which packages are required for a workstation/server.
Typically, the process works as follows:
1. The Foxboro system configuration application creates Commit media which specifies
which packages are to be installed on each workstation/server.
2. Every package, with the exception of the OS1FDB package, is provided on the
installation DVD. The OS1FDB has several variations, and so the appropriate variation has
to be selected.
3. When run, the installation application installs the appropriate packages. If there are
any Device Integrator modules configured, then the OS1FDB media will be requested
individually per letterbug. A different set of OS1FDB media can be chosen for each
letterbug or this can be skipped per letterbug.
After the installation is finished, you can perform these installation tasks on the existing Foxboro
Evo or Control Core Services software:
♦ Perform a Day 1 operation, which adds packages or updates the software configura-
tion based on changes from the system configuration application.
If you skipped the installation of the OS1FDB package, you can add it with this
operation.
♦ Perform a Repair operation, to verify that the files are present and not corrupted, and
to apply updates and fixes as needed.
All Control Core Services v9.4 initial installations are Day 0 operations. After the Day 0 is
complete, you can re-load your databases and display files.

How to Use this Installation Guide


♦ Refer to the following sections in this chapter to determine the appropriate workstation
hardware, software and documentation that is required for your installation:
♦ “Determining Hardware Requirements” on page 3
♦ “Pre-Installation System Backup” on page 4
♦ “System Configuration and Creating Commit Installation Media” on page 5
♦ “Control Core Services v9.4 Documentation” on page 6
♦ “Workstation Specific Operating System Media” on page 6 - describes the media
needed to install the OS for each workstation type
♦ “Control Core Services v9.4 Media” on page 8
♦ “Hardware and Software Specific Instruction Documents” on page 6.
♦ To perform an installation for a workstation or server with Local Edition Control
Core Services v9.4, proceed to Chapter 2 “Local Edition Control Core Services v9.4
Day 0 Installation” and perform the procedures in this chapter.
♦ To perform an installation for a workstation or server with Enterprise Edition Control
Core Services v9.4, proceed to Chapter 3 “Installation or Migration Scenarios for
Enterprise Edition Control Core Services v9.4”, which directs you to the appropriate
chapter of this document for the installation procedures for your specific system
configuration.

Overview of Supported Software Installations


The Control Core Services v9.4 release supports several different types of software installations.
Understanding and selecting the appropriate installation is vital and has to be done prior to
beginning the Control Core Services v9.4 installation on your workstations/servers.
♦ Local Edition Control Core Services installation - The Local Edition Control Core
Services is for systems not requiring Microsoft® Active Directory Domain Controllers.
Control Core Services v9.4 is installed as a new image (Day 0 Installation) on a
station which supports Windows 10 or Windows Server 2016 Standard.
♦ Enterprise Edition Control Core Services installation - Enterprise Edition Control
Core Services software is used on systems that require Microsoft® Active Directory
Domain Controllers. In these systems, the workstation clients of these domain
controllers are members of an Active Directory domain (domain clients). There are two
separate categories of Enterprise Edition installations:
a. New Enterprise Edition Control Core Services software installations.
b. Installation on existing stations with security enhanced I/A Series software v8.5,
v8.6, v8.7, or v8.8. These are referred to as migrations. (See the following note.)
While Day 1 installations are not supported for the initial installation of Control Core
Services v9.4, there are possible migration scenarios for the domain controller only
which are covered in the later chapters. If a workstation is at an older version (domain
client), it will have to be re-installed (via a Day 0 operation) to upgrade it to CCS
v9.4. Then it can be connected to the CCS v9.4 domain controller. Alternatively, it
can be left at the older version and can continue to be connected to the same domain
controller. Various domain controller scenarios are supported depending on the
migration path of the PDC.
Refer to Chapter 3 “Installation or Migration Scenarios for Enterprise Edition Control
Core Services v9.4” for a detailed explanation of these scenarios.

Determining Hardware Requirements


Control Core Services v9.4 runs on the following currently offered platforms and any later
versions of these platforms which are released.

Table 1-1. Platforms Supporting Control Core Services v9.4

Station Type            Platform with Multicore CPU Cores Enabled

Workstation             H92 HP Z420 Workstation (Model H92, Style G/A to Style H/A)
                        NOTE: Older styles of the HP Z420 can be upgraded by replacing
                        the video card with new part number P0928JF. Any continued use
                        of on-board serial card will be considered an engineered
                        solution. Consult your technical / sales representative for
                        details.

                        H92 HP Z440 Workstation (Model H92, Style J/A or newer style)

Server                  H90 HP DL380 Gen9 Server¹ (Model H90, Style G/A or newer style)

Virtual Machine Host    V90 HP DL380 VM Host
                        NOTE: The V90 HP DL380 VM Host may be upgraded to a V91 HP
                        DL380 Gen9 Server 2016 VM Host. Its hardware can run Windows
                        Server 2016 but only after it has been upgraded to become a
                        V91 server.

                        V91 HP DL380 Gen9 Server 2016 VM Host (Model V91, Style A/A or
                        newer style)

1. BIOS must be updated to version 2.22 or later before upgrading the OS. Please download
the latest qualified BIOS update from the GCS site:
(https://pasupport.schneider-electric.com/content/Security/mspatch/mspatch.asp).
NOTE: This link is only accessible to registered users. First time users can register at:
https://pasupport.schneider-electric.com/
Allow three business days for validation of the application.

Additional hardware requirements are provided in the Hardware and Software Specific
Documentation listed in “Reference Documents” on page xxxiv and the following PSSes:
♦ Model H92 Workstation for Windows 10 Operating System (PSS 31H-4H92-10)
♦ Model H90 Workstation Server for Windows Server 2016 Operating System
(PSS 31H-4H90-16)

Pre-Installation System Backup


Before installing a system with Control Core Services v9.4, back up your existing workstations
and servers. A backup has to occur before a Day 0 installation, which is a fresh Control Core
Services installation that wipes out any Control Core Services or I/A Series software previously
installed on the station. A Day 0 installation is needed if you have a workstation with I/A Series
software pre-v8.8 and want to upgrade that station to Control Core Services v9.4.
Typically, a backup will only occur for the following scenarios:
♦ A legacy workstation being upgraded to CCS v9.4 through a Day 0 process where the
user will have to save off databases, display files, etc. prior to installing the new
system. There are two sub-categories to this:
♦ The legacy system has hardware that is compatible with Windows 10 or Windows
Server 2016 and will re-use the old hardware.
♦ The legacy system hardware is not compatible and will be replaced.
♦ For a PDC, it is recommended to back up the PDC prior to upgrade, but the PDC
hardware (given the PDC upgrade procedures provided) will be replaced during the
upgrade process. The old PDC may then be re-used depending on that hardware's
compatibility with the Server 2016 operating system. It could potentially be re-used as an
SDC or as a domain client. Or, if the hardware is not compatible, it could be re-used
as an older version workstation spare.
For instructions on backing up and restoring your workstations or servers, refer to Veritas System
Recovery 2016 Desktop, Server and Virtual Editions Guide for I/A Series® and Foxboro Evo™ Process
Automation Systems (B0700HH).

NOTE
To back up the PDC and SDC domain controller pair, refer to Appendix D “Guidelines
for Using Veritas System Recovery for Backing Up and Restoring Domain
Controllers”.

Once you have completed the backup, you physically install the software on each target
workstation. For a Day 0 installation, this procedure includes installing a new operating system
image on the station and performing the Day 0 installation.
If you are installing Enterprise Edition Control Core Services v9.4, you HAVE TO install the
Primary Domain Controller (PDC) first.
After Day 0 installations, control processors need an image update, so careful planning will be
needed. The On-Line Image Update (or On-Line Upgrade) procedure is not available for Day 0
installations because the control database files (workfiles) are lost during the Day 0 software
installation. To restore the control database after a Day 0 installation, you have to perform an
Initialize and LoadAll. The on-line image update procedure is available for future upgrades that do
not involve a Day 0 installation on the host workstation. Refer to Control Processor 270 (CP270)
On-Line Image Update (B0700BY) or Field Control Processor 280 (FCP280) On-Line Image Update
(B0700FX).

System Configuration and Creating Commit Installation Media
The first phase of installing a system is the system configuration process, which includes creating,
importing, and/or editing a system configuration, and creating Commit installation media (on a
network drive, USB drive, etc). Control Core Services v9.4 system configuration can be
accomplished using the following software:
♦ System Definition 3.4 or later - For instructions on installing System Definition
software, refer to System Definition V3.4 Release Notes for Windows 10 and Windows Server
2016 (B0700TA). To create the Commit installation media, follow the procedures in
System Definition: A Step-By-Step Procedure (B0193WQ, Rev. P or later).
♦ I/A Series Configurator Component (IACC) v2.6 or later - I/A Series System
Configuration Component (IACC) User's Guide (B0700FE, Rev. D or later).
♦ Foxboro Evo Control Software (hereinafter referred to as the Control Software) v7.1
or later - For instructions on installing the Control Software, refer to Foxboro Evo
Control Software Installation Guide (B0750RA, Rev. Z or later). To create the Commit
installation media, follow the procedures in Hardware Configuration User’s Guide
(B0750BB, Rev. L or later).
After creating or editing the system configuration, create Commit installation media for use
during software installation.


Label Commit installation media with the Control Core Services or I/A Series versions on which
it can be used, for example, Control Core Services v9.4 or I/A Series v8.2-v8.8.
It is recommended that you have only a single System Configuration (set of Commit media) for
your Control Core Services system. From a single configuration database, you can produce media
for multiple versions of Control Core Services and I/A Series software by providing a Package
Distribution Disk (10091). Starting with I/A Series software v8.8, there is no package distribution
disk, so this request can be ignored in System Definition. For earlier versions, this was used to
produce specific information on the Commit media that was used by the I/A Series installation
application.
See the documentation listed below for information on how to import existing configurations
using System Definition v3.4, IACC v2.6, or the Control Software v7.1.
If importing an older configuration from an earlier version of System Definition (pre-v3.0), in a
system with I/A Series software pre-v8.8, any stations that will be installed for use in a system with
Control Core Services v9.4 have to be migrated to either the new WSTA70 (for Windows 10) or
WSVR70 (for Windows Server 2016 Standard) station type. After migrating these stations, new
Commit media has to be created. (Stations with I/A Series software v8.8 have already been
migrated to these new station types.)

Control Core Services v9.4 Documentation


Verify that you have all the necessary documentation needed for your installation. Refer to
“Reference Documents” on page xxxiv for a list of all documentation related to Control Core Services
v9.4. Most documents are located on the Foxboro Evo Electronic Documentation media
(K0174MA), and you can find the latest revisions of the documents on the Global Customer
Support webpage https://pasupport.schneider-electric.com.

Hardware and Software Specific Instruction Documents


The Hardware and Software Specific Instructions documents included with your stations will be
used for setting up your stations and installing hardware upgrades.
These documents have instructions for restoring the operating system (Quick Restore) and
installing Control Core Services. The procedures found in the Hardware and Software Specific
Instructions documents are superseded by the Control Core Services v9.4 procedures found in this
document.

Workstation Specific Operating System Media


You will also need to install operating system images for each workstation on which you will
install the Local Edition or Enterprise Edition Control Core Services v9.4.
The following kits can be ordered from BuyAutomation. When ordering these Operating System
upgrade kits for use in servers, be aware of the planned use as a server or a Highly Available
Workstation. The use of a server as a Highly Available workstation (for Windows 10 stations) has a
different product licensing scheme for deliverables that are part of these upgrade kit part numbers.
The K0177xx media disk part numbers that are used to load the systems are not listed in
BuyAutomation.
Use Table 1-2 below to verify that you have the necessary media kit.


Table 1-2. Foxboro Evo Control Core Services v9.4 Platform Specific Media Kit

Media Kit Part Number    Kit Description

K0177BP                  Foxboro Evo Control Core Services v9.4 Windows 10/Server 2016
                         Day 0 DVD

The upgrade kits in Table 1-3 are available if you want to upgrade existing supported hardware to
the new operating systems.

Table 1-3. Foxboro Evo Control Core Services v9.4 Platform Specific Upgrade Kits

Media Kit Part Number    Kit Description

K0204AG                  H92 HP Z440 Workstation Windows 10 upgrade kit (Model H92,
                         Style J/A or newer style)

K0204AH                  H92 HP Z420 Workstation Windows 10 upgrade kit (Model H92,
                         Style G/A to Style H/A)
                         NOTE: Older styles of the HP Z420 can be upgraded by replacing
                         the video card with new part number P0928JF. Any continued use
                         of on-board serial card will be considered an engineered
                         solution. Consult your technical / sales representative for
                         details.

K0204AJ¹                 H90 HP DL380 Gen9 Server 2016 (as Workstation, supports no
                         remote clients) upgrade kit (Model H90, Style G/A or newer style)

K0204AW¹                 H90 HP DL380 Gen9 Server 2016 (as Server, supports remote
                         clients) upgrade kit (Model H90, Style G/A or newer style)

K0204AK²                 V91 HP DL380 G9 Server 2016 VM Host upgrade kit (Model V91,
                         Style A/A or newer style)

K0204AL                  Upgrade kit for Server 2016 2 VMs (Kit to add 2 Server 2016 VMs
                         to V91 virtualization server host)

1. BIOS must be updated to version 2.22 or later before upgrading the OS. Please download the latest
qualified BIOS update from the GCS site:
(https://pasupport.schneider-electric.com/content/Security/mspatch/mspatch.asp).
NOTE: This link is only accessible to registered users. First time users can register at:
https://pasupport.schneider-electric.com/
Allow three business days for validation of the application.
2. Can be used to upgrade a V90 Gen 9 server.


Control Core Services v9.4 Media


Refer to the Foxboro Evo™ Process Automation System Control Core Services v9.4 Release Notes
(B0700SY) included with your station for the part number of the restore DVD for your station.
The part number and contents of the Control Core Services v9.4 Day 0 Media Kit, and the
additional media needed to install this software, are listed in these release notes.

Pre-Installation Tasks
Backing Up the CSA Database
Back up the CSA files by using the CSA_Save utility as described in “Backing Up and Restoring
Compound Summary Access (CSA)” in the Control Core Services v9.4 Release Notes (B0700SY).

Adjusting BIOS Settings


For the BIOS settings applicable to your workstation/server hardware, refer to the Hardware and
Software Specific Instructions manual shipped with your hardware.

Loading Platform Images


To install the images applicable to your workstation/server hardware, refer to the Hardware and
Software Specific Instructions manual shipped with your hardware.

Configuring Local Group Policies (LGPOs)


To set the LGPOs, refer to Security Implementation User's Guide for I/A Series and Foxboro Evo
Workstations (Windows 10 or Windows Server 2016 Operating Systems) (B0700HG). The LGPOs
and ENS should be installed prior to the Control Core Services v9.4 installation.

Install McAfee Products


If desired, install McAfee security products. Refer to Installation and Configuration of the McAfee
ENS 10.5.2 with ePO 5.9.1 (B0700VW).

2. Local Edition Control Core Services v9.4 Day 0 Installation
This chapter describes procedures to perform an initial installation of the Local Edition
Control Core Services v9.4. An initial installation, or an installation which removes any
instances of existing Control Core Services or I/A Series software, is referred to as a “Day 0”
operation.
As well, updating supported hardware with earlier versions of Control Core Services requires a
Day 0 operation. Upgrade scenarios include the following:
♦ I/A Series software versions prior to 8.8 - Requires new hardware. You must save off
databases, displays, etc. and then load the hardware with CCS v9.4 and apply the
saved databases, displays, etc.
♦ I/A Series software v8.8 through Control Core Services v9.0 - 9.3 - This may require
new hardware if not compatible with Windows 10 or Windows Server 2016. If new
hardware is required, then save off databases, displays, etc. and re-load with new
hardware. If your hardware is compatible, save off databases, displays, etc. and re-load the
workstation with new operating system. Then, load with CCS v9.4 and apply saved
databases, displays, etc.
♦ No release update is applicable for Control Core Services v9.4.
♦ A Day 1 installation will apply only in the case where packages must be added to an
existing CCS v9.4 installation.
If you already have a supported station with I/A Series software v8.8 or Control Core Services
v9.0-9.3 installed and want to apply an initial Day 0 installation of Control Core Services v9.4 to
it, refer to this chapter.
If you already have Control Core Services v9.4 installed and want to update or change the
packages installed (a Day 1 operation), or repair the existing packages, refer to Chapter 13 “Upgrading
Control Core Services v9.4 (Day 1 Installation or Repair Operation)”.
Password handling is different for Control Core Services v9.4 on Windows 10/Windows Server
2016 operating systems.
♦ The built-in admin account has no password and the account is disabled.
♦ “Account1” has “Password1” as its initial value, but the user is prompted to change the
password during installation.
♦ A new account is created during a Local Edition installation, during which you select
the user name and password.
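
The account state listed above can be checked once the installation has finished. The following PowerShell is an added example, not part of the Schneider Electric guide or installer; the function name is hypothetical, the account name and initial password are the values quoted above, and it assumes the Auto Logon option offered in the Configure User Accounts dialog box uses the standard Windows Winlogon registry values.

```powershell
#Requires -Version 5.1
# Added example (not vendor code): audit local account state on a station after
# a Local Edition Day 0 installation. Run locally on the installed station.

function Test-CcsLocalAccountState {
    [CmdletBinding()]
    param(
        [string]$InstallAccount  = 'Account1',   # account name as quoted in the guide
        [string]$InitialPassword = 'Password1'   # initial value as quoted in the guide
    )

    $results = New-Object System.Collections.Generic.List[object]

    # 1. Built-in administrator: found by RID 500, since the name can be changed.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }
    $detail  = if ($builtin) { "$($builtin.Name): Enabled=$($builtin.Enabled)" } else { 'No RID 500 account found' }
    $results.Add([pscustomobject]@{
        Check  = 'Built-in administrator is disabled'
        Passed = ($null -ne $builtin) -and (-not $builtin.Enabled)
        Detail = $detail
    })

    # 2. The initial password must no longer be accepted.
    #    Note: one rejected attempt is logged as a failed logon and counts toward
    #    any lockout threshold; a disabled account always returns $false.
    $acct = Get-LocalUser -Name $InstallAccount -ErrorAction SilentlyContinue
    if ($null -eq $acct) {
        $passed = $true
        $detail = "Account '$InstallAccount' is not present on this station"
    } else {
        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
        $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
            [System.DirectoryServices.AccountManagement.ContextType]::Machine)
        try {
            $stillInitial = $ctx.ValidateCredentials($InstallAccount, $InitialPassword)
        } finally {
            $ctx.Dispose()
        }
        $passed = -not $stillInitial
        $detail = "Enabled=$($acct.Enabled); PasswordLastSet=$($acct.PasswordLastSet)"
    }
    $results.Add([pscustomobject]@{
        Check  = "Initial password of '$InstallAccount' has been changed"
        Passed = $passed
        Detail = $detail
    })

    # 3. Auto logon (assumption: standard Winlogon values). Auto logon itself is an
    #    installer option; the finding is a password left in cleartext in the registry.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = (Get-ItemProperty -Path $key).PSObject.Properties
    $auto  = ($null -ne $props['AutoAdminLogon']) -and ($props['AutoAdminLogon'].Value -eq '1')
    $clear = ($null -ne $props['DefaultPassword'])
    $user  = if ($null -ne $props['DefaultUserName']) { $props['DefaultUserName'].Value } else { '<none>' }
    $results.Add([pscustomobject]@{
        Check  = 'No cleartext auto logon password in the registry'
        Passed = -not $clear
        Detail = "AutoAdminLogon=$auto; DefaultUserName=$user; DefaultPassword present=$clear"
    })

    $results
}

# Usage:
# Test-CcsLocalAccountState | Format-Table -AutoSize -Wrap
```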

Workstation/Server Preparation
This section applies to Windows 10 and Windows Server 2016 Standard stations on which Local
Edition Control Core Services are being installed for the first time, or overwriting existing
Control Core Services or I/A Series software. (This is referred to as a Day 0 installation.) Perform the
following steps to set up the hardware and restore the operating system onto your workstation.


NOTE
If this is a new station shipped from the Schneider Electric factory with the V9.4
Restore image identified by the media kits in Table 1-2 and verified in your
workstation’s H-code, proceed to “Notes on Installing Control Core Services” on page 10.
If not, continue following the steps in this section.

1. Install hardware, restore the Windows operating system, and update drivers for your
workstation. Perform the following:
a. Refer to Control Core Services v9.4 Release Notes (B0700SY) for hardware
requirements specific to the V9.4 release. For instructions on installing memory
upgrades, PCI cards, and so forth, refer to the “Installing Hardware Upgrades”
chapter of the hardware and software specific instruction document shipped with
your workstation.
b. If the server is new from the factory with the Server 2016 image, skip this step.
Otherwise, using the V9.4 Restore Media, restore the Windows operating system
on your workstation. Follow the instructions of Appendix A “Startup Options”.
Only use the media kits listed in Table 1-2 to restore the operating system of a station
with Control Core Services v9.4.
It is vital that the instructions for installing Control Core Services from your hardware
specific instruction manual are not followed. Follow the software installation
procedure below.
c. Set the time and date. Perform the following:
♦ Open the Windows Date and Time applet by clicking the Date and Time
icon in the Control Panel.
♦ Click the Change Date and Time button.
♦ Adjust the date and time.
♦ Click OK.
♦ Click the Change time zone button.
♦ Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
♦ Click OK.
d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the Hardware And Software Specific Instructions
document shipped with the workstation/server.

Notes on Installing Control Core Services


Before you install Control Core Services, check that any network interface card drivers are
updated. Refer to the notes below.


♦ GPS PCI time synchronization cards are not supported on the Windows 10 operating
system. You must use a workstation with Windows 7 to host GPS time
synchronization.
♦ In Control Panel -> Network and Sharing Center/Network Connections, which lists
the available NICs, it is inadvisable to change the name of any “Local Area
Connection x” network connection. This can result in software installation issues or system
instability.

Changing the Station Name


The Windows workstation or server name has to match the workstation or server letterbug name
as it was configured in SysDef and saved onto your Commit installation media before you install
the Control Core Services. For instructions on modifying the computer name of your workstation
or server, refer to Appendix B “Changing the Station Name”.

Preparing Network Interface Cards (NICs) For Installation

NOTICE
POTENTIAL DATA LOSS

Only perform this procedure for 100MBps fiber optic cards. For copper
NICs and for Gigabit Fiber optic NICs, you should NOT perform this
procedure.

Failure to follow these instructions can result in data loss.

Before performing this installation, disable any antivirus software that is installed.
Before installing Control Core Services, for each installed NIC, you have to set the NIC’s
properties “Flow Control” and “Speed & Duplex” manually as described below for the NICs on this
station.
Refer to the Hardware and Software Specific Instructions document included with your station to
determine the NIC cards it supports.
Proceed as follows:
1. On Windows 10 or Windows Server 2016 stations, click Control Panel -> Device
Manager.
In the Device Manager window, expand the Network adapters list.
2. Right-click the desired card and click Properties. In the Properties dialog box that
appears, select the Advanced tab.
3. In the Property field, click Flow Control. In the Value field, select Disable from
the drop-down menu list.
4. In the Property field, click Speed & Duplex. In the Value field, in the drop-down
menu list:
♦ For a station on the Control Network, select 100 Mb Full.
♦ For a station on another network other than the control network (Off-Control
Network), select Auto.
5. Click OK.
6. For each additional NIC, repeat Steps 2 through 5.
7. Shut down and restart the system for the driver changes to take effect. Click the Start
button and click Shut Down; select Restart from the pull-down menu and click OK.
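
After the restart, the two properties can be read back for each adapter instead of reopening every Properties dialog box. This PowerShell is an added example, not taken from the guide; the function name and the adapter names in the usage line are hypothetical, and because NIC drivers word their display values differently, values are matched by pattern rather than by exact text.

```powershell
#Requires -Version 5.1
# Added example (not vendor code): read back "Flow Control" and "Speed & Duplex"
# for the adapters that were configured by hand in the procedure above.

function Test-CcsNicAdvancedSettings {
    [CmdletBinding()]
    param(
        # Adapter names as listed by Get-NetAdapter. Pass only the 100 Mbps fiber
        # adapters, since the procedure does not apply to copper or Gigabit fiber NICs.
        [Parameter(Mandatory)][string[]]$AdapterName,

        # $true for a station on the control network, $false for Off-Control Network.
        [bool]$OnControlNetwork = $true
    )

    # Expected values from the guide, expressed as patterns (assumption: drivers
    # report e.g. "Disabled", "100 Mbps Full Duplex" or "Auto Negotiation").
    $speedPattern = if ($OnControlNetwork) { '^100\s*Mb.*Full' } else { '^Auto' }
    $expected = [ordered]@{
        'Flow Control'   = '^Disable'
        'Speed & Duplex' = $speedPattern
    }

    foreach ($name in $AdapterName) {
        foreach ($prop in $expected.Keys) {
            $p = Get-NetAdapterAdvancedProperty -Name $name -DisplayName $prop `
                     -ErrorAction SilentlyContinue | Select-Object -First 1

            if ($null -eq $p) {
                # The driver does not expose the property under this display name.
                $actual    = '<property not found>'
                $compliant = $false
            } else {
                $actual    = [string]$p.DisplayValue
                $compliant = $actual -match $expected[$prop]
            }

            [pscustomobject]@{
                Adapter   = $name
                Property  = $prop
                Expected  = $expected[$prop]
                Actual    = $actual
                Compliant = $compliant
            }
        }
    }
}

# Usage (adapter names are placeholders):
# Test-CcsNicAdvancedSettings -AdapterName 'Ethernet 2','Ethernet 3' | Format-Table -AutoSize
```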

Exiting During Software Installation


If you click the Cancel button during the section of the installation which configures the
workstation type and domain controller setup, this dialog box appears:

Figure 2-1. Confirming Cancellation of Software Installation

Click Yes to cancel, or No to resume the installation process. If you click Yes, the installation
exits. Upon restarting the setup process, depending on how far along the configuration has
proceeded, you may be returned to the same dialog box from which the installation was canceled.
To restart the installation process after clicking Cancel, re-insert the DVD labeled “Foxboro Evo
Control Core Services v9.4 Windows 10/Server 2016 Day 0 DVD” (K0177BP).

Installation Procedure
NOTE
Before performing this installation, disable any antivirus software that is installed.

Proceed as follows:
1. Check that the workstation is attached to the control network.
2. Unplug any non-Control Network cables.
3. Insert the DVD labeled “Foxboro Evo Control Core Services v9.4 Windows 10/Server
2016 Day 0 DVD” (K0177BP), if it is not already in the station.
4. Navigate to the DVD drive and double-click setup.exe.


5. When the User Account Control (UAC) prompt appears, click Yes.

Figure 2-2. User Account Control for IASeries.SecureSetup.exe


6. Select the radio button setting for Install CCS software for a Local Edition.
Click Next to continue.

Figure 2-3. Selecting to Install Local Edition CCS Software


7. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 2-4. Click Load to load the committed configuration files.

Figure 2-4. Load Committed Configuration Install Files

8. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 2-5. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder.


Figure 2-5. Installation Media Folder Browser


9. Once the installation files have been loaded, click Bind as shown in Figure 2-6 to
launch the Load committed configuration install files dialog box (Figure 2-7).

Figure 2-6. Load Committed Configuration Install Files - Binding

10. From the Mesh Configurator dialog box shown in Figure 2-7, select the two network
cards representing the control network and click Next.
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation.
If this dialog box is not displayed, the NIC cards have been automatically configured.
Proceed to the next step.


Figure 2-7. Mesh Configurator Dialog Box (For Certain NIC Cards)

11. In the Load committed configuration install files dialog box, click Next, as in
Figure 2-8.

Figure 2-8. Binding Completed


12. The Configure User Accounts dialog box appears, as shown in Figure 2-9.
♦ Specify the Password and Confirm Password for the “Local Administrator
Account”.
♦ Specify the User name, Password, and Confirm Password for the “Local Edition
Engineering User Account”.
♦ Select the checkbox “Set this account to Auto Logon on restart”, if you want to
enable auto-login. If the checkbox is unchecked, you have to log in manually.
♦ Configure.

Figure 2-9. Configure User Accounts


13. Click Install.

Figure 2-10. Configure User Accounts - Ready to Install


14. The MSI installer opens for Control Core Services Day 0 software. Click Next.

Figure 2-11. Foxboro Evo Control Core Services Installshield Wizard - Next


15. Click Install to run the installation.

Figure 2-12. Foxboro Evo Control Core Services Installshield Wizard - Install

Canceling the installation after this point may result in a partially installed system.
16. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 2-13 is displayed for each OS1FDB station configured to be hosted by the
workstation being installed.
This will occur one time for each OS1FDB station configured.
a. Click one of the following:
♦ Click Load to install this package.
♦ Click Skip to bypass the installation of this package. If Skip is selected, the
installation will continue, but this dialog box will be displayed again for each
of the OS1FDB stations configured on this Foxboro Evo workstation.


Figure 2-13. Installation Media Dialog Box

b. If you selected Load, the media folder browser opens.

Figure 2-14. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button.
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette has to be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.


c. If you selected Use Diskette in the previous step, the dialog box in Figure 2-15
appears. Insert the second diskette in the OS1FDB set and click Load. The
diskette has to be inserted in drive A:\.

Figure 2-15. Installation Media Dialog Box - For Diskettes

17. Click Finish when the installation process is finished.

Figure 2-16. Finished Installation

At the end of the installation, the installation log is displayed. You can view this log
later by clicking the Start button and selecting Foxboro Core Service -> Log
Viewer.


Figure 2-17. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.

Installing the Control Core Services v9.4 Trailer Media


If a trailer is provided in the media kit, install it at this time. Installation instructions are provided
in Control Core Services v9.4 Release Notes (B0700SY).


Restarting Your System


FoxView software may be installed prior to rebooting the workstation to help avoid one reboot.
Install FoxView™ and FoxDraw™ software from the FoxView/FoxDraw CD-ROM. Refer to
FoxView and FoxDraw Software V10.5 Release Notes (B0700SZ) for installation instructions.

NOTE
System Manager v2.11 or later is not part of the Control Core Services v9.4 media.
It must be installed using separate media prior to reboot.

Reboot the workstation at this time. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.

Installing Optional Software


Refer to Appendix J “Installing Optional Software”.

Setting Date and Time


For an internally sourced Master TimeKeeper (MTK), set the local date and time with System
Manager. For instructions on how to set the date and time with the System Manager, refer to the
section “Date and Time Tools” in System Manager (B0750AP).
GPS PCI time synchronization cards are not supported on the Windows 10 operating system.
You must use a workstation with Windows 7 to host GPS time synchronization.
Refer to Time Synchronization User’s Guide (B0700AQ) for a description of the time
synchronization subsystem.

Finishing Installation
To finish the installation, re-enable any antivirus software that is installed.
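
The “Set this account to Auto Logon on restart” checkbox in step 12 leaves the workstation signing in unattended after every reboot, so it is worth confirming what was actually configured once the installation is finished. The following is an added example, not part of this guide or of the product: it assumes the installer uses the standard Windows Winlogon auto-logon registry values (the guide does not say how the option is implemented), and the function name `Get-AutoLogonState` is hypothetical.

```powershell
# Added example: audit the Windows auto-logon state left behind by step 12.
# Assumption: the "Auto Logon" checkbox uses the standard Winlogon mechanism;
# this guide does not document how the installer implements it.
function Get-AutoLogonState {
    [CmdletBinding()]
    param(
        [string]$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $values = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    $names  = @($values.PSObject.Properties.Name)

    # AutoAdminLogon is a string value; "1" means Windows signs in automatically at boot.
    $enabled = ($names -contains 'AutoAdminLogon') -and ("$($values.AutoAdminLogon)" -eq '1')

    # A non-empty DefaultPassword value is a clear-text password in the registry.
    # Only its presence is reported; the value itself is never written out.
    $clearText = ($names -contains 'DefaultPassword') -and
                 (-not [string]::IsNullOrEmpty([string]$values.DefaultPassword))

    $finding = if (-not $enabled) {
        'Auto logon is off: an operator must sign in after each restart.'
    } elseif ($clearText) {
        'Auto logon is on and the password is stored in clear text in the Winlogon key.'
    } else {
        'Auto logon is on; no clear-text DefaultPassword value (the password may be held as an LSA secret).'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        AutoLogonEnabled  = $enabled
        DefaultUserName   = if ($names -contains 'DefaultUserName')   { $values.DefaultUserName }   else { $null }
        DefaultDomainName = if ($names -contains 'DefaultDomainName') { $values.DefaultDomainName } else { $null }
        ClearTextPassword = $clearText
        Finding           = $finding
    }
}

Get-AutoLogonState | Format-List
```

Run it from an elevated PowerShell prompt on the workstation after the restart; a workstation reporting `ClearTextPassword = True` exposes that account's password to anyone who can read the Winlogon key.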

3. Installation or Migration Scenarios for Enterprise Edition Control Core Services v9.4
If you are performing an installation or migration for a workstation/server with Enterprise
Edition Control Core Services v9.4, this chapter assists you in determining the various tasks
needed for your specific system configuration.
If you already have a station with I/A Series software v8.8 or Control Core Services v9.0-9.3
installed and want to update to Control Core Services v9.4 directly (referred to as a release update),
refer to Chapter 13 “Upgrading Control Core Services v9.4 (Day 1 Installation or Repair
Operation)”.
If you already have Control Core Services v9.4 installed and want to update or change the
packages installed (a Day 1 operation), or repair the existing packages, refer to Chapter 13 “Upgrading
Control Core Services v9.4 (Day 1 Installation or Repair Operation)”.
The release updates (Enterprise Edition or Local Edition) follow the same procedure, including
release update procedures for On-Control Network PDCs. For Off-Control Network PDCs, no
upgrade is needed, as Control Core Services software is not installed.
Before installing Control Core Services on each of your workstations/servers, set a proper
password on the workstations/servers.

Introduction
For installations that need additional cyber security and management capabilities over that
provided by the Local Edition Control Core Services v9.4, a system with the Enterprise Edition
Control Core Services v9.4 is available. This implementation involves having servers that provide the
role of Microsoft® Active Directory Domain Controllers. A domain controller is a server on a
Microsoft Windows network that is responsible for allowing host access to Windows domain
resources. It stores user account information, authenticates users and enforces authorization policy
for a Windows domain.
There has to be at least one domain controller present to act as the “primary” domain controller,
but the recommendation is to have a second server acting as a “secondary” domain controller to
provide redundancy. The workstation clients of these domain controllers are members of an
Active Directory domain (domain clients).
Determine the installation scenario for your Control Core Services system as follows:
1. There are two separate types of installations for systems with Enterprise Edition
Control Core Services v9.4. Determine which are applicable for the stations in your
Control Core Services system:
♦ New Installation - Installation of this Enterprise Edition software on
workstations/servers on which Control Core Services or I/A Series software has never been
installed. For this installation, the domain controllers and the client domain
workstations are newly installed with Control Core Services v9.4.


Workstations with Local Edition Control Core Services software can also be
installed on the same control network but will not be members of the Active
Directory domain.
♦ Migration - If your system has domain clients with I/A Series software v8.5/6/7/8
or Control Core Services v9.0-9.3 for which you are postponing the upgrade to Control
Core Services v9.4, you have to perform the migration procedure. In this case, the
I/A Series software v8.5/6/7/8 or Control Core Services v9.0-9.3 domain policies
would be left in place while, at the same time, the new policies for v8.8 and
Control Core Services v9.0-v9.4 would be present on the domain (in parallel). After
the migration, the system will have domain clients with I/A Series software
v8.5/6/7/8 or Control Core Services v9.0-9.3 and domain clients with Control
Core Services v9.4 connected to the same domain. The domain clients with
I/A Series software v8.5/6/7/8 or Control Core Services v9.0-9.3 can be removed
at a later time and replaced with domain clients with Control Core Services v9.4,
and the old Active Directory GPOs and OUs that support the older I/A Series
version could be removed from Active Directory eventually.
This migration would not be performed if you plan to immediately upgrade the
domain clients with I/A Series software v8.5/6/7/8 or Control Core Services
v9.0-9.3 to Control Core Services v9.4.
2. Next, the domain controller target destination has to be determined. This is based on
where the domain controllers will be located after the installation:
♦ On-Control Network - On the Control Network.
♦ Off-Control Network - On a separate network.
3. Once you have determined the installation type (New Installation or Migration) and
the domain controller target destination (On-Control Network or Off-Control
Network), use this information to select your installation scenario from Table 3-1. Then
proceed to the appropriate section in this document to install the software, as
directed.
Table 3-1 provides the details concerning each different installation scenario.


Table 3-1. Domain Controller Installation/Migration Scenarios for Control Core Services v9.4

| Installation Type | Scenario | Domain Controller Target Destination: On-Control Network | Domain Controller Target Destination: Off-Control Network | Refer to Chapter |
| --- | --- | --- | --- | --- |
| New Installation, No Migration of Older Configurations | 1 (page 30) | New On-Control Network PDC with Control Core Services v9.4 | - | Chapter 4 on page 51 |
| New Installation, No Migration of Older Configurations | 2 (page 30) | - | New Off-Control Network PDC with Control Core Services v9.4 | Chapter 5 on page 111 |
| New Installation, No Migration of Older Configurations | 3 (page 30) | - | Install Control Core Services v9.4 on Existing Off-Control Network PDC [1] with Windows Server 2016 Standard | Chapter 6 on page 169 |
| New Installation, With Migration of Older Configurations | 4 (page 31) | On-Control PDC with I/A Series software v8.8 or Control Core Services v9.0-9.3 | New On-Control Network PDC with Control Core Services v9.4 | Chapter 7 on page 191 |
| New Installation, With Migration of Older Configurations | 5 (page 32) | On-Control PDC with I/A Series software v8.8 or Control Core Services v9.0-9.3 | New Off-Control Network PDC with Control Core Services v9.4 | Chapter 8 on page 233 |
| New Installation, With Migration of Older Configurations | 6 (page 33) | Off-Control PDC with I/A Series software v8.8 or Control Core Services v9.0-9.3 | New On-Control Network PDC with Control Core Services v9.4 | Chapter 9 on page 293 |
| New Installation, With Migration of Older Configurations | 7 (page 34) | Off-Control PDC with I/A Series software v8.8 or Control Core Services v9.0-9.3 -> | New Off-Control Network PDC with Control Core Services v9.4 | Chapter 10 on page 343 |
| New Installation, With Migration of Older Configurations | 8 (page 35) | On-Control PDC with I/A Series software v8.5-8.7 | New On-Control Network PDC with Control Core Services | Chapter 11 on page 381 |
| New Installation, With Migration of Older Configurations | 9 (page 35) | On-Control PDC with I/A Series software v8.5-8.7 | New Off-Control Network PDC with Control Core Services v9.4 | Chapter 11 on page 381 |

[1] An existing Off-Control Network PDC means a PDC that you already have in place which does not
contain any Control Core Services domain content. It has to be already installed with Microsoft
Active Directory software.

These scenarios are explained below.


Scenario 1
In this scenario:
♦ New domain controllers (PDC and SDC) are located on the Foxboro Evo Control
Network (On-Control Network). Each of the stations (new domain controllers and
new domain client workstations) are loaded with Control Core Services v9.4.
♦ There are no stations with security enhanced Control Core Services v9.3 or earlier on
the domain.
♦ Stations with Local Edition Control Core Services v9.4 or earlier are supported on the
same control network but not on the Active Directory domain.
Refer to Chapter 4 “Enterprise Edition Control Core Services v9.4 Installation for New
On-Control Network Domain Controllers” for the installation instructions for this scenario.
Refer to Chapter 12 “Enterprise Edition Control Core Services v9.4 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-9.4 Domain Clients to Existing
Off-Control Network Networks” for the installation instructions for the domain clients.

Scenario 2
In this scenario:
♦ New domain controllers (PDC and SDC) are located on a separate,
customer-supplied network (Off-Control Network). Each of the stations (new domain controllers
and new domain client workstations) are loaded with Control Core Services v9.4.
♦ There are no stations with security enhanced Control Core Services v9.3 or earlier on
the domain.
♦ Stations with Local Edition Control Core Services v9.4 or earlier are supported on the
same control network but not on the Active Directory domain.
Refer to Chapter 5 “Enterprise Edition Control Core Services v9.4 Installation for New
Off-Control Network Domain Controllers” for the installation instructions for this scenario.
Refer to Chapter 12 “Enterprise Edition Control Core Services v9.4 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-9.4 Domain Clients to Existing
Off-Control Network Networks” for the installation instructions for the domain clients.

Scenario 3
This scenario is designed for systems in which you already have a PDC with Windows Server
2016 Standard on which you want to install the Control Core Services components for Active
Directory.
In this scenario:
♦ Control Core Services v9.4 is installed to an existing PDC with Windows Server 2016
Standard installed on an Off-Control Network network. The existing PDC is running
Windows Server 2016 Standard with no Control Core Services software. The existing
PDC installed on a separate network (Off-Control Network) is a customer-supplied
station that has customer-specific Active Directory components with no Control Core
Services software.


♦ This installation is not completely automated by the Control Core Services v9.4
installation program and needs some manual steps as indicated in Chapter 6
“Enterprise Edition Control Core Services v9.4 Installation for Existing Off-Control
Network Primary Domain Controllers”.
♦ All domain clients are installed as new workstations with Control Core Services v9.4.
♦ There are no stations with security enhanced Control Core Services v9.3 or earlier on
the domain.
♦ Stations with Local Edition Control Core Services v9.4 or earlier are supported on the
same control network but not on the Active Directory domain.
Refer to Chapter 6 “Enterprise Edition Control Core Services v9.4 Installation for Existing
Off-Control Network Primary Domain Controllers” for the installation instructions for this scenario.
Refer to Chapter 12 “Enterprise Edition Control Core Services v9.4 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-9.4 Domain Clients to Existing
Off-Control Network Networks” for the installation instructions for the domain clients.

Scenario 4
In this scenario:
♦ This is a migration of an existing PDC on the control network with Windows Server
2008 and I/A Series software v8.8-Control Core Services v9.0-9.3 to a new PDC on
the control network with Windows Server 2016 Standard and Control Core Services
v9.4.
♦ The new PDC with Windows Server 2016 Standard can either be a new server or an
existing SDC that is capable of running Windows Server 2016 Standard.
♦ The installation is not completely automated by the Control Core Services v9.4
installation program and needs some manual steps as indicated in Chapter 7 “Migrating an
On-Control Windows Server 2008 Domain Controller to a New Windows Server
2016 Primary Domain Controller on the On-Control Network”.
♦ The station name for the new PDC has to be the name of a new station with Control
Core Services v9.4 that is configured to have only the IAMESH package. The name of
this station has to be included on the Commit installation media.
♦ The existing PDC will switch roles and become an SDC on the control network with
Windows Server 2016. This station will keep its same name.
♦ SDCs are configured as follows:
♦ All existing SDCs with Control Core Services v9.3 or earlier have to be demoted
(as described in “Removing Domain Controller Functionality from a
Workstation” on page 527).
♦ These demoted stations have to have Windows Server 2016 Standard installed on
them (if their hardware supports this operating system).
♦ Each demoted station has to have the appropriate software installed on them to
make them an SDC according to the instructions in this document - see
“Installing Enterprise Edition Control Core Services v9.4 on Secondary Domain
Controllers on The Control Network” on page 83, “Installing Enterprise Edition
Control Core Services v9.4 on Off-Control Network Secondary Domain
Controllers” on page 140, and Appendix C “Secondary Domain Controllers in a Foxboro
Evo System”.
♦ For this to work, either a new letterbug (station name) has to be provided which is
designated as a station with Control Core Services v9.4 in the Commit
installation media or the existing station name has to be converted in System
Definition to be a station with Control Core Services v9.4.
Refer to Chapter 7 “Migrating an On-Control Windows Server 2008 Domain Controller to a
New Windows Server 2016 Primary Domain Controller on the On-Control Network” for the
installation instructions for this scenario.
Refer to Chapter 12 “Enterprise Edition Control Core Services v9.4 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-9.4 Domain Clients to Existing
Off-Control Network Networks” for the installation instructions for the domain clients.

Scenario 5
In this scenario:
♦ This is a migration of an existing PDC on the control network with Windows Server
2008 and I/A Series software v8.8 or Control Core Services v9.0-9.3 to a new PDC
installed on a separate network (Off-Control Network) with Windows Server 2016
Standard and Control Core Services v9.4.
♦ The new PDC with Windows Server 2016 Standard can either be a new server or an
existing SDC that is capable of running Windows Server 2016 Standard.
♦ The installation is not completely automated by the Control Core Services v9.4
installation program and needs some manual steps as indicated in Chapter 8 “Migrating an
On-Control Windows Server 2008 Domain Controller to a New Windows Server
2016 Primary Domain Controller on the Off-Control Network”.
♦ The station name for the new PDC does not have to be included on the Commit
installation media. This new name is configured in the Active Directory according to
the instructions.
♦ The original PDC (with I/A Series software v8.8 or Control Core Services v9.0-9.3) is
no longer used after the installation and can be removed or re-purposed as another
server after demoting it from the domain controller role, as described in “Removing
Domain Controller Functionality from a Workstation” on page 527.
♦ The old SDC has to be removed. This involves demoting the domain controller and
removing it from Active Directory. Any other SDC station on a system with Control
Core Services v9.3 or earlier on the control network has to also be removed and
reloaded as stations with Control Core Services v9.4 (Off-Control Network) if
desired:
♦ Existing SDCs with I/A Series software v8.7 or earlier have to be demoted (as
described in “Removing Domain Controller Functionality from a Workstation”
on page 527).
♦ These demoted stations have to have Windows Server 2016 Standard installed on
them (if their hardware supports this operating system).
♦ Each demoted station has to be installed as an Off-Control Network SDC
according to the instructions in this document.
Refer to Chapter 8 “Migrating an On-Control Windows Server 2008 Domain Controller to a
New Windows Server 2016 Primary Domain Controller on the Off-Control Network” for the
installation instructions for this scenario.
Refer to Chapter 12 “Enterprise Edition Control Core Services v9.4 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-9.4 Domain Clients to Existing
Off-Control Network Networks” for the installation instructions for the domain clients.

Scenario 6
In this scenario:
♦ This is a migration of an existing PDC off the control network with Windows Server 2008
and I/A Series software v8.8-Control Core Services v9.0-9.3 to a new PDC on the
control network with Windows Server 2016 Standard and Control Core Services
v9.4.
♦ The new PDC with Windows Server 2016 Standard can either be a new server or an
existing SDC that is capable of running Windows Server 2016 Standard.
♦ The installation is not completely automated by the Control Core Services v9.4
installation program and needs some manual steps as indicated in Chapter 7 “Migrating an
On-Control Windows Server 2008 Domain Controller to a New Windows Server
2016 Primary Domain Controller on the On-Control Network”.
♦ The station name for the new PDC has to be the name of a new station with Control
Core Services v9.4 that is configured to have only the IAMESH package. The name of
this station has to be included on the Commit installation media.
♦ The existing PDC will switch roles and become an SDC on the control network with
Windows Server 2016. This station will keep its same name.
♦ SDCs are configured as follows:
♦ All existing SDCs with Control Core Services v9.3 or earlier have to be demoted
(as described in “Removing Domain Controller Functionality from a
Workstation” on page 527).
♦ These demoted stations have to have Windows Server 2016 Standard installed on
them (if their hardware supports this operating system).
♦ Each demoted station has to have the appropriate software installed on them to
make them an SDC according to the instructions in this document - see
“Installing Enterprise Edition Control Core Services v9.4 on Secondary Domain
Controllers on The Control Network” on page 83, “Installing Enterprise Edition
Control Core Services v9.4 on Off-Control Network Secondary Domain
Controllers” on page 140, and Appendix C “Secondary Domain Controllers in a Foxboro
Evo System”.
For this to work, either a new letterbug (station name) has to be provided which is designated as a
station with Control Core Services v9.4 in the Commit installation media or the existing station
name has to be converted in System Definition to be a station with Control Core Services v9.4.
Refer to Chapter 9 “Migrating an Off-Control Windows Server 2008 Domain Controller to a
New Windows Server 2016 Primary Domain Controller on the On-Control Network” for the
installation instructions for this scenario.


Refer to Chapter 12 “Enterprise Edition Control Core Services v9.4 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-9.4 Domain Clients to Existing
Off-Control Network Networks” for the installation instructions for the domain clients.

Scenario 7
In this scenario:
♦ This is a migration of an existing PDC off the control network with Windows Server
2008 and I/A Series software v8.8-Control Core Services v9.0-9.3 to a new PDC off
the control network with Windows Server 2016 Standard and Control Core Services
v9.4.
♦ The new PDC with Windows Server 2016 Standard can either be a new server or an
existing SDC that is capable of running Windows Server 2016 Standard.
♦ The installation is not completely automated by the Control Core Services v9.4
installation program and needs some manual steps as indicated in Chapter 7 “Migrating an
On-Control Windows Server 2008 Domain Controller to a New Windows Server
2016 Primary Domain Controller on the On-Control Network”.
♦ The station name for the new PDC has to be the name of a new station with Control
Core Services v9.4 that is configured to have only the IAMESH package. The name of
this station has to be included on the Commit installation media.
♦ The existing PDC will switch roles and become an SDC on the control network with
Windows Server 2016. This station will keep its same name.
♦ SDCs are configured as follows:
♦ All existing SDCs with Control Core Services v9.3 or earlier have to be demoted
(as described in “Removing Domain Controller Functionality from a
Workstation” on page 527).
♦ These demoted stations have to have Windows Server 2016 Standard installed on
them (if their hardware supports this operating system).
♦ Each demoted station has to have the appropriate software installed on them to
make them an SDC according to the instructions in this document - see
“Installing Enterprise Edition Control Core Services v9.4 on Secondary Domain
Controllers on The Control Network” on page 83, “Installing Enterprise Edition
Control Core Services v9.4 on Off-Control Network Secondary Domain
Controllers” on page 140, and Appendix C “Secondary Domain Controllers in a Foxboro
Evo System”.
For this to work, either a new letterbug (station name) has to be provided which is designated as a
station with Control Core Services v9.4 in the Commit installation media or the existing station
name has to be converted in System Definition to be a station with Control Core Services v9.4.
Refer to Chapter 10 “Migrating an Off-Control Windows Server 2008 Domain Controller to a
New Windows Server 2016 Primary Domain Controller on the Off-Control Network” for the
installation instructions for this scenario.
Refer to Chapter 12 “Enterprise Edition Control Core Services v9.4 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-9.4 Domain Clients to Existing
Off-Control Network Networks” for the installation instructions for the domain clients.


Scenario 8
In this scenario:
♦ This is a migration of an existing PDC on the control network with Windows Server
2003 and I/A Series software v8.5-8.7 to a new PDC on the control network with
Windows Server 2016 Standard and Control Core Services v9.4.
♦ The new PDC with Windows Server 2016 Standard can either be a new server or an
existing SDC that is capable of running Windows Server 2016 Standard.
♦ The installation is not completely automated by the Control Core Services v9.4
installation program and needs some manual steps as indicated in Chapter 12.
♦ The station name for the new PDC has to be the name of a new station with Control
Core Services v9.4 that is configured to have only the IAMESH package. The name of
this station has to be included on the Commit installation media.
♦ The existing PDC will switch roles and become an SDC on the control network with
Windows Server 2016. This station will keep its same name.
♦ SDCs are configured as follows:
♦ All existing SDCs with Control Core Services v8.7 or earlier have to be demoted
(as described in “Removing Domain Controller Functionality from a
Workstation” on page 527).
♦ These demoted stations have to have Windows Server 2016 Standard installed on
them (if their hardware supports this operating system).
♦ Each demoted station has to have the appropriate software installed on them to
make them an SDC according to the instructions in this document - see
“Installing Enterprise Edition Control Core Services v9.4 on Secondary Domain
Controllers on The Control Network” on page 83, “Installing Enterprise Edition
Control Core Services v9.4 on Off-Control Network Primary Domain
Controllers” on page 111, and Appendix C “Secondary Domain Controllers in a Foxboro
Evo System”.
♦ For this to work, either a new letterbug (station name) has to be provided which is
designated as a station with Control Core Services v9.4 in the Commit installation
media or the existing station name has to be converted in System Definition to be
a station with Control Core Services v9.4.
Refer to Chapter 11 “Migrating an On-Control Windows Server 2003 Domain Controller to a
New Windows 2016 Primary Domain Controller on an On- or Off-Control Network” for the
installation instructions for this scenario.
Refer to Chapter 12 “Enterprise Edition Control Core Services v9.4 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-9.4 Domain Clients to Existing
Off-Control Network Networks” for the installation instructions for the domain clients.

Scenario 9
In this scenario:
♦ This is a migration of an existing PDC on the control network with Windows Server
2003 and I/A Series software v8.5-8.7 to a new PDC installed on a separate network
(Off-Control Network) with Windows Server 2016 Standard and Control Core
Services v9.4.
♦ The new PDC with Windows Server 2016 Standard can either be a new server or an
existing SDC that is capable of running Windows Server 2016 Standard.
♦ The installation is not completely automated by the Control Core Services v9.4
installation program and needs some manual steps as indicated in Chapter 12.
♦ The station name for the new PDC does not have to be included on the Commit
installation media. This new name is configured in the Active Directory according to
the instructions.
♦ The original PDC (with I/A Series software v8.5-8.7) is no longer used after the
installation and can be removed or re-purposed as another server. But this should be done
only after properly demoting the domain controller role. Refer to “Removing Domain
Controller Functionality from a Workstation” on page 527 for instructions on how to
demote a domain controller.
♦ The old SDC has to be removed. This involves demoting the domain controller and
removing it from Active Directory. Any other SDC station on a system with I/A Series
software v8.7 or earlier on the control network has to also be removed and reloaded as
stations with Control Core Services v9.4 (Off-Control Network) if desired:
♦ Existing SDCs with I/A Series software v8.7 or earlier have to be demoted (as
described in “Removing Domain Controller Functionality from a Workstation”
on page 527).
♦ These demoted stations have to have Windows Server 2016 Standard installed on
them (if their hardware supports this operating system).
♦ Each demoted station has to be installed as an Off-Control Network SDC
according to the instructions in this document.
Refer to Chapter 11 “Migrating an On-Control Windows Server 2003 Domain Controller to a
New Windows 2016 Primary Domain Controller on an On- or Off-Control Network” for the
installation instructions for this scenario.
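
Scenarios 4 through 9 all depend on knowing which domain controllers are still on an older Windows Server release, since each of those has to be demoted and reloaded. The following inventory is an added example, not part of this guide or of the product: it assumes the RSAT ActiveDirectory PowerShell module is installed and uses the operating system release as a stand-in for older I/A Series or Control Core Services software, which Active Directory does not record. The function name `Get-DcMigrationInventory` is hypothetical.

```powershell
# Added example: inventory the domain controllers before a Chapter 3 migration.
# Assumptions: the RSAT ActiveDirectory module is installed, the account can read
# the domain, and the OS release stands in for "older software", because Active
# Directory does not record the I/A Series or Control Core Services version.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-DcMigrationInventory {
    [CmdletBinding()]
    param(
        # Release the migrated domain controllers are expected to run.
        [string]$TargetOs = 'Windows Server 2016'
    )

    # FQDN of the controller currently holding the PDC emulator role.
    $pdcEmulator = (Get-ADDomain).PDCEmulator

    Get-ADDomainController -Filter * | ForEach-Object {
        [pscustomobject]@{
            Name             = $_.Name
            IPv4Address      = $_.IPv4Address
            Site             = $_.Site
            OperatingSystem  = $_.OperatingSystem
            HoldsPdcEmulator = ($_.HostName -eq $pdcEmulator)
            FsmoRoles        = ($_.OperationMasterRoles -join ', ')
            IsGlobalCatalog  = $_.IsGlobalCatalog
            # Anything not on the target release still has to be demoted and reloaded.
            NeedsReload      = ($_.OperatingSystem -notlike "$TargetOs*")
        }
    } | Sort-Object -Property NeedsReload, Name
}

$inventory = Get-DcMigrationInventory
$inventory | Format-Table -AutoSize

# Summarize the controllers that are not yet on the target release.
$old = @($inventory | Where-Object { $_.NeedsReload })
if ($old.Count -gt 0) {
    Write-Warning ("{0} domain controller(s) not on the target release: {1}" -f
        $old.Count, (($old | ForEach-Object { $_.Name }) -join ', '))
}
```

Run it before the migration to plan the demotions and again afterwards; an empty warning list after the migration means no domain controller on an older Windows Server release is left in the domain.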

Other Migration Considerations


Control Processor 270 and FCP280 Upgrade Recommendation
After the installation of the workstation software, it is recommended that Control Processor 270s
(FCP270 and ZCP270) and FCP280s hosted by workstations with Control Core Services v9.4
have an image update. If this action is desired, careful planning is needed.
For replacing workstations/servers with Windows 7 or earlier operating systems with
workstation/servers with later operating systems without rebooting their CPs and without loading a
different image version in them, refer to Procedure for Workstation Upgrade without Control Processor
(CP) Reboot (B0860CP).
For legacy control processors, refer to Appendix B “EEPROM Revision Levels” in Control Core
Services v9.4 Release Notes (B0700SY) for the latest image version numbers for these modules.


Migrating a FCP270 or ZCP270 Control Database from a System with I/A Series Software v8.6 or Earlier
I/A Series software v8.7-v8.8 and Control Core Services v9.0 and later versions include the
LASTGV parameter, which enables the Last Good Value functionality in the RIN and RINR
blocks, as mentioned in V8.7 Release Notes and Installation Procedures (B0700SE). When enabled,
this functionality causes the previous value of MEAS to be retained, and the value obtained from
the current cycle to be ignored for the block. Refer to the sections called “Last Good Value” in the
RIN and RINR chapters of Integrated Control Block Descriptions (B0193AX) for more information
on this functionality.
Prior to I/A Series software v8.7, the LASTGV parameter did not exist for the RIN and RINR
blocks.
This LASTGV parameter defaults to a value of 1, which activates the Last Good Value
functionality (this default setting is not backward compatible with I/A Series software v8.6 or
earlier). Therefore, when migrating control databases from systems with I/A Series software v8.6
or earlier, the LASTGV parameter on RIN and RINR blocks will default to 1, activating the Last
Good Value functionality on these blocks where this functionality did not previously exist.
Review your RIN and RINR blocks to determine the desired LASTGV parameter value and
update the parameter in your desired control configurator appropriately.
For more information on the RIN and RINR blocks, refer to Integrated Control Block Descriptions
(B0193AX).

Updating Sequence Block Code after Migration to a New Operating System or NutCracker Version
You may encounter suboptimal conditions if you are using sequence blocks and migrating from
workstations running the Solaris operating system to workstations running the Windows
operating system or vice versa. You may also encounter similar conditions when migrating
between different versions of NutCracker software.
Prior to I/A Series software v8.2, preprocessor software behaved identically on both Windows and
Solaris platforms. Pre-v8.2 MKS NutCracker software was compatible with the Solaris C
preprocessor software.
However, I/A Series software v8.2-v8.8 and Control Core Services for the Windows operating
system were released with a newer version of MKS NutCracker. This version of MKS caused some
interoperability suboptimal conditions with Windows platforms running the older version of the
MKS NutCracker software, as well as with Solaris workstations running the native Solaris C
preprocessor software.
Table 3-2 to Table 3-4 give an overview of the conditions you may encounter when migrating
High Level Batch Language (HLBL) and Sequential Function Chart (SFC) files between
platforms and configurators, and general considerations for migrating sequence block code.


Table 3-2. General Migration Considerations

| Description | ICC on Solaris Platform | ICC on Windows Platform | IACC on Windows Platform | Foxboro Evo Control Editors on Windows Platform |
|---|---|---|---|---|
| Precompiler supports reserved words | Yes | Yes | Yes | Yes |
| Precompiler supports long comments | No | No | No | No |
| Precompiler supports long IF statements | No | No | Yes | Yes |

Table 3-3. HLBL Migration Considerations

| Description | ICC on Solaris Platform | ICC on Windows Platform | IACC on Windows Platform | Foxboro Evo Control Editors on Windows Platform |
|---|---|---|---|---|
| Precompiler is case sensitive | Yes | Yes | No | No |
| Precompiler replaces strings included in single quotes correctly | Yes | No | No | No |
| Precompiler correctly expands #define statements | Yes | No | No | No |
| Precompiler correctly expands #define statements with comments | Yes | No | No | No |
| Precompiler requires a value to be added to #define statements | No | No | Yes | Yes |
| Precompiler supports “#if defined” statements | Yes | Yes | No | No |
| Precompiler supports redefinition of #define values | Yes | Yes | No | No |
| Precompiler supports conditional inclusion | Yes | Yes | No | No |
| Precompiler supports a directory structure | Yes | Yes | No | Yes |
| Precompiler removes white space | No | Yes | Yes | Yes |
| Precompiler exhibits text editor suboptimal conditions | N/A | N/A | Yes | N/A |
| Precompiler supports spaces behind #endif macro | N/A | N/A | No | Yes |
| Precompiler supports multi-line macros separated by a backslash ('\') character at the end of the line | Yes | Yes | No | No |


Table 3-4. SFC Migration Considerations

| Description | ICC on Solaris Platform | ICC on Windows Platform | IACC on Windows Platform | Foxboro Evo Control Editors on Windows Platform |
|---|---|---|---|---|
| Precompiler has suboptimal conditions with carriage return, line feed, and tab characters | No | Yes | Yes | Yes |
| Precompiler has suboptimal conditions with single quotes | No | No | Yes | Yes |

For additional information on control configuration, sequence blocks, and their compilation,
refer to the following documents:
♦ High Level Batch Language (HLBL) User’s Guide (B0400DF)
♦ I/A Series Configuration Component (IACC) User's Guide (B0700FE)
♦ Sequence Block SFC Editor User's Guide (B0750AM)
♦ Sequence Block HLBL Editor User's Guide (B0750AL)
♦ Integrated Control Configurator (B0193AV)
♦ Sequential Function Chart/Structured Text Configurator and Display Manager for
Sequence Blocks (B0193UZ)
The following sections describe these concerns in more detail.

General Considerations
The following subsections describe general considerations when migrating sequence block code
between different configurators and operating systems:

Using Reserved Words


Before migrating from a Solaris to a Windows workstation, make certain that you have not
redefined any reserved words, such as AUTO, MANUAL, or FUNCTION. If you are using a
case-sensitive configurator and reserved words have been redefined, you can resolve the concern by
changing the case of the defined word (for example, auto, manual, or function). This will affect
the SENDMSG command.
For a list of reserved words, refer to the “Keywords” section in High Level Batch Language (HLBL)
User’s Guide (B0400DF).

Using Long Comments and If Statements


The compiler cannot find labels if comments are too long or if the text is too long within an IF
loop. To resolve this concern, enter a carriage return after approximately 60 characters.
Additionally, for a list of other sequence compiler limits, refer to “Sequence Compiler Limits” in
High Level Batch Language (HLBL) User’s Guide (B0400DF).


HLBL Code
The following subsections describe the concerns with HLBL code that may appear when migrat-
ing code between configurators and operating systems:
♦ “Case Sensitivity” on page 40.
♦ “Replacement of Strings Included in Single Quotes” on page 41.
♦ “Expansion of #define Statements” on page 41.
♦ “Value Added to #define Statements” on page 42.
♦ “Conditional Inclusion Support” on page 43.
♦ “Directory Structure” on page 44.
♦ “Text Editor Concerns” on page 46.
♦ “Space Behind #endif Macro” on page 47.

Case Sensitivity
ICC running on both Solaris and Windows platforms is case-sensitive, whereas the IACC and the
Foxboro Evo Control Editors (hereinafter referred to as Control Editors) applications (which both
run on Windows platforms) are not case-sensitive. You may have a concern when compiling code
depending on which control configuration tool you are using. For example, you may have case-
sensitivity suboptimal conditions if you are upgrading from ICC running on a Solaris platform to
the Control Editors running on a Windows platform, as shown in the following example.
The following code will not compile in the non-case-sensitive control configurators because the
uppercase BATCHTIME macro conflicts with the lower case batchtime variable:
#ifdef BATCHTIME
batchsec : RI0015; {Batch timer in seconds}
batchtime : SN0001; {Batch elapsed time string batch time changed
from batchtime to batchtime1}
lasttime : II0001; {Last time batch time was updated}
#endif
Alternatively, the following code will compile, because the batchtime variable has been changed
to batchtime1:
#ifdef BATCHTIME
batchsec : RI0015; {Batch timer in seconds}
batchtime1 : SN0001; {Batch elapsed time string batch time changed
from batchtime to batchtime1}
lasttime : II0001; {Last time batch time was updated}
#endif

TIP
If you are upgrading from a non-case-sensitive configurator (ICC on Solaris or
Windows platforms) to a case-sensitive configurator (IACC or the Control Editors),
make certain your code does not contain tokens that differ only in case, such as an
uppercase macro name and a lowercase variable name.


Replacement of Strings Included in Single Quotes


For ICC running on Solaris platforms, the precompiler will replace strings included in single
quotes, as in device := 'CHARG_VLV'. However, this is not the case for ICC running on a
Windows platform or for IACC and the Control Editors. The precompilers for these applications will
not replace strings enclosed in single quotes. If you are upgrading from a Solaris platform to a
Windows platform, you will have a suboptimal condition if the code contains strings enclosed in
single quotes that are meant to be replaced by macros, as shown in the following example.
In the following code snippet, the precompiler will not substitute RX_101:XV101_1A wherever
CHARG_VLV appears, because the CHARG_VLV string is within single quotes. This condition occurs
for ICC running on a Windows platform, as well as IACC and the Control Editors.
#define OPEN TRUE /* existing macro */
#define CHARG_VLV RX_101:XV101_1A /* existing macro */

001 DRIVE(device := 'CHARG_VLV', option := 1, mode := OPEN);


002 :CHARG_VLV.MA := FALSE;

Alternatively, if the code is changed as follows, the precompiler will substitute
'RX_101:XV101_1A' wherever sCHARG_VLV appears, and RX_101:XV101_1A wherever
CHARG_VLV appears.
#define OPEN TRUE /* existing macro */
#define CHARG_VLV RX_101:XV101_1A /* existing macro */
#define sCHARG_VLV 'RX_101:XV101_1A' /* new macro */

001 DRIVE(device := sCHARG_VLV, option := 1, mode := OPEN);


002 :CHARG_VLV.MA := FALSE;

TIP
If you are upgrading from ICC running on the Solaris platform to ICC, IACC, or
the Control Editors running on a Windows platform, make certain that the code
does not contain strings enclosed in single quotes that are meant to be replaced by
macro text. Include the single quotes in the macro definition instead.

Expansion of #define Statements


Precompilers on Solaris platforms and Windows platforms expand #define macros in the code
differently. The Windows XP operating system takes everything after the macro name and blindly
substitutes it into the code, whereas the Solaris operating system removes comments of the type
{} and recognizes that the substitution should not be made if the macro name is included in a string.
For example, consider the following code:
#define Desired ::UNIT.RI0001 {Any REAL from display}
H2O_SetPt := Desired + 5.0;
MESSAGE := "Enter Desired Water Amount to TK-301, ACK";
The Windows XP operating system expands this code as follows:
H2O_SetPt := ::UNIT.RI0001 {Any REAL from display} + 5.0;
MESSAGE := "Enter ::UNIT.RI0001 {Any REAL from display} Water Amount
to TK-301, ACK";


The comment included in the H2O_SetPt line is not standard coding practice, but the text will
compile and run on both Windows and Solaris platforms. However, the substitution that the
Windows XP precompiler makes on the MESSAGE line is incorrect.

Expansion of #define Statements with Comments


If there are spaces between the #define declaration and a comment, suboptimal conditions may
occur.
For example, consider the following code:
...
#define RX_PRESS :PT101_1A /* Comment */
...
REPEAT
P1 := :RX_PRESS.PNT_1;
UNTIL FALSE;
...
The Windows XP operating system expands this code as follows:
P1 := ::PT101_1A.PNT_1;

TIP
If you are upgrading from ICC on Solaris platforms to ICC, IACC, or the Control
Editors on a Windows platform, make certain all the macros contained in
define statements are expanded properly in the Sequence code. If there are spaces
before comments, remove the spaces. For example, modify the code to read:

#define RX_PRESS :PT101_1A/* Comment */

Value Added to #define Statements


For precompilers associated with ICC on both Windows and Solaris platforms, define
statements do not need to have a value assigned:
# define MACRO
However, for IACC and the Control Editors, a value has to be added to the define statement in
order for the code to compile:
# define MACRO value
The following example defines a macro without a value. This is not supported by the precompilers
associated with IACC and the Control Editors, whereas the statements are valid for ICC on
Windows and Solaris platforms.
#include "opt_HLBL_Global_UnitExec.s"
#define BATCHTIME {no value is assigned to the macro BATCHTIME
}
#include "opt_HLBL_Global_TimeCalc.s"

#ifdef BATCHTIME
batchsec : RI0015; {Batch timer in seconds}
batchelapsedtime : SN0001; {Batch elapsed time string}
lasttime : II0001; {Last time batch time was updated}
#endif


In the following modified example, a value is assigned to the BATCHTIME macro, so the
code is accepted by the precompilers:
#include "opt_HLBL_Global_UnitExec.s"
#define BATCHTIME 1 {the value "1" is assigned to the macro
BATCHTIME }
#include "opt_HLBL_Global_TimeCalc.s"

#ifdef BATCHTIME
batchsec : RI0015; {Batch timer in seconds}
batchelapsedtime : SN0001; {Batch elapsed time string}
lasttime : II0001; {Last time batch time was updated}
#endif

TIP
If you are upgrading from ICC on Solaris or Windows platforms to IACC or the
Control Editors on a Windows platform, make certain all the macros contained in
define statements are assigned a value.

Conditional Inclusion Support


The precompilers associated with ICC running on Solaris and Windows platforms provide
conditional inclusion support. However, you may need to make modifications if you are migrating
from ICC on Solaris or Windows platforms to IACC or the Control Editors on Windows
platforms, or vice versa.
Conditional inclusion commands like if, ifdef, or ifndef allow parts of the source code to be
included or ignored during compilation. The condition can be tested based on the value of a
constant expression or on whether a macro name is defined. If the conditional inclusion command
tests for equality, the test has to contain only one equal sign (‘=’) if you are using IACC or the
Control Editors.
For example, the following code containing conditional “if” statements does not compile on
IACC or the Control Editors:
#if NUM_OF_PUMPS == 2
VALID_SUM = 3;
VALID_PRD = 2;
#endif

#if NUM_OF_PUMPS == 3
VALID_SUM = 6;
VALID_PRD = 6;
#endif
In the following modified example, only one ‘=’ character is used in the equality test. This code
compiles on IACC and the Control Editors.
#if NUM_OF_PUMPS = 2
VALID_SUM = 3;
VALID_PRD = 2;
#endif

#if NUM_OF_PUMPS = 3
VALID_SUM = 6;


VALID_PRD = 6;
#endif

TIP
If you are using conditional inclusion statements and you are upgrading to IACC or
the Control Editors, make certain equality tests only use one equal sign.

Directory Structure
The ICC running on Solaris and Windows platforms and the Control Editors allow a directory
structure for individual include files, whereas IACC does not allow a directory structure.
For example, Figure 3-1 shows an example of a directory structure that could have been used with
ICC or the Control Editors, and Figure 3-2 shows the sequence code that references the files in
the directory structure. Specifically, the #include statements in Figure 3-2 are referencing files that
reside in the “D:\opt\HLBL\Global” and “D:\opt\HLBL\SBR” directories, such as book_release.s
and msg_disp.sbr.

Figure 3-1. Directory Structure Used with ICC or the Foxboro Evo Control Editors


Figure 3-2. Sequence Code Referencing Include Files Contained in a Directory Structure

However, the directory structure shown in Figure 3-1 is not supported when you are migrating
from ICC or the Control Editors to IACC. To work around this, you can use the “Text Objects”
names in IACC to mimic the original file structure.
Text objects are library objects that contain Structured Text (ST) code and can be inserted into
the sequence block code. To mimic the original file structure in IACC, perform the following
steps to create a text object and add code to it.
1. In the IACC Project Navigator, expand System > Libraries > Text Objects.
2. Right-click Text Objects and choose New Text Object from the pop-up menu.
3. A new object with a default name is added under the Text Objects branch. The
default name is highlighted, and you can change the name at this point.
4. Give the Text Object a new name using the convention <pathname>_<filename>.
For example, give the D:\opt\HLBL\SBR\msg_disp.sbr file the name
opt_HLBL_SBR_MsgDisp.sbr.
5. Add code to the Text Object:
a. Double-click the object to open the ST Code Editor.
b. Copy the text from the included file and paste it into the Text Object in IACC.
c. Update the filenames throughout the sequence code. You could do this by
performing a find and replace operation to replace “/opt/HLBL/SBR/” with
“opt_HLBL_SBR_”, as shown in “Sequence Code Referencing IACC Text
Objects” on page 46 below.
d. Verify, compile, and save the code in the Text Object.


Figure 3-3. Sequence Code Referencing IACC Text Objects

TIP
If you are migrating to IACC, manually copy and paste the files into the IACC
configurator and use the “Text Objects” library name to mimic the old file structure.
Refer to “Creating and Editing Text Objects” in I/A Series Configuration Component
(IACC) User's Guide (B0700FE).

Text Editor Concerns


The Structured Text (ST) Code Editor is a text editor built into IACC for creating and editing
HLBL code for sequence blocks. The ST Code Editor in IACC does not allow you to edit the first
line in the sequence block. To work around this condition, you have to import the proper code
manually on a per-block basis, rather than compiling sequence blocks using the bulk HLBL block
compiler.


Figure 3-4. Sequence Code Referencing IACC Text Editor

TIP
If you are migrating to IACC, import the code manually on a per-block basis. Refer
to “Compiling the HLBL Code” in I/A Series Configuration Component (IACC) User's
Guide (B0700FE).

Space Behind #endif Macro


In IACC, spaces behind endif statements lead to compilation detected errors. This suboptimal
condition does not occur for ICC on Solaris and Windows platforms or the Control Editors.
Because there is a space after the endif statement, the code in the following example will not
compile in IACC:

IACC accepts the code in the following example:


TIP
If you are migrating to IACC, remove spaces after endif statements.

SFC Code
The following subsections describe the concerns with SFC code that may appear when migrating
code between configurators and operating systems:
♦ “Carriage Return, Line Feed, Tab” on page 48.
♦ “Single Quote Concerns” on page 48.

Carriage Return, Line Feed, Tab


If you attempt to migrate code from a Solaris platform (ICC) to a Windows platform (ICC,
IACC, or the Control Editors), the carriage return, line feed, and tab characters appear in the
migrated text as shown below:

Figure 3-5. Sequence Code Referencing Carriage Return, Line Feed, Tab

TIP
After migrating code from Solaris to Windows, replace the carriage return, line feed,
and tab characters that are not imported correctly into SFC/ST Display Manager.
Refer to SFC V2.0 Release Notes (Windows XP and Windows Server 2003 Platforms)
(B0400QR) or SFC V 2.0 Release Notes (Solaris Platform) (B0400QS) for information
on migrating sequence blocks between Windows and Solaris platforms.

Single Quote Concerns


In IACC, the following SFC code will not compile because there is a single quote in the
comment.
(* SECURE OTHER REACTOR'S CHARGE BLOCK, BLEED, AND CONTROL VALVES *)
SECURE_CHRG_VLVS := TRUE;\
If a single quote appears in a comment, the detected error message in Figure 3-6 will appear.


Figure 3-6. Sequence Code Referencing Single Quote Concern

However, the following SFC code with the single quote removed will compile in IACC:
(* SECURE OTHER REACTORS CHARGE BLOCK, BLEED, AND CONTROL VALVES *)
SECURE_CHRG_VLVS := TRUE;\
Alternately, the Control Editors deal with this issue internally by removing any single quotes
embedded in comments before compilation. The source code is not changed and successfully
compiles, but the single quote characters have been removed from the compiled code.

TIP
After migrating code to IACC, make certain there are no single quotes embedded in
comments. To work around this suboptimal condition, you could either replace the
single quote with another character or remove the single quote character; for
example, “can’t” would become “cant” or “cannot”.
If you are migrating code to the Control Editors, keep in mind that the compiled code
will not contain the single quote character if it was embedded in a comment.
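
The HLBL and SFC concerns described in the sections above can be checked mechanically before sequence code is moved to IACC or the Control Editors. The following Python script is an added example, not part of this guide or of any Foxboro tool; the function name lint_sequence_code, the rule names, and the sample source (constructed from the snippets shown above) are assumptions made for illustration. Comments that continue onto a following line are not tracked.

```python
import re

DEFINE_RE = re.compile(r"^\s*#\s*define\s+(\w+)(.*)$")
# HLBL comments are {...} or /*...*/, SFC comments are (*...*). A comment left
# open at the end of a line is treated as running to the end of that line.
COMMENT_RE = re.compile(r"\{[^}]*(?:\}|$)|/\*.*?(?:\*/|$)|\(\*.*?(?:\*\)|$)")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")
SQ_RE = re.compile(r"'([^']*)'")
DQ_RE = re.compile(r'"([^"]*)"')

# Hypothetical rule names, each tied to one migration concern from the guide.
RULES = {
    "CASE_COLLISION": "token differs from a macro only in case (IACC, Control Editors)",
    "MACRO_IN_SINGLE_QUOTES": "macro in single quotes is not replaced on Windows",
    "MACRO_IN_STRING": "Windows precompiler substitutes the macro inside the string",
    "SPACE_BEFORE_COMMENT": "spaces between #define value and comment",
    "DEFINE_NO_VALUE": "#define without a value (IACC, Control Editors)",
    "IF_DOUBLE_EQUALS": "'==' in #if equality test (IACC, Control Editors)",
    "SPACE_AFTER_ENDIF": "space after #endif (IACC)",
    "QUOTE_IN_COMMENT": "single quote inside a comment (IACC SFC code)",
}


def lint_sequence_code(source):
    """Return sorted (line_number, rule, detail) findings for sequence code."""
    lines = source.splitlines()
    findings = []
    macros = {}

    # Pass 1: collect macro names and check each #define line.
    for no, line in enumerate(lines, 1):
        m = DEFINE_RE.match(line)
        if not m:
            continue
        name, rest = m.groups()
        macros[name] = no
        value = COMMENT_RE.sub("", rest).strip()
        if not value:
            findings.append((no, "DEFINE_NO_VALUE", name))
        elif re.search(r"\s(?:\{|/\*)", rest):
            findings.append((no, "SPACE_BEFORE_COMMENT", name))

    by_lower = {name.lower(): name for name in macros}

    # Pass 2: check directives, comments, strings and identifiers.
    for no, line in enumerate(lines, 1):
        if re.match(r"\s*#\s*if\b", line) and "==" in line:
            findings.append((no, "IF_DOUBLE_EQUALS", line.strip()))
        if re.match(r"\s*#\s*endif[ \t]+$", line):
            findings.append((no, "SPACE_AFTER_ENDIF", ""))
        if any("'" in comment for comment in COMMENT_RE.findall(line)):
            findings.append((no, "QUOTE_IN_COMMENT", ""))
        if DEFINE_RE.match(line):
            continue
        code = COMMENT_RE.sub("", line)
        for text in SQ_RE.findall(code):
            if text in macros:
                findings.append((no, "MACRO_IN_SINGLE_QUOTES", text))
        for text in DQ_RE.findall(code):
            for word in IDENT_RE.findall(text):
                if word in macros:
                    findings.append((no, "MACRO_IN_STRING", word))
        bare = DQ_RE.sub("", SQ_RE.sub("", code))
        for ident in IDENT_RE.findall(bare):
            macro = by_lower.get(ident.lower())
            if macro and macro != ident:
                findings.append((no, "CASE_COLLISION", f"{ident} vs {macro}"))
    return sorted(findings)


# Constructed sample input, assembled from the snippets in this chapter.
SAMPLE = "\n".join([
    "#define BATCHTIME {no value assigned}",
    "#define CHARG_VLV RX_101:XV101_1A /* existing macro */",
    "#define Desired ::UNIT.RI0001",
    "#if NUM_OF_PUMPS == 2",
    "batchtime : SN0001; {Batch elapsed time string}",
    "#endif ",
    "DRIVE(device := 'CHARG_VLV', option := 1, mode := OPEN);",
    'MESSAGE := "Enter Desired Water Amount to TK-301, ACK";',
    "(* SECURE OTHER REACTOR'S CHARGE BLOCK *)",
])

# The same constructed code after applying the TIPs from this chapter.
FIXED = "\n".join([
    "#define BATCHTIME 1",
    "#define CHARG_VLV RX_101:XV101_1A",
    "#define sCHARG_VLV 'RX_101:XV101_1A'",
    "#if NUM_OF_PUMPS = 2",
    "batchtime1 : SN0001;",
    "#endif",
    "DRIVE(device := sCHARG_VLV, option := 1, mode := OPEN);",
    "(* SECURE OTHER REACTORS CHARGE BLOCK *)",
])

if __name__ == "__main__":
    for line_no, rule, detail in lint_sequence_code(SAMPLE):
        print(f"line {line_no}: {rule} {detail} - {RULES[rule]}")
```
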

Migrating a Control Database to an FCP280, FCP270, or ZCP270


You can migrate a control database from a CP60 to an FCP280, FCP270 or ZCP270 provided
that the database is configured correctly. Database validation logic in the FCP280, FCP270 or
ZCP270 has been improved since the CP60, and databases containing configuration detected
errors that are undetected by a CP60 will not load correctly into an FCP280, FCP270 or
ZCP270. Before performing the control database migration and loading the database for use with
an FCP280, FCP270 or ZCP270, you have to correct these configuration detected errors to
improve proper system performance.
First, check the periods and phases of the ECB200/ECB202 blocks and their associated DCI
blocks to make certain there are no phasing discrepancies. DCI block execution frequency cannot
be faster than its associated parent ECB200/ECB202 execution frequency. The period/phase of
the associated child ECB201 is irrelevant to the DCI block execution. DCI blocks have to be
configured to run on a multiple of both the ECB200/ECB202 phase and the phase of the compound
containing the DCI block. For example, an invalid configuration can include a DCI block
configured for 0.5 second execution, but the block’s parent ECB200/ECB202 is configured for 1 second
execution. This invalid configuration condition goes undetected in the CP60, but will disallow
the database from being loaded on an FCP280, FCP270 or ZCP270. Prior to I/A Series software
v8.0 the entire set of DCI blocks is as follows: BIN, BINR, BOUT, IIN, IOUT, PAKIN,
PAKOUT, PLSOUT, RIN, RINR, ROUT, STRIN, and STROUT.
Second, if you are migrating a control database from a Nodebus CP to an FCP280, FCP270 or
ZCP270, please note that databases containing the MVC (Multivariable Controller Block) and
MVL (Multivariable Loop Block) blocks will not load into an FCP280, FCP270 or ZCP270.

Validating FCM100E and FCM100Et Settings (ZCP270 Only)


The validation for FCM100E and FCM100Et ECBs has been tightened with I/A Series software
v8.5-v8.8 or Control Core Services v9.0 and later to make certain that the correct files are
downloaded during any FCM software updates. The software type and the hardware type in the FCM
ECB are separately validated, and each has to be set to 210. If either is incorrectly set during
creation of the FCM ECB, then an E28 - INVALID SOFTWARE/HARDWARE TYPE system message
will result. This E28 system message will also occur when loading the control database where the
incorrect values have been saved from less stringent systems.
If such a detected error occurs during a LoadAll, neither the FCM nor the FBMs below it are
displayed in system management software. To recover, perform one of the following items:
♦ Prior to saving the control database, correct the FCM ECBs by setting the Hardware
Type and Software Type to 210, or
♦ After the LoadAll completes, re-enter the ECB with the corrected values in place.
With the corrected FCM ECB in place, the FBMs are automatically re-attached.

4. Enterprise Edition Control Core Services v9.4 Installation for New On-Control Network Domain Controllers
This chapter describes procedures to install Enterprise Edition Control Core Services v9.4 on
primary and secondary domain controller servers on the Foxboro Evo Control Network
(hereafter referred to as “the control network”).
Proceed to the appropriate section:
♦ For Primary Domain Controllers on the Control Network, proceed to the next
section.
♦ For Secondary Domain Controllers on the Control Network, proceed to “Installing
Enterprise Edition Control Core Services v9.4 on Secondary Domain Controllers on
The Control Network” on page 83.

NOTE
It is highly recommended to have a Secondary Domain Controller (SDC) in place
in order to maintain high availability of the domain services in case the PDC is
down.

NOTE
Starting with the HP DL380 Gen9 server images for Windows Server 2016, the
default Administrator account is disabled and has a blank password.

Installing Enterprise Edition Control Core Services v9.4 on Primary Domain Controllers on The Control Network
This section describes how to install Enterprise Edition Control Core Services v9.4 on primary
domain controller servers on the control network.
To install Enterprise Edition Control Core Services v9.4 on a secondary domain controller, refer
to “Installing Enterprise Edition Control Core Services v9.4 on Secondary Domain Controllers
on The Control Network” on page 83.


High level steps in this scenario are shown in the below diagram.

[Diagram: high-level steps for installing a PDC on the control network. The diagram boxes read as follows.]
♦ Ensure server HW compatibility with Server 2016 Foxboro image. Refer to B0700SY
♦ If not new from factory restore Foxboro supplied Server 2016 image on the server HW
♦ Set Date/Time/TimeZone on the OS
♦ Connect the server physically to Control Network using the appropriate Control
Network interface cards
♦ Disconnect any non-Control Network connections. Do not disable them.
♦ Change station name per the commit information
♦ Prepare NIC cards for installation
♦ Install Foxboro Server 2016 Local Group Policies (LGPOs)
♦ Install Anti-Malware software (ex: McAfee ENS)
♦ Disable Anti-Malware software
♦ Install PDC
♦ Create required plant users in AD (ex: Engineer/Operator/Admin/Etc.)
♦ Enable Anti-Malware software
♦ Optionally install SDCs (This is highly recommended)

Server Preparation
The primary domain controller (PDC) has to be a server-class station installed with the Windows
Server 2016 Standard operating system, and has to be the first station in the Control Core
Services system installed with the Enterprise Edition Control Core Services software. For this
procedure, it is assumed that the PDC is installed on the control network (which is a dedicated
Control Core Services maintained network).
Perform the following steps to set up the hardware and restore the operating system onto your
primary domain controller server:

NOTE
If this is a new station shipped from the Schneider-Electric factory with the V9.4
Restore image identified by the media kits in Table 1-2 and verified in your
workstation’s H-code (or P-code), proceed to “Important Information on Installing Control Core
Services” on page 53. If not, continue following the steps in this section.

1. Install hardware, restore the Windows Server 2016 Standard operating system, and
update drivers for your server. Perform the following:


a. Refer to Control Core Services v9.4 Release Notes (B0700SY) to be certain that your
hardware meets the hardware requirements specific to Control Core Services
V9.4. For instructions on installing memory upgrades, PCI cards, and so forth,
refer to the “Installing Hardware Upgrades” chapter of the Hardware and Software
Specific Instructions document shipped with your server.
b. If the server is new from factory with the Server 2016 image, then skip this step.
Otherwise, using the V9.4 Restore Media, restore the Windows Server 2016
Standard operating system on your server. Follow the instructions of Appendix A
“Startup Options”.
Only use the media kits listed in Table 1-2 to restore the operating system of a station
with Control Core Services v9.4.
It is inadvisable to follow the instructions for installing Control Core Services from
your hardware specific instruction manual. Instead, follow the software installation
procedure below.
c. Set the time and date. Perform the following:
♦ Open the Windows Date and Time applet by selecting Control Panel ->
Date and Time.
♦ Click the Change Date and Time button.
♦ Adjust the date and time.
♦ Click OK.
♦ Click the Change time zone button.
♦ Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
♦ Click OK.
d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the Hardware and Software Specific Instructions
document shipped with the server.

Important Information on Installing Control Core Services


Before you install Control Core Services, check that the server is physically connected to the
control network and, if needed, that any network interface card drivers are updated. Also, check
that the server is disconnected from any secondary (non-Foxboro) networks, but it is inadvisable
for you to disable the adapters for these network cards. Refer to the notes below.
♦ The server must be connected to the control network before installing Control Core
Services.
♦ Disconnect non-Foxboro network connections but the adapters for these network
cards should not be disabled.
♦ The network interface drivers used for connection to the control network may require
updating before installing Control Core Services v9.4. This is required because drivers
that are not updated may lead to unstable or unavailable communications. See Appendix A
“Startup Options”.
♦ In Control Panel -> Network and Sharing Center/Network Connections,
which lists the available NICs, it is inadvisable to change the name of any “Local Area
Connection x” network connection. This can result in software installation issues or
system instability.
♦ On servers with the Windows Server 2016 Standard operating system, it is recom-
mended that no roles be added to the system which are not necessary for the operation
of the server. Adding unnecessary roles (for example, adding the Remote Desktop Ser-
vices role when the server is not to be used as a remote session host) can create cyber-
security weaknesses in the overall system.

Changing the Station Name


The Windows server name has to match the server letterbug name as it was configured in SysDef
and saved onto your Commit installation media before you install the Control Core Services. For
instructions on modifying the computer name of your server, refer to Appendix B “Changing the
Station Name”.

Preparing Network Interface Cards (NICs) For Installation

NOTICE
POTENTIAL DATA LOSS

Perform this procedure only for 100MBps fiber optic cards. For copper
NICs and Gigabit fiber optic NICs, you should not perform this
procedure.

Failure to follow these instructions can result in data loss.

Before performing this installation, disable any antivirus software that is installed.
Before installing Control Core Services, for each installed NIC, set the NIC’s properties “Flow
Control” and “Speed & Duplex” manually as described below for the NICs on this station.
Refer to the Hardware and Software Specific Instructions document included with your station to
determine the NIC cards it supports.
Proceed as follows:
1. On Windows Server 2016 Standard stations, click Control Panel -> Device Manager.
In the Device Manager window, expand the Network adapters list.
2. Right-click the desired card and click Properties. In the Properties dialog box that
appears, select the Advanced tab.
3. In the Property field, click Flow Control. In the Value field, select Disable from
the drop-down menu list.
4. In the Property field, click Speed & Duplex. In the Value field, in the drop-down
menu list:
♦ For a station on the control network, select 100 Mb Full.
♦ For a station on a network other than the control network (Off-Control
Network), select Auto.


5. Click OK.
6. For each additional NIC, repeat Steps 2 through 5.
7. Shut down and restart the system for the driver changes to take effect. Click the Start
button and click Shut Down; select Restart from the pull-down menu and click OK.
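
After the restart, the two properties set in Steps 3 and 4 can be read back per adapter. The following is an added example, not part of the vendor procedure; the function name and the adapter names are assumptions, and the value patterns are loose because NIC drivers word these settings differently.

```powershell
# Added example: read-only audit of the "Flow Control" and "Speed & Duplex"
# properties described in Steps 3 and 4. Nothing is changed on the station.

function Test-CcsNicSetting {
    [CmdletBinding()]
    param(
        # Assumption: names of the adapters cabled to the control network,
        # as listed in Network Connections.
        [Parameter(Mandatory)][string[]]$ControlNetworkAdapter
    )

    foreach ($nic in Get-NetAdapter -Physical) {
        $props = Get-NetAdapterAdvancedProperty -Name $nic.Name -ErrorAction SilentlyContinue
        $flow  = ($props | Where-Object DisplayName -eq 'Flow Control').DisplayValue
        $speed = ($props | Where-Object DisplayName -eq 'Speed & Duplex').DisplayValue

        $onControl = $ControlNetworkAdapter -contains $nic.Name

        # Drivers label the values differently ("Disable"/"Disabled",
        # "100 Mb Full"/"100 Mbps Full Duplex"), so compare against patterns.
        $speedPattern = if ($onControl) { '100 M*Full*' } else { 'Auto*' }

        [pscustomobject]@{
            Adapter        = $nic.Name
            ControlNetwork = $onControl
            FlowControl    = $flow
            SpeedDuplex    = $speed
            FlowControlOk  = ($flow -like 'Disable*')
            SpeedDuplexOk  = ($speed -like $speedPattern)
        }
    }
}

# Constructed adapter names; replace with the control-network NICs on this station.
Test-CcsNicSetting -ControlNetworkAdapter 'Local Area Connection 1', 'Local Area Connection 2' |
    Format-Table -AutoSize
```

Adapters that do not expose these properties show empty values; per the notice above, the procedure applies only to 100MBps fiber optic cards.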

Installation Procedure
Proceed as follows:
1. Check that the server is attached to the control network.
2. Unplug any non-control network cables.
3. Install Server 2016 Local Group Policies. Refer to Chapter 17 “Local Group Policy
Installation”.
4. Install anti-malware software such as McAfee ENS. Refer to Installation and
Configuration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
5. If McAfee ENS is installed, ensure the following McAfee ENS components are up to
date. Refer to Installation and Configuration of the McAfee ENS 10.5.2 with ePO 5.9.1
(B0700VW):
♦ ENS AMCore DAT file
♦ Exploit Prevention Content
6. Run a full scan of the system to ensure no viruses are present in the system before
work begins.
7. Disable anti-malware software such as McAfee ENS. Refer to Installation and
Configuration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
8. Insert the DVD labeled “Foxboro Evo Control Core Services v9.4 Windows 10/Server
2016 Day 0 DVD” (K0177BP).
9. Navigate to the DVD drive and double-click setup.exe.
10. When the UAC prompt appears, click Yes.

Figure 4-1. User Account Control for IASeries.SecureSetup.exe


11. A dialog box appears that allows you to select whether you are installing Local Edition
Control Core Services or for an Enterprise Edition system.
♦ Select Install Enterprise Edition Control Core Services.
♦ Select the installation type as Active Directory Domain Services (AD DS).
♦ Select the network connectivity as On Control Network:

Figure 4-2. Schneider-Electric Control Core Services Installation on On-Control Network PDC

NOTE
Click Cancel in any screen during the installation to cancel the installation
procedure. The installation can be resumed from where it was stopped by relaunching
Setup.exe.

12. Click Next.


13. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 4-3. Click Load to load the committed configuration files.


Figure 4-3. Load Committed Configuration Install Files

The browser for the folder containing the committed configuration install files opens,
as shown in Figure 4-4. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder.


Figure 4-4. Installation Media Folder Browser

14. Once the installation files have been loaded, click Bind as shown in Figure 4-3 to
launch the Mesh Configurator dialog box (Figure 4-5).
15. From the Mesh Configurator dialog box shown in Figure 4-5, select the two network
cards representing the control network and click Next.
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation.


Figure 4-5. Mesh Configurator Dialog Box (For Certain NIC Cards)

16. Click Next. The Server platform setup dialog appears as shown in Figure 4-6. Leave
the “Install as a Primary Domain Controller (PDC)” choice selected.

Figure 4-6. PDC Option Selection


17. If you plan to install one or more SDCs, choose the SDC names from the “Select the
Secondary Domain Controller Stations” list box and click Set.

Figure 4-7. Select One or More SDC Names From List and Click Set

18. If SDCs are not in the install plan, you may click Skip in the section “Select the Sec-
ondary Domain Controller Stations”.
19. Enter a new password and re-enter the same password in the Confirm Password text
box under the section Passwords.
20. Enter a new Built-in Admin password and re-enter the same password in the Confirm
Password text box.
21. Select the "AD Database path", "AD Log Files Path" and "AD SYSVOL path" under
the section "Path Information". You can use the default values or change the paths by
clicking on the ellipses button.
22. You can select the existing path or create a new path by clicking Make New Folder.
Click OK to select the folder.
23. Enter the new domain name, site name, and NetBIOS name and click Prepare. The
NetBIOS name is auto-populated as you change the domain name. You can choose to
change the auto-populated value of the NetBIOS name before clicking Prepare.


Figure 4-8. Server Platform Setup Dialog Box

The NetBIOS domain name is the name which you see when you log into the
domain. It is generated by the installation application and is displayed in the text box
“NetBIOS Name” shown in Figure 4-8. The generated NetBIOS name is based on
the domain name specified. The rules for generating a NetBIOS name are:
♦ The maximum length of the name should be 15 characters.
♦ The minimum length of the name should be 2 characters.
♦ It can contain any combination of upper and lower case letters and numbers
as well as the following special characters: !, @, #, $, %, ^, &, ), (, -, _, {, }, and ~.
♦ These special characters are not allowed: \, /, :, *, ?, ", <, >, and |.
If the generated name does not conform with the above rules or is not suitable to your
requirements, you are free to change it in the textbox. Note that generally, this value is
set to the same name as the last segment of the domain name.
24. If validation detects any errors, clicking Prepare presents them as
appropriate, allowing you to change the information entered. The validations performed in
this step include:


♦ Password matching
♦ Built-in Password complexity checking
♦ DSRM Password complexity checking
♦ NetBIOS name validity checking
♦ Domain name validity checking
25. If all of the validations have passed, a dialog box appears as shown in Figure 4-9. Con-
firm that the name you have chosen for your Active Directory domain is correct and
will not conflict with another domain on the same network. Click OK to continue.

Figure 4-9. Active Directory Message

A NetBIOS name will be generated by the install program and is displayed in the text
box "NetBIOS Name" shown in Figure 4-10. This NetBIOS name is based on your
domain name. However, NetBIOS names are restricted to fifteen (15) characters.
26. Click Install to load the Active Directory Domain Services onto this server and to
promote the server to the role of Primary Domain Controller.
A DOS window is displayed while Active Directory is being installed, as shown in
Figure 4-10.

Figure 4-10. Active Directory Installation via DOS Window

The DOS window shows progress while the system is promoted to Primary Domain
Controller status and DNS is installed, as shown in Figure 4-11. Some system mes-
sages are shown in the DOS window during the promotion of the domain controller.
These system messages pertain to static IP addresses, the delegation of DNS, or
default security settings for the Windows Server 2016 operating system. These system
messages can be ignored.


Figure 4-11. Promoting to Primary Domain Controller via DOS Window

27. After the server is promoted to the Primary Domain Controller role, the window
shown in Figure 4-12 is displayed. Click the Close button to restart the server.

Figure 4-12. Restart Window

28. After the server reboots, log into the “Administrator” account with the password that
has been set in the “Server Platform Setup” screen.
29. Restart the installation by launching Setup.exe from the DVD drive, as described in
Steps 3-4 above.
At the UAC prompt, click Yes.
The dialog box shown in Figure 4-13 is displayed. Click Apply.


Figure 4-13. Setting Up the Platform for an Enterprise Edition Control Core Services Installation

A DOS window is displayed while the Active Directory is ready to be configured.


During this stage it is normal to see detected errors that Active Directory is not yet
functional. The Active Directory verification process attempts to make it functional
and proceeds to the next step of configuring the Active Directory.

Figure 4-14. Active Directory Verification Process


30. As part of the Active Directory configuration process, a DOS window is displayed
showing the progress while the Active Directory domain settings are applied, as shown
in Figure 4-15.

Figure 4-15. Active Directory Domain Settings Applied

31. Once the configuration of Active Directory is complete, the command window shows
if the process completed successfully, or with detected errors. The command window
also shows the path to the log file which is:
“c:\windows\temp\2016onmeshpdc_config.log”.
Then the command window waits for any key to be pressed to proceed further. Press
<Enter> to dismiss the command window.

Figure 4-16. Command Prompt Showing Completion of Active Directory Configuration on PDC

If the above command prompt indicates there are any detected errors, save the indi-
cated log file to an external drive for any possible analysis by Schneider Electric. Then
reimage the server and start the installation again.
32. At this point, the CCS Secure User Accounts dialog box opens as shown in
Figure 4-17. Enter in the user names and passwords for the Control Core Services
domain accounts and click Create.


Figure 4-17. CCS Secure User Accounts Dialog Box

After the IAInstaller account has been created during the PDC software installation,
use this account for any subsequent installation tasks on workstations, such as
installing additional software. However, due to the permissions assigned to IAInstaller,
do not use it for any other role, such as operation of the domain controller.
The names of these accounts may be changed from their default values.
The password has to meet these complexity criteria:
♦ Must not contain the user's account name or parts of the user's full name that
exceed two consecutive characters.
♦ An 8-character minimum password length
♦ Contain characters from three of the following four categories:
- English upper case characters (A-Z)
- English lower case characters (a-z)
- Base 10 digits (0-9)
- Non-alphabetic characters (for example: !, $, #, %)


33. When the Schneider Electric CCS Software Install: Workstation Reboot Request dia-
log box appears, as shown in Figure 4-18, click Reboot.

Figure 4-18. Schneider Electric CCS Software Install: Workstation Reboot Request Dialog Box

34. The “You’re about to be signed out” screen appears as shown in Figure 4-19. After a
few minutes, the server will automatically reboot.

Figure 4-19. You’re About to be Signed Out Screen


NOTICE
POTENTIAL DATA LOSS

At this point the default Administrator account (which is internally
renamed as IAManager) on the PDC is disabled for security reasons.
You will be unable to log in with this account on the PDC. The only
domain administrator at this point will be the IADomainAdmin user. If
you want to enable the Administrator (a.k.a. IAManager) on the PDC,
you can use the Active Directory Users and Computers console to enable
the user.

It is therefore advised to create another domain administrator user
who can act as a domain and enterprise administrator. The other
domain admin account can be useful in the event the first two domain
admin accounts become locked or unusable.

Failure to follow these instructions can result in data loss.

35. After the server reboots, log on with the “IAInstaller” account with the password cho-
sen in the previous steps.
36. The installation continues automatically. Click Next and then Install to run the
installation.


Figure 4-20. InstallShield Wizard Completed

In some cases, the installation is not able to restart automatically after logging in with
the IAInstaller account. If the dialog box in Figure 4-21 is displayed after logging in
(this dialog box could take a few minutes to display), the installation has to be
restarted manually. This can be done after a reboot or logoff and logon with the
IAInstaller account. To restart the installation manually, execute setup.exe directly
from the DVD drive.


Figure 4-21. Reboot or Logoff Requested

37. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 4-22 is displayed.
To install this package, insert the first OS1FDB package diskette and click Load. After
the first disk has been loaded, insert the second OS1FDB package diskette and click
Load.
To bypass the installation of this package, click Skip. The installation continues, but
this dialog box is displayed again for each of the OS1FDB stations configured on this
station.
This will occur one time for each OS1FDB station configured.

Figure 4-22. Installation Media Dialog Box


38. If you selected Load, the media folder browser opens.

Figure 4-23. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button.
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette has to be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.


39. If you selected Use Diskette in the previous step, the dialog box in Figure 4-24
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
has to be inserted in drive A:\.

Figure 4-24. Installation Media Dialog Box - For Diskettes

40. Click Finish when the installation process is finished.


At the end of the installation, the installation log is displayed. You can view the
installation log at any time by clicking the Start button and selecting Foxboro Core
Service -> Log Viewer.
Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.
41. Enable any anti-malware software that is installed if no additional software is needed.
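
The NetBIOS name rules in Step 23 and the password complexity criteria in Step 32 can be checked before the values are typed into the installer. The following is an added example, not the installer's own validation code; the function names are hypothetical, letters are assumed to be A-Z/a-z, and the full name is split on the delimiters Windows uses for its complexity policy.

```powershell
# Added example: offline checks that mirror the rules stated in this guide.
# Nothing here calls the installer or contacts the domain.

function Test-NetBiosDomainName {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Name)

    $problems = @()
    if ($Name.Length -lt 2)  { $problems += 'shorter than 2 characters' }
    if ($Name.Length -gt 15) { $problems += 'longer than 15 characters' }

    # Allowed: letters, digits and ! @ # $ % ^ & ) ( - _ { } ~
    # Everything else (including \ / : * ? " < > |) is reported.
    $bad = [regex]::Matches($Name, '[^A-Za-z0-9!@#$%^&)(\-_{}~]') |
        ForEach-Object { $_.Value } | Sort-Object -Unique
    if ($bad) { $problems += "characters not allowed: $($bad -join ' ')" }

    [pscustomobject]@{
        Name     = $Name
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

function Test-CcsPasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$AccountName,
        [string]$FullName = ''
    )

    $problems = @()
    if ($Password.Length -lt 8) { $problems += 'shorter than 8 characters' }

    # Count the four categories: upper case, lower case, digits, non-alphabetic.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -cmatch '[0-9]')        { $categories++ }
    if ($Password -cmatch '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) { $problems += "only $categories of 4 character categories used" }

    # Account name, plus each part of the full name longer than two characters.
    # Assumption: name parts are separated by , . - _ space # or tab.
    $tokens = @($AccountName) + ($FullName -split '[,.\-_ #\t]+')
    foreach ($t in ($tokens | Where-Object { $_.Length -gt 2 } | Sort-Object -Unique)) {
        if ($Password.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $problems += "contains name part '$t'"
        }
    }

    [pscustomobject]@{
        Account  = $AccountName
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample input (not values from this guide).
'PLANT', 'A', 'CONTROL-NETWORK-01', 'FOX:DCS' |
    ForEach-Object { Test-NetBiosDomainName -Name $_ } |
    Format-Table -AutoSize -Wrap

# Fails: three categories are present, but the password contains the account name.
Test-CcsPasswordComplexity -Password 'operator1!' -AccountName 'Operator1' -FullName 'Plant Operator1'
```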

Restarting Your System


Reboot the server at this time. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.

Installing Optional Software


After restarting the station following the Control Core Services software installation, you can
install any optional software that is desired. Refer to .


Primary Domain Controller Post-Installation Procedures

NOTICE
POTENTIAL DATA LOSS

At this point the default Administrator account (which is internally
renamed as IAManager) on the PDC is disabled due to security
reasons. You will be unable to log in with this account on the PDC. The
only domain administrator at this point will be the IADomainAdmin
user. If you want to enable the Administrator (a.k.a. IAManager) on the
PDC, you can use the Active Directory Users and Computers console to
enable the user.

It is therefore advised to create another domain administrator user
who can act as a domain and enterprise administrator. The other
domain admin account can be useful in the event the first two domain
admin accounts become locked or unusable.

Failure to follow these instructions can result in data loss.

Changing Passwords
Configure the restore mode password for Active Directory on this server at this time. Perform the
following steps:
1. Click the Start button, and select Search programs and files.
Type ntdsutil.exe. When the application name (ntdsutil.exe) appears, click it.
2. In the command prompt window, perform the following:
a. Type: set dsrm password
b. Then type: reset password on server <SERVERNAME>
<SERVERNAME> is the actual name of your PDC server.
c. Enter your newly chosen Active Directory Restore Mode password as prompted
(two times).
d. Type quit to exit the command prompt.


Document this password and save it in a trusted place for future retrieval. Without
this password you will not be able to recover Active Directory.

Figure 4-25. Using and Exiting ntdsutil.exe

In addition, set the passwords for each of the domain client workstations. Initially the local
Account1 account has its password set to Password1. On each domain client, change the
password.

Creating Users in Active Directory


The following steps can be used to create an Operator account in the Active Directory domain.
This is a default group. Similar steps can be taken to create other customized accounts, such as
Maintenance and Engineer accounts. Refer to Security Implementation User’s Guide for I/A Series
and Foxboro Evo Workstations (Windows 10 or Windows Server 2016 Operating Systems)
(B0700HG) for information on creating customized accounts.
1. Click the Start button, and then select Windows Administrative Tools -> Active
Directory Users and Computers.


2. Under the Foxboro \Accounts\Users\Standard OU, right-click Standard, and select
New -> User:

Figure 4-26. Creating Users via Active Directory Users and Computers

The users are created under the Accounts\Users\Standard OU, including IA Plant
Engineers, IA Plant Operators, and IA Plant Maintenance.
The dialog box shown in Figure 4-27 opens.


Figure 4-27. New Object - User

3. Enter the First name, Full name, and User logon name as the same value (for
example, Operator1).
4. Click Next.
5. In the dialog box shown in Figure 4-28, clear the User must change password at
next logon checkbox. Select the Password never expires checkbox.
6. Enter the password and confirm the password.
7. Click Next.


Figure 4-28. New Object - User - Password Updates

8. Click Finish as shown in Figure 4-29.

Figure 4-29. New Object - User - Finish


9. Double-click on the new user name in the Active Directory Users and Computers dia-
log box to open the Properties dialog box, as shown in Figure 4-30.

Figure 4-30. Opening the New User Properties Dialog Box


10. Select the Member Of tab, as shown in Figure 4-31.

Figure 4-31. New User Properties Dialog Box

11. Click the Add button.


12. Type in the text “IA Plant” and click the Check Names button as shown in
Figure 4-32.


Figure 4-32. Select Groups

13. Select the desired Control Core Services standard user group (for example, IA Plant
Engineers) and click OK.

Figure 4-33. Multiple Names Found Dialog Box


14. Click OK to close the Select Groups dialog box shown in Figure 4-34.

Figure 4-34. Closing Select Groups Dialog Box

15. Click OK to close the Properties dialog box shown in Figure 4-35.

Figure 4-35. Closing Properties Dialog Box


16. Repeat the above steps for as many users as desired. The different standard user groups
provide different policy settings and system access.
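
The same steps can be scripted with the ActiveDirectory PowerShell module when several users are needed. The following is an added example, not a vendor-supplied script; the function name is hypothetical, and it assumes that the Accounts\Users\Standard OU shown in the console maps to a distinguished name beginning OU=Standard,OU=Users,OU=Accounts.

```powershell
# Added example: scripted equivalent of Steps 1 through 15 above.
# Run on the domain controller as a domain administrator.
Import-Module ActiveDirectory

function New-CcsStandardUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Used for First name, Full name and User logon name (Step 3).
        [Parameter(Mandatory)][string]$Name,

        # The standard user groups named in this guide (Step 13).
        [Parameter(Mandatory)]
        [ValidateSet('IA Plant Operators', 'IA Plant Engineers', 'IA Plant Maintenance')]
        [string]$Group,

        [Parameter(Mandatory)][securestring]$Password
    )

    $domain = Get-ADDomain

    # Locate the Standard OU rather than hard-coding the domain name.
    # Assumption: the OU nesting is Accounts > Users > Standard.
    $ou = @(Get-ADOrganizationalUnit -Filter "Name -eq 'Standard'" |
        Where-Object { $_.DistinguishedName -like 'OU=Standard,OU=Users,OU=Accounts,*' })
    if ($ou.Count -ne 1) {
        throw "Expected exactly one Accounts\Users\Standard OU, found $($ou.Count)."
    }

    $params = @{
        Name                  = $Name
        GivenName             = $Name
        DisplayName           = $Name
        SamAccountName        = $Name
        UserPrincipalName     = '{0}@{1}' -f $Name, $domain.DNSRoot
        Path                  = $ou[0].DistinguishedName
        AccountPassword       = $Password
        ChangePasswordAtLogon = $false   # Step 5: checkbox cleared
        PasswordNeverExpires  = $true    # Step 5: checkbox selected
        Enabled               = $true
    }

    if ($PSCmdlet.ShouldProcess($Name, "Create in $($ou[0].DistinguishedName) and add to '$Group'")) {
        New-ADUser @params
        Add-ADGroupMember -Identity $Group -Members $Name

        # Return the account so the result can be reviewed or logged.
        Get-ADUser -Identity $Name -Properties MemberOf, PasswordNeverExpires
    }
}

# Constructed sample call; the password is read interactively and never stored in the script.
$pw = Read-Host -AsSecureString -Prompt 'Password for Operator1'
New-CcsStandardUser -Name 'Operator1' -Group 'IA Plant Operators' -Password $pw -WhatIf
```

Remove -WhatIf to create the account; with it, the function only reports what it would do.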

Tombstone Lifetime Attribute in Active Directory


By default the Active Directory tombstone lifetime is 180 days. Having a longer tombstone life-
time decreases the chance that a deleted object remains in the local directory of a disconnected
Domain Controller beyond the time when the object is permanently deleted from online DCs.
It is highly recommended that you review information regarding the tombstone lifetime attribute
in “Backing Up Active Directory on Domain Controllers” on page 547. If you want to alter the
default value, use the procedure “Changing the Tombstone Lifetime Attribute in Active Direc-
tory” on page 548.
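
The state described in the notice at the start of this section (built-in Administrator disabled, IADomainAdmin as the only domain administrator) and the configured tombstone lifetime can be read back from the directory. The following is an added, read-only example that is not part of the vendor procedure; the function name is hypothetical.

```powershell
# Added example: read-only report of domain administrator accounts and the
# tombstoneLifetime attribute. Run on the PDC as a domain administrator.
Import-Module ActiveDirectory

function Get-CcsDomainAdminReport {
    $domain = Get-ADDomain

    # The built-in Administrator keeps RID 500 whatever it has been renamed to.
    $builtin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500"

    $admins = foreach ($group in 'Domain Admins', 'Enterprise Admins') {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName -Properties LockedOut
                [pscustomobject]@{
                    Group     = $group
                    Account   = $u.SamAccountName
                    Enabled   = $u.Enabled
                    LockedOut = $u.LockedOut
                    BuiltIn   = ($u.SID.Value -eq $builtin.SID.Value)
                }
            }
    }

    # tombstoneLifetime is stored on the Directory Service object in the
    # configuration partition; an empty value means it was never set explicitly.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Properties tombstoneLifetime

    # Domain administrators that can actually log on right now.
    $usable = @($admins | Where-Object {
        $_.Group -eq 'Domain Admins' -and $_.Enabled -and -not $_.LockedOut
    })
    if ($usable.Count -lt 2) {
        Write-Warning "Only $($usable.Count) usable Domain Admins account(s); the notice above advises creating another."
    }

    [pscustomobject]@{
        Domain                = $domain.DNSRoot
        BuiltInAdminName      = $builtin.SamAccountName
        BuiltInAdminEnabled   = $builtin.Enabled
        UsableDomainAdmins    = $usable.Account
        TombstoneLifetimeDays = $dsObject.tombstoneLifetime
        AdminAccounts         = $admins
    }
}

$report = Get-CcsDomainAdminReport
$report | Format-List Domain, BuiltInAdminName, BuiltInAdminEnabled, UsableDomainAdmins, TombstoneLifetimeDays
$report.AdminAccounts | Format-Table -AutoSize
```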

Backing Up Active Directory


Back up your Active Directory at regular intervals on Control Core Services domain controller
stations. Backing up Active Directory provides a smooth restoration of Control Core Services sys-
tem operations after an unexpected hardware or software suboptimal condition. See “Backing Up
Active Directory on Domain Controllers” on page 547 for additional information.

Continuing Installation
Re-enable any anti-malware software if it is not already enabled.
If you have a secondary domain controller on the control network, proceed to “Installing Enter-
prise Edition Control Core Services v9.4 on Secondary Domain Controllers on The Control Net-
work” on page 83.
If the system does not have an SDC, proceed to Chapter 12 “Enterprise Edition Control Core
Services v9.4 Installation for Domain Clients or Connecting Security Enhanced I/A Series Soft-
ware v8.5-9.4 Domain Clients to Existing Off-Control Network Networks” for the installation
procedure for the domain clients.
It is not possible to log onto either type of domain controller (primary or secondary) with any of
the Local Edition Control Core Services or I/A Series user accounts (such as users that are mem-
bers of the IA Plant Operators, IA Plant Maintenance, or IA Plant Engineers groups). It is possi-
ble to log onto a domain controller with the “IAInstaller”, and “IADomainAdmin” accounts.
However, the entire set of the Control Core Services functionality is not available through these
user accounts.
For On-Control Network domain controllers on a Foxboro DCS Control Core Services System,
it is recommended that they are configured with only the IAMESH package in System Defini-
tion. The domain controllers cannot be used as an engineer or operator workstation because of
the inability to log onto the domain controllers with the standard Control Core Services user
accounts.


Installing Enterprise Edition Control Core Services v9.4 on Secondary Domain Controllers on The Control Network
This section describes how to install Enterprise Edition Control Core Services v9.4 on secondary
domain controller servers on the control network.
This diagram shows the high level steps for this scenario:

1. Ensure server HW compatibility with Server 2016 image. Refer to B0700SY
2. Restore Foxboro supplied Server 2016 image on the server HW
3. Set Date/Time/TimeZone on the OS to match with the PDC
4. Connect the server physically to the Control Network using the appropriate Control
Network interface cards
5. Ensure Control Network Interface card drivers are up to date
6. Disconnect any non-Control Network Foxboro connections. Do not disable them
7. Change the station name per the commit information
8. Prepare NIC cards for installation
9. Install Foxboro Server 2016 Local Group Policies (LGPOs)
10. Install Anti-Malware software (ex: McAfee ENS)
11. Disable Anti-Malware software
12. Install SDC
13. Enable Anti-Malware software
14. Install CCS clients

Server Preparation
The Secondary Domain Controller (SDC) has to be a server-class station installed with the Win-
dows Server 2016 Standard operating system. For this procedure, it is assumed that the SDC is
installed on the control network (which is a dedicated Foxboro Evo maintained network).
Perform the following steps to set up the hardware and restore the operating system onto your sec-
ondary domain controller server:
If this is a new station shipped from the Schneider-Electric factory with the V9.4 Restore image
identified by the media kits in Table 1-2 and verified in your workstation’s H-code, proceed to
“Important Information on Installing Control Core Services” on page 53. If not, continue follow-
ing the steps in this section.


1. Install hardware, install the Windows Server 2016 Standard operating system, and
update drivers for your server. Perform the following:
a. Refer to Control Core Services v9.4 Release Notes (B0700SY) to check that your
hardware meets the hardware requirements specific to the Control Core Services
v9.4 release. For instructions on installing memory upgrades, PCI cards, and so
forth, refer to the “Installing Hardware Upgrades” chapter of the Hardware and
Software Specific Instructions document shipped with your server.
b. If the server is new from factory with the Server 2016 image then skip this step.
Otherwise, using the V9.4 Restore Media, restore the Windows Server 2016 Stan-
dard operating system on your server. Follow the instructions of Appendix A
“Startup Options”.
Only use the media kits listed in Table 1-2 to restore the operating system of a station
with Control Core Services v9.4.
It is inadvisable to follow the instructions for installing Control Core Services from
your hardware specific instruction manual. Instead, follow the software installation
procedure below.
c. Set the time and date to match the date and time on the PDC. Perform the
following:
♦ Open the Windows Date and Time applet by clicking Control Panel ->
Date and Time.
♦ Click the Change Date and Time button.
♦ Adjust the date and time.
♦ Click OK.
♦ Click the Change time zone button.
♦ Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
♦ Click OK.
While installing an SDC, check that the UTC system time matches the UTC system
time on the domain (as viewed on the PDC). The date and time have to match,
though the time which Windows displays may differ if the time zones are not the
same on the two stations.
Be careful when changing the time zone prior to adjusting the system time as this can
cause the AM/PM setting to change.
Also, be aware that the checkbox included for some time zones which defines whether
or not the time will be automatically adjusted for Daylight Saving Time can cause the
system time to differ by an hour.
d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the Hardware and Software Specific Instructions doc-
ument shipped with the server.

Important Information on Installing Control Core Services


Before you install Control Core Services, check that the server is physically connected to the net-
work and that the PDC is on-line and attached to the control network.


Also, check the server is disconnected from any secondary (non-Foxboro) networks, but it is not
recommended to disable the adapters for these network cards.
♦ The server must be connected to the control network before installing Control Core
Services.
♦ Disconnect non-Foxboro network connections but keep the adapters enabled for
these network cards.
♦ The network interface drivers used for connection to the control network may require
updating before installing Control Core Services v9.4. Drivers that have not been
updated may lead to unstable or unavailable communication. See “Installing/Updat-
ing the Network Interface Card Drivers” section in your Hardware and Software
Specific Instructions document.
♦ In Control Panel -> Network and Sharing Center/Network Connections,
which lists the available NICs, it is inadvisable to change the name of any “Local Area
Connection x” network connection. This can result in software installation issues or
system instability.
♦ It is not possible to log onto either type of domain controller (primary or secondary)
with any of the Local Edition Control Core Services user accounts (such as users that
are members of the IA Plant Operators, IA Plant Maintenance, or IA Plant Engineers
groups). It is possible to log onto a domain controller with the “IAInstaller” and
“IADomainAdmin” accounts. However, the entire set of Control Core Services func-
tionality is not available through these user accounts.
♦ For On-Control Network domain controllers on a Foxboro DCS Control Core Ser-
vices System, we recommend that they are configured with only the IAMESH
package in System Definition. The domain controllers cannot be used as an engineer
or operator workstation because of the inability to log onto the domain controllers
with the standard Control Core Services user accounts.
♦ On servers with the Windows Server 2016 Standard operating system, it is recom-
mended that no roles be added to the system which are not necessary for the operation
of the server. Adding unnecessary roles (for example, adding the Remote Desktop Ser-
vices role when the server is not to be used as a remote session host) can create cyber-
security weaknesses in the overall system.

Changing the Station Name


The Windows server name has to match the server letterbug name as it was configured in SysDef
and saved onto your Commit installation media before you install the Control Core Services. For
instructions on modifying the computer name of your server, refer to Appendix B “Changing the
Station Name”.


Preparing Network Interface Cards (NICs) For Installation

NOTICE
POTENTIAL DATA LOSS

Perform this procedure ONLY for 100MBps fiber optic cards. Do not
perform this procedure for copper NICs or Gigabit Fiber optic NICs.

Failure to follow these instructions can result in data loss.

Before performing this installation, disable any antivirus software that is installed.
Before installing Control Core Services, for each installed NIC, set the NIC’s properties “Flow
Control” and “Speed & Duplex” manually as described below for the NICs on this station.
Refer to the Hardware and Software Specific Instructions document included with your station to
determine the NIC cards it supports.
Proceed as follows:
1. On Windows Server 2016 Standard servers, click Control Panel -> Device Manager.
In the Device Manager window, expand the Network adapters list.
2. Right-click the desired card and click Properties. In the Properties dialog box that
appears, select the Advanced tab.
3. In the Property field, click Flow Control. In the Value field, select Disable from
the drop-down menu list.
4. In the Property field, click Speed & Duplex. In the Value field, in the drop-down
menu list:
♦ For a station on the control network, select 100 Mb Full.
♦ For a station on a network other than the control network (Off-Control
Network), select Auto.
5. Click OK.
6. For each additional NIC, repeat Steps 2 through 5.
7. Shut down and restart the system for the driver changes to take effect. Click the Start
button and click Shut Down; select Restart from the pull-down menu and click OK.
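
A read-only way to confirm the result of this procedure, as an added example that is not part of the guide: the function reports the Flow Control and Speed & Duplex values of each physical adapter without changing anything. The function name, the `$ControlNetworkAdapter` parameter and the loose value patterns are assumptions, because property names and value strings differ between NIC drivers, and the expected values apply only to the 100MBps fiber optic cards named in the NOTICE.

```powershell
# Added example, not part of the guide. Read-only audit of the two NIC
# properties the procedure above sets by hand in Device Manager.
# Assumption: the driver exposes them under display names containing
# "Flow Control" and "Speed ... Duplex"; exact names vary by driver.

function Get-NicLinkSettingReport {
    [CmdletBinding()]
    param(
        # Names of the adapters cabled to the control network (hypothetical
        # input, taken from Network Connections). Every other adapter is
        # treated as Off-Control Network.
        [string[]]$ControlNetworkAdapter = @()
    )

    foreach ($nic in Get-NetAdapter -Physical) {
        $props = Get-NetAdapterAdvancedProperty -Name $nic.Name -ErrorAction SilentlyContinue

        $flow   = $props | Where-Object { $_.DisplayName -like '*Flow Control*' } |
                  Select-Object -First 1
        $duplex = $props | Where-Object { $_.DisplayName -like '*Speed*Duplex*' } |
                  Select-Object -First 1

        $onControl = $ControlNetworkAdapter -contains $nic.Name

        # Expected values follow the guide: Flow Control disabled everywhere,
        # 100 Mb Full on the control network, Auto on other networks.
        # Wildcards absorb driver wording such as "Disabled" or
        # "100 Mbps Full Duplex".
        $duplexPattern = if ($onControl) { '100*Full*' } else { 'Auto*' }

        [pscustomobject]@{
            Adapter       = $nic.Name
            Description   = $nic.InterfaceDescription
            LinkSpeed     = $nic.LinkSpeed
            OnControlNet  = $onControl
            FlowControl   = if ($flow) { $flow.DisplayValue } else { '<not exposed>' }
            FlowControlOk = [bool]($flow -and $flow.DisplayValue -like 'Disable*')
            SpeedDuplex   = if ($duplex) { $duplex.DisplayValue } else { '<not exposed>' }
            SpeedDuplexOk = [bool]($duplex -and $duplex.DisplayValue -like $duplexPattern)
        }
    }
}

# Example call (adapter names are placeholders):
# Get-NicLinkSettingReport -ControlNetworkAdapter 'Ethernet 3', 'Ethernet 4' | Format-Table -AutoSize
```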

Installation Procedure
Proceed as follows:
1. Confirm that the Primary Domain Controller has been installed and is attached to the
control network.
2. Confirm that the Secondary Domain Controller server is attached to the control net-
work.
3. Unplug any non-control network cables.
4. Install Server 2016 Local Group Policies. Refer to Chapter 17 “Local Group Policy
Installation”.


5. Install anti-malware software such as McAfee ENS.


6. If McAfee ENS is installed, ensure the following McAfee ENS components are up to
date.
♦ ENS AMCore DAT file
♦ Exploit Prevention Content
7. Run a full scan of the system to ensure no viruses are present in the system before
work begins.
8. Disable anti-malware software such as McAfee ENS. Refer to Installation and Configu-
ration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
9. Insert the DVD labeled “Foxboro Evo Control Core Services v9.4 Windows 10/Server
2016 Day 0 DVD” (K0177BP) into the server’s optical drive.
10. Navigate to the DVD drive and double-click setup.exe.
11. When the User Account Control (UAC) prompt appears, click Yes.
12. A dialog box appears that allows you to select whether you are installing Local Edition
Control Core Services or for an Enterprise Edition system.
♦ Select Install Enterprise Edition Control Core Services.
♦ Select the Installation Type as Active Directory Domain Services (AD DS)
♦ Choose AD Type as Install New AD (PDC/SDC)
♦ Select the Network Connectivity Type as On Control Network


Figure 4-36. Selecting to Install a Domain Controller

NOTE
Click Cancel in any screen during the installation to stop the installation procedure.
The installation can be resumed from where it was stopped by relaunching the
Setup.exe.

13. Click Next.


14. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 4-37. Click Load to load the install files.


Figure 4-37. Load Committed Configuration Install Files

NOTE
The browser for the folder containing the committed configuration install files opens,
as shown in Figure 4-38. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder.


Figure 4-38. Installation Media Folder Browser

15. Once the installation files have been loaded, click Bind as shown in Figure 4-37 to
launch the Mesh Configurator dialog box (Figure 4-39).
16. From the Mesh Configurator dialog box shown in Figure 4-39, select the two network
cards representing the control network and click Next.
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation.


Figure 4-39. Mesh Configurator Dialog Box (For Certain NIC Cards)

17. Click Next.


18. Confirm the PDC is pingable from this server. If it is not, you might have to cancel
the setup, reboot the server and then attempt the ping again. If the ping works after
the reboot, run the installation again.

Figure 4-40. PDC Can Be Pinged From This Server

19. The Server platform setup dialog appears as shown in Figure 4-41. Select the
“Install as a Secondary Domain Controller (SDC)” radio button.


Figure 4-41. Server Platform Setup Dialog Box (SDC)

20. In the “Provide information for the domain joining account and click Authorize” area
(see Figure 4-41), enter the name of the primary domain controller (PDC) station.
Verify the account name with authority to add a workstation to the domain (i.e.
foxboro.local\IAInstaller). Enter the password for this account and click Authorize.

Figure 4-42. Server Platform Setup Dialog Box (SDC) - Authorize

21. If the local system time does not match the PDC system time, the dialog box shown
in Figure 4-43 appears. Click OK. Fix the local system time to match the PDC time
(see “Server Preparation” on page 83) and re-click Authorize.


Figure 4-43. Resetting UTC Date

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 4-44 is displayed. Check that the local and remote sys-
tem times match (including date, time, AM/PM) before continuing. Note that the
checkbox displayed for some time zones which allows the system to automatically
adjust for Daylight Saving Time can affect the time displayed by the system by one
hour.

Figure 4-44. Unable to Determine Local Time on the PDC

22. If the Authorize button click results in successful domain rights verification, a message
indicating this appears.


Figure 4-45. Join Client to Domain Rights Verified

23. If there is another Secondary Domain Controller on the network, choose that SDC’s
name from the “Select the Secondary Domain Controller Stations” drop-down list
and click Set, as shown in Figure 4-46. Otherwise, click Skip.

Figure 4-46. Server Platform Setup Dialog Box (Second SDC)

24. Confirm that the domain is pingable from the client (Figure 4-47).
♦ FQDN (Fully Qualified Domain Name) of the PDC (ex:- FL5014.foxboro.local)
♦ IP address of the PDC
♦ Domain name, as shown in this figure.


Figure 4-47. Confirm Domain Name Pingable

25. Verify the name of the domain and click Connect.

Figure 4-48. Verify Host Domain - Connect


26. A message appears to indicate that the connection to the domain has succeeded. If
unsuccessful, a reason that the operation did not finish is displayed.
Click OK.
If, after connecting the domain client to an SDC, the software installation does not
continue after the reboot, the system time may not have been set correctly. Refer to
“Setting Time Correctly Software Installation Cannot Continue After Reboot (SDC
or Domain Client)” on page 577 to correct this.
27. When the Schneider Electric CCS Software Install: Workstation Reboot Request dia-
log box appears, as shown in Figure 4-49, click Reboot.

Figure 4-49. Schneider Electric CCS Software Install: Workstation Reboot Request Dialog Box

28. The “You’re about to be signed out” screen appears as shown in Figure 4-50. After a
few minutes, the server will automatically reboot.

Figure 4-50. You’re About to be Signed Out Screen

29. After the server reboots, log onto the server with the “IAInstaller” account using the
password as it was set during the PDC server’s installation.
30. After a few minutes, the installation restarts automatically. The Server platform setup
dialog box appears as shown in Figure 4-51. Re-enter the PDC’s server name, IAInstaller
account name, and the account password. Click Authorize.

NOTE
Before clicking Authorize, confirm that the PDC is pingable using its on-control
network IP address. If the PDC is not pingable using its IP address, authorization
will not succeed. For example, ping 151.128.152.31.


Figure 4-51. Server Platform Setup Dialog Box (PDC Account Information)

31. If clicking Authorize results in successful domain rights verification, a message indi-
cating this appears.

Figure 4-52. Join Client to Domain Rights Verified

32. Verify the Domain Name and Site Name fields, shown in Figure 4-53.


Figure 4-53. Server Platform Setup Dialog Box (Verify Domain Name and Site Name Fields)

NOTE
To verify the site name, follow these steps on the existing PDC:
- Log in as iadomainadmin.
- Open the command prompt.
- Execute the command dsquery site.
The command result should show the site name, as shown in Figure 4-54.

Figure 4-54. Verify Site Name with Command Prompt


33. If you are satisfied with the domain and site names, click Prepare.
If the domain name or site name do not match with those provided during PDC
installation, the dialog box shown in Figure 4-55 appears.

Figure 4-55. CCS Installation Dialog Box When Site and/or Domain Names Are Incorrect

NOTE
Clicking OK will cause the installation to become unsuccessful.

34. After correcting the Domain name or Site name, click Cancel, and then click Prepare
to continue with the installation.
35. If the site name or domain name matches the equivalent names on the PDC, a dialog
box appears (Figure 4-56) indicating a suboptimal condition. Check that the name
you have chosen for your Active Directory domain is correct and will not conflict with
another domain on the same network.
Click OK.

Figure 4-56. System Message for Domain Name Check

36. To maintain a smooth installation process, verify that the PDC fully qualified domain
name is pingable. Ensure that there is no physical firewall between the PDC and this
server. This ensures PDC and SDC data replication/synchronization.
a. Open a command prompt.
b. Ping the PDC using its on-control network IP address with the -a option.
c. The result of the ping should show the fully qualified name of the PDC, as shown in
Figure 4-57.


Figure 4-57. PDC’s Fully Qualified Domain Name Pingable

37. Click Install to load the Active Directory Domain Services onto this server and to
assign the server to the role of Secondary Domain Controller.


Figure 4-58. Active Directory Domain Services Install

A DOS window is displayed while Active Directory is being installed, as shown in
Figure 4-59.

Figure 4-59. Active Directory Installation via DOS Window

After the Active Directory Domain Services are installed, this dialog box is displayed
as shown in Figure 4-60.


Figure 4-60. Windows PowerShell Credential Request

38. The default username is <Domain Name>\IADomainAdmin. Change the username to
the name of the user who is configured as Domain Admin, enter the password for
that user, and click OK. This launches a command prompt which promotes the
server to the Secondary Domain Controller (SDC) role.

Figure 4-61. Assigning Role of Secondary Domain Controller via DOS Window

NOTE
If the promotion to the domain controller is unsuccessful, a system message is
shown (Figure 4-62). Details about the system message can be found in two files:

- C:\windows\temp\promote2dc.txt
- C:\windows\debug\dcpromo.log

If this occurs, reimage the machine and restart the installation process.


Figure 4-62. Promotion to Domain Controller System Message

39. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “IAInstaller” account with the password as set in
the Server platform setup dialog box above (Figure 4-53).
40. After a few minutes, the installation process restarts automatically. The dialog box
shown in Figure 4-63 is displayed. Click Apply.

Figure 4-63. Setting Up the Platform for an Enterprise Edition Control Core Services Installation

A DOS window is displayed while the Active Directory domain settings are applied.


Figure 4-64. Promoting to SDC Role

41. Once the Active Directory configuration is complete, the command window shows if
the process completed successfully, or with detected errors. The command window
also shows the path to the log file which is:
c:\windows\temp\2016sdc_config.log. Then the command window waits for any key
to be pressed to proceed further. Press <Enter> to dismiss the command window.

Figure 4-65. DOS Window Showing Completion of Active Directory Configuration on SDC

If this command prompt indicates there are any detected errors, save the indicated log
file to an external drive for any possible analysis by Schneider Electric. Then reimage
the server and start the installation again.


42. Click Next and then Install to run the installation.

Figure 4-66. InstallShield Wizard for Foxboro Evo Control Core Services

43. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 4-67 is displayed.
To install this package, insert the first OS1FDB package diskette and click Load. After
the first disk has been loaded, insert the second OS1FDB package diskette and click
Load.
To bypass the installation of this package, click Skip. The installation continues, but
this dialog box is displayed again for each of the OS1FDB stations configured on this
SDC.

Figure 4-67. Installation Media Dialog Box


44. If you selected Load, the media folder browser opens.

Figure 4-68. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button.
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette has to be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.


45. If you selected Use Diskette in the previous step, the dialog box in Figure 4-24
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
has to be inserted in drive A:\.

Figure 4-69. Installation Media Dialog Box - For Diskettes

46. Click Finish when the installation process is finished.

Figure 4-70. Installation Completion

At the end of the installation, the installation log is displayed. You can view the installation
log at any time by clicking the Start button and selecting Foxboro Core Service ->
Log Viewer.


Figure 4-71. Example of Installation Log

Click the Setup Log, Pkg Log, and Init Log buttons to view these logs. These logs
can also be printed.
47. Enable any anti-malware software that is installed if no additional software is needed.
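
The manual checks that steps 18, 21, 24, 30 and 36 of this procedure ask for (ping by IP address, the `ping -a` name lookup, FQDN and domain name ping, UTC time comparison) can be run together before clicking Authorize; the following is an added example, not part of the guide. The function name, its parameters and the 60-second tolerance are assumptions, and the time check assumes the PDC answers Windows Time (NTP) queries.

```powershell
# Added example, not part of the guide. Read-only pre-flight check run on the
# server that is about to become the SDC.

function Test-PdcReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$PdcIPAddress,  # on-control network IP of the PDC
        [Parameter(Mandatory)] [string]$PdcFqdn,       # fully qualified name of the PDC
        [Parameter(Mandatory)] [string]$DomainName,    # Active Directory domain name
        # Assumed tolerance; the guide only states that date and time have to match.
        [double]$MaxSkewSeconds = 60
    )

    $result = [ordered]@{
        PingIP             = $false
        ReverseName        = $null
        ReverseMatchesFqdn = $false
        PingFqdn           = $false
        PingDomain         = $false
        OffsetSeconds      = $null
        TimeOk             = $false
    }

    # Steps 18 and 30: the PDC answers on its IP address.
    $result.PingIP = Test-Connection -ComputerName $PdcIPAddress -Count 2 -Quiet

    # Step 36: address-to-name lookup, the same question "ping -a" asks.
    try {
        $result.ReverseName = [System.Net.Dns]::GetHostEntry($PdcIPAddress).HostName
        $result.ReverseMatchesFqdn = ($result.ReverseName -ieq $PdcFqdn)
    } catch {
        Write-Warning "Reverse lookup of $PdcIPAddress failed: $($_.Exception.Message)"
    }

    # Step 24: the FQDN and the domain name resolve and answer.
    $result.PingFqdn   = Test-Connection -ComputerName $PdcFqdn    -Count 2 -Quiet
    $result.PingDomain = Test-Connection -ComputerName $DomainName -Count 2 -Quiet

    # Step 21: clock offset against the PDC. w32tm compares UTC, so differing
    # time zones or DST checkboxes on the two stations do not affect the result.
    # A data line looks like "14:32:01, +00.0012345s"; errors carry no offset.
    $w32 = & w32tm.exe /stripchart "/computer:$PdcIPAddress" /samples:1 /dataonly 2>&1
    foreach ($line in $w32) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') {
            $offset = [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
            $result.OffsetSeconds = $offset
            $result.TimeOk = [math]::Abs($offset) -le $MaxSkewSeconds
        }
    }
    if ($null -eq $result.OffsetSeconds) {
        Write-Warning "No time sample from $PdcIPAddress; compare date, time and AM/PM by hand."
    }

    [pscustomobject]$result
}

# Example call (all three values are placeholders):
# Test-PdcReadiness -PdcIPAddress <PDC-IP> -PdcFqdn <PDC-FQDN> -DomainName <domain>
```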

Installing the Control Core Services v9.4 Trailer Media


If a trailer is provided in the media kit, install it at this time. Installation instructions are provided
in Control Core Services v9.4 Release Notes (B0700SY).

Restarting Your System


Reboot the server at this time. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.

Installing Optional Software


After restarting the station following the Control Core Services software installation, you can
install any optional software that is desired. Refer to Appendix J “Installing Optional Software”.


Secondary Domain Controller Post-Installation Procedures


Changing Passwords
After completing the installation of a secondary domain controller, set the restore mode password
for Active Directory on this server. Perform the following steps:
1. Select Run from the Start menu and enter ntdsutil.exe:

Figure 4-72. Setting the Restore Mode Password via ntdsutil.exe

2. Click OK.
3. Type the following text in the command prompt window:
set dsrm password
reset password on server <SERVERNAME>
<password>
<password>
quit
quit
<SERVERNAME> is the actual name of your SDC server. <password> is the newly
chosen Active Directory Restore Mode password.


Document this password and save it in a trusted place for future retrieval. Without
this password you will not be able to recover Active Directory.

Figure 4-73. Using and Exiting ntdsutil.exe

Backing Up Active Directory


Back up Active Directory at regular intervals on Control Core Services domain controller stations.
Backing up Active Directory maintains a smooth restoration of Control Core Services system
operations after an unexpected hardware or software suboptimal condition. See “Backing Up
Active Directory on Domain Controllers” on page 547 for additional information.

Continuing Installation
Re-enable any anti-malware software that is installed if it is not already enabled.
Proceed to Chapter 12 “Enterprise Edition Control Core Services v9.4 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-9.4 Domain Clients to Exist-
ing Off-Control Network Networks” for the installation procedure for the domain clients.

5. Enterprise Edition Control Core Services v9.4 Installation for New Off-Control Network Domain Controllers
This chapter describes procedures to install Enterprise Edition Control Core Services v9.4 on
new primary and secondary domain controller servers on a separate network from the Foxboro
Evo Control Network (hereafter referred to as “the control network”).
Proceed to the appropriate section:
♦ For Off-Control Network Primary Domain Controllers, proceed to the next section.
♦ For Off-Control Network Secondary Domain Controllers, proceed to “Installing
Enterprise Edition Control Core Services v9.4 on Off-Control Network Secondary
Domain Controllers” on page 140.

NOTE
It is highly recommended to have a Secondary Domain Controller (SDC) in place
in order to maintain high availability of the domain services in case the PDC is
down.

Starting with the HP DL380 Gen9 server images for Windows Server 2016, the default Adminis-
trator account is disabled and has a blank password.

Installing Enterprise Edition Control Core Services v9.4 on Off-Control Network Primary Domain Controllers
This section describes how to install Enterprise Edition Control Core Services v9.4 on new pri-
mary domain controller servers on a separate network from the control network.
To install Enterprise Edition Control Core Services v9.4 on an off-network secondary domain
controller server, refer to “Installing Enterprise Edition Control Core Services v9.4 on Off-Con-
trol Network Secondary Domain Controllers” on page 140.
This diagram shows high level steps for this scenario.


♦ Ensure server HW compatibility with Server 2016 Foxboro image. Refer to B0700SY.
♦ If not new from factory, restore Foxboro supplied Server 2016 image on the server HW.
♦ Set Date/Time/TimeZone on the OS.
♦ Connect the server physically to Off-Control Network.
♦ Ensure Off-Control Network interface card drivers are up to date.
♦ Assign Static IP address to the Off-Control Network interface card.
♦ Install Foxboro Server 2016 Local Group Policies (LGPOs).
♦ Install Anti-Malware software (ex: McAfee ENS).
♦ Disable Anti-Malware software.
♦ Install PDC.
♦ Create required plant users in AD (ex: Engineer/Operator/Admin/etc.).
♦ Enable Anti-Malware software.
♦ Optionally install SDCs (this is highly recommended).

Server Preparation
The primary domain controller (PDC) has to be a server-class station installed with the Windows
Server 2016 Standard operating system, and has to be the first station in the Control Core Ser-
vices system installed with the Enterprise Edition Control Core Services. For this procedure, it is
assumed that the PDC is installed on a separate network (which is called an “Off-Control Net-
work” network), not connected to the control network.
Perform the following steps to set up the hardware and restore the operating system onto your pri-
mary domain controller server:
If this is a new station shipped from the Schneider-Electric factory with the V9.4 Restore image
identified by the media kits in Table 1-2 and verified in your workstation’s H-code, proceed to
“Notes on Installing Control Core Services” on page 113. If not, continue following the steps in
this section.


NOTE
Install hardware, restore the Windows Server 2016 Standard operating system, and
update drivers for your server. Perform the following:
Refer to Control Core Services v9.4 Release Notes (B0700SY) to check that your hard-
ware meets all hardware requirements specific to the Control Core Services V9.4
release. For instructions on installing memory upgrades, PCI cards, and so forth, refer
to the “Installing Hardware Upgrades” chapter of the Hardware and Software Specific
Instructions document shipped with your server.

a. If the server is new from factory with the Server 2016 image, then skip this step.
Otherwise, using the Control Core Services V9.4 Restore Media, restore the Win-
dows Server 2016 Standard operating system on your server. Follow the instruc-
tions of Appendix A “Startup Options”.

NOTE
Only use the media kits listed in Table 1-2 to restore the operating system of a sta-
tion with Control Core Services v9.4.

It is inadvisable to follow the instructions for installing Control Core Services from
your hardware specific instruction manual. Instead, follow the software installation
procedure below.

b. Set the time and date. Perform the following:


♦ Open the Windows Date and Time applet by clicking Control Panel ->
Date and Time.
♦ Click the Change Date and Time button.
♦ Adjust the date and time.
♦ Click OK.
♦ Click the Change time zone button.
♦ Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
♦ Click OK.
c. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the Hardware and Software Specific Instructions doc-
ument shipped with the server.

Notes on Installing Control Core Services


Before you install Control Core Services, check that the server is physically connected to the Off-
Control Network and, if needed, that any network interface card drivers are updated. Refer to the
notes below.
♦ The server must be connected to the Off-Control Network before installing Control
Core Services software.


♦ In Control Panel -> Network and Sharing Center/Network Connections,
which lists the available NICs, it is inadvisable to change the name of any “Local Area
Connection x” network connection. This can result in software installation issues or
system instability.
♦ On servers with the Windows Server 2016 Standard operating system, it is recom-
mended that no roles be added to the system which are not necessary for the operation
of the server. Adding unnecessary roles (for example, adding the Remote Desktop Ser-
vices role when the server is not to be used as a remote session host) can create cyber-
security weaknesses in the overall system.
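
The recommendation on unnecessary roles can be checked with a read-only audit; the following is an added example, not part of the guide. The function name and the allow-list are assumptions: the three role names are a hypothetical baseline for a domain controller and should be replaced with the roles approved for the station.

```powershell
# Added example, not part of the guide. Lists installed server roles that are
# not on an approved list, together with their installed role services.

function Get-UnexpectedServerRole {
    [CmdletBinding()]
    param(
        # Hypothetical baseline for a domain controller; adjust per site.
        [string[]]$AllowedRole = @('AD-Domain-Services', 'DNS', 'FileAndStorage-Services')
    )

    Import-Module ServerManager -ErrorAction Stop

    $installed      = @(Get-WindowsFeature | Where-Object { $_.Installed })
    $installedNames = @($installed | ForEach-Object { $_.Name })

    foreach ($role in ($installed | Where-Object { $_.FeatureType -eq 'Role' })) {
        if ($AllowedRole -contains $role.Name) { continue }

        # Direct sub-features of the role that are installed as well, for
        # example the session host service under Remote Desktop Services.
        $services = @($role.SubFeatures | Where-Object { $installedNames -contains $_ })

        [pscustomobject]@{
            Role                  = $role.Name
            DisplayName           = $role.DisplayName
            InstalledRoleServices = $services -join ', '
        }
    }
}

# Example call: no output means every installed role is on the allow-list.
# Get-UnexpectedServerRole | Format-Table -AutoSize
```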

Installation Procedure

NOTE
If you unplugged any non-control network cables prior to performing the Day 0
installation, plug in the non-control network cables at this time.

Assign a Static IPv4 Address to Off-Control Network Adapter


Proceed as follows:
1. Right-click on the Start button and, from the context menu that appears, select Con-
trol Panel.
2. Click Network and Internet.
3. Click Network and Sharing Center.
4. Click Change Adapter settings on the left pane.
5. Select the network adapter that represents the off-control network, right-click on the
adapter and choose Properties from the context menu.
6. Uncheck the Internet Protocol Version 6 (TCP/IPv6) option.
7. Select the Internet Protocol Version 4 (TCP/IPv4) option and click the Properties
button.
8. Set a static IP address and preferred DNS server as shown in Figure 5-1.

NOTE
The IP address shown in your case need not match the IP address shown in
Figure 5-1.


Figure 5-1. Static IPv4 Assignment to PDC Off Control Network Adapter
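
The outcome of the static address procedure above can be verified from PowerShell; the following is an added example, not part of the guide. It also covers the condition the installer later reports on (a server that does not have exactly one statically set NIC adapter); the function names and the definition of "statically set" used here (DHCP disabled plus a manually configured address) are assumptions.

```powershell
# Added example, not part of the guide. Read-only report of the IPv4/IPv6
# state of every adapter, plus a check for exactly one static IPv4 adapter.

function Get-StaticIPv4AdapterReport {
    [CmdletBinding()]
    param()

    foreach ($nic in Get-NetAdapter) {
        $ipIf = Get-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 `
                    -ErrorAction SilentlyContinue
        $manual = @(Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 `
                        -ErrorAction SilentlyContinue |
                    Where-Object { $_.PrefixOrigin -eq 'Manual' })
        $dns = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 `
                    -ErrorAction SilentlyContinue).ServerAddresses)
        $v6 = Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip6 `
                    -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Adapter     = $nic.Name
            Status      = $nic.Status
            # Assumed meaning of "statically set": DHCP off and a manual address.
            StaticIPv4  = [bool]($ipIf -and $ipIf.Dhcp -eq 'Disabled' -and $manual.Count -gt 0)
            IPv4Address = ($manual | ForEach-Object { "$($_.IPAddress)/$($_.PrefixLength)" }) -join ', '
            DnsServers  = $dns -join ', '
            IPv6Bound   = [bool]($v6 -and $v6.Enabled)
        }
    }
}

function Test-SingleStaticIPv4Adapter {
    [CmdletBinding()]
    param()

    $static = @(Get-StaticIPv4AdapterReport | Where-Object { $_.StaticIPv4 })

    foreach ($a in $static) {
        if ($a.IPv6Bound) {
            Write-Warning "IPv6 is still bound on '$($a.Adapter)'; step 6 unchecks it."
        }
        if (-not $a.DnsServers) {
            Write-Warning "No preferred DNS server is set on '$($a.Adapter)'; see step 8."
        }
    }
    if ($static.Count -ne 1) {
        Write-Warning "$($static.Count) adapters have a static IPv4 address; the installer expects exactly one."
    }
    return ($static.Count -eq 1)
}

# Example calls:
# Get-StaticIPv4AdapterReport | Format-Table -AutoSize
# Test-SingleStaticIPv4Adapter
```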

the Installation Procedure


Proceed as follows:
1. Install Server 2016 Local Group Policies. Refer to Chapter 17 “Local Group Policy
Installation”.
2. Install anti-malware software such as McAfee ENS. Refer to Installation and Configu-
ration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
3. If McAfee ENS is installed, ensure the following McAfee ENS components are up to
date.
♦ ENS AMCore DAT file
♦ Exploit Prevention Content
4. Run a full scan of the system to help ensure no viruses are present in the system before
work begins.
5. Disable anti-malware software such as McAfee ENS. Refer to Installation and Configu-
ration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
6. Insert the DVD labeled “Foxboro Evo Control Core Services v9.4 Windows 10/Server
2016 Day 0 DVD” (K0177BP).
7. Navigate to the DVD drive and double-click setup.exe.
8. When the User Account Control (UAC) prompt appears, click Yes.


Figure 5-2. User Account Control

9. This installs the Microsoft Visual C++ 2015 Redistributables. After they are installed, the
CCS installer is launched.


10. Select Install CCS Software for Enterprise System. Then select the Installation
Type as Active Directory Domain Services (AD DS) and Network Connectivity
as Off Control Network as shown in Figure 5-3.
Click Next to continue.

Figure 5-3. Selecting to Install a Domain Controller on an Off-Control Network Domain

NOTE
Click Cancel in any screen during the installation to stop the installation procedure.
The installation can be resumed from where it stopped by relaunching the
Setup.exe.


11. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 5-4. Click Load to load the committed configuration files.

Figure 5-4. Load Committed Configuration Install Files

NOTE
The browser for the folder which contains the committed configuration install files
opens, as shown in Figure 5-5. If the installation media with your Commit files is on
the server’s hard drive or a network, browse to the location of the media and click
Select Folder.


Figure 5-5. Installation Media Folder Browser

12. Click Next. The Server platform setup dialog box appears as shown in Figure 5-6.
Leave the Install as a Primary Domain Controller (PDC) choice selected.
If there is no SDC plan, click Skip and proceed to step 10.


13. If a Secondary Domain Controller (SDC) server is planned for this Control Core Ser-
vices system, add the SDC servers from the drop-down list by selecting the Add Off-
Mesh checkbox shown in Figure 5-6. The dialog box shown in Figure 5-7 opens to
indicate where the IP addresses for SDC stations can be set. Enter each of the known
SDC IP addresses and click Done.

Figure 5-6. Server Platform Setup

Figure 5-7. Collecting SDC Station Information


14. Once the SDC IP addresses are added, click Set to choose the SDC IP addresses or
Skip to choose no SDC station IP addresses. If this server does not have exactly one
statically set NIC adapter, the message shown in Figure 5-8 is displayed. Once the
NIC settings are corrected, you can click Set or Skip again to continue.

Figure 5-8. CCS Installation System Message Dialog Box

15. Enter the following information:


♦ In the section “Set Built-in Administrator Password…”, enter a new password for
the built-in administrator and re-enter the same password in the Confirm Password
text box.
♦ In the section “Enter domain information for ….”, enter a new domain name, site
name and NetBIOS name. These default to “offmesh”.


Figure 5-9. Enter Domain Information For Active Directory Setup

NOTE
The NetBIOS domain name is the name which you see when you log into the
domain. It is generated by the installation application and is displayed in the text
box “NetBIOS Name” shown in Figure 5-9. The generated NetBIOS name is
based on the domain name specified. The rules for generating a NetBIOS name
are:
- The maximum length of the name should be 15 characters.
- The minimum length of the name should be 2 characters.
- It can contain any combination of upper and lower case letters and numbers as
well as the following special characters: !, @, #, $, %, ^, &, ), (, -, {, }, and ~.
- These special characters are not allowed: \, /, :, *, ?, ", <, >, and |.
If the generated name does not conform with the above rules or is not suitable to your
requirements, you are free to change it in the text box. Note that generally, this value
is set to the same name as the last segment of the domain name.

16. Click Prepare.


17. The dialog box shown in Figure 5-10 appears. Make sure at this time that the name
you have chosen for your Active Directory domain is correct and will not conflict with
another domain on the same network. Click OK to continue.

Figure 5-10. Active Directory Domain Name System Message

18. Click Install to load the Active Directory Domain Services onto this server and to
promote the server to the role of Primary Domain Controller.


Figure 5-11. Active Directory Service Installation

A DOS window is displayed while Active Directory is being installed, as shown in
Figure 5-12.

Figure 5-12. Active Directory Installation via DOS Window

The DOS window shows the progress while the system is promoted to Primary
Domain Controller status and DNS is installed, as shown in Figure 5-13. Some
detected error messages are shown in the DOS window during the promotion of the
domain controller. These detected error messages pertain to static IP addresses, the
delegation of DNS, or default security settings for the Windows Server 2016 operating
system. These detected error messages can be ignored.

Figure 5-13. Promoting to Primary Domain Controller via DOS Window

19. After the server is promoted to the Primary Domain Controller role, the window
shown in Figure 5-14 is displayed. After a few minutes, the server will automatically
reboot.

Figure 5-14. You’re About to be Signed Out Screen

20. After the server reboots, log into the “Administrator” account with the password that
has been set in the “Server Platform Setup” screen.


21. Restart the installation by launching Setup.exe from the DVD drive, as described in
Step 2 above. The dialog box shown in Figure 5-15 is displayed. Click Apply.

Figure 5-15. Setting up the Platform for an Enterprise Edition Control Core Services Installation

A DOS window is displayed while the Active Directory is ready to be configured.
During this stage it is normal to see detected errors that Active Directory is not yet
functional. The Active Directory verification process attempts to make it functional
and proceeds to the next step of configuring the Active Directory.

Figure 5-16. Active Directory Verification Process


As part of the Active Directory configuration process, a DOS window is displayed
while the Active Directory domain settings are applied, as shown in Figure 5-17.

Figure 5-17. Active Directory Domain Settings Applied

NOTE
If this command prompt indicates there are any detected errors, save the indicated
log file to an external drive for any possible analysis by Schneider Electric. Then rei-
mage the server and start the installation again.

22. Once the configuration of Active Directory is complete, the command prompt shows
if the process completed successfully, or with detected errors. The command prompt
also shows the path to the log file which is:
“c:\windows\temp\2016offmeshpdc_config.log”.
Then the command prompt waits for any key to be pressed to proceed further. Press
<Enter> to dismiss the command prompt.

Figure 5-18. Active Directory Configuration Complete

23. The CCS Secure User Accounts dialog box opens as shown in Figure 5-19. Enter
the user names and passwords for the CCS domain accounts and click Create. The
default user names are IADomainAdmin and IAInstaller.


Figure 5-19. CCS Secure User Accounts Dialog Box

NOTE
The names of these accounts may be changed from their default values.
The password must meet these complexity criteria:
- Must not contain the user's account name or parts of the user's full name that
exceed two consecutive characters.
- Must be at least 8 characters long.
- Must contain characters from three of the following four categories:
  - English uppercase characters (A-Z)
  - English lowercase characters (a-z)
  - Base 10 digits (0-9)
  - Non-alphabetic characters (for example: !, $, #, %)

24. Click Done to complete the installation. The Workstation Reboot Request dialog box
appears. Click Reboot.


Figure 5-20. Workstation Reboot Request Dialog Box

25. The operating system shows a reboot message and after some time automatically
reboots the server.

Figure 5-21. You’re About to be Signed Out Screen

26. At this point, the installation of the PDC is complete. You can log in with
IADomainAdmin to perform any further actions.

NOTICE
POTENTIAL DATA LOSS

At this point the default Administrator account (which is internally
renamed as IAManager) on the PDC is disabled for security reasons.
You will be unable to log in with this account on the PDC. The only
domain administrator at this point will be the IADomainAdmin user. If
you want to enable the Administrator (a.k.a. IAManager) on the PDC,
you can use the Active Directory Users and Computers console to enable
the user.

Failure to follow these instructions can result in data loss.


27. Enable any anti-malware software that is installed if no additional software is needed.
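
The NetBIOS name rules in the note after step 15 and the password criteria in the note after step 23 can be checked before the values are typed into the installer. The PowerShell below is an added example, not code from Schneider Electric or the installer: the function names and sample values are constructed, and splitting the full name on spaces and common punctuation is an assumption about how "parts of the user's full name" is applied.

```powershell
# Added example: pre-checks for values entered in the Server Platform Setup
# (step 15) and CCS Secure User Accounts (step 23) dialog boxes.
# Function names and sample values are hypothetical, not part of the installer.

function Test-NetBiosDomainName {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Name)

    $problems = @()
    if ($Name.Length -lt 2)  { $problems += 'shorter than 2 characters' }
    if ($Name.Length -gt 15) { $problems += 'longer than 15 characters' }

    # Characters the note explicitly disallows: \ / : * ? " < > |
    $banned = [regex]::Matches($Name, '[\\/:*?"<>|]') |
        ForEach-Object { $_.Value } | Select-Object -Unique
    if ($banned) { $problems += "disallowed: $($banned -join ' ')" }

    # Anything else outside letters, digits and the special characters the note lists.
    $other = [regex]::Matches($Name, '[^A-Za-z0-9!@#$%^&)(\-{}~\\/:*?"<>|]') |
        ForEach-Object { $_.Value } | Select-Object -Unique
    if ($other) { $problems += "not in the allowed set: '$($other -join "' '")'" }

    [pscustomobject]@{
        Name     = $Name
        Valid    = ($problems.Count -eq 0)
        Problems = $problems -join '; '
    }
}

function Test-CcsPasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$AccountName,
        [string]$FullName = ''
    )

    $problems = @()
    if ($Password.Length -lt 8) { $problems += 'shorter than 8 characters' }

    # Count how many of the four listed character categories are present.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -cmatch '[0-9]')        { $categories++ }
    if ($Password -cmatch '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) { $problems += "only $categories of 4 character categories" }

    # Account name, plus full-name parts longer than two characters.
    # Assumption: the full name is split on whitespace and , . - _ #
    $tokens = @($AccountName) + ($FullName -split '[\s,.\-_#]+')
    foreach ($t in ($tokens | Where-Object { $_.Length -gt 2 } | Select-Object -Unique)) {
        if ($Password.IndexOf($t, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $problems += "contains '$t' from the account or full name"
        }
    }

    [pscustomobject]@{
        AccountName = $AccountName
        Valid       = ($problems.Count -eq 0)
        Problems    = $problems -join '; '
    }
}

# Constructed sample values; none are real names or credentials.
'offmesh', 'PLANT_DC', 'x', 'plant:ops', 'offcontrolnetwork01' |
    ForEach-Object { Test-NetBiosDomainName -Name $_ } | Format-Table -AutoSize

@(
    @{ Password = 'IAInstaller#2019'; AccountName = 'IAInstaller' }
    @{ Password = 'Tr4in-Yard!Seven'; AccountName = 'IADomainAdmin' }
    @{ Password = 'lowercaseonly1';   AccountName = 'IADomainAdmin' }
    @{ Password = 'Smith!Pump7';      AccountName = 'Operator1'; FullName = 'Jo Smith' }
) | ForEach-Object { $p = $_; Test-CcsPasswordComplexity @p } | Format-Table -AutoSize
```

The underscore in `PLANT_DC` is reported because it is not among the special characters the note lists as allowed.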

Restarting Your System


Reboot the server at this time.
1. Click the Start button and click Shut Down, then select Restart from the pull-down
menu and click OK.
2. After the restart, log on as IADomainAdmin.

Installing Optional Software


After restarting the station following the Control Core Services software installation, you can
install any optional software that is desired. Refer to Appendix J “Installing Optional Software”.

Primary Domain Controller Post-Installation Procedures

NOTICE
POTENTIAL DATA LOSS

The default Administrator account (internally renamed as IAManager)
on the PDC is disabled for security reasons. You will be unable to
log in with this account on the PDC. The only domain administrator at
this point will be the IADomainAdmin user.

If you want to enable the Administrator (a.k.a. IAManager) on the PDC,
you can use the Active Directory Users and Computers console to enable
the user. We advise creating another domain administrator user who
can act as a domain and enterprise administrator. The other domain
admin account can be useful in the event that the first two domain admin
accounts get locked or become unusable.

Failure to follow these instructions can result in data loss.
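
The account state this notice describes can be confirmed from a PowerShell prompt on the PDC. The script below is an added example, not part of the CCS installer; the function name is hypothetical, and it assumes the ActiveDirectory module that is present on a domain controller and a session logged on as a domain administrator.

```powershell
# Added example: report the state of the built-in Administrator and of every
# user in Domain Admins. Function name is hypothetical.
Import-Module ActiveDirectory

function Get-DomainAdminAccountState {
    $sid = (Get-ADDomain).DomainSID.Value

    # RID 500 is always the built-in Administrator, whatever it has been renamed to.
    $builtin = Get-ADUser -Identity "$sid-500" -Properties LockedOut

    # RID 512 is the Domain Admins group; -Recursive expands nested groups.
    $admins = @(Get-ADGroupMember -Identity "$sid-512" -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { Get-ADUser -Identity $_.SID -Properties LockedOut, PasswordLastSet })

    $usable = @($admins | Where-Object { $_.Enabled -and -not $_.LockedOut })

    [pscustomobject]@{
        BuiltInAdminName    = $builtin.SamAccountName
        BuiltInAdminEnabled = $builtin.Enabled
        DomainAdmins        = $admins |
            Select-Object SamAccountName, Enabled, LockedOut, PasswordLastSet
        UsableDomainAdmins  = $usable.Count
    }
}

$state = Get-DomainAdminAccountState
$state.DomainAdmins | Format-Table -AutoSize
'Built-in Administrator is named {0}; enabled: {1}' -f `
    $state.BuiltInAdminName, $state.BuiltInAdminEnabled

# The notice advises an additional domain administrator in case the others
# get locked or become unusable.
if ($state.UsableDomainAdmins -lt 2) {
    Write-Warning ("Only {0} enabled, unlocked domain administrator account(s) found." -f
        $state.UsableDomainAdmins)
}
```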

Changing Passwords
Configure the restore mode password for Active Directory on this server at this time. Perform the
following steps:


1. Select Run from the Start menu and enter ntdsutil:

Figure 5-22. Setting the Restore Mode Password via ntdsutil.exe

2. Click OK.
3. Type the following text in the command prompt window:
set dsrm password
reset password on server <SERVERNAME>
<password>
<password>
quit
quit
<SERVERNAME> is the actual name of your PDC server. <password> is the newly
chosen Active Directory Restore Mode password.

NOTE
Document this password and save it in a trusted place for future retrieval. Without
this password you will not be able to recover Active Directory.

Figure 5-23. Using and Exiting ntdsutil.exe


Creating Users in Active Directory


The following steps can be used to create an Operator account in the Active Directory domain.
This is a default group. Similar steps can be taken to create other customized accounts, such as
Maintenance and Engineer accounts. Refer to Security Implementation User’s Guide for I/A Series
and Foxboro Evo Workstations (Windows 10 or Windows Server 2016 Operating Systems)
(B0700HG) for information on creating customized accounts.
1. Click the Start button, and then select Windows Administrative Tools -> Active
Directory Users and Computers. You may need to scroll down to see this menu
selection.
2. Under the Accounts\Users\Standard OU, right-click Standard, and select New ->
User:

Figure 5-24. Creating Users via Active Directory Users and Computers

Users are created under the Accounts\Users\Standard OU, including IA Plant
Engineers, IA Plant Operators, and IA Plant Maintenance.
The dialog box shown in Figure 5-25 opens.


Figure 5-25. New Object - User

3. Enter the First name, Full name, and User logon name as the same value (for
example, Operator1).
4. Click Next.
5. In the dialog box shown in Figure 5-26, clear the User must change password at
next logon checkbox. Select the Password never expires checkbox.
6. Enter the password and confirm the password.
7. Click Next.


Figure 5-26. New Object - User - Password Updates

8. Click Finish as shown in Figure 5-27.

Figure 5-27. New Object - User - Finish


9. Double-click on the new user name in the Active Directory Users and Computers dia-
log box to open the Properties dialog box, as shown in Figure 5-28.

Figure 5-28. Opening the New User Properties Dialog Box


10. Select the Member Of tab, as shown in Figure 5-29.

Figure 5-29. New User Properties Dialog Box

11. Click the Add button.


12. Type in the text “IA Plant” and click the Check Names button as shown in
Figure 5-30.


Figure 5-30. Select Groups

13. Select the desired Control Core Services or I/A Series standard user group (for exam-
ple, IA Plant Engineers) and click OK.

Figure 5-31. Multiple Names Found Dialog Box


14. Click OK to close the Select Groups dialog box shown in Figure 5-32.

Figure 5-32. Closing Select Groups Dialog Box

15. Click OK to close the Properties dialog box shown in Figure 5-33.

Figure 5-33. Closing Properties Dialog Box


16. Repeat the above steps for as many users as desired. The different standard user groups
provide different policy settings and system access.
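
When many accounts are needed, steps 1 through 15 can be scripted with the ActiveDirectory PowerShell module. The script below is an added example, not from this guide or from Schneider Electric; the function names are hypothetical, and it assumes that Accounts\Users\Standard is three nested OUs under the domain root and that the standard groups can be looked up by the names shown above.

```powershell
# Added example: create a standard CCS user the way the GUI steps do.
# Function names are hypothetical. Run on the PDC as a domain administrator.
Import-Module ActiveDirectory

function New-CcsStandardUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,            # for example, Operator1
        [Parameter(Mandatory)]
        [ValidateSet('IA Plant Operators', 'IA Plant Engineers', 'IA Plant Maintenance')]
        [string]$Group,
        [Parameter(Mandatory)][securestring]$Password
    )

    $domain = Get-ADDomain
    # Assumption: the Accounts\Users\Standard OU maps to this distinguished name.
    $ou = "OU=Standard,OU=Users,OU=Accounts,$($domain.DistinguishedName)"

    # Stop before changing anything if the OU or the group is missing.
    Get-ADOrganizationalUnit -Identity $ou -ErrorAction Stop | Out-Null
    Get-ADGroup -Identity $Group -ErrorAction Stop | Out-Null
    if (Get-ADUser -Filter "SamAccountName -eq '$Name'") {
        throw "A user with logon name '$Name' already exists."
    }

    $newUser = @{
        Name                  = $Name      # step 3: same value for all name fields
        GivenName             = $Name
        DisplayName           = $Name
        SamAccountName        = $Name
        UserPrincipalName     = "$Name@$($domain.DNSRoot)"
        Path                  = $ou        # step 2
        AccountPassword       = $Password  # step 6
        Enabled               = $true
        ChangePasswordAtLogon = $false     # step 5
        PasswordNeverExpires  = $true      # step 5
    }

    if ($PSCmdlet.ShouldProcess("$Name in $ou", "Create user and add to '$Group'")) {
        New-ADUser @newUser
        Add-ADGroupMember -Identity $Group -Members $Name   # steps 9 to 15

        # Read the account back so the result can be checked against the steps.
        Get-ADUser -Identity $Name -Properties PasswordNeverExpires, MemberOf |
            Select-Object SamAccountName, Enabled, PasswordNeverExpires,
                @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { (Get-ADGroup $_).Name }) -join ', ' } }
    }
}

# Inventory of accounts in the Standard OU whose passwords never expire,
# so they can be tracked and rotated by procedure.
function Get-CcsNonExpiringUser {
    $ou = "OU=Standard,OU=Users,OU=Accounts,$((Get-ADDomain).DistinguishedName)"
    Get-ADUser -SearchBase $ou -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordLastSet
}

# Usage (prompting keeps the password out of the script and the command history):
#   $pw = Read-Host -AsSecureString -Prompt 'Password for Operator1'
#   New-CcsStandardUser -Name 'Operator1' -Group 'IA Plant Operators' -Password $pw -WhatIf
#   New-CcsStandardUser -Name 'Operator1' -Group 'IA Plant Operators' -Password $pw
#   Get-CcsNonExpiringUser | Format-Table -AutoSize
```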

Tombstone Lifetime Attribute in Active Directory


By default the Active Directory tombstone lifetime is 180 days. Having a longer tombstone life-
time decreases the chance that a deleted object remains in the local directory of a disconnected
Domain Controller beyond the time when the object is permanently deleted from online DCs.
It is highly recommended that you review information regarding the tombstone lifetime attribute
in “Backing Up Active Directory on Domain Controllers” on page 547. If you want to alter the
default value, use the procedure “Changing the Tombstone Lifetime Attribute in Active Direc-
tory” on page 548.
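
To see how close any domain controller is to the situation described above, the configured tombstone lifetime can be compared with the time since each DC last replicated successfully. The script below is an added example, not taken from this guide; the function names and the 50 percent warning fraction are assumptions, and it requires the ActiveDirectory PowerShell module.

```powershell
# Added example: compare each DC's last successful inbound replication with
# the forest's tombstone lifetime. Function names are hypothetical.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # The attribute lives on the Directory Service object in the configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dirSvc = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Properties tombstoneLifetime
    $dirSvc.tombstoneLifetime
}

function Get-DcReplicationAge {
    param([double]$WarnFraction = 0.5)   # assumed threshold: half the tombstone lifetime

    $tsl = Get-TombstoneLifetimeDays
    if (-not $tsl) { throw 'tombstoneLifetime is not set on the Directory Service object.' }

    $now = Get-Date
    Get-ADReplicationPartnerMetadata -Target (Get-ADDomain).DNSRoot -Scope Domain |
        ForEach-Object {
            # A partner that has never replicated successfully is treated as infinitely stale.
            $age = if ($_.LastReplicationSuccess) {
                ($now - $_.LastReplicationSuccess).TotalDays
            } else {
                [double]::PositiveInfinity
            }
            [pscustomobject]@{
                Server                = $_.Server
                Partner               = $_.Partner
                LastSuccess           = $_.LastReplicationSuccess
                DaysSince             = [math]::Round($age, 1)
                TombstoneLifetimeDays = $tsl
                AtRisk                = ($age -ge $tsl * $WarnFraction)
            }
        } | Sort-Object DaysSince -Descending
}

"Tombstone lifetime: $(Get-TombstoneLifetimeDays) days"
Get-DcReplicationAge | Format-Table -AutoSize
```

With only a PDC installed there are no replication partners and the table is empty; the check becomes useful once an SDC has been added.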

Backing Up Active Directory


Back up the Active Directory at regular intervals on Control Core Services domain controller sta-
tions. Backing up Active Directory enables a smooth restoration of Control Core Services system
operations after an unexpected hardware or software suboptimal condition. See “Backing Up
Active Directory on Domain Controllers” on page 547 for additional information.

Installation
Re-enable any antivirus software that is installed if it is not already enabled.
If you have a secondary domain controller on the same separate network, proceed to “Installing
Enterprise Edition Control Core Services v9.4 on Off-Control Network Secondary Domain Con-
trollers” on page 140.
If an SDC is not planned, proceed to Chapter 12 “Enterprise Edition Control Core Services v9.4
Installation for Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-9.4
Domain Clients to Existing Off-Control Network Networks” for the installation procedure for
the domain clients.
Also, you can install any Control Core Services v9.4 trailers that are available at this time. Trailers
are provided with their own installation instructions.


Installing Enterprise Edition Control Core Services v9.4 on Off-Control Network Secondary
Domain Controllers
This section describes how to install Enterprise Edition Control Core Services v9.4 on secondary
domain controller servers on a separate network from the control network.
This diagram shows the high-level steps for this scenario:
♦ Ensure server HW compatibility with Server 2016 Foxboro image. Refer to B0700SY.
♦ Restore Foxboro supplied Server 2016 image on the server HW.
♦ Set Date/Time/TimeZone on the OS to match with the PDC.
♦ Connect the server physically to the Off-Control Network that is also connected to the
PDC.
♦ Ensure Off-Control Network interface card drivers are up to date.
♦ Assign static IP address to the Off-Control Network interface card.
♦ Ensure PDC is pingable using IP address.
♦ Install Foxboro Server 2016 Local Group Policies (LGPOs).
♦ Install Anti-Malware software (ex: McAfee ENS).
♦ Disable Anti-Malware software.
♦ Install SDC.
♦ Enable Anti-Malware software.
♦ Install CCS clients.

Server Preparation
The secondary domain controller (SDC) has to be a server-class station installed with the Win-
dows Server 2016 Standard operating system. For this procedure, it is assumed that the SDC is
installed on a separate network (which is called “Off-Control Network”), not connected to the
control network.
Perform the following steps to set up the hardware and restore the operating system onto your sec-
ondary domain controller server:

NOTE
If this is a new station shipped from the Schneider-Electric factory with the V9.4
Restore image identified by the media kits in Table 1-2 and verified in your
workstation’s H-code, proceed to “Notes on Installing Control Core Services” on
page 142. If not, continue following the steps in this section.


1. Install hardware, install the Windows Server 2016 Standard operating system, and
update drivers for your server. Perform the following:
a. Refer to Control Core Services v9.4 Release Notes (B0700SY) to check that your
hardware meets the hardware requirements specific to Control Core Services v9.4.
For instructions on installing memory upgrades, PCI cards, and so forth, refer to
the “Installing Hardware Upgrades” chapter of the Hardware and Software Specific
Instructions document shipped with your server.
b. If the server is new from factory with the Server 2016 image then skip this step.
Otherwise, using the Control Core Services v9.4 Restore Media, restore the Win-
dows Server 2016 Standard operating system on your server. Follow the instruc-
tions of Appendix A “Startup Options”.

NOTE
Only use the media kits listed in Table 1-2 on page 7 to restore the operating system
of a V9.4 station.

It is inadvisable to follow the instructions for installing Control Core Services from
your hardware specific instruction manual. Instead, follow the software installation
procedure below.

c. Set the time and date to match the date and time on the PDC. Perform the
following:
♦ Open the Windows Date and Time applet by clicking Control Panel ->
Date and Time.
♦ Click the Change Date and Time button.
♦ Adjust the date and time.
♦ Click OK.
♦ Click the Change time zone button.
♦ Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
♦ Click OK.

NOTE
While installing an SDC, it is vital that the UTC system time matches
the UTC system time on the domain (as viewed on the PDC). The date and time
have to match, though the time which Windows displays may differ if the time
zones are not the same on the two stations.
Be careful when changing the time zone prior to adjusting the system time as this
can cause the AM/PM setting to change.
Also, be aware that the checkbox included for some time zones which defines
whether or not the time will be automatically adjusted for Daylight Saving Time
can cause the system time to differ by an hour.


d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the Hardware and Software Specific Instructions doc-
ument shipped with the server.

Notes on Installing Control Core Services


Before you install Control Core Services, check that the server is physically connected to the net-
work and that the PDC is on-line and attached to the same Off-Control Network.
♦ The server must be connected to the Off-Control Network before installing Control
Core Services.
♦ The network interface drivers may need updating before installing Control Core Ser-
vices v9.4. If upgrades are not completed prior to installation, it may lead to unstable
or unavailable communications. See the “Installing/Updating the Network Interface
Card Drivers” section in your Hardware and Software Specific Instructions document.
♦ In Control Panel -> Network and Sharing Center/Network Connections,
which lists the available NICs, it is inadvisable to change the name of any “Local Area
Connection x” network connection. This can result in software installation issues or
system instability.
♦ On servers with the Windows Server 2016 Standard operating system, it is recom-
mended that no roles be added to the system which are not necessary for the operation
of the server. Adding unnecessary roles (for example, adding the Remote Desktop Ser-
vices role when the server is not to be used as a remote session host) can create cyber-
security weaknesses in the overall system.

Installation Procedure
Before performing this installation, disable any antivirus software that is installed.

NOTE
If you unplugged any non-control network cables prior to performing the Day 0
installation, plug in the non-control network cables at this time.

Assign a Static IPv4 Address to Off-Control Network Adapter


Proceed as follows:
1. Right-click on the Start button and, from the context menu that appears, select Con-
trol Panel.
2. Click Network and Internet.
3. Click Network and Sharing Center.
4. Click Change Adapter settings on the left pane.
5. Select the network adapter that represents the off-control network, right-click on the
adapter and choose Properties from the context menu.
6. Uncheck the Internet Protocol Version 6 (TCP/IPv6) option.
7. Select the Internet Protocol Version 4 (TCP/IPv4) option and click the Properties
button.
8. Set a static IP address and preferred DNS server as shown in Figure 5-34.


NOTE
The IP address shown in your case need not match the IP address shown in
Figure 5-34.

Figure 5-34. Static IPv4 Assignment to SDC Off Control Network Adapter

9. Confirm the PDC is pingable from this server using the off-control static IPv4 address
assigned to the PDC. If it is not, you might have to reboot the server and then
attempt the ping again. If the ping works after the reboot, proceed to the next steps.


Figure 5-35. PDC Pingable from SDC Using the Off-Control Network Static IP Address
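
Steps 6 through 9 above, together with the UTC time requirement from the Server Preparation note, can be verified in one pass before setup.exe is started. The PowerShell below is an added example, not part of the Foxboro installer: the function name, the 60-second skew threshold and the default domain name offmesh.local are assumptions, and 181.128.182.10 is the example PDC address this guide uses later in the procedure.

```powershell
# Added example: pre-flight checks on the SDC before launching setup.exe.
# Function name and thresholds are hypothetical. Run in an elevated prompt.
function Test-SdcPreflight {
    param(
        [Parameter(Mandatory)][string]$PdcAddress,   # off-control static IPv4 of the PDC
        [string]$DomainName   = 'offmesh.local',     # assumed: the installer's default domain
        [int]$MaxSkewSeconds  = 60                    # assumed threshold; Kerberos' default tolerance is 5 minutes
    )

    function New-Check($Check, $Pass, $Detail) {
        [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" }
    }

    # Step 8: the off-control adapter has a static IPv4 address. The installer
    # expects exactly one statically configured adapter.
    $static = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | ForEach-Object {
            Get-NetIPInterface -InterfaceIndex $_.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
        } | Where-Object Dhcp -eq 'Disabled')
    New-Check 'Exactly one static IPv4 adapter' ($static.Count -eq 1) ($static.InterfaceAlias -join ', ')

    # Step 6: TCP/IPv6 is unchecked on that adapter.
    foreach ($nic in $static) {
        $v6 = Get-NetAdapterBinding -Name $nic.InterfaceAlias -ComponentID ms_tcpip6
        New-Check "IPv6 unbound on '$($nic.InterfaceAlias)'" (-not $v6.Enabled) "Enabled=$($v6.Enabled)"
    }

    # Step 9: the PDC answers ping on its off-control address.
    $ping = Test-Connection -ComputerName $PdcAddress -Count 2 -Quiet
    New-Check "PDC answers ping at $PdcAddress" $ping ''

    # Same lookup that ping -a performs: the address should map back to the PDC's FQDN.
    try   { $fqdn = [System.Net.Dns]::GetHostEntry($PdcAddress).HostName }
    catch { $fqdn = $null }
    New-Check 'PDC address resolves to its FQDN' ($fqdn -like "*.$DomainName") $fqdn

    # Server Preparation note: UTC time must match the PDC. w32tm reports the
    # offset between the two clocks independently of either time zone setting.
    $line = & w32tm.exe /stripchart "/computer:$PdcAddress" /samples:1 /dataonly 2>&1 |
        Select-Object -Last 1
    if ("$line" -match ',\s*([+-]\d+\.\d+)s') {
        $offset = [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        New-Check 'UTC clock offset to PDC' ([math]::Abs($offset) -le $MaxSkewSeconds) "$offset s"
    } else {
        New-Check 'UTC clock offset to PDC' $false "no sample returned: $line"
    }
}

Test-SdcPreflight -PdcAddress '181.128.182.10' | Format-Table -AutoSize
```

The FQDN check depends on the preferred DNS server set in step 8 and may only pass once that server answers reverse lookups.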

Installation
Proceed as follows:
10. Insert the DVD labeled “Foxboro Evo Control Core Services v9.4 Windows 10/Server
2016 Day 0 DVD” (K0177BP).
11. Navigate to the DVD drive and double-click setup.exe.
12. When the UAC prompt appears, click Yes.

Figure 5-36. UAC Prompt


13. A dialog box appears that lets you select whether you are installing Control Core
Services for a Local Edition or an Enterprise Edition system. Select Install CCS
Software for Enterprise System.
Select the Installation Type as Active Directory Domain Services (AD DS).
Select the Network Connectivity Type as Off Control Type:

Figure 5-37. Selecting to Install a Domain Controller

14. Click Next.

NOTE
Click Cancel in any screen to stop the installation procedure. You can resume the
installation from where it stopped by relaunching Setup.exe.


15. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 5-38. Click Load to load the committed configuration files.

Figure 5-38. Load Committed Configuration Install Files

16. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 5-39. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder.


Figure 5-39. Installation Media Folder Browser

17. Confirm the PDC is pingable from this server using the off-control static IPv4 address
assigned to the PDC. If it is not, you may have to cancel the installation, reboot the
server and then reattempt the ping. If the ping works after the reboot, restart the
installation and proceed to the next step.

Figure 5-40. PDC Pingable with Off-Control Network Static IP Address


18. Click Next. The Server platform setup dialog box appears as shown in Figure 5-41.
Select the Install as a Secondary Domain Controller (SDC) radio button.

Figure 5-41. Server Platform Setup

19. In the “Provide information for the domain joining account and click Authorize”
field, enter the IP Address of the Off-Control Network PDC server. Verify the
account name with authority to add a workstation to the domain (i.e.,
offmesh.local\IAInstaller). Enter the password for this account and click
Authorize.

Figure 5-42. Server Platform Setup Dialog Box (SDC) - Authorize


20. If the local system time does not match the PDC system time, the dialog box shown
in Figure 5-43 appears. Click OK. Fix the local system time to match the PDC time
(see “Server Preparation” on page 140) and re-click Authorize.

Figure 5-43. Resetting UTC Date

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 5-44 is displayed. It is vital to check that the local and
remote system times match (including date, time, AM/PM, timezone) before continu-
ing. Note that the checkbox displayed for some time zones which allows the system to
automatically adjust for Daylight Saving Time can affect the time displayed by the
system by one hour.

Figure 5-44. Unable to Determine Local Time on the PDC

21. When clicking the Authorize button results in a successful domain rights verification,
a message indicating this appears.


Figure 5-45. Join Client to Domain Rights Verified

22. If there are more SDCs planned, choose Add Off-Mesh from the “Select the Second-
ary Domain Controller Stations” drop-down list. Only add this from the PDC.

Figure 5-46. Add Off-Mesh Option from Drop-Down List

23. In the dialog that appears, add the off-control IP addresses of those SDCs, and then
click Done.

Figure 5-47. Adding Additional Off-Mesh IPs for Other SDCs

24. Click Set.

Figure 5-48. Setting Off-Mesh IPs for SDCs

25. If there are no SDCs planned, click Skip (Figure 5-49).


Figure 5-49. Server Platform Setup Dialog Box (Second SDC)

26. Confirm that the PDC is pingable by:
♦ FQDN (Fully Qualified Domain Name) of the PDC (for example,
<Hostname>.offmesh.local)
♦ IP address of the PDC
♦ Domain name, as shown in this figure.


Figure 5-50. Confirm Domain Name Pingable

27. Verify the name of the domain and click Connect.

Figure 5-51. Verify Domain Name Before Connect


28. A message appears to indicate that the connection to the domain has succeeded. If
unsuccessful, a reason it did not succeed is displayed. Click OK.

NOTE
If, after connecting the domain client to an SDC, the software installation does
not continue after the reboot, the system time may not have been set correctly. Refer
to “Setting Time Correctly Software Installation Cannot Continue After Reboot
(SDC or Domain Client)” on page 577 to correct this.

29. When the Schneider Electric CCS Software Install: Workstation Reboot Request dia-
log box appears, as shown in Figure 5-52, click Reboot.

Figure 5-52. Schneider Electric CCS Software Install: Workstation Reboot Request Dialog Box

30. The Windows sign out dialog box is displayed as in Figure 5-53. After a few minutes,
the server will automatically reboot.

Figure 5-53. Workstation Sign Out Dialog Box

31. After the server reboots, log on with the “IAInstaller” account using the password as it
was set during the PDC server's installation.
32. After a few minutes, the installation process restarts automatically. The Server
platform setup dialog appears as shown in Figure 5-54. Re-enter the Primary Domain
Controller’s IP Address, the IAInstaller account name, and the account password. Click
Authorize.


NOTE
Before clicking Authorize, confirm that the PDC is pingable using its off-control
network IP address. If the PDC is not pingable using its IP address, authorization
will be unsuccessful. For example, pinging 181.128.182.10 should succeed.

Figure 5-54. Server Platform Setup (Authorize)

33. When clicking the Authorize button results in a successful domain rights verification,
a message indicating this appears.

Figure 5-55. Join Client to Domain Rights Verified


34. Verify the Domain Name and Site Name fields.

Figure 5-56. Server Platform Setup (Prepare)

NOTE
To verify the site name, follow these steps on the existing PDC:
- Log in as iadomainadmin.
- Open the command prompt.
- Execute the command dsquery site.
The command result should show the site name, as shown in Figure 5-57.

35. If you are satisfied with the domain and site names, click Prepare.


Figure 5-57. Verify Site Name with Command Prompt

36. If the domain name or site name does not match those provided during PDC
installation, the dialog box shown in Figure 5-58 appears.

Figure 5-58. Domain Name or Site Name Mismatch

NOTE
Click Cancel and correct the Domain/Site Name and click Prepare. Clicking on
OK and proceeding with incorrect domain/site name will cause the installation to be
unsuccessful.

37. If the site name and domain name match those provided during PDC installation,
the dialog box shown in Figure 5-59 appears to give you one more chance to
reverify. Check at this time that the name you have chosen for your Active Directory
domain is correct and will not conflict with another domain on the same network.
Click OK.
If the domain or site names do not match those of the PDC, clicking OK will cause the
installation to not succeed.


Figure 5-59. System Message for Domain Name Check

38. To assist with a smooth installation process, verify that the PDC fully qualified
domain name is pingable and verify that there is no firewall between the PDC and
this server. This helps to ensure PDC and SDC data replication and synchronization.
a. Open command prompt.
b. Ping the PDC using its off-control network IP address with the -a option.
c. The result of the ping should show the fully qualified name of the PDC, as shown in Figure 5-60.

Figure 5-60. PDC’s Fully Qualified Domain Name Pingable
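
The connectivity and naming checks in steps 34 through 38 can be scripted so the result is recorded before you click Install. The PowerShell below is an added example, not part of the Schneider Electric installer: the function names and the FQDN are hypothetical, the IP address is the sample value from the earlier note, and the TCP port list (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB) is an assumption about what a firewall between the two servers would block.

```powershell
# Added example: pre-flight checks on the server that is about to become the SDC.
# Function names, the FQDN and the port list are assumptions, not installer values.

function New-CheckResult {
    param([string]$Check, [bool]$Passed, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-PdcPreflight {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PdcIp,
        [Parameter(Mandatory)] [string] $ExpectedFqdn,
        [int[]] $TcpPorts = @(53, 88, 135, 389, 445)
    )

    # The PDC must answer ping on its off-control network IP address.
    $pingOk = Test-Connection -ComputerName $PdcIp -Count 2 -Quiet
    New-CheckResult 'Ping by IP address' $pingOk $PdcIp

    # Same lookup as "ping -a": the IP must resolve to the PDC's fully qualified name.
    $resolved = ''
    try   { $resolved = [System.Net.Dns]::GetHostEntry($PdcIp).HostName }
    catch { $resolved = "lookup failed: $($_.Exception.Message)" }
    $isFqdn = ($resolved -like '*.*') -and ($resolved -eq $ExpectedFqdn)
    New-CheckResult 'Reverse lookup returns PDC FQDN' $isFqdn $resolved

    # Forward lookup of the FQDN should return the same address.
    $forward = @()
    try   { $forward = @([System.Net.Dns]::GetHostAddresses($ExpectedFqdn) |
                         ForEach-Object { $_.IPAddressToString }) }
    catch { $forward = @() }   # unresolved name: reported as a failed check below
    New-CheckResult 'FQDN resolves to PDC IP' ($forward -contains $PdcIp) ($forward -join ', ')

    # A firewall between the servers shows up as blocked TCP ports.
    foreach ($port in $TcpPorts) {
        $probe = Test-NetConnection -ComputerName $PdcIp -Port $port -WarningAction SilentlyContinue
        New-CheckResult "TCP port $port reachable" $probe.TcpTestSucceeded "${PdcIp}:$port"
    }
}

# Run on the existing PDC as iadomainadmin: PowerShell equivalent of "dsquery site".
# Requires the ActiveDirectory module.
function Get-PdcSiteName {
    (Get-ADReplicationSite -Filter *).Name
}

# Sample run with constructed values; replace both before use.
$report = Test-PdcPreflight -PdcIp '181.128.182.10' -ExpectedFqdn 'pdc01.example.local'
$report | Format-Table -AutoSize
if ($report.Passed -contains $false) {
    Write-Warning 'At least one check did not pass; resolve it before clicking Install.'
}
```

Compare the output of Get-PdcSiteName on the PDC with the Site Name field in the Server Platform Setup dialog box before clicking Prepare.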

39. Click Install to load the Active Directory Domain Services onto this server and to
assign the server to the role of Secondary Domain Controller.


Figure 5-61. Active Directory Domain Services Install

A DOS window is displayed while Active Directory is being installed, as shown in Figure 5-62.

Figure 5-62. Active Directory Installation via DOS Window

After the Active Directory Domain Services are installed, this dialog box is displayed
as shown in Figure 5-63.


Figure 5-63. User Credential for Prompting to SDC

40. The default username is <Domain Name>\IADomainAdmin. Enter the password for
the IADomain user and click OK. This launches a DOS prompt which promotes the
server to the Secondary Domain Controller (SDC) role, as shown in Figure 5-64.

Figure 5-64. Assigning Role of Secondary Domain Controller via DOS Window

NOTE
It is normal to see detected errors during promotion to domain controller. These
system messages pertain to DNS delegation, a default security setting for Windows
Server 2016 DCs etc. These can be ignored. See Figure 5-65.


Figure 5-65. Promote to Domain Controller Window Showing Detected Errors That Can Be Ignored

NOTE
If the promotion to the domain controller is unsuccessful, a system message is
shown (Figure 5-66). Details about the system message can be found in two files:

- C:\windows\temp\promote2dc.txt
- C:\windows\debug\dcpromo.log

If this occurs, reimage the machine and restart the installation process.

Figure 5-66. Promotion to Domain Controller System Message

The “You’re about to be signed out” screen appears. After a few minutes, the server will automatically reboot.


Figure 5-67. You’re About to be Signed Out Screen

The server reboots automatically after Active Directory has been installed.
41. After the server reboots, log into the “IAInstaller” account with the password as set in
the Server platform setup dialog box (Figure 5-56).
42. After a few minutes, the installation process restarts automatically. The dialog box
shown in Figure 5-68 is displayed. Click Apply.

Figure 5-68. Setting Up the Platform for an Enterprise Edition Control Core Services Installation


When the Active Directory is ready to be configured, a DOS window is displayed. During this stage, it is normal to see detected errors indicating that Active Directory is not yet functional. The Active Directory verification process attempts to make it functional and proceeds to the next step of configuring the Active Directory.

Figure 5-69. Active Directory Verification Process Attempting to Make Active Directory Functional

As part of the Active Directory configuration process, a DOS window is displayed while the Active Directory domain settings are applied.

Figure 5-70. Active Directory Domain Settings Applied

43. Once the configuration of Active Directory is complete, the command prompt shows
if the process completed successfully, or with detected errors. The command prompt
also shows the path to the log file which is:
“c:\windows\temp\2016offmeshsdc_config.log”.
Then the command prompt waits for any key to be pressed to proceed further. Press
<Enter> to dismiss the command prompt.

Figure 5-71. DOS Window Showing Completion of AD Configuration on SDC


NOTE
If this command prompt indicates there are any detected errors, save the indicated log file to an external drive for any possible analysis by Schneider Electric. Then reimage the server and start the installation again.

44. Click Done to complete the installation.


45. Enable any anti-malware software that is installed if no additional software is needed.

Figure 5-72. Ready to Click Done Button

Restarting Your System


Reboot the server at this time. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.

Installing Optional Software


After restarting the station following the Control Core Services software installation, you can
install any optional software that is desired. Refer to Appendix J “Installing Optional Software”.


Secondary Domain Controller Post-Installation Procedures


Changing Passwords
After completing the installation of a secondary domain controller, set the restore mode password
for Active Directory on this server. Perform the following steps:
1. On Windows Server 2016 Standard servers, click Start and select the Search programs and files field. Type ntdsutil and when the application name appears (ntdsutil.exe), click it.
2. Click OK.
3. Type the following text in the command prompt window:
set dsrm password
reset password on server <SERVERNAME>
<password>
<password>
quit
quit
<SERVERNAME> is the actual name of your SDC server. <password> is the newly chosen Active Directory Restore Mode password.

NOTE
Document this password and save it in a trusted place for future retrieval. Without
this password you will not be able to recover Active Directory.

Figure 5-73. Using and Exiting ntdsutil.exe

Backing Up Active Directory


Back up the Active Directory at regular intervals on Control Core Services domain controller stations. Backing up Active Directory assists with a smooth restoration of Control Core Services system operations after an unexpected hardware or software suboptimal condition. See “Backing Up Active Directory on Domain Controllers” on page 547 for additional information.

Adding Foxboro Stations to Active Directory Post-Installation


When first installed, the Off-Control Network PDC contains objects in Active Directory for the
Foxboro stations in the system. If stations are added to the Control Core Services system at a later
time, new objects have to be created manually in this PDC’s Active Directory.
1. Click the Start button, and then select Windows Administrative Tools ->
Active Directory Users and Computers. You may need to scroll down to see
this menu selection.
2. From Active Directory Users and Computers, right-click on the “IA Computers” OU and select New -> Computer as shown in Figure 5-74.

Figure 5-74. Selecting IA Computers -> New -> Computer

3. Enter the name of the new workstation in the Computer name field and click OK as
shown in Figure 5-75. The OU for “Pre-8.8 workstations” on migrated systems will
be named “Pre-8.8 IA Computers” as shown in Figure 5-76.


Figure 5-75. New Object - Computer

Figure 5-76. Selecting Pre-8.8 IA Computers -> New -> Computer


Finishing Post-Installation
Re-enable any antivirus software if not already enabled.
Proceed to Chapter 12 “Enterprise Edition Control Core Services v9.4 Installation for Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-9.4 Domain Clients to Existing Off-Control Network Networks” for the installation procedure for the domain clients.

6. Enterprise Edition Control Core Services v9.4 Installation for Existing Off-Control Network Primary Domain Controllers
This chapter describes procedures to install Enterprise Edition Control Core Services v9.4 on an
existing primary domain controller server with Windows Server 2016 Standard on a separate
network (not on the Foxboro Evo Control Network).

Overview
If you already have a PDC with Windows Server 2016 Standard on which you want to install the
Control Core Services components for Active Directory, follow the instructions in this chapter to
perform this installation.

NOTE
For Off-Control Network PDCs, no upgrade is needed, as Control Core Services
software is not installed. It is not advisable to perform the Local Edition install for
off-Control Network PDCs.

NOTE
We recommend you have a Secondary Domain Controller (SDC) in place in order
to maintain high availability of the domain services in case the PDC is down for any
reason.

Be aware that this scenario does not include installation of an SDC. If you have an SDC, replicate
the Active Directory to that SDC after the Control Core Services installation to the PDC.
If an SDC is not installed and you want to add one now, you can purchase a Schneider Electric-supplied SDC and install Control Core Services v9.4 on it as described in “Installing Enterprise Edition Control Core Services v9.4 on Off-Control Network Secondary Domain Controllers” on page 140. Alternatively, you can use a non-Schneider Electric server as your SDC and install only the appropriate Microsoft Active Directory software.

Notes on Installing Control Core Services


Before you install Control Core Services, check that the server is physically connected to the Off-
Control Network and, if needed, that any network interface card drivers are updated. Refer to the
notes below.


♦ In Control Panel -> Network Connections, which lists the available NICs, it is inadvisable to change the name of any “Local Area Connection x” network connection. This can result in software installation issues or system instability.
♦ On servers with the Windows Server 2016 Standard operating system, it is recommended that no roles be added to the system which are not necessary for the operation of the server. Adding unnecessary roles (for example, adding the Remote Desktop Services role when the server is not to be used as a remote session host) can create cybersecurity weaknesses in the overall system.
♦ Use the IAInstaller account for the installation tasks. However, due to the permissions assigned to IAInstaller, it is not to be used for any other role, such as operation of the domain controllers.
♦ This diagram shows high level steps for this scenario.

[Diagram: high-level steps for this scenario]
- Ensure server HW compatibility with server 2016 Foxboro image. Refer to B0700SY
- If not new from factory, restore Foxboro supplied Server 2016 image on the server HW
- Set Date/Time/TimeZone on the OS to match with the source Win 2008 PDC
- Install CCS
- Create required plant users in AD (ex: Engineer/Operator/Admin)
- Enable Anti-Malware software

Installation Procedure
Before performing this installation, disable any antivirus software that is installed.

NOTE
If you unplugged any non-control network cables prior to performing the Day 0
installation, plug in the non-control network cables at this time.

Proceed as follows:
1. Install Server 2016 Local Group Policies. Refer to Chapter 17 “Local Group Policy
Installation”.
2. Install anti-malware software such as McAfee ENS. Refer to Installation and Configuration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).


3. Ensure the following McAfee ENS components are up to date:
♦ ENS AMCore DAT file
♦ Exploit Prevention Content
4. Run a full scan of the system to help ensure no viruses are present in the system before
work begins.
5. Disable anti-malware software such as McAfee ENS. Refer to Installation and Configuration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
6. Insert the DVD labeled “Foxboro Evo Control Core Services v9.4 Windows 10/Server
2016 Day 0 DVD” (K0177BP).
7. Navigate to the DVD drive and double-click setup.exe. If auto play is enabled, the
auto play dialog appears, from which you can directly run the setup.exe.
8. If UAC is enabled, you will either be asked for consent (Yes/No) or asked for administrator credentials. Provide the necessary information for the UAC. Enter the built-in administrator credentials when the UAC prompt appears.


9. This installs the Microsoft Visual C++ 2015 Redistributables. After they are installed, the Installer dialog is launched.
10. Select Install CCS Software for Enterprise System. Then select the Installation Type as Active Directory Domain Services (AD DS) and choose the AD Type as Use existing Non -Foxboro EVO AD as shown in Figure 6-1.
Click Next to continue.

Figure 6-1. Selecting to Install a Domain Controller on an Off-Control Network Domain

NOTE
Click Cancel in any screen to stop the installation procedure. You can resume the
installation from where it stopped by relaunching the Setup.exe.

11. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 6-2. Click Load to set the installation target drive to D:\ and load
the committed configuration files.


Figure 6-2. Load Committed Configuration Install Files

NOTE
The browser for the folder which contains the committed configuration install files
opens, as shown in Figure 6-3. If the installation media with your Commit files is on
the server’s hard drive or a network, browse to the location of the media and click
Select Folder.


Figure 6-3. Installation Media Folder Browser

NOTICE
POTENTIAL DATA LOSS

The installation program attempts to copy some GPO templates into the SYSVOL folder on the next screen when you click Apply. The installation assumes the default SYSVOL path (c:\windows\SYSVOL) for this purpose.

If you have installed SYSVOL at a different path, follow these steps so the installation program copies the GPO templates to the correct SYSVOL path.

Failure to follow these instructions can result in data loss.

12. If you have installed SYSVOL at a non-default path as specified in the above NOTICE, follow the steps below before proceeding with the actual installation, so that the installation program copies the GPO templates to the correct SYSVOL path.
a. Open the File Explorer and browse to the path C:\ProgramData\Invensys\IASeries\Installer\SupportFiles\Configurations.


b. Remove the read-only flag on the file "ExistingDomain_2016OffMeshPDC_Config.xml" by right-clicking the file, choosing Properties from the context menu, and clearing the Read-Only checkbox.
c. Open Notepad using RunAsAdmin.
d. Open the above-mentioned file "ExistingDomain_2016OffMeshPDC_Config.xml" in the Notepad application invoked in the above step.
e. Look for the XML line shown below

f. Replace the text c:\windows\sysvol in the above line with the actual SYSVOL path. For example, if you have installed SYSVOL at the location F:\ADSYSVOL, then the modified command will look like this

g. Save and close the file.
h. Proceed with the installation.


13. Click Next. The dialog box appears as shown in Figure 6-4.
14. Read the above notice and then click Apply.

Figure 6-4. Server Platform Setup

When the Active Directory is ready to be configured, a DOS window is displayed. During this stage, it is normal to see detected errors indicating that the Active Directory is not yet functional. The Active Directory verification process attempts to make the directory functional, and then proceeds to the next step of configuring the Active Directory.


Figure 6-5. Active Directory Verification Process

15. A command prompt is displayed while the Active Directory domain settings are
applied.

Figure 6-6. Active Directory Domain Settings Applied

NOTE
If this command prompt indicates there are any detected errors, save the indicated log file to an external drive for any possible analysis by Schneider Electric. Then reimage the server and start the installation again.

16. Once the configuration of Active Directory is complete, the command prompt shows
if the process completed successfully, or with detected errors. The command prompt
also shows the path to the log file which is:
c:\windows\temp\ExistingDomain_2016offmeshsdc_config.log
Then the command prompt waits for any key to be pressed to proceed further. Press
<Enter> to dismiss the command prompt.

Figure 6-7. Active Directory Configuration Complete


17. The CCS Secure User Accounts dialog box opens as shown in Figure 6-8. Enter the user name and password for the Control Core Services domain account and click Create.

Figure 6-8. CCS Secure User Accounts Dialog Box

NOTE
The names of these accounts may be changed from their default values. The password has to meet these complexity criteria:
- Must not contain the user’s account name or parts of the user's full name that exceed two consecutive characters.
- Must be at least 8 characters long.
- Must contain characters from three of the following four categories:
  - English upper case characters (A-Z)
  - English lower case characters (a-z)
  - Base 10 digits (0-9)
  - Non-alphabetic characters (for example: !, $, #, %)
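
The complexity criteria in this note can be checked before a password is typed into the dialog box. This PowerShell is an added example, not the installer's or Windows' own check: the function name is hypothetical, splitting the full name into parts at spaces and punctuation is this example's reading of the first rule, and the sample values are constructed.

```powershell
# Added example: check a candidate password against the criteria in the note above.
function Test-CcsPasswordComplexity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $AccountName,
        [string] $FullName = ''
    )
    $problems = @()

    # Rule: 8-character minimum length.
    if ($Password.Length -lt 8) { $problems += 'shorter than 8 characters' }

    # Rule: characters from three of the four categories.
    # -cmatch is used because -match ignores case and would count one letter twice.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -cmatch '[0-9]')        { $categories++ }
    if ($Password -cmatch '[^A-Za-z0-9]') { $categories++ }   # symbols such as ! $ # %
    if ($categories -lt 3) { $problems += "only $categories of 4 character categories used" }

    # Rule: no account name, and no part of the full name longer than two characters.
    # Assumption: name parts are separated by spaces, tabs or , . - _ #
    $lower = $Password.ToLowerInvariant()
    if ($AccountName.Length -gt 2 -and $lower.Contains($AccountName.ToLowerInvariant())) {
        $problems += 'contains the account name'
    }
    $parts = $FullName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -gt 2 }
    foreach ($part in $parts) {
        if ($lower.Contains($part.ToLowerInvariant())) {
            $problems += "contains name part '$part'"
        }
    }

    [pscustomobject]@{ Compliant = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample values, for demonstration only.
$samples = @(
    @{ Password = 'Operator1!x';    AccountName = 'Operator1'; FullName = 'Operator1' }
    @{ Password = 'pumphouse';      AccountName = 'Operator1'; FullName = 'Plant Operator' }
    @{ Password = 'Blue-Kettle_42'; AccountName = 'Operator1'; FullName = 'Plant Operator' }
)
foreach ($s in $samples) {
    $r = Test-CcsPasswordComplexity @s
    '{0,-16} compliant={1} {2}' -f $s.Password, $r.Compliant, ($r.Problems -join '; ')
}
```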

18. The Workstation Reboot Request dialog box is displayed. Click Reboot to reboot the
server.


Figure 6-9. Workstation Reboot Request Dialog

19. An operating system reboot dialog box will appear. Wait several minutes, and the
machine will automatically reboot.

Figure 6-10. Operating System Reboot Dialog

20. Log in as the default administrator to perform any other manual configurations, such
as creating users and groups.

NOTE
In this version of the PDC installation, the default administrator is enabled and the
iadomainadmin user is not created.

21. Enable any anti-malware software that is installed if no additional software is needed.

Restarting Your System


Reboot the server at this time. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.


Primary Domain Controller Post-Installation Procedures

Creating Users in Active Directory
The following steps can be used to create an Operator account in the Active Directory domain.
This is a default group. Similar steps can be taken to create other customized accounts, such as
Maintenance and Engineer accounts. Refer to Security Implementation User’s Guide for I/A Series
and Foxboro Evo Workstations (Windows 10 or Windows Server 2016 Operating Systems)
(B0700HG) for information on creating customized accounts.
1. Click the Start button, and then select Windows Administrative Tools -> Active
Directory Users and Computers. You may need to scroll down to see this menu
selection.
2. Under the Accounts\Users\Standard OU, right-click Standard, and select New ->
User:

Figure 6-11. Creating Users via Active Directory Users and Computers


Users are created under the Accounts\Users\Standard OU, including IA Plant Engineers, IA Plant Operators, and IA Plant Maintenance.
The dialog box shown in Figure 6-12 opens.

Figure 6-12. New Object - User

3. Enter the First name, Full name, and User logon name as the same value (for example, Operator1).
4. Click Next.
5. In the dialog box shown in Figure 6-13, clear the User must change password at
next logon checkbox. Select the Password never expires checkbox.
6. Enter the password and confirm the password.
7. Click Next.


Figure 6-13. New Object - User - Password Updates

8. Click Finish as shown in Figure 6-14.

Figure 6-14. New Object - User - Finish


9. Double-click on the new user name in the Active Directory Users and Computers dialog box to open the Properties dialog box, as shown in Figure 6-15.

Figure 6-15. Opening the New User Properties Dialog Box


10. Select the Member Of tab, as shown in Figure 6-16.

Figure 6-16. New User Properties Dialog Box

11. Click the Add button.


12. Type in the text “IA Plant” and click the Check Names button as shown in
Figure 6-17.


Figure 6-17. Select Groups

13. Select the desired Control Core Services standard user group (for example, IA Plant
Engineers) and click OK.

Figure 6-18. Multiple Names Found Dialog Box


14. Click OK to close the Select Groups dialog box shown in Figure 6-19.

Figure 6-19. Closing Select Groups Dialog Box

15. Click OK to close the Properties dialog box shown in Figure 6-20.

Figure 6-20. Closing Properties Dialog Box


16. Repeat the above steps for as many users as desired. The different standard user groups
provide different policy settings and system access.
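
When many accounts have to be created, the dialog steps above can be run as a script that also reads the account back for the record. This PowerShell is an added example, not from the guide or the product: the function name is hypothetical, and the OU distinguished name assumes that the Accounts\Users\Standard OU sits directly under the domain root.

```powershell
# Added example: steps 1-15 above as a script, run on the PDC as a domain administrator.
Import-Module ActiveDirectory

function New-CcsPlantUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogonName,
        # The three standard groups this guide names.
        [Parameter(Mandatory)]
        [ValidateSet('IA Plant Engineers', 'IA Plant Operators', 'IA Plant Maintenance')]
        [string] $Group,
        [Parameter(Mandatory)] [securestring] $Password,
        # Assumption: Accounts\Users\Standard is located directly under the domain root.
        [string] $OuPath = "OU=Standard,OU=Users,OU=Accounts,$((Get-ADDomain).DistinguishedName)"
    )

    # Stop before creating anything if the OU or the group is not where expected.
    Get-ADOrganizationalUnit -Identity $OuPath -ErrorAction Stop | Out-Null
    $targetGroup = Get-ADGroup -Filter "Name -eq '$Group'"
    if (-not $targetGroup) { throw "Group '$Group' not found in this domain." }
    if (Get-ADUser -Filter "SamAccountName -eq '$LogonName'") {
        throw "A user with logon name '$LogonName' already exists."
    }

    # Steps 3-8: first name, full name and logon name share one value; the two
    # password options match the checkboxes in the New Object - User dialog box.
    New-ADUser -Name $LogonName -GivenName $LogonName -DisplayName $LogonName `
        -SamAccountName $LogonName -Path $OuPath -AccountPassword $Password `
        -Enabled $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true `
        -ErrorAction Stop

    # Steps 9-15: Member Of -> Add -> select the IA Plant group.
    Add-ADGroupMember -Identity $targetGroup -Members $LogonName -ErrorAction Stop

    # Read the account back so the resulting group membership can be recorded.
    $user = Get-ADUser -Identity $LogonName -Properties MemberOf, PasswordNeverExpires
    [pscustomobject]@{
        LogonName            = $user.SamAccountName
        DistinguishedName    = $user.DistinguishedName
        PasswordNeverExpires = $user.PasswordNeverExpires
        Groups               = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    }
}

# Sample call using the guide's example name; the password is prompted for,
# never stored in the script.
$pw = Read-Host -AsSecureString -Prompt 'Password for Operator1'
New-CcsPlantUser -LogonName 'Operator1' -Group 'IA Plant Operators' -Password $pw
```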

Adding Foxboro Stations to Active Directory Post-Installation


When first installed, the Off-Control Network PDC contains objects in Active Directory for the
Foxboro stations in the system. If stations are added to the Control Core Services system at a later
time, new objects have to be created manually in this PDC’s Active Directory.
1. Click the Start button, and then select Windows Administrative Tools ->
Active Directory Users and Computers. You may need to scroll down to see
this menu selection.
2. From Active Directory Users and Computers, right-click on the “IA Computers” OU and select New -> Computer as shown in Figure 6-21.

Figure 6-21. Selecting IA Computers -> New -> Computer

3. Enter the name of the new workstation in the Computer name field and click OK as
shown in Figure 6-22. The OU for “Pre-8.8 workstations” on migrated systems will
be named “Pre-8.8 IA Computers” as shown in Figure 6-23.


Figure 6-22. New Object - Computer

Figure 6-23. Selecting Pre-8.8 IA Computers -> New -> Computer


Tombstone Lifetime Attribute in Active Directory


By default, the Active Directory tombstone lifetime is 180 days. Having a longer tombstone lifetime decreases the chance that a deleted object remains in the local directory of a disconnected Domain Controller beyond the time when the object is permanently deleted from online DCs.
It is highly recommended that you review information regarding the tombstone lifetime attribute in “Backing Up Active Directory on Domain Controllers” on page 547. If you want to alter the default value, use the procedure “Changing the Tombstone Lifetime Attribute in Active Directory” on page 548.
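
Whether a domain controller has been out of replication for a large part of the tombstone lifetime can be checked directly. This PowerShell is an added example, not from the guide: it assumes the ActiveDirectory module on a domain controller, and the function names and the warning threshold of half the lifetime are this example's own choices.

```powershell
# Added example: compare each replication link's age against the tombstone lifetime.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # The attribute is stored on the Directory Service object in the configuration partition.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value = (Get-ADObject -Identity $dn -Properties tombstoneLifetime).tombstoneLifetime
    if ($null -eq $value) {
        throw "tombstoneLifetime is not set on '$dn'; determine the effective value before continuing."
    }
    [int]$value
}

function Get-ReplicationAgeReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [int] $TombstoneDays,
        [double] $WarnFraction = 0.5      # assumption: warn at half the lifetime
    )
    $now    = Get-Date
    $domain = (Get-ADDomain).DNSRoot

    # One row per inbound replication link on every DC in the domain.
    Get-ADReplicationPartnerMetadata -Target $domain -Scope Domain | ForEach-Object {
        $age = [double]::PositiveInfinity          # no recorded success yet
        if ($_.LastReplicationSuccess) {
            $age = [math]::Round(($now - $_.LastReplicationSuccess).TotalDays, 1)
        }

        $status = 'OK'
        if ($age -ge $TombstoneDays * $WarnFraction) { $status = 'WARNING' }
        # Past this point the DC may still hold objects that online DCs have
        # already permanently deleted.
        if ($age -ge $TombstoneDays)                 { $status = 'EXCEEDED' }

        [pscustomobject]@{
            Server      = $_.Server
            Partner     = $_.Partner
            Partition   = $_.Partition
            LastSuccess = $_.LastReplicationSuccess
            AgeDays     = $age
            Failures    = $_.ConsecutiveReplicationFailures
            Status      = $status
        }
    }
}

$days = Get-TombstoneLifetimeDays
"Tombstone lifetime: $days days"
Get-ReplicationAgeReport -TombstoneDays $days |
    Sort-Object AgeDays -Descending |
    Format-Table Server, Partition, LastSuccess, AgeDays, Failures, Status -AutoSize
```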

Backing Up Active Directory


Back up the Active Directory at regular intervals on Control Core Services domain controller stations. Backing up Active Directory assists with a smooth restoration of Control Core Services system operations after an unexpected hardware or software suboptimal condition. See “Backing Up Active Directory on Domain Controllers” on page 547 for additional information.

Continuing Installation
Re-enable any antivirus software that is installed if it is not already enabled.
Proceed to Chapter 12 “Enterprise Edition Control Core Services v9.4 Installation for Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-9.4 Domain Clients to Existing Off-Control Network Networks” for the installation procedure for the domain clients.

7. Migrating an On-Control Windows Server 2008 Domain Controller to a New Windows Server 2016 Primary Domain Controller on the On-Control Network
This chapter describes the procedure to migrate an existing On-Control Network Primary
Domain Controller (PDC) with Windows Server 2008 running any of the following software
to a new On-Control Network Primary Domain Controller with Windows Server 2016:
♦ I/A Series software v8.8
♦ Foxboro Evo Control Core Services v9.0-9.3
♦ Foxboro Evo Control Core Services (any version) upgraded to support Windows 10
and Windows Server 2016 domain clients
The source station for this migration described in this chapter is the On-Control Network PDC
with Windows Server 2008.

NOTE
After this procedure is complete, any existing Server 2008 SDCs will continue to
work as SDCs and as a result changes will be replicated from the new Server 2016
PDC to these SDCs.

The target station for this migration indicated in this chapter refers to the new server running a
Schneider Electric-supplied OS image of Windows Server 2016.

NOTE


NOTICE
POTENTIAL DATA LOSS

• Before starting the migration, confirm that any Windows Server 2008-based SDCs are online and are connected to the PDC network. The migration process will not complete successfully if one or more of the Windows Server 2008 SDCs are not online and connected. If there is an SDC in the Active Directory environment that is not online (because it was not correctly decommissioned), clean up the metadata related to such SDCs. Refer to Appendix K “Troubleshooting PDC Migration” for more information on how to perform this metadata cleanup.
• We advise that the linking order of any non-Schneider Electric custom GPOs be documented prior to proceeding further as this installation may likely change the linking order of such GPOs. After the installation is completed, you may change the linking order of such custom GPOs to meet your operational requirement. While doing so, it is important to ensure that relative linking order of Schneider Electric's GPOs is not changed. Changing the relative linking order of Schneider Electric's GPO might lead to unpredictable product behavior. Refer to Appendix P “Linking Custom GPOs to Any CCS/CS Specific OUs”.
• During the migration process, some existing Schneider Electric-provided GPOs will change. As a result, changes to the GPO will be overwritten. It is recommended that you back up any Schneider Electric-provided GPOs that were changed after the original installation.
• Do not change the name of any “Local Area Connection x” network connections in the Control Panel. Doing so can result in software installation issues or system instability.
Failure to follow these instructions can result in data loss.

NOTE
After the migration, both the domain clients which existed in Control Core Services
v9.0-9.3 or earlier and the new Control Core Services domain clients (Control Core
Services v9.4 or later) will be connected to the same domain. Existing group policies
will be maintained while new Control Core Services v9.4 group policies will be
enacted.

NOTE
To enhance cyber security, Schneider Electric-supplied Windows Server 2016 OS
images have the built-in administrator account disabled with a blank password.


NOTE
Once the migration process is complete, the target Windows Server 2016 server will
assume the role of Primary Domain Controller. The Server 2008 Domain Controller
which was a Primary Domain Controller assumes the role of a Secondary Domain
Controller (SDC) after the successful completion of migration. However, after the
migration, you can choose to decommission the Server 2008 Domain Controller.
Refer to Appendix C “Secondary Domain Controllers in a Foxboro Evo System” and
Appendix K “Troubleshooting PDC Migration”.

NOTICE
POTENTIAL DATA LOSS

The migration procedure outlined in this chapter should be run only once, against the source Windows Server 2008 PDC. If you wish to upgrade any Windows Server 2008 Secondary Domain Controllers (SDCs) to Windows Server 2016, you must first remove them from the domain, then rebuild them. For more information on rebuilding them from the domain, refer to Appendix C “Secondary Domain Controllers in a Foxboro Evo System” and Appendix K “Troubleshooting PDC Migration”.

Failure to follow these instructions can result in data loss.


This diagram shows high level steps for this scenario.

[Diagram: high-level migration steps]

Prepare Source Domain Controller - Win 2008
- On the 2008 source PDC, add iadomainadmin user to Schema Admins, Enterprise Admins groups
- Ensure any existing SDCs are connected to the PDC, online, and operational
- Document linking order of any custom GPOs

Prepare target Win2016 DC and migrate source 2008 DC to target server running SE supplied Server 2016 OS image
- Ensure server HW compatibility with server 2016 Foxboro image. Refer to B0700SY
- If not new from factory, restore Foxboro supplied Server 2016 image on the server HW
- Set Date/Time/TimeZone on the OS to match with the source Win 2008 PDC
- Connect the server physically to the same Control Network that is connected to the source PDC
- Disconnect any non-Control Network connections. Do not disable them
- Change station name as per the commit information
- Prepare NIC cards for installation
- Install Foxboro Server 2016 Local Group Policies (LGPOs)
- Install Anti-Malware software (ex: McAfee ENS)
- Disable Anti-Malware software
- Install CCS using the Migrate option
- Fix linking order of any custom GPOs
- Enable Anti-Malware software
- Optionally delete and rebuild SDCs. (Highly recommended)
- Configure existing domain client’s NIC card DNS entries to point to new Win2016 PDC

Preparing the Source Primary Domain Controller with Windows Server 2008

NOTE
After migration, the domain and forest functional levels can be raised to “Server
2016” only when all domain controllers are running the Windows Server 2016 OS
and all existing Windows Server 2008 domain controllers are decommissioned.

For the source station with Windows Server 2008, proceed as follows:
1. Log into the existing On-Control Network PDC with Windows Server 2008 using a
domain administrator account (such as IADomainAdmin).


2. To open the Active Directory Users and Computers console, click the Start button,
and then select Windows Administrative Tools -> Active Directory Users and
Computers.
3. Under the Users organizational unit (OU), find the domain administrator account
which is being used for this installation, as shown in Figure 7-1.

Figure 7-1. Active Directory Users and Computers Console (Administrator Account)


4. Right-click on the user name and click Properties. The user Properties dialog box
opens as shown in Figure 7-2.

Figure 7-2. IADomainAdmin Properties Dialog Box

5. Verify that the domain administrator account is a member of both the Schema
Admins and Enterprise Admins groups by selecting the Member Of tab as shown in
Figure 7-2. If it is not, add the account to both of these groups, as
follows:
a. From the Member Of tab, select the Add button.
b. Type in the name of the group which needs to be added (such as Schema Admins
or Enterprise Admins) and click OK, as shown in Figure 7-3. Repeat this for
each group.


Figure 7-3. Adding User to Groups

6. Click OK to close the user Properties dialog box.


7. Click on the IA Computers folder and verify that the new PDC server name is
present. If not, you have to add it as follows.
a. Right-click on IA Computers and select New -> Computer, as shown in
Figure 7-4.
b. Enter the name of the new computer and click OK.


Figure 7-4. Active Directory Users and Computers Console (Administrator Account)

8. If the current domain administrator account was added to either the “Schema
Admins” or “Enterprise Admins” in the steps above, log off and log back in using the
same account.


9. If you have custom GPOs, document the linking order of those GPOs. You can do
this by taking a screen capture of the current linking order at every OU.

Figure 7-5. Linking Order of GPOs for the Accounts OU
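
The checks in steps 5, 7 and 9 can also be scripted, which leaves a text record of the GPO link order to compare against after the migration. This is an added example, not part of the Foxboro guide or its tooling; it assumes the source PDC has the ActiveDirectory and GroupPolicy PowerShell modules available (Windows Server 2008 R2 or later), and `NEWPDC01` and the output path are placeholders.

```powershell
# Added example (not from the Foxboro guide). Run on the source PDC in an
# elevated PowerShell session as the domain administrator used for the migration.
# Assumes the ActiveDirectory and GroupPolicy modules are installed on the PDC.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Assumptions: adjust these values to your site.
$AdminAccount = 'IADomainAdmin'   # account name used in this chapter
$NewPdcName   = 'NEWPDC01'        # placeholder for the new PDC's station name
$OutFile      = Join-Path $env:TEMP 'gpo-link-order-before-migration.csv'

# Step 5: the account must be a member of both forest-level groups.
foreach ($group in 'Schema Admins', 'Enterprise Admins') {
    $match = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.SamAccountName -eq $AdminAccount }
    '{0,-18} contains {1}: {2}' -f $group, $AdminAccount, [bool]$match
}

# Step 7: a computer object for the new PDC must already exist in the domain.
$computer = Get-ADComputer -Filter "Name -eq '$NewPdcName'"
if ($computer) {
    "Computer object found: $($computer.DistinguishedName)"
} else {
    "No computer object named $NewPdcName; add it under IA Computers (step 7)."
}

# Step 9: record the GPO link order at the domain root and at every OU.
# GPOs linked to Active Directory sites are not covered by this loop.
$targets  = @((Get-ADDomain).DistinguishedName)
$targets += @(Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { $_.DistinguishedName })

$links = foreach ($target in $targets) {
    # GpoLinks lists only the GPOs linked directly to this container,
    # with Order 1 being the link that is applied last (highest precedence).
    (Get-GPInheritance -Target $target).GpoLinks |
        Select-Object Target, Order, DisplayName, GpoId, Enabled, Enforced
}

$links | Sort-Object Target, Order |
    Export-Csv -Path $OutFile -NoTypeInformation
"Recorded $(@($links).Count) GPO links in $OutFile"
```

Copy the CSV off the server before the migration; running the step 9 part again on the new PDC gives a second file to compare when the linking order is fixed at the end of the procedure.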

NOTE

NOTICE
POTENTIAL DATA LOSS

• Refer to Appendix L “Pre-Migration Settings for PDCs with
Pre-Control Core Services v9.3” for migration settings for PDCs
with pre-Control Core Services v9.3 software.
• Follow the steps outlined in “Helping to Avoid the Loss of Logon
Ability for Account1” on page 611. These steps are needed to
help to prevent the target Server 2016 machine from losing the
ability of local logons using the Account1 user account.
• Because the migration process will not address GPO settings,
follow the steps outlined in Appendix O “Verifying Group Policy
Settings Before Migration” to import any missing settings from
the existing GPOs.

Not following these steps will result in an unsuccessful migration.

Failure to follow these instructions can result in data loss.

NOTE


Preparation and Installation for New Target Primary Domain Controller With Windows Server 2016

Proceed as follows on the server to become the new PDC.

Restore Windows Server 2016 on the Server


1. Install hardware and restore the Windows Server 2016 Standard operating system and
update the drivers for your system.
2. Refer to Control Core Services v9.4 Release Notes (B0700SY) to verify that your
hardware meets the requirements specific to CCS v9.4. For instructions on installing
memory upgrades, PCI cards, and so forth, refer to the Hardware and Software Specific
Instructions document shipped with your server.
3. If the server is new from factory with the Server 2016 image then skip this step.
Otherwise use the v9.4 Restore Media to restore the Windows Server 2016 Standard
operating system on your server. Refer to Appendix A “Startup Options”.
4. Set the time and date to match the source Windows 2008 PDC and click OK.
a. Open the Windows Date and Time applet by selecting Control Panel > Date and
Time.
b. Click Change Date and Time.
c. Adjust the date and time to match the source Windows 2008 PDC and click OK.
d. Click Change Time Zone.
e. Select the time zone from the drop-down menu and select the checkbox to
automatically adjust the clock for daylight saving time (DST) changes if desired.
f. Verify that the time zone matches the source Windows 2008 PDC and click OK.
5. For more information refer to the Hardware and Software Specific Instructions
document shipped with your server.

Important Information on Installing Control Core Services


Before you install Control Core Services, check that the server is physically connected to the
control network and, if needed, that any network interface card drivers are updated. Also check
that the server is disconnected from any secondary (non-Foxboro) networks, but you should not
disable the adapters for these network cards. Refer to the notes below.
♦ The server must be connected to the control network before installing Control Core
Services.
♦ Disconnect non-Foxboro network connections, but the adapters for these network
cards should not be disabled.
♦ The network interface drivers used for connection to the control network may require
updating before installing Control Core Services v9.4. Updating is required because
outdated drivers may lead to unstable or unavailable communications. Refer to
Appendix A “Startup Options”.
♦ Do not change the name of any "Local Area Connection x" network connections in
the Control Panel. This can result in software installation issues or system instability.


♦ On servers with the Windows Server 2016 Standard operating system, we recommend
that no roles be added to the system that are not necessary for the operation of the
server.
Adding unnecessary roles (for example, adding the Remote Desktop Services role
when the server is not to be used as a remote session host) can create cyber security
weaknesses in the overall system.

Changing the Station Name


The Windows server name must match the server letterbug name as it was configured in SysDef
and saved onto your Commit installation media before you installed Control Core Services. For
instructions on modifying the computer name of your server, refer to Appendix B “Changing the
Station Name”.

Preparing Network Interface Cards (NICs) For Installation

NOTICE
POTENTIAL DATA LOSS

Perform this procedure only for 100MBps fiber optic cards. For copper
NICs and Gigabit fiber optic NICs, you should not perform this
procedure.

Failure to follow these instructions can result in data loss.

Before installing Control Core Services, for each installed NIC, set the NIC’s properties “Flow
Control” and “Speed & Duplex” manually as described below for the NICs on this station.

NOTE
Refer to the Hardware and Software Specific Instructions document included with
your station to determine the NIC cards it supports.

Proceed as follows:
1. Right-click the My Computer icon, and click Manage. Double-click Device
Manager. In the Device Manager window, expand the Network adapters list.
2. Right-click the desired card and click Properties. In the Properties dialog box that
appears, select the Advanced tab.
3. In the Property field, click Flow Control. In the Value field, select Disable from
the drop-down menu list.
4. In the Property field, click Speed & Duplex. In the Value field, in the drop-down
menu list:
♦ For a station on the control network, select 100 Mb Full.
♦ For a station on a network other than the control network (Off-Control
Network), select Auto.
5. Click OK.


6. For each additional NIC, repeat Steps 2 through 5.


7. Shut down and restart the system for the driver changes to take effect. Click the Start
button and click Shut Down; select Restart from the pull-down menu and click OK.

NOTE
Before you run the health check of the Active Directory domain, save the security and
application logs from the Event Viewer and clear all of the log messages. Do this
because the health diagnostic tool attempts to analyze the detected errors on the
server that occurred before the migration process, and this has the potential to give
an impression that the migration was not successful.

Installation on New Target Primary Domain Controller


Proceed as follows:
1. Install Server 2016 Local Group Policies. Refer to Chapter 17 “Local Group Policy
Installation”.
2. Install anti-malware software such as McAfee ENS. Refer to Installation and
Configuration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
3. If McAfee ENS is installed, ensure the following McAfee ENS components are up to
date.
♦ ENS AMCore DAT file
♦ Exploit Prevention Content
4. Run a full scan of the system to help ensure no viruses are present in the system before
work begins.
5. Disable anti-malware software such as McAfee ENS. Refer to Installation and
Configuration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
6. Insert the DVD labeled “Foxboro Evo Control Core Services v9.4 Windows 10/Server
2016 Day 0 DVD” (K0177BP).
7. Navigate to the DVD drive and double-click setup.exe.
8. When the UAC prompt appears, click Yes.


Figure 7-6. User Account Control for IASeries.SecureSetup.exe

9. A dialog box appears that allows you to select whether you are installing Control Core
Services for Local Edition or an Enterprise Edition System. Make the following
selections in the dialog box:
♦ Select Install CCS for Enterprise System
♦ Select Active Directory Domain Services (AD DS)
♦ Select Install New AD(PDC/SDC)
♦ Select the checkbox Migrate CCS Configuration from an existing
Foxboro EVO AD
♦ Select On Control server 2008 AD from the combo box
10. Choose the Connection type as “On Control Network”, as shown in Figure 7-7.


Figure 7-7. Selecting to Install a Domain Controller On-Control Network

NOTE
Click Cancel in any screen during the installation to cancel the installation
procedure. The installation can be resumed from where it was stopped by relaunching the
Setup.exe.

11. Click Next.


12. Acknowledge the message shown in Figure 7-8.


Figure 7-8. I/A Series Installation Message Dialog Box

13. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 7-9. Click Load to load the committed configuration files.

Figure 7-9. Load Committed Configuration Install Files


The browser for the folder containing the committed configuration install files opens, as
shown in Figure 7-10. If the installation media with your Commit files is on the server’s
hard drive or a network, browse to the location of the media and click Select Folder.

Figure 7-10. Installation Media Folder Browser

14. Once the Commit files have been loaded, click Bind as shown in Figure 7-9 on
page 205 to launch the I/A Series Network Installation dialog box (Figure 7-11).
15. Select the two network cards representing On-Control Network and click Next.

NOTE
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation.

If this dialog box is not displayed, the NIC cards have been automatically configured.
Proceed to the next step.


Figure 7-11. Mesh Configurator Dialog Box (For Certain NIC Cards)


16. Click Next. The Server platform setup dialog appears as shown in Figure 7-12. The
Install as a Secondary Domain Controller (SDC) bullet is selected by
default. Initially, this station is installed as an SDC station and will be promoted to be
the PDC station before the installation completes.

Figure 7-12. Server Platform Setup Dialog Box

17. Enter the name of the PDC with Windows Server 2008 (from which you are
migrating), as shown in Figure 7-12.
In the Authorized Account field, verify that the domain joining account name
displayed has the authority to add workstations to the domain
(for example, on2008.local\IAInstaller).
In the Authorized Password field, enter the password for this account.
Click Authorize.


NOTE
Before clicking Authorize, confirm that the time zone and time of the machine
match those of the PDC. Also confirm that the source PDC running Windows
Server 2008 R2 is pingable using the control network IP address. If the source PDC
is not pingable, you may have to cancel the setup, reboot Windows Server 2016,
and retest the ping. If it succeeds, restart the setup. Refer to Figure 7-13.

Figure 7-13. Source 2008 PDC Pingable from Target 2016 Machine

18. If the local system time does not match the system time on the existing PDC (from
which you are migrating), a message is displayed as shown in Figure 7-14. Click OK.
Fix the local system time to match the existing PDC’s time and re-click Authorize.

Figure 7-14. Schneider Electric CCS Software Installation Dialog Box - Date Message


In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 7-15 is displayed. It is vital to check that the local and
remote system times match (including date, time, AM/PM, time zone) before
continuing. Note that the checkbox displayed for some time zones which allows the
system to automatically adjust for Daylight Saving Time can affect the time displayed by
the system by one hour.

Figure 7-15. Unable to Determine Local Time on the PDC

If authorization is successful, the installation dialog box will display a message indicating join
rights verification.

Figure 7-16. Join Rights Verification


19. If there is another SDC station on the network, choose that SDC’s name from the
drop-down list and click Set, as shown in Figure 7-17. Otherwise, click Skip.

Figure 7-17. Server Platform Setup (For Second SDC)

20. Confirm that the domain name is pingable from the client. For example, ping
on2008.local should succeed.


21. In the “Select a Host Domain for this workstation and click Connect” field, verify the
name of the domain and click Connect. The message shown in Figure 7-18 is
displayed to indicate that the connection to the domain has succeeded.
If unsuccessful, the reason the operation did not succeed is displayed.

Figure 7-18. Schneider Electric CCS Install: Workstation Reboot Request Dialog Box

22. The “You’re about to be signed out” screen appears as shown in Figure 7-19. After a
few minutes, the server will automatically reboot.

Figure 7-19. You’re About to be Signed Out Screen

23. After the server reboots, log on with the “IAInstaller” account.
24. The installation continues automatically. The Server platform setup dialog box
appears.
Re-enter the name of the PDC with Windows Server 2008 (from which you are
migrating), as shown in Figure 7-20.
In the Authorized Account field, verify that the domain joining account name
displayed has the authority to add workstations to the domain
(for example, on2008.local\IAInstaller).
In the Authorized Password field, enter the password for this account.
Click Authorize.

NOTE
Before clicking Authorize, confirm that the Server 2008 PDC is pingable using its
on-control network IP address. If the server 2008 PDC is not pingable using its IP
address, authorization will be unsuccessful. For example, ping 151.128.152.31
should succeed.


Figure 7-20. Server Platform Setup (On-Control Network) Continued

If authorization is successful, the installation dialog box will display a message indicating join
rights verification.

Figure 7-21. Join Rights Verification


25. Under the “Enter domain information for Active Directory setup and click Prepare”
area, verify the Domain Name and Site Name fields.

Figure 7-22. Server Platform Setup (On-Control Network) Continued - Part 2

NOTE
To verify the site name, follow these steps on the existing PDC:
- Log in as iadomainadmin.
- Open the Command prompt.
- Type the command “dsquery site” and press <Enter>.
- The command result should show the site name, as shown in Figure 7-23.


Figure 7-23. Verify Site Name with Command Prompt

26. If you are satisfied with the domain and site names, click Prepare.
If the domain name or site name do not match those provided during PDC installation, the
dialog box shown in Figure 7-24 appears.

Figure 7-24. Invalid Domain Name Dialog

NOTE
If the domain name is invalid and this dialog box appears, clicking OK will cause an
unsuccessful installation. Follow these steps:
- Correct the domain or site name on the Server Platform Setup screen.
- Click Cancel.
- Click Prepare to continue with the installation.

27. A dialog box appears as shown in Figure 7-25 that allows an additional opportunity to
reverify the site and domain name. Check that the name you have chosen for your
Active Directory domain is correct and will not conflict with another domain on the
same network.
Click OK.

Figure 7-25. Active Directory Message

28. To assist with a smooth installation process, verify that the PDC fully qualified
domain name is pingable.
a. Open a command prompt.
b. Ping the PDC using its on-control network IP address with the -a option. For
example, ping -a 151.128.152.11.
The result of ping should show the fully qualified name of the Server 2008 PDC. A
fully qualified name is in the format <machine name>.<domain name>. For example,
FL5007.on2008.local.
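
The reachability, name resolution and clock checks that this chapter asks for before each Authorize click and in steps 20 and 28 can be gathered in one pass. This is an added example, not part of the Foxboro installer; the IP address and domain are the sample values used in this chapter, and the skew threshold is an assumption chosen for the example.

```powershell
# Added example (not from the Foxboro guide). Run on the target Server 2016
# machine. The address and domain are this chapter's sample values; replace them.
$PdcIp          = '151.128.152.31'
$Domain         = 'on2008.local'
$MaxSkewSeconds = 60   # assumption: threshold chosen for this example only

function Test-PdcReadiness {
    param([string]$PdcIp, [string]$Domain, [int]$MaxSkewSeconds)

    # Ping the source PDC over the control network.
    $reachable = Test-Connection -ComputerName $PdcIp -Count 2 -Quiet

    # Reverse lookup, the same resolution "ping -a" performs.
    # Expected form: <machine name>.<domain name>
    $fqdn = $null
    try { $fqdn = [System.Net.Dns]::GetHostEntry($PdcIp).HostName } catch { }

    # The domain name itself must resolve (step 20).
    $domainIps = @()
    try {
        $domainIps = @([System.Net.Dns]::GetHostAddresses($Domain) |
            ForEach-Object { $_.IPAddressToString })
    } catch { }

    # Clock offset against the PDC's time service. Lines without a numeric
    # offset (errors, headers) are skipped, so an unreachable time service
    # yields no samples rather than a false "in sync".
    $offsets = @(& w32tm.exe /stripchart "/computer:$PdcIp" /samples:3 /dataonly 2>$null |
        Select-String -Pattern '([+-]\d+\.\d+)s\s*$' |
        ForEach-Object { [double]$_.Matches[0].Groups[1].Value })
    $skew = $null
    if ($offsets.Count -gt 0) {
        $skew = ($offsets | Measure-Object -Average).Average
    }

    [pscustomobject]@{
        Reachable          = $reachable
        ReverseName        = $fqdn
        NameInDomain       = [bool]($fqdn -and
                                $fqdn.ToLower().EndsWith('.' + $Domain.ToLower()))
        DomainResolvesTo   = $domainIps -join ', '
        ClockOffsetSeconds = $skew
        ClockWithinLimit   = ($null -ne $skew) -and
                                ([math]::Abs($skew) -le $MaxSkewSeconds)
        LocalTimeZone      = (Get-TimeZone).Id   # compare by hand with the PDC
    }
}

Test-PdcReadiness -PdcIp $PdcIp -Domain $Domain -MaxSkewSeconds $MaxSkewSeconds |
    Format-List
```

An empty ClockOffsetSeconds means the offset could not be measured, which corresponds to the case in Figure 7-15 where the date, time and time zone have to be compared by hand.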
29. Click Install to load the Active Directory Domain Services onto this server and to
assign the server to the role of Secondary Domain Controller.
A command prompt is displayed while Active Directory is being installed, as shown in
Figure 7-26.

Figure 7-26. Active Directory Installation via a Command Prompt

The command prompt shows progress while the system is assigned to its Secondary
Domain Controller status and DNS is installed, as shown in Figure 7-27.


Figure 7-27. Assigning Role of Secondary Domain Controller via Command Prompt

A dialog box will be displayed which prompts for user name and password (default
username is IADomainAdmin). Enter the password and click OK. This will display a
Windows prompt as shown in Figure 7-28.

NOTE
Use the IADomainAdmin account only to add this station as a Secondary Domain
Controller.

Figure 7-28. Message Regarding Physical Adapters via Command Prompt

30. During the process of promoting the domain controller, the command prompt may
display several messages. Typically these are ignorable.


Figure 7-29. Promote to Domain Controller Window Showing Messages

NOTE
If the promotion to the domain controller is unsuccessful, a system message is
shown (Figure 7-30). Details about the system message can be found in two files:

- C:\windows\temp\promote2dc.txt
- C:\windows\debug\dcpromo.log

If this occurs, reimage the machine and restart the installation process.

Figure 7-30. Promotion to Domain Controller System Message

31. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “IADomainAdmin” account.


32. After a few minutes, the installation restarts automatically and the Schneider Electric
CCS Software Installation dialog box appears as shown in Figure 7-31.

Figure 7-31. Verifying the Health of the Existing Active Directory System

33. Wait for at least ten minutes before clicking Verify. Replication from the source
PDC with Windows Server 2008 to this domain controller with Windows Server
2016 may still be in progress.
34. After the wait period, inspect the event viewer logs for these events:
♦ System
♦ Active Directory Web services
♦ DFS Replication
♦ Directory Service
♦ DNS Server
35. Analyze the event logs for any detected error messages. If required, take remediation
actions for the detected errors reported in the event logs. This may require an Active
Directory expert/Administrator. Some of the replication issues might need another
reboot of this server, which means you may have to cancel the installation, reboot the
server and restart the installation again (using IADomainAdmin login) to return to
the Verify button screen.
36. Click Verify to check the health of the Active Directory domain. This takes several
minutes.
When the Active Directory is ready to be configured, a DOS window is displayed.
During this stage, it is normal to see detected errors indicating that the Active
Directory is not yet functional. The Active Directory verification process attempts
to make the directory functional, and then proceeds to the next step of configuring
the Active Directory.

Figure 7-32. Active Directory Verification Process

37. A command prompt is displayed which displays the progress of the health check
operation. Once the operation is completed, the command window indicates whether the
process was completed successfully or with detected errors. The command window
also indicates the path to the log file, which is:

C:\windows\temp\DCHealthCheck.log

Press <Enter> to dismiss the command window.

Figure 7-33. DC Health Check Status


38. When finished, the dialog box shown in Figure 7-34 is displayed if detected errors are
found. One or more conditions could be detected including diagnostic suboptimal
conditions, event log detected errors, and replication suboptimal conditions.

Figure 7-34. CCS Installation Dialog Box - Message for DC Health Log File


39. To view the log, click View in Figure 7-35. After viewing the detected errors, it may
be necessary to correct the suboptimal conditions in the Active Directory domain.
Click the Verify button as many times as necessary after you take each corrective
action to check that no further conditions exist. After clicking Verify, clicking View
opens the updated diagnostic results.

Figure 7-35. Verifying the Health of the Existing Active Directory System (Detected Errors Found)

NOTE
Refer to Appendix K “Troubleshooting PDC Migration” for details on expected
system messages, indicators of a successful migration, and troubleshooting techniques.
Confirm that you analyze the log, discard known detected errors, troubleshoot issues,
and reverify. Repeat this process until you are confident that all suboptimal conditions
are resolved.
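
For the event log review in steps 34 and 35, which is repeated before each re-verification, the five logs can be summarized in one table instead of being browsed one by one in Event Viewer. This is an added example, not part of the Foxboro installer or its health check; the four-hour window is an assumption and should be set to cover the promotion and the reboots on your server.

```powershell
# Added example (not from the Foxboro guide). Run on the target Server 2016
# domain controller in an elevated PowerShell session.
$Since = (Get-Date).AddHours(-4)   # assumption: window covering promotion and reboot
$Logs  = 'System', 'Active Directory Web Services', 'DFS Replication',
         'Directory Service', 'DNS Server'

$events = foreach ($log in $Logs) {
    try {
        # Level 1 = Critical, 2 = Error, 3 = Warning
        Get-WinEvent -FilterHashtable @{
            LogName   = $log
            Level     = 1, 2, 3
            StartTime = $Since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent reports "no matching events" as an error; that is the
        # clean result here. Anything else means the log could not be read.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            Write-Host "${log}: no warnings or errors since $Since"
        } else {
            Write-Warning "${log}: could not be read ($($_.Exception.Message))"
        }
    }
}

# One row per distinct event (log, source, ID, level), most frequent first,
# so recurring replication or DNS errors stand out from one-off startup noise.
$events |
    Group-Object LogName, ProviderName, Id, LevelDisplayName |
    Sort-Object Count -Descending |
    ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated | Select-Object -Last 1
        [pscustomobject]@{
            Count    = $_.Count
            Log      = $latest.LogName
            Source   = $latest.ProviderName
            Id       = $latest.Id
            Level    = $latest.LevelDisplayName
            LastSeen = $latest.TimeCreated
            Message  = ("$($latest.Message)" -split "`r?`n")[0]
        }
    } |
    Format-Table -AutoSize -Wrap

# Replication state between the source PDC and this domain controller, for the
# "replication may still be in progress" wait in step 33.
& repadmin.exe /replsummary
```

Compare the LastSeen column with the time of the last corrective action: an entry that stops recurring after a fix is a better sign than a low count.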

40. If it is determined that you can ignore these detected errors in the log, click Ignore to
continue, as shown in Figure 7-36. Acknowledge the message shown in Figure 7-36.


Figure 7-36. CCS Installation Dialog Box - Detected Errors in DC Health Log File

41. Click Next. The dialog box shown in Figure 7-37 is displayed. Click Apply.

Figure 7-37. Setting Up the Platform for an Enterprise Edition Control Core Services Installation

When the Active Directory is ready to be configured, a DOS window is displayed.
During this stage, it is normal to see detected errors indicating that the Active
Directory is not yet functional. The Active Directory verification process attempts
to make the directory functional, and then proceeds to the next step of configuring
the Active Directory.

Figure 7-38. Active Directory Verification Process

A command prompt is displayed while the Active Directory settings are applied.

Figure 7-39. Active Directory Configuration In Progress

42. During the Active Directory configuration, you are prompted to enter the credentials
of an account that is an administrator on all domain clients (including PDC/SDC). In
most cases, this account is a domain admin account (for example, iadomainadmin).
Enter the iadomainadmin account user name in the format of <domainname>\<username>
and the account password, and press OK.


Figure 7-40. Active Directory Configuration Requesting Domain Admin Credentials

43. Once the configuration of Active Directory is complete, the command window shows
if the process completed successfully, or with detected errors. The command window
also shows the path to the log file which is:
c:\windows\temp\2008On_or_OffMesh_to_2016OffMeshPDC_Config.log
Then the command window waits for any key to be pressed to proceed further. Press
<Enter> to dismiss the command window.

Figure 7-41. Active Directory Configuration Completed

NOTE
If this command prompt indicates there are any detected errors, save the indicated
log file to an external drive for any possible analysis by Schneider Electric. Then
reimage the server and start the installation again.

44. Control returns to the Installation window. Continue with the rest of the installation.
Once the installation is complete, click Finish to close the installer. Figure 7-42
depicts the series of installation screens until the final screen.


Figure 7-42. Installation Windows Depicting Progress Of Installation Until Completion

45. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 7-43 is displayed.
To install this package, insert the first OS1FDB package diskette and click Load. After
the first disk has been loaded, insert the second OS1FDB package diskette and click
Load.
To bypass the installation of this package, click Skip. If Skip is selected, the
installation will continue, but this dialog will be displayed again for each of the OS1FDB
stations configured on this Foxboro station.

NOTE
This will occur one time for each OS1FDB station configured.


Figure 7-43. Installation Media Dialog Boxes

46. If you selected Load, the media folder browser opens.

Figure 7-44. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button.
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette has to be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.


47. If you selected Use Diskette in the previous step, the dialog box in Figure 7-45
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
must be inserted in drive A:\.

Figure 7-45. Installation Media Dialog Box - For Diskettes

48. Click Finish when the installation process is finished.


49. Reboot the server. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.
50. Optionally, if you already have Server 2008 domain controllers on the system, we
recommend that you decommission these domain controllers.
Refer to sections “Removing Domain Controller Functionality from a Workstation”
on page 527 and “Forcefully Removing a Domain Controller from Active Directory”
on page 532 in Appendix C “Secondary Domain Controllers in a Foxboro Evo
System” for instructions on decommissioning domain controllers.

If needed, also refer to sections “How to Cleanup Active Directory After Domain
Controller Demotion” on page 591 and “How to Cleanup Domain Controllers That
Are Not Decommissioned” on page 595 in Appendix K “Troubleshooting PDC
Migration”.
51. Optionally, we also recommend that you install Server 2016 based Secondary domain
controllers at this point. Refer to the section “Installing Enterprise Edition Control
Core Services v9.4 on Secondary Domain Controllers on The Control Network” on
page 83 in Chapter 4 “Enterprise Edition Control Core Services v9.4 Installation for
New On-Control Network Domain Controllers” for more instructions.
52. If you had custom GPOs, then you must fix the linking order of those GPOs. Contact
the Cyber Security Team for more information. For more information refer to
Appendix P “Linking Custom GPOs to Any CCS/CS Specific OUs”.

NOTE
The installation procedure for the domain controller is finished.


NOTICE
POTENTIAL DATA LOSS

At this point the default Administrator account (which is internally
renamed as IAManager) on the PDC is disabled for security
reasons. You will be unable to log in with this account on the PDC. The
only domain administrator at this point will be the IADomainAdmin
user.

If you want to enable the Administrator (aka IAManager) on the PDC,
you can use the Active Directory Users and Computers console to enable
the user.

Failure to follow these instructions can result in data loss.

Configuring for Existing Domain Clients


For the existing domain clients, proceed as follows:
1. Open the Internet Protocol (TCP/IP) Properties dialog box for the FoxInt NDIS
Intermediate Miniport Driver (Control Core Services/I/A Series network card).
a. On the desktop, right-click My Network Places, and click Properties.
b. In the Network and Connections dialog box, right-click the FoxInt NDIS
Intermediate Miniport Driver, and click Properties.

Figure 7-46. Selecting FoxInt NDIS Intermediate Miniport Driver

2. In the adapter’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Properties.


The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 7-48.

Figure 7-47. Adapter Properties Dialog Box

3. The first two DNS entries are displayed in DNS server addresses section. Click
Advanced.


Figure 7-48. Internet Protocol (TCP/IP) Properties Dialog Box

NOTE
The installation will attempt to set the DNS entries on the existing stations with
I/A Series software v8.7 or earlier. However, this attempt can fail for multiple
reasons. You may see messages similar to the following in the log
(c:\windows\temp\2008On_or_OffMesh_to_2016OnMeshPDC_Config.log):
Failed to configure the DNS setting for AW0001 station. Access is
denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
Follow the instructions for setting up DNS entries on existing stations with
I/A Series software v8.7 or earlier, even though it is possible that some entries
have been set already. It is vital to system interoperability that these settings are made.


4. Set the first DNS entry in the list to match the IP address of the new PDC with
Control Core Services v9.4. Add additional entries for any SDC stations. Click OK to save
the DNS settings.

Figure 7-49. Internet Protocol (TCP/IP) Properties Dialog Box

NOTE
For the domain clients migrated from a domain with I/A Series Software v8.8 or
Foxboro Evo Control Core Services v9.0-9.3 to a domain with Control Core Services
v9.4, it may be necessary to move the migrated domain client’s object in Active
Directory before beginning the client’s installation procedure.

Continuing Installation
Refer to “Installing Optional Software” on page 72 to install any additional packages on your new
PDC.
Re-enable any anti-malware software such as McAfee ENS that is installed on the PDCs, SDCs
and domain clients if not already enabled.
Proceed to Chapter 12 “Enterprise Edition Control Core Services v9.4 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-9.4 Domain Clients to
Existing Off-Control Network Networks” for the installation procedure for the new domain clients.

8. Migrating an On-Control Windows Server 2008 Domain Controller to a New Windows Server 2016 Primary Domain Controller on the Off-Control Network
This chapter describes how to migrate an existing On-Control Network Primary Domain
Controller (PDC) with I/A Series Software v8.8 or Foxboro Evo Control Core Services v9.0-9.3
to a new PDC with Windows Server 2016 Standard which is on a separate network, not
located on The Foxboro Evo Control Network (Off-Control Network).
The source station for this migration can either be:
♦ A new I/A Series server, shipped with a Control Core Services v9.0 (or later) image
installed.
♦ An existing SDC with I/A Series Software v8.8 or Foxboro Evo Control Core Services
v9.0-9.3 installed, which will be converted to a PDC with a Control Core Services
v9.4 (or later) image installed.
The target station (the station onto which the new software will be installed) for this migration
will become the new PDC with Windows Server 2016 Standard.
After the migration, both the domain clients which existed in I/A Series software v8.8 or earlier
and the new Control Core Services domain clients (with Control Core Services v9.4) will be
connected to the same domain. Existing group policies will be maintained while new Control Core
Services v9.4 group policies will be enacted. The steps in this section only need to be followed
once for the domain migration in order to establish the new PDC station.

NOTE
After this procedure is complete, any existing Server 2008 SDCs will continue to
work as SDCs and as a result changes will be replicated from the new Server 2016
PDC to these SDCs.


NOTICE
POTENTIAL DATA LOSS

Before starting the migration, confirm that any Windows Server 2008-
based SDCs are online and connected to the PDC network. The
migration process will not complete successfully if one or more
Windows Server 2008 SDC is not online and connected. If there is an
SDC in the Active Directory environment that is not online because it
was not correctly decommissioned, clean up the metadata related to
those SDCs. Refer to Appendix K “Troubleshooting PDC Migration” for
more information on how to perform a metadata cleanup.

The migration procedure outlined in this chapter should be run only
once, against the source Windows Server 2008 PDC. If you wish to
upgrade any Windows Server 2008 Secondary Domain Controllers
(SDCs) to Windows Server 2016, you must first remove them from the
domain. Refer to Appendix C “Secondary Domain Controllers in a
Foxboro Evo System” and Appendix K “Troubleshooting PDC
Migration” for more information.
Then rebuild them by referring to the appropriate sections for building
a new SDC.

Failure to follow these instructions can result in data loss.

NOTE
Once the migration process is complete, the target Windows Server 2016 server will
assume the role of Primary Domain Controller. The Server 2008 Domain Controller
which was a Primary Domain Controller assumes the role of a Secondary
Domain Controller (SDC) after the successful completion of migration. However,
after the migration, you can choose to decommission the Server 2008 Domain
Controller. Refer to Appendix C “Secondary Domain Controllers in a Foxboro Evo
System” and Appendix K “Troubleshooting PDC Migration” for more information.

NOTE
To enhance cyber security, Schneider Electric-supplied Windows Server 2016 OS
images have the built-in administrator account disabled with a blank password.


NOTICE
POTENTIAL EQUIPMENT DAMAGE AND DATA LOSS

This Active Directory migration process between On & Off MESH
domain controllers requires expert knowledge of Active Directory and
Domain Controllers. It is strongly recommended to request assistance
from the cyber security team when performing this migration. An
incorrect execution of the procedure can potentially render the current
domain controller unusable and can lead to potential operational
issues caused by the Domain Controller(s).

You must have an open project or Customer First contract with a cyber
security labor line item for assistance.

Failure to follow these instructions can result in equipment
damage and data loss.


This diagram shows high level steps for this scenario.

Prepare Source Domain Controller - Win 2008
♦ Connect the server physically to the same Off-Control Network to which target 2016 is connected
♦ Document the linking order of any custom GPOs
♦ On the 2008 source PDC, add iadomainadmin user to Schema Admins, Enterprise Admins groups
♦ Add target Win 2016 Server to “IA Computers” OU in the source PDC
♦ Assign Static IP address to the Off-Control Network interface card
♦ Perform DNS configuration changes
♦ Ensure any existing SDCs are connected to the PDC, online, and operational. Connect these SDCs to the Off-Control Network

Prepare target Win2016 DC and migrate source 2008 DC to target server running SE supplied Server 2016 OS image
♦ Ensure server HW compatibility with server 2016 Foxboro image. Refer to B0700SY
♦ If not new from factory, restore Foxboro supplied Server 2016 image on the server HW
♦ Connect the server physically to the same Control Network that is connected to the source PDC
♦ Assign Static IP address to the Off-Control Network interface card
♦ Ensure Source Windows 2008 PDC is pingable using Off-Control IP address
♦ Set Date/Time/TimeZone on the OS to match with the source Win 2008 PDC
♦ Install Foxboro Server 2016 Local Group Policies (LGPOs)
♦ Install Anti-Malware software (ex: McAfee ENS)
♦ Disable Anti-Malware software
♦ Install CCS using the Migrate option
♦ Fix linking order of any custom GPOs
♦ Enable Anti-Malware software
♦ Optionally delete and rebuild SDCs. (Highly recommended)
♦ Configure existing domain client’s NIC card DNS entries to point to new Win2016 PDC


Preparing the Source Primary Domain Controller (Existing PDC with I/A Series Software v8.8 or Foxboro Evo Control Core Services v9.0-9.3) for Migration
NOTE
After migration, the domain and forest functional levels can be raised to “Server
2016” only when all domain controllers are running the Windows Server 2016 OS
or all existing Windows Server 2008 domain controllers are decommissioned.

NOTE
Follow the steps outlined in “Helping to Avoid the Loss of Logon Ability for
Account1” on page 611. These steps are needed to help prevent the target Server 2016
machine from losing the ability of local logons using the Account1 user account.


NOTICE
POTENTIAL DATA LOSS

• Because the migration process will not address GPO settings,
follow the steps outlined in Appendix O “Verifying Group Policy
Settings Before Migration” to import any missing settings from
the existing GPOs.
• We advise that the linking order of any non-Schneider Electric
custom GPOs be documented prior to proceeding further as
this installation may likely change the linking order of such
GPOs. After the installation is completed, you may change the
linking order of such custom GPOs to meet your operational
requirement. While doing so, it is important to ensure that relative
linking order of Schneider Electric's GPOs is not changed.
Changing the relative linking order of Schneider Electric's GPO
might lead to unpredictable product behavior. Refer to
Appendix P “Linking Custom GPOs to Any CCS/CS Specific
OUs”.
• During the migration process, some existing Schneider Electric-provided
GPOs will change. As a result, changes to the GPO
will be overwritten. It is recommended that you back up any
Schneider Electric-provided GPOs that were changed after the
original installation.
• Do not change the name of any “Local Area Connection x” network
connections in the Control Panel. Doing so can result in
software installation issues or system instability.
• If you do not apply the migration settings for PDCs with pre-Control
Core Services v9.3 software, this will result in an unsuccessful
migration. Refer to Appendix L “Pre-Migration Settings
for PDCs with Pre-Control Core Services v9.3” for more information.

Failure to follow these instructions can result in data loss.


Document Linking Order of Custom GPOs


If you have custom GPOs, document the linking order of those GPOs. You can do this by taking
a screen capture of the current linking order at every OU.

Figure 8-1. Linking Order of GPOs for the Accounts OU
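
One way to record the linking order as data in addition to the screen captures, so that it can be compared after the installation (added example, not part of the Schneider Electric guide). It assumes the ActiveDirectory and GroupPolicy PowerShell modules are available on the station where it runs; the function names and the C:\Temp file paths are hypothetical.

```powershell
# Added example: snapshot the GPO link order of the domain root and every OU,
# then compare a pre-migration snapshot with a post-migration one.
# Assumption: the ActiveDirectory and GroupPolicy modules are installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoLinkSnapshot {
    # Emits one record per GPO link: container DN, link order, GPO name and flags.
    $targets = @((Get-ADDomain).DistinguishedName) +
               @(Get-ADOrganizationalUnit -Filter * |
                 ForEach-Object { $_.DistinguishedName })

    foreach ($dn in $targets) {
        $som = Get-GPInheritance -Target $dn
        foreach ($link in $som.GpoLinks) {
            New-Object PSObject -Property @{
                Container = $dn
                Order     = $link.Order        # 1 = highest precedence at this container
                GpoName   = $link.DisplayName
                GpoId     = $link.GpoId
                Enabled   = $link.Enabled
                Enforced  = $link.Enforced
            } | Select-Object Container, Order, GpoName, GpoId, Enabled, Enforced
        }
    }
}

function Compare-GpoLinkSnapshot {
    # Lists every link that is present, ordered or flagged differently
    # between the two CSV snapshots.
    param(
        [Parameter(Mandatory = $true)][string]$BeforeCsv,
        [Parameter(Mandatory = $true)][string]$AfterCsv
    )
    $before = @(Import-Csv -Path $BeforeCsv)
    $after  = @(Import-Csv -Path $AfterCsv)
    if ($before.Count -eq 0 -or $after.Count -eq 0) {
        throw 'One of the snapshots is empty; capture both before comparing.'
    }

    Compare-Object -ReferenceObject $before -DifferenceObject $after `
                   -Property Container, Order, GpoName, Enabled, Enforced |
        Select-Object @{ Name = 'Snapshot'
                         Expression = { if ($_.SideIndicator -eq '<=') { 'before' } else { 'after' } } },
                      Container, Order, GpoName, Enabled, Enforced |
        Sort-Object Container, GpoName, Snapshot
}

# Before the migration (hypothetical path):
Get-GpoLinkSnapshot |
    Export-Csv -Path 'C:\Temp\gpo-links-before.csv' -NoTypeInformation

# After the installation, capture again and review the differences:
# Get-GpoLinkSnapshot |
#     Export-Csv -Path 'C:\Temp\gpo-links-after.csv' -NoTypeInformation
# Compare-GpoLinkSnapshot -BeforeCsv 'C:\Temp\gpo-links-before.csv' `
#                         -AfterCsv  'C:\Temp\gpo-links-after.csv' |
#     Format-Table -AutoSize
```

A link whose Order differs between the two snapshots appears twice in the comparison, once per snapshot, which shows where a custom GPO moved relative to the others.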

Adding IADomainAdmin User to Schema Admins, Enterprise Admins Groups
For the source On-Control Network Primary Domain Controller (PDC) with I/A Series Software
v8.8 or Foxboro Evo Control Core Services v9.0-9.3 for this migration, proceed as follows:
1. Log into the existing On-Control Network PDC using a domain administrator
account (such as IADomainAdmin).
2. Open the Active Directory Users and Computers console: click the Start
button and select Windows Administrative Tools -> Active Directory
Users and Computers.
3. Under the Users organizational unit (OU), find the domain administrator account
which is being used for this installation, as shown in Figure 8-2.


Figure 8-2. Active Directory Users and Computers Console (Administrator Account)


4. Right-click on the user name and click Properties. The user Properties dialog box
opens as shown in Figure 8-3.

Figure 8-3. [User] Properties Dialog Box

5. Verify that the domain administrator account is a member of both the “Schema
Admins” and “Enterprise Admins” groups by selecting the Member Of tab as shown
in Figure 8-3. If this user account is not, the user has to be added to both these
groups, as follows:
a. From the Member Of tab, select the Add button.
b. Type in the name of the group which needs to be added (Schema Admins or
Enterprise Admins) and click OK, as shown in Figure 8-4. Repeat this for each
group.


Figure 8-4. Adding User to Groups

6. Click OK to close the user Properties dialog box.

Adding Target Server 2016 Name to IAComputers OU


NOTE
Complete these steps only if the target server 2016 does not already exist under the
IA.

1. Click on the IA Computers folder and verify that the new PDC server name is
present. If not, you have to add it as follows.
a. Right-click on IA Computers and select New -> Computer, as shown in
Figure 8-5.
b. Enter the name of the new computer and click OK.


Figure 8-5. Active Directory Users and Computers Console (Administrator Account)

2. If the current domain administrator account was added to either the Schema Admins
or Enterprise Admins in the steps above, then log off from this account and log back
on to the station using the same account.

Changing Network Card Properties for On-Control Network Adapter
Proceed as follows:
1. Open the Internet Protocol (TCP/IP) Properties dialog box for the FoxInt NDIS
Intermediate Miniport Driver (Control Core Services/I/A Series network card).


NOTE
On the desktop, right-click My Network Places, and click Properties.

c. In the Network and Connections dialog box, right-click the FoxInt NDIS
Intermediate Miniport Driver, and click Properties.
d. In the adapter’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Properties.
The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 8-6.

Figure 8-6. Internet Protocol (TCP/IP) Properties Dialog Box


2. Remove the default gateway settings for this network interface by clicking Advanced.
In the Advanced TCP/IP Settings dialog box shown in Figure 8-7, click the IP
Settings tab. Under Default gateways, remove the entries.


Figure 8-7. Advanced TCP/IP Settings Dialog Box (IP Settings)

3. Click the DNS tab, as shown in Figure 8-8. In the DNS server addresses, in order of
use field, remove the entries. When done, click OK to close this dialog box and apply
the changes.


Figure 8-8. Advanced TCP/IP Settings Dialog Box (DNS)

Changing Network Card Properties for Off-Control Network Adapter
NOTE
The machine should be connected to the off-control network.

1. Open the Internet Protocol (TCP/IP) Properties dialog box for the network adapter
for the new Off-Control Network.
a. On the desktop, right-click My Network Places, and click Properties.
b. In the Network and Sharing Center dialog box, right-click the network adapter
that the Off-Control Network domain controller will use, and click Properties.
c. In the adapter’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click
Properties. The Internet Protocol (TCP/IP) Properties dialog box appears as
shown in Figure 8-9.
♦ Check the “Internet Protocol Version 4 (TCP/IPv4)” box.
♦ Click Properties to open the Properties dialog (Figure 8-9).


d. Set a new static IP address and assign the same address as preferred DNS server IP
address (shown as “181.182.81.11” as an example in Figure 8-9) and click OK.

Figure 8-9. Internet Protocol (TCP/IP) Properties Dialog Box

After clicking on Close, the status of the Local Area Connection is “connected”.
2. Verify that the new IP address is shown in the output of the ipconfig command
(Figure 8-10). If the new IP address is not shown, reboot the computer and reverify.

Figure 8-10. Ipconfig Command Showing New Static IP


DNS Configuration Changes


1. Open the DNS Manager. Click the Start button and select Programs -> Administrative
Tools -> DNS. Expand the workstation name (shown as FL5007 in
Figure 8-11). Right-click on the workstation node in the tree and click Properties.

Figure 8-11. DNS Manager Dialog Box (Server Properties)

2. In the server Properties dialog box, click the Interfaces tab as shown in
Figure 8-12. Confirm that the following options are set:
a. Select the “Only the following IP addresses” radio button.
b. Check only the off-control IP addresses in the list of IP addresses. For example, in
Figure 8-12 only 181.128.182.11 is checked. If any other IP addresses are
checked, uncheck them.


Figure 8-12. Server Properties Dialog Box

3. Expand the node <workstation name> > Forward Lookup Zones > <domain
name>. Select the node showing the domain name (in this example, on2008.local).
Delete the DNS entries pointing to the on-control network IP address
(151.128.152.x series) and entries representing IPv6 addresses. Examples of such
entries are highlighted in Figure 8-13.

Figure 8-13. DNS Manager Dialog Box (Removing Existing Stations)

4. Confirm that Name Servers shows only the off-control IP addresses. If any other
entries are present, delete them:
a. Right-click on the node representing the domain name, and then click Properties.


Figure 8-14. Properties Context Menu

b. Navigate to the Name Servers tab.


c. Select the entry, and then click Remove.


Figure 8-15. Name Server Tab

Figure 8-16 shows an example of the final entries after deleting IPv6 entries and
entries representing on-control IP addresses.

Figure 8-16. Example DNS Entries


5. In the DNS Manager, remove the reverse lookup zone for the existing On-Control
Network (i.e. 151.128.152.x Subnet) as follows:
a. Expand the Reverse Lookup Zones folder, right-click on the Reverse Lookup
Zone you’d like to remove, and click Delete.

Figure 8-17. Delete Reverse Lookup Zone

b. In the confirmation dialog box, click Yes.

Figure 8-18. Delete Reverse Lookup Zone Confirmation

c. On the DNS system message dialog box, click Yes.


Figure 8-19. Delete Reverse Lookup Zone System Message Confirmation

6. Add a new reverse lookup zone for the new Off-Control Network as follows.
a. Right-click on Reverse Lookup Zones and select New Zone as shown in
Figure 8-20.

Figure 8-20. DNS Manager Dialog Box (Reverse Lookup Zone)


b. The Welcome to the New Zone wizard appears. Click Next.

Figure 8-21. Welcome Window for New Reverse Lookup Zone Creation


c. Click Next. Select Primary Zone and click Next as shown in Figure 8-22.

Figure 8-22. New Zone Wizard (Zone Type)


d. Click the “To all DNS servers in the Active Directory domain
on2008.local” bullet (“on2008.local” may vary depending on the actual
name of the Control Core Services domain) as shown in Figure 8-23. Click Next.

Figure 8-23. New Zone Wizard (Active Directory Zone Replication Scope)


e. Select IPv4 Reverse Lookup Zone and click Next.

Figure 8-24. IPv4 Selection


f. In the Network ID field, enter in the first three octets of the Off-Control Network
card as shown in Figure 8-25. Click Next.

Figure 8-25. New Zone Wizard (Reverse Lookup Zone Name)


g. Click the Allow only secure dynamic updates bullet and click Next as
shown in Figure 8-26. Click Next.

Figure 8-26. New Zone Wizard (Dynamic Update)


h. Click Finish to close the New Zone Wizard.

Figure 8-27. New Zone Wizard (Closing)


i. Right-click on the new zone and select New Pointer as shown in Figure 8-28.

Figure 8-28. DNS Manager Dialog Box (New Pointer)

j. In the New Resource Record dialog box, complete the following steps:
♦ Enter the newly set static off-control IP address in the “Host IP Address” field
(Figure 8-29).
♦ In the “Host Name” field, enter the fully qualified name of the computer in
the format: <machinename>.<domainname>. For example,
FL5007.ON2008.LOCAL.
♦ Click OK.


Figure 8-29. New Resource Record Dialog Box

k. Close the DNS Manager.


l. Right-click the Start button and select Control Panel -> Administrative
Tools -> Services.


m. In the Services dialog box, right-click the DNS Server, and then click Restart as
shown in Figure 8-30.

Figure 8-30. Restart DNS Service

7. Click the Start button, and click Programs -> Accessories -> Command Prompt to
open a command prompt. Type nslookup and press <Enter>. If DNS is functioning
properly, it displays that it found the local DNS server with the IP address set in the
previous steps (shown as 181.128.182.11 in Figure 8-30).

NOTE
Until DNS is working properly, the migration procedure cannot continue.

Figure 8-31. nslookup Service

8. Type Ctrl+C and press <Enter> to terminate nslookup.


Preparation for the migration of this source PDC is now finished.


9. If you are upgrading an existing Secondary Domain Controller with I/A Series Software
v8.8 or Foxboro Evo Control Core Services v9.0-9.3 to become the new target
PDC, remove the Active Directory from this SDC as described in the following substeps.
If the system does not have an SDC and you are installing a new station as the
target PDC, proceed to “Preparation and Installation for New Target Primary
Domain Controller” on page 266.
To remove the Active Directory from the SDC, perform one of the two following
procedures:
a. Use dcpromo on the existing SDC to remove Active Directory as described in
“Removing Domain Controller Functionality from a Workstation” on page 527.
b. In Active Directory Sites and Services on the source PDC, click Actions ->
Refresh. The NTDS settings that were shown under the SDC name are
removed. If they are not, the removal operation of the Active Directory from the
SDC was unsuccessful and you cannot continue. Contact Global Customer Support
for assistance.
-OR-
a. Use Symantec System Recovery (SSR) to load the new Control Core Services v9.4
platform image on the existing SDC station to be upgraded. Refer to Veritas System
Recovery 2016 Desktop, Server and Virtual Editions Guide for I/A Series® and
Foxboro Evo™ Process Automation Systems (B0700HH) for instructions.
b. On the source PDC, click the Start button, and then select Windows Administrative
Tools -> Active Directory Sites and Services. Navigate to
Sites -> [Domain Name] -> Servers -> [Name of SDC] and expand this last
node. Note that it contains the NTDS settings. Leave this displayed on the source
PDC for now.
10. Proceed to the next section.


Preparation and Installation for New Target Primary Domain Controller
Proceed as follows on the server to become the new PDC:

Assign a Static IPv4 Address to Off-Control Network Adapter


1. Right-click on Start, and select Control Panel.
2. Click Network and Internet.
3. Click Network and Sharing Center.
4. On the left pane, click Change Adapter Settings.
5. Right-click on the network adapter that represents the off-control network, and click
Properties.
6. Uncheck Internet Protocol Version 6 (TCP/IPv6).
7. Select Internet Protocol Version 4 (TCP/IPv4), and click Properties.
8. Set a static IP address and preferred DNS server (Figure 8-32).

NOTE
The IP address shown on your machine need not match the IP address shown in
Figure 8-32.


Figure 8-32. Static IPv4 Assignment to PDC Off-Control Network Adapter

9. Confirm that the new IP address is shown in the Ipconfig command result.

Figure 8-33. Verify Newly Assigned IP Address

10. Verify that the 2008 source PDC is pingable from the target PDC. If the ping does
not work, you may need to reboot the machine.


Figure 8-34. Verify Source 2008 PDC Pingable from Target PDC

Continuing the Installation Procedure


Figure 8-35.

1. Confirm that the time zone and time of the Server 2016 machine matches that of the
source 2008 PDC.
2. Install Server 2016 Local Group Policies. Refer to Chapter 17 “Local Group Policy
Installation”.
3. Install anti-malware software such as McAfee ENS. Refer to Installation and
Configuration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
4. If McAfee ENS is installed, ensure the following McAfee ENS components are up to
date.
♦ ENS AMCore DAT file
♦ Exploit Prevention Content
5. Run a full scan of the system to help ensure no viruses are present in the system before
work begins.
6. Disable anti-malware software such as McAfee ENS. Refer to Installation and
Configuration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
7. Insert the DVD labeled “Foxboro Evo Control Core Services v9.4 Windows 10/Server
2016 Day 0 DVD” (K0177BP).
8. Navigate to the DVD drive and double-click setup.exe.
9. Click Yes to accept the User Account Control (UAC) prompt.
10. A dialog box appears that allows you to select whether you are installing Control Core
Services for Local Edition or an Enterprise Edition System.
♦ Select Install CCS for Enterprise System, select Active Directory
Domain Services (AD DS)
♦ Select Install New AD(PDC/SDC)
♦ Select the checkbox Migrate CCS Configuration from an existing Foxboro EVO AD


♦ Select “On Control server 2008 AD” from the combo box
♦ Choose Connection type as “Off Control”, as shown in Figure 8-36.

Figure 8-36. Selecting to Install a Domain Controller Off-Control Network

11. Click Next.


12. Acknowledge the message shown in Figure 8-37.

Figure 8-37. I/A Series Installation Dialog Box - Message


13. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 8-38. Click Load to set the installation target drive to D:\ and
load the committed configuration files.

Figure 8-38. Load Committed Configuration Install Files

Figure 8-39.

The browser for the folder containing the committed configuration install files opens, as
shown in Figure 8-39. If the installation media with your Commit files is on the server’s hard drive or
a network, browse to the location of the media and click Select Folder.

14. Click Next. The I/A Series Software Installation dialog box appears as shown in
Figure 8-40, in which the “Install as a Secondary Domain Controller (SDC)” choice
is selected by default. Initially, this server will be installed as an SDC and will be
promoted to the role of the PDC before the installation completes.


Figure 8-40. Server Platform Setup (Off-Control Network)

15. In the “Provide information for the domain joining account and click Authorize”
field:
a. Enter the off-control network IP address of the source 2008 PDC (for example,
181.128.182.11).
b. Enter the account name that has the authority to add workstations to the domain
(for example, on2008.local\IAInstaller)
c. Enter the account password.
d. Confirm that the time zones, date, and time match with the PDC.
e. Click Authorize.

NOTE
Before clicking Authorize, confirm that the server 2008 PDC is pingable using the
off-control network IP address. If the server 2008 PDC is not pingable using its IP
address, authorization will be unsuccessful. For example, ping 181.128.182.11
should succeed.


16. If the local system time does not match the system time on the existing PDC (from
which you are migrating), a message is displayed as shown in Figure 8-41. Click OK.
Fix the local system time to match the existing PDC’s time and re-click Authorize.

Figure 8-41. Schneider Electric CCS Software Installation Dialog Box - Date System Message

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 8-42 is displayed. It is vital to check that the local and
remote system times match (including date, time, AM/PM) before continuing. Note
that the checkbox displayed for some time zones, which allows the system to automatically
adjust for Daylight Saving Time, can affect the time displayed by the system by
one hour.

Figure 8-42. Unable to Determine Local Time on the PDC

If clicking Authorize results in a successful domain rights verification, you will
receive a “Join rights verified” system message.


Figure 8-43. Join Rights Verified

17. If there are more SDC stations on the off-control network (if there are no additional
SDCs, move to the next step):
a. Choose the “Add Off-Mesh” option from the “Select the Secondary Domain
Controller Stations” drop-down list.

Figure 8-44. Add Off-Mesh Option

b. In the dialog that appears, manually add the off-control network IP addresses of
those SDCs. When you’re finished, click Done.

Figure 8-45. Add Additional Off-Mesh IPs

c. Click Set.

Figure 8-46. Set the Off-Mesh IDs


18. If there are no additional SDCs to add, click Skip.

Figure 8-47. Server Platform Setup (For Second SDC)


19. In the “Select a Host Domain for this workstation and click Connect” field, verify the
name of the domain and click Connect.

Figure 8-48. Verify Domain Name and Connect

20. The message shown in Figure 8-49 is displayed to indicate that the connection to the
domain has succeeded. Click Reboot.
If unsuccessful, a reason for the unsuccessful condition is displayed.

Figure 8-49. Schneider Electric CCS Install: Workstation Reboot Request Dialog Box

21. The “You’re about to be signed out” screen appears as shown in Figure 8-50. Click
Close.

Figure 8-50. You’re About to be Signed Out Screen

22. After the server reboots, log on with the “IAInstaller” account.
23. The installation continues automatically. The Server platform setup dialog box
appears.
a. Re-enter the IP address of the source Windows Server 2008 PDC (from which
you are migrating), as shown in Figure 8-51.
b. In the Authorized Account field, verify that the domain joining account name displayed
has the authority to add workstations to the domain (i.e. iaseries.local\IAInstaller).


c. In the Authorized Password field, enter the password for this account.
d. Click Authorize.

Figure 8-51. Server Platform Setup (Off-Control Network) Continued

24. If clicking Authorize results in a successful domain rights verification, a “Join client to
domain rights verified” message appears.

Figure 8-52. Join Rights Verified

25. Verify the Domain Name and Site Name fields.


Figure 8-53. Verify Domain and Site Names

NOTE
To verify the site name, follow these steps on the source 2008 PDC:
- Log in as iadomainadmin.
- Open the command prompt.
- Execute the command dsquery site.
The command result should show the site name, as shown in Figure 8-54.

Figure 8-54. Verify Site Name with Command Prompt

26. If you are satisfied with the domain and site names, click Prepare.
If the domain name or site name is not identical to that provided during the PDC
installation, the dialog box shown in Figure 8-55 appears.

Figure 8-55. Domain Name or Site Name Invalid Dialog

NOTE
Clicking OK and proceeding with the incorrect domain or site name will cause the
installation to be unsuccessful.

27. If a mismatch occurs:
a. Click Cancel.
b. Correct the domain name or site name.


c. Click Prepare.
28. If the site name and domain name match those provided during the PDC
installation, the dialog box shown in Figure 8-56 appears. Check that the name you
have chosen for your Active Directory domain is correct and will not conflict with
another domain on the same network.
Click OK.

Figure 8-56. Active Directory Message

29. Click Install to load the Active Directory Domain Services onto this server and to
assign the server to the role of Secondary Domain Controller.

Figure 8-57. Load Active Directory Domain Services


A DOS window is displayed while Active Directory is being installed, as shown in
Figure 8-58.

Figure 8-58. Active Directory Installation via Command Prompt

After Active Directory Domain Services are installed, a dialog box is displayed as
shown in Figure 8-59.

Figure 8-59. Assigning Role of Secondary Domain Controller via Command Prompt

30. The default username is <domain name>\IADomainAdmin. Enter the password for
the IADomainAdmin user and click OK. This launches a DOS prompt that promotes the
server to the Secondary Domain Controller (SDC) role, as shown in Figure 8-60.


Figure 8-60. Promote to Domain Controller Process

NOTE
If the promotion to the domain controller is unsuccessful, a system message is
shown (Figure 8-61). Details about the system message can be found in two files:

- C:\windows\temp\promote2dc.txt
- C:\windows\debug\dcpromo.log

If this occurs, reimage the station and restart the installation process.

Figure 8-61. Promotion to Domain Controller System Message

NOTE
It is normal to see detected errors during promotion to the domain controller. These
messages pertain to DNS delegation, a default security setting for Windows Server
2016 DCs, etc. These detected errors can be ignored.

31. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “IADomainAdmin” account.
32. The installation restarts automatically and the I/A Series Software Installation dialog
box appears as shown in Figure 8-62.


Figure 8-62. Verifying the Health of the Existing Active Directory System

33. Wait for at least 10 minutes before clicking Verify. Replication from the source PDC
with Windows Server 2008 to this domain controller with Windows Server 2016 may
still be in progress.
34. After the wait period, inspect the event viewer logs for these events:
a. System
b. Active Directory Web Services
c. DFS Replication
d. Directory Service
e. DNS Server
35. Analyze the event logs for any detected error messages. If required, take remediation
actions for the detected errors reported in the event logs.


NOTE
The detected error remediation may require an Active Directory expert/administrator.
Some of the replication detected errors may require a server reboot, which may
also require you to cancel the installation, reboot the server, and restart the installation
(using IADomainAdmin login) to return to the Verify button screen. Refer to
Appendix K “Troubleshooting PDC Migration” for more information on troubleshooting
replication errors.

36. If any detected errors in the event logs are ignorable, save the logs and clear them.
Otherwise, the same detected errors will appear in the Verify button report as noise.
37. Click Verify to check the health of the Active Directory domain. This takes several
minutes.
When the Active Directory is ready to be configured, a DOS window is displayed.
During this stage, it is normal to see detected errors indicating that the Active Directory
is not yet functional. The Active Directory verification process attempts to make
the directory functional, and then proceeds to the next step of configuring the Active
Directory.

Figure 8-63. Active Directory Verification Process

A command prompt, which shows the progress of the health check operation, is displayed.
After the operation is finished, the command window indicates whether the
process was completed successfully or with detected errors. The command window
also indicates the path to the log file, which is:
C:\windows\temp\DCHealthCheck.log.
38. Press <Enter> to dismiss the command window.

Figure 8-64. DC Health Check Status


NOTE
If this command prompt indicates there are any detected errors, save the indicated
log file to an external drive for any possible analysis by Schneider Electric. Then
reimage the server and start the installation again.

39. When complete, the dialog box shown in Figure 8-62 is displayed if detected errors
are found. One or more conditions could be detected including diagnostic suboptimal
conditions, event log detected errors, and replication suboptimal conditions.

Figure 8-65. CCS Installation Dialog Box - Message for DC Health Log File


40. To view the log, click View, as shown in Figure 8-66. After viewing the detected
errors, it may be necessary to correct the issues in the Active Directory domain. Click
the Verify button as many times as necessary after you take each corrective action to
check that no further issues exist. After clicking Verify, clicking View opens the
updated diagnostic results.

Figure 8-66. Verifying the Health of the Existing Active Directory System (Detected Errors Found)

NOTE
Refer to Appendix K “Troubleshooting PDC Migration” for details on expected
detected errors, indicators of a successful migration, and troubleshooting techniques.
Confirm that you analyze the log, discard known detected errors, troubleshoot
issues, and reverify. Repeat this process until you are confident that all issues
are resolved.

41. If it is determined that you can ignore the detected errors in the log, click Ignore to
continue, as shown in Figure 8-62. Acknowledge the message shown in Figure 8-67.


Figure 8-67. CCS Installation Dialog Box - Detected Errors in DC Health Log File

42. Click Next. The dialog box shown in Figure 8-68 is displayed. Click Apply.

Figure 8-68. Setting Up the Platform for an Enterprise Edition Control Core Services Installation

When the Active Directory is ready to be configured, a DOS window is displayed.
During this stage, it is normal to see detected errors indicating that the Active Directory
is not yet functional. The Active Directory verification process attempts to make
the directory functional, and then proceeds to the next step of configuring the Active
Directory.


Figure 8-69. Active Directory Verification Process

A command prompt is displayed while the Active Directory settings are applied.

Figure 8-70. Active Directory Configuration in Progress

43. After the configuration of Active Directory is complete, the command prompt shows
if the process completed successfully, or with detected errors. The command prompt
also shows the path to the log file which is:
c:\windows\temp\2008On_or_OffMesh_to_2016OffMeshPDC_Config.log
Then the command prompt waits for any key to be pressed to proceed further.
Press <Enter> to dismiss the command prompt.

Figure 8-71. Active Directory Configuration Complete

NOTE
If this command prompt indicates there are any detected errors, save the indicated
log file to an external drive for any possible analysis by Schneider Electric. Then
reimage the server and start the installation again.

44. Click Done.


45. Optionally, if you already have Server 2008 domain controllers on the system, we
recommend that you decommission these domain controllers. Refer to the sections
“Removing Domain Controller Functionality from a Workstation” on page 527 and


“Forcefully Removing a Domain Controller from Active Directory” on page 532 in
Appendix C “Secondary Domain Controllers in a Foxboro Evo System” for instructions
on decommissioning domain controllers. Also refer to the sections “Cleanup
Procedure of Windows Server 2008 R2 PDC with Windows Server 2003 SDC References”
on page 589, “How to Cleanup Active Directory After Domain Controller
Demotion” on page 591, and “How to Cleanup Domain Controllers That Are Not
Decommissioned” on page 595 in Appendix K “Troubleshooting PDC Migration”
for additional instructions.
46. Optionally, we also recommend that you install Server 2016 based Secondary domain
controllers at this point. Refer to Chapter 5 “Enterprise Edition Control Core Services
v9.4 Installation for New Off-Control Network Domain Controllers” for
instructions.
47. If you had custom GPOs, then you must fix the linking order of those GPOs. Contact
the Cyber Security Team for more information. Refer to Appendix P “Linking Custom
GPOs to Any CCS/CS Specific OUs”.

NOTICE
POTENTIAL DATA LOSS

At this point the default Administrator account (which is internally
renamed as IAManager) on the PDC is disabled for security
reasons. You will be unable to log in with this account on the PDC. The
only domain administrator at this point will be the IADomainAdmin
user.

If you want to enable the Administrator (aka IAManager) on the PDC,
you can use the Active Directory Users and Computers console to enable
the user.

Failure to follow these instructions can result in data loss.

The installation procedure for the domain controller is complete.
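
Steps 34 to 36 of the procedure above ask you to review five event logs for detected errors and then to save and clear them before clicking Verify. The following PowerShell script is an added example, not part of B0700SX or of the Schneider Electric installer; it assumes an elevated PowerShell 5.1 session on the new Server 2016 domain controller, and the 24-hour look-back window and the E:\DCLogs archive folder are placeholders chosen for illustration.

```powershell
# Added example (not from B0700SX). Elevated PowerShell 5.1 on the new Server 2016 DC.
$DcLogs = 'System', 'Active Directory Web Services', 'DFS Replication',
          'Directory Service', 'DNS Server'            # the five logs listed in step 34

function Get-DcLogFindings {
    # Summarise Critical (1) and Error (2) events per log, provider and event ID.
    param(
        [string[]]$LogName = $DcLogs,
        [datetime]$Since   = (Get-Date).AddHours(-24)   # assumption: look-back window
    )
    foreach ($log in $LogName) {
        $filter = @{ LogName = $log; Level = 1, 2; StartTime = $Since }
        # Get-WinEvent raises an error when nothing matches; treat that as "no findings".
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
        if (-not $events) { continue }
        $events | Group-Object ProviderName, Id | ForEach-Object {
            $oldest = $_.Group | Sort-Object TimeCreated | Select-Object -First 1
            [pscustomobject]@{
                Log       = $log
                Provider  = $oldest.ProviderName
                EventId   = $oldest.Id
                Level     = $oldest.LevelDisplayName
                Count     = $_.Count
                FirstSeen = $oldest.TimeCreated
                Message   = ("$($oldest.Message)" -split "`r?`n")[0]   # first line only
            }
        }
    }
}

function Backup-AndClearDcLogs {
    # Step 36: save each log to an .evtx file and clear it. wevtutil's /bu switch
    # saves the events to the backup file as part of the clear operation.
    param(
        [Parameter(Mandatory = $true)][string]$ArchiveDir,
        [string[]]$LogName = $DcLogs
    )
    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($log in $LogName) {
        $file = Join-Path $ArchiveDir ('{0}_{1}.evtx' -f ($log -replace '\s', '-'), $stamp)
        wevtutil.exe cl $log "/bu:$file"
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $file)) {
            Write-Warning "Log '$log' was not saved to $file (wevtutil exit code $LASTEXITCODE)."
            continue
        }
        [pscustomobject]@{
            Log     = $log
            Archive = $file
            Bytes   = (Get-Item -LiteralPath $file).Length
        }
    }
}

# Review first: one row per log/provider/event ID, most frequent entries on top.
Get-DcLogFindings |
    Sort-Object Log, @{ Expression = 'Count'; Descending = $true } |
    Format-Table -AutoSize -Wrap

# After the remaining entries have been judged ignorable (step 36), archive and clear:
# Backup-AndClearDcLogs -ArchiveDir 'E:\DCLogs'    # placeholder path
```

Keep the archived .evtx files with the migration records; they are the only copy of the cleared entries.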

Post-Installation Steps on Control Core Services Client Workstations
1. For each Control Core Services domain client workstation, remove the On-Control
Network DNS entry from the Control Core Services/I/A Series network interface card
as follows. On the desktop, right-click Network, and click Properties.
In the Network and Sharing Center dialog box, click Manage network
connections.
2. Right-click the Control Core Services/I/A Series network interface card, and click
Properties. In the adapter’s Properties dialog box, in the “This connection uses the
following items” section, click Internet Protocol (TCP/IP), and then click
Properties. The Internet Protocol (TCP/IP) Properties dialog box appears as shown
in Figure 8-72.


Remove the IP addresses from the Preferred DNS server and Alternate DNS server
fields.

Figure 8-72. Internet Protocol (TCP/IP) Properties - Removing On-Control Network DNS Entries


3. Next, set the IP Address and DNS settings for the Off-Control Network interface card
according to the IP setting of the new Off-Control Network domain, as demonstrated
in Figure 8-73. Then click OK to apply the changes.

Figure 8-73. Internet Protocol (TCP/IP) Properties - Setting for Off-Control Network
Network Interface Card

4. Reboot the server.
5. Click the Start button and click Shut Down, then select Restart from the pull-down
menu and click OK.

NOTE
After migration is finished, install Windows Server 2016 Standard with Control
Core Services v9.4 on your SDCs.

Adding Schneider Electric Stations to Active Directory Post-Installation
When first installed, the Off-Control Network PDC contains objects in Active Directory for the
Foxboro stations in the system. If stations are added to the Control Core Services system at a later
time, new objects have to be created manually in this PDC’s Active Directory.


1. Click the Start button, and then select Windows Administrative Tools -> Active
Directory Users and Computers. You may need to scroll down to see this menu
selection.
2. From Active Directory Users and Computers, right-click on the “IA Computers”
OU and select New -> Computer as shown in Figure 8-74.

Figure 8-74. Selecting IA Computers -> New -> Computer

3. Enter the name of the new workstation in the Computer name field and click OK as
shown in Figure 8-75. The OU for “Pre-8.8 workstations” on migrated systems will
be named “Pre-8.8 IA Computers” as shown in Figure 8-76.


Figure 8-75. New Object - Computer

Figure 8-76. Selecting Pre-8.8 IA Computers -> New -> Computer


Continuing Installation
NOTE
For the domain clients migrated from a domain with I/A Series Software v8.8 or
Foxboro Evo Control Core Services v9.0-9.3 to a domain with Control Core Services
v9.4, it may be necessary to move the migrated domain client’s object in Active
Directory before beginning the client’s installation procedure.

After restarting the station following the Control Core Services software installation, you can
install McAfee Products Endpoint Protection on your PDC. Only install this software on one
domain controller in the system. Install this software according to Installation and Configuration of
the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
Re-enable any anti-malware software such as McAfee ENS that is installed on the PDCs, SDCs
and domain clients if not already enabled.
Proceed to Chapter 4 “Enterprise Edition Control Core Services v9.4 Installation for New On-
Control Network Domain Controllers” for the installation procedure for the domain clients.

9. Migrating an Off-Control Windows Server 2008 Domain Controller to a New Windows Server 2016 Primary Domain Controller on the On-Control Network
This chapter describes how to migrate an existing Off-Control Network Primary Domain
Controller (PDC) with Windows Server 2008 running any of the following software to a new
PDC with Windows Server 2016 Standard, located on Foxboro Evo Control Network
(hereafter referred to as “the control network”).
♦ I/A Series v8.8
♦ Foxboro Evo Control Services v9.0-v9.3
♦ Foxboro Evo Control Core Services (any version) upgraded to support Windows 10
and Windows Server 2016 domain clients
The source station for this migration refers to the PDC with Windows Server 2008.

NOTE
After this procedure is complete, any existing Server 2008 SDCs will continue to
work as SDCs and as a result changes will be replicated from the new Server 2016
PDC to these SDCs.

The target station indicated in this chapter refers to the new PDC running Windows Server
2016.
After the migration, both the domain clients which existed in Control Core Services v9.x and the
new Control Core Services domain clients (Control Core Services v9.4 or later) will be connected
to the same domain. Existing group policies will be maintained while new Control Core Services
v9.4 group policies will be enacted. The steps in this section only need to be followed once for the
domain migration in order to establish the new PDC station.
Perform the procedures provided below.

NOTE
In Control Panel -> Network Connections, which lists the available NICs, it is
inadvisable to change the name of any “Local Area Connection x” network connection.
This can result in software installation issues or system instability.


NOTE
To enhance cyber security, Schneider Electric-supplied Windows Server 2016 OS
images have the built-in administrator account disabled with a blank password.

NOTE
Once the migration process is complete, the target Windows Server 2016 server will
assume the role of Primary Domain Controller. The Server 2008 Domain Controller
which was a Primary Domain Controller assumes the role of a Secondary
Domain Controller (SDC) after the successful completion of migration. However,
after the migration, you can choose to decommission the Server 2008 Domain
Controller.

NOTICE
POTENTIAL DATA LOSS

The migration procedure outlined in this chapter should be run only
once, against the source Windows Server 2008 PDC. If you wish to
upgrade any Windows Server 2008 Secondary Domain Controllers
(SDCs) to Windows Server 2016, you must first remove them from the
domain. Then rebuild them. Refer to Appendix C “Secondary Domain
Controllers in a Foxboro Evo System” and Appendix K
“Troubleshooting PDC Migration” for more information.

Then rebuild them by referring to the appropriate sections for building
a new SDC.

Failure to follow these instructions can result in data loss.


NOTICE
POTENTIAL DATA LOSS

The Active Directory migration process between Off & On MESH domain
controllers requires expert knowledge of Active Directory and Domain
Controllers. It is strongly recommended to request assistance from the
cyber security team when performing this migration. An incorrect
execution of the procedure can potentially render the current domain
controller unusable and can lead to potential operational issues
caused by the Domain Controller(s). You must have an open project or
Customer First contract with a cyber security labor line item for
assistance.

Failure to follow these instructions can result in data loss.

This diagram shows high level steps for this scenario.


Prepare Source Domain Controller - Win 2008
♦ Document the linking order of any custom GPOs
♦ On the 2008 source PDC, add iadomainadmin user to Schema Admins, Enterprise Admins groups
♦ Add target Win 2016 Server to “IA Computers” OU in the source PDC
♦ Ensure any existing SDCs are connected to the PDC, online, and operational

Prepare target Win2016 DC and migrate source 2008 DC to target server running SE supplied Server 2016 OS image
♦ Ensure server HW compatibility with server 2016 Foxboro image. Refer to B0700SY
♦ If not new from software factory, restore Foxboro supplied Server 2016 image on the server HW
♦ Connect the server physically to the same Control Network that is connected to the source PDC
♦ Assign Static IP address to the Off-Control Network interface card
♦ Ensure Source Windows 2008 PDC is pingable using Off-Control IP address
♦ Set Date/Time/TimeZone on the OS to match with the source Win 2008 PDC
♦ Install Foxboro Server 2016 Local Group Policies (LGPOs)
♦ Install Anti-Malware software (ex: McAfee ENS)
♦ Disable Anti-Malware software
♦ Install CCS using the Migrate option
♦ Fix linking order of any custom GPOs
♦ Enable Anti-Malware
♦ Optionally delete and rebuild SDCs. (Highly recommended)
♦ Configure existing domain client’s NIC card DNS entries to point to new Win2016 PDC

Preparing the Source Primary Domain Controller Running Windows Server 2008
NOTE
After migration, the domain and forest functional levels can be raised to “Server
2016” only when all domain controllers are running the Windows Server 2016 OS
and all existing domain controllers with Windows Server 2008 are decommissioned.


NOTICE
POTENTIAL DATA LOSS

• The application of migration settings for PDCs with pre-Control
Core Services v9.3 software is required. If these settings are
not applied, the migration will be unsuccessful. Refer to
Appendix L “Pre-Migration Settings for PDCs with Pre-Control
Core Services v9.3” for more information.
• Because the migration process will not address GPO settings,
follow the steps outlined in Appendix O “Verifying Group Policy
Settings Before Migration” to import any missing settings from
the existing GPOs.

Failure to follow these instructions can result in data loss.

NOTE
Follow the steps outlined in “Helping to Avoid the Loss of Logon Ability for
Account1” on page 611. These steps are needed to help prevent the target Server 2016
machine from losing the ability of local logons using the Account1 user account.


NOTICE
POTENTIAL DATA LOSS

We advise that you document the linking order of any non-Schneider
Electric custom GPOs prior to proceeding further because this
installation may change the linking order of your GPOs. After the
installation is complete, you may change the linking order of the
custom GPOs to meet your operational requirements. While doing so,
it is important to ensure that relative linking order of Schneider
Electric™ GPOs is not changed. Changing the relative linking order of
Schneider Electric’s GPO might lead to unpredictable product
behavior. Refer to Appendix P “Linking Custom GPOs to Any CCS/CS
Specific OUs”.

Failure to follow these instructions can result in data loss.


Document Linking Order of Custom GPOs
If you have custom GPOs, document the linking order of those GPOs. You can do this by taking
a screen capture of the current linking order at every OU.

Figure 9-1. Linking Order of GPOs for the Accounts OU

NOTICE
POTENTIAL DATA LOSS

During the migration process, some existing Schneider Electric-provided
GPOs will change. As a result, changes to the GPOs will be
overwritten. It is recommended that you back up any Schneider
Electric-provided GPOs that were changed after the original
installation.

Failure to follow these instructions can result in data loss.

Adding IADomainAdmin User to Schema Admins, Enterprise Admins Groups
On the source station (PDC with Windows Server 2008), proceed as follows:
1. Log into the source 2008 PDC using a domain administrator account (such as
IADomainAdmin).
2. To open the Active Directory Users and Computers console, click the Start button, and
then select Windows Administrative Tools -> Active Directory Users and
Computers.
3. Under the Users organizational unit (OU), find the domain administrator account
which is being used for this installation, as shown in Figure 9-2.


Figure 9-2. Active Directory Users and Computers Console (Administrator Account)


4. Right-click on the user name and click Properties. The user Properties dialog box
opens as shown in Figure 9-3.

Figure 9-3. IADomainAdmin Properties Dialog Box

5. Verify that the domain administrator account is a member of both the Schema
Admins and Enterprise Admins groups by selecting the Member Of tab as shown in
Figure 9-3. If this user account is not, the user has to be added to both these groups, as
follows:
a. From the Member Of tab, select the Add button.
b. Type in the name of the group which needs to be added (such as Schema Admins
or Enterprise Admins) and click OK, as shown in Figure 9-4. Repeat this for
each group.


Figure 9-4. Adding User to Groups

6. Click OK to close the user Properties dialog box.

Adding Target Server 2016 Name to IA Computers OU
NOTE
Complete these steps only if the target server 2016 does not already exist under the
IA Computers OU.

1. Click on the IA Computers folder and verify that the new PDC server name is present.
If not, you have to add it as follows.
a. Right-click on IA Computers and select New -> Computer, as shown in
Figure 9-5.
b. Enter the name of the new computer and click OK.


Figure 9-5. Active Directory Users and Computers Console (Administrator Account)

2. If the current domain administrator account was added to either the “Schema
Admins” or “Enterprise Admins” in the steps above, log off from this account and log
back onto the station using the same account.
3. If you are upgrading an existing Secondary Domain Controller with Control Core
Services v9.0-9.3 to become the new target PDC, remove the Active Directory from
this SDC as described in the following substeps. If you have not installed an SDC and
are installing a new station as the target PDC, proceed to “Preparation and Installation
for New Target Primary Domain Controller” on page 304.
To remove the Active Directory from the SDC, perform one of the two following
procedures:
a. Use dcpromo on the existing SDC to remove Active Directory as described in
“Removing Domain Controller Functionality from a Workstation” on page 527.
b. In Active Directory Sites and Services on the source PDC, click Actions ->
Refresh. The NTDS settings that were shown under the SDC name are
removed. If they are not, the removal operation of the Active Directory from the
SDC was unsuccessful and you cannot continue. Contact Global Customer
Support for assistance.
-OR-
a. Use Symantec System Recovery (SSR) to load the new Control Core Services v9.4
platform image on the existing SDC station to be upgraded. Refer to Veritas Sys-
tem Recovery 2016 Desktop, Server and Virtual Editions Guide for I/A Series® and
Foxboro Evo™ Process Automation Systems (B0700HH) for instructions.
b. On the source PDC, click the Start button and then select Windows Adminis-
trative Tools -> Active Directory Sites and Services. Navigate to
Sites -> [Domain Name] -> Servers -> [Name of SDC]. Remove the SDC
station from the list along with every entry underneath.
4. Proceed to the next section.

Preparation and Installation for New Target Primary Domain Controller

Proceed as follows on the server to become the new PDC.

NOTE
Before you run the health check of the Active Directory domain, we recommend you
save the security and application logs from the Event Viewer and clear all the log
messages. That is because the health diagnostic tool attempts to analyze the
detected errors on the system that occurred before the migration process, and has
the potential to give an impression that the migration was not successful.

Preparing Network Interface Cards (NICs) For Installation

NOTICE
POTENTIAL DATA LOSS

Perform this procedure only for 100MBps fiber optic cards. For copper
NICs and Gigabit fiber optic NICs, you should not perform this
procedure.

Failure to follow these instructions can result in data loss.

Before installing Control Core Services, for each installed NIC, set the NIC’s properties “Flow
Control” and “Speed & Duplex” manually as described below for the NICs on this station.

NOTE
Refer to the Hardware and Software Specific Instructions document included with
your station to determine the NIC cards it supports.

Proceed as follows:
1. Right-click the Network icon on the taskbar, and click Open Network and Shar-
ing Center. In the Network and Sharing Center window, click Change Adapter
settings.
2. Right-click the desired card and click Properties. In the Properties dialog box that
appears, click the Configure button and then select the Advanced tab.

3. In the Property field, click Flow Control. In the Value field, select Disable from
the drop-down menu list.
4. In the Property field, click Speed & Duplex. In the Value field, in the drop-down
menu list:
♦ For a station on the control network, select 100 Mb Full.
♦ For a station on another network other than the control network (Off-Control
Network), select Auto.
5. Click OK.
6. For each additional NIC, repeat Steps 2 through 5.
7. Shut down and restart the system for the driver changes to take effect. Click the Start
button and click Shut Down; select Restart from the pull-down menu and click OK.

Installation for New Target Primary Domain Controller


Proceed as follows:

NOTE
Disconnect the On-Control network connections before this procedure.

Assign a Static IPv4 Address to Off-Control Network Adapter


1. Right-click on Start, and select Control Panel.
2. Click Network and Internet.
3. Click Network and Sharing Center.
4. On the left pane, click Change Adapter Settings.
5. Right-click on the network adapter that represents the off-control network, and click
Properties.
6. Uncheck Internet Protocol Version 6 (TCP/IPv6).
7. Select Internet Protocol Version 4 (TCP/IPv4), and click Properties.
8. Set a static IP address and preferred DNS server (Figure 9-6).

NOTE
The IP address shown on your machine need not match the IP address shown in
Figure 9-6.

Figure 9-6. Static IPv4 Assignment to PDC Off-Control Network Adapter

9. Confirm that the new IP address is shown in the Ipconfig command result.

Figure 9-7. Verify Newly Assigned IP Address

10. Verify that the 2008 source PDC is pingable from the target PDC. If the ping does
not work, you may need to reboot the machine.

Figure 9-8. Verify Source 2008 PDC Pingable from Target PDC

Continuing the Installation Procedure


NOTE
The Windows Server 2016 Local Group Policies (LGPO) need to be installed on
the server before proceeding with the installation of Control Core Services v9.4.
Otherwise, the Control Core Services v9.4 installation will display the system mes-
sage shown in Figure 9-9. To install LGPOs for Windows Server 2016, refer to
Chapter 17 “Local Group Policy Installation”.

Figure 9-9. LGPO Policies System Message

Continue as follows:
1. Confirm that the time and time zone on the Server 2016 machine match the time of
the source 2008 PDC.
2. Install Server 2016 Local Group Policies. Refer to Chapter 17 “Local Group Policy
Installation”.
3. Install anti-malware software such as McAfee ENS. Refer to Installation and Configu-
ration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).

4. If McAfee ENS is installed, ensure the following McAfee ENS components are up to
date.
♦ ENS AMCore DAT file
♦ Exploit Prevention Content
5. Run a full scan of the system to help ensure no viruses are present in the system before
work begins.
6. Disable anti-malware software such as McAfee ENS. Refer to Installation and Configu-
ration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
7. Insert the DVD labeled “Foxboro Evo Control Core Services v9.4 Windows 10/Server
2016 Day 0 DVD” (K0177BP).
8. Navigate to the DVD drive and double-click setup.exe.
9. Click Yes to accept the User Account Control (UAC) prompt.

Figure 9-10. User Account Control Dialog Box

10. A dialog box appears that allows you to select whether you are installing Control Core
Services for a Local Edition or an Enterprise Edition System.
♦ Select Install CCS for Enterprise System
♦ Select Active Directory Domain Services (AD DS)
♦ Select Install New AD (PDC/SDC)
♦ Select the checkbox Migrate CCS Configuration from an existing Fox-
boro EVO AD
♦ Select Off Control server 2008 AD from the combo box
♦ Choose Connection type as “On Control”, as shown in Figure 9-11.

Figure 9-11. Selecting to Install a Domain Controller On-Control Network

11. Click Next.


12. Acknowledge the message shown in Figure 9-12.

Figure 9-12. Control Core Services Installation Message Dialog Box

13. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 9-13. Click Load to load the committed configuration files.

Figure 9-13. Load Committed Configuration Install Files

NOTE
The browser for the folder containing the committed configuration install files opens,
as shown in Figure 9-14. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder.

Figure 9-14. Installation Media Folder Browser

14. Once the Commit files have been loaded, click Bind as shown in Figure 9-13.
15. Select two network cards representing the On-Control network and click Next.

NOTE
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation.

If this dialog box is not displayed, the NIC cards have been automatically configured.
Proceed to the next step.

Figure 9-15. Mesh Configurator Dialog Box (For Certain NIC Cards)

16. Click Next. The Server platform setup dialog appears as shown in Figure 9-16. The
Install as a Secondary Domain Controller (SDC) bullet is selected by
default. Initially, this station is installed as an SDC station and will be promoted to be
the PDC station before the installation completes.

Figure 9-16. Server Platform Setup Dialog Box

17. In the “Provide information for the domain joining account and click Authorize”
field:
a. Enter the off-control network IP address of the source 2008 PDC (for example,
181.128.182.11).
b. Enter the account name that has the authority to add workstations to the domain
(for example, off2008.local\IAInstaller)
c. Enter the account password.
d. Confirm that the time zones, date, and time match with the PDC.
18. Click Authorize.

19. If the local system time does not match the system time on the existing PDC (from
which you are migrating), a message is displayed as shown in Figure 9-17. Click OK.
Fix the local system time to match the existing PDC’s time and re-click Authorize.

Figure 9-17. Schneider Electric CCS Software Installation Dialog Box - Date Message

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 9-18 is displayed. It is vital to check that the local and
remote system times match (including date, time, AM/PM) before continuing. Note
that the checkbox displayed for some time zones which allows the system to automat-
ically adjust for Daylight Saving Time can affect the time displayed by the system by
one hour.

Figure 9-18. Unable to Determine Local Time on the PDC

If clicking Authorize results in a successful domain rights verification, you will
receive a “Join rights verified” system message.

Figure 9-19. Join Rights Verified

20. If there are more SDC stations on the off-control network (if there are no additional
SDCs, move to the next step):
a. Choose the “Add Off-Mesh” option from the “Select the Secondary Domain Con-
troller Stations” drop-down list.

Figure 9-20. Add Off-Mesh Option

b. In the dialog that appears, manually add the off-control IP addresses of those
SDCs. When you’re finished, click Done.

Figure 9-21. Add Additional Off-Mesh IPs

c. Click Set.

Figure 9-22. Set the Off-Mesh IDs

21. If there are no additional SDCs to add, click Skip.

Figure 9-23. Server Platform Setup (For Second SDC)

22. In the “Select a Host Domain for this workstation and click Connect” field, verify the
name of the domain and click Connect.

Figure 9-24. Verify Domain Name and Connect

23. The message shown in Figure 9-25 is displayed to indicate that the connection to the
domain has succeeded.
If the connection does not succeed, the reason is displayed.

Figure 9-25. Schneider Electric CCS Install: Workstation Reboot Request Dialog Box

24. The “You’re about to be signed out” screen appears as shown in Figure 9-26. After a
few minutes, the server will automatically reboot.

Figure 9-26. Workstation Reboot Dialog Box

25. After the server reboots, log on with the “IAInstaller” account.
26. The installation continues automatically. The Server platform setup dialog box
appears.
a. Re-enter the IP address of the PDC with Windows Server 2008 (from which you
are migrating), as shown in Figure 9-27.
b. In the Authorized Account field, verify that the domain joining account name dis-
played has the authority to add workstations to the domain (i.e.
off2008.local\IAInstaller).
c. In the Authorized Password field, enter the password for this account.
d. Authorize.

Figure 9-27. Server Platform Setup (On-Control Network) Continued Reauthorization

27. If clicking Authorize results in a successful domain rights verification, a “Join client
to domain rights verified” message appears.

Figure 9-28. Join Rights Verified

28. Under the “Enter domain information for Active Directory setup and click Prepare”
area, verify the Domain Name and Site Name fields.

Figure 9-29. Verify Domain and Site Names and Click Prepare

NOTE
To verify the site name, follow these steps on the source 2008 PDC:
- Log in as iadomainadmin.
- Open the command prompt.
- Execute the command dsquery site.
The command result should show the site name, as shown in Figure 9-30.

Figure 9-30. Verify Site Name with Command Prompt

29. If you are satisfied with the domain and site names click Prepare.
If the domain name or site name are not identical with those provided during the
PDC installation, the dialog box shown in Figure 9-31 appears.

Figure 9-31. Domain Name or Site Name Invalid Dialog

NOTE
Clicking OK and proceeding with the incorrect domain or site name will cause the
installation to be unsuccessful.

30. If a mismatch occurs:

a. Click Cancel.
b. Correct the domain name or site name.
c. Click Prepare.
31. If the site name and domain name match those provided during the PDC
installation, the dialog box shown in Figure 9-32 appears. Check that the name you
have chosen for your Active Directory domain is correct and will not conflict with
another domain on the same network.
Click OK.

Figure 9-32. Active Directory Message

32. To assist with a smooth installation process, verify that the PDC fully qualified
domain name is pingable.
a. Open command prompt.
b. Ping the PDC using its on-control network IP address with the -a option. For
example, ping -a 151.128.152.11.
The result of the ping should show the fully qualified name of the Server 2008 PDC.
A fully qualified name is in the format <machine name>.<domain name>. For example,
FL5007OFF.off2008.local.
33. Click Install to load the Active Directory Domain Services onto this server and to
assign the server to the role of Secondary Domain Controller.

Figure 9-33. Load Active Directory Domain Services

A DOS window is displayed while Active Directory is being installed, as shown in Figure 9-34.

Figure 9-34. Active Directory Installation via a Command Prompt

After Active Directory Domain Services are installed, a dialog box is displayed, as
shown in Figure 9-35.

Figure 9-35. Promote to Domain Controller Authentication Window

34. The default username is <domain name>\IADomainAdmin. Enter the password for
the IADomainAdmin user and click OK. This launches a DOS prompt that promotes the
server to the Secondary Domain Controller (SDC) role, as shown in Figure 9-36.

Figure 9-36. Promote to Domain Controller Process

NOTE
It is normal to see detected errors during promotion to the domain controller. These
messages pertain to DNS delegation, a default cyber-security setting for Windows
Server 2016 DCs, etc. These detected errors can be ignored.

NOTE
If the promotion to the domain controller is unsuccessful, a system message is
shown (Figure 9-37). Details about the system message can be found in two files:

- C:\windows\temp\promote2dc.txt
- C:\windows\debug\dcpromo.log

If this occurs, reimage the machine and restart the installation process.

Figure 9-37. Promotion to Domain Controller System Message

35. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “IADomainAdmin” account.

36. After a few minutes, the installation restarts automatically and the Schneider-Electric
CCS Software Installation dialog box appears as shown in Figure 9-38.

Figure 9-38. Verifying the Health of the Existing Active Directory System

37. Wait for at least 10 minutes before clicking Verify. Replication from the source PDC
with Windows Server 2008 to this domain controller with Windows Server 2016 may
still be in progress.
38. After the wait period, inspect the event viewer logs for these events:
a. System
b. Active Directory Web Services
c. DFS Replication
d. Directory Service
e. DNS Server
39. Analyze the event logs for any detected error messages. If required, take remediation
actions for the detected errors reported in the event logs.

NOTE
The detected error remediation may require an Active Directory expert/administra-
tor. Some of the replication detected errors may require a server reboot, which may
also require you to cancel the installation, reboot the server, and restart the installa-
tion (using IADomainAdmin login) to return to the Verify button screen. Refer to
Appendix K “Troubleshooting PDC Migration” for more information on trouble-
shooting replication detected errors.

40. If any detected errors in the event logs are ignorable, save the logs and clear them.
Otherwise, the same detected errors will appear in the Verify button report as noise.
41. Click Verify to check the health of the Active Directory domain. This takes several
minutes.
42. When the Active Directory is ready to be configured, a DOS window is displayed.
During this stage, it is normal to see detected errors indicating that the Active Direc-
tory is not yet functional. The Active Directory verification process attempts to make
the directory functional, and then proceeds to the next step of configuring the Active
Directory.

Figure 9-39. Active Directory Verification Process

A command prompt, which shows the progress of the health check operation, is dis-
played. After the operation is finished, the command window indicates whether the
process was completed successfully or with detected errors. The command window
also indicates the path to the log file, which is:
C:\windows\temp\DCHealthCheck.log.
Press <Enter> to dismiss the command window.

Figure 9-40. DC Health Check Status

NOTE
If this command prompt indicates there are any detected errors, save the indicated
log file to an external drive for any possible analysis by Schneider Electric. Then rei-
mage the server and start the installation again.

43. When finished, the dialog box shown in Figure 9-41 is displayed if detected errors are
found. One or more conditions could be detected including diagnostic suboptimal
conditions, event log detected errors, and replication suboptimal conditions.

Figure 9-41. CCS Installation Dialog Box - Message for DC Health Log File

44. To view the log, click View in Figure 9-42. After viewing the detected errors, it may
be necessary to correct the suboptimal conditions in the Active Directory domain.
Click the Verify button as many times as necessary after you take each corrective
action to check that no further conditions exist. After clicking Verify, clicking View
opens the updated diagnostic results.

Figure 9-42. Verifying the Health of the Existing Active Directory System (Detected Errors Found)

NOTE
Refer to Appendix K “Troubleshooting PDC Migration” for details on expected
detected errors, indicators of a successful migration, and troubleshooting tech-
niques. Confirm that you analyze the log, discard known detected errors, trouble-
shoot issues, and reverify. Repeat this process until you are confident that all issues
are resolved.

45. If it is determined that you can ignore these detected errors in the log, click Ignore to
continue, as shown in Figure 9-43. Acknowledge this message.

Figure 9-43. CCS Installation Dialog Box - Detected Errors in DC Health Log File

46. Click Next. The dialog shown in Figure 9-44 is displayed. Click Apply.

Figure 9-44. Setting Up the Platform for an Enterprise Edition Control Core Services Installation

When the Active Directory is ready to be configured, a DOS window is displayed.
During this stage, it is normal to see detected errors indicating that the Active
Directory is not yet functional. The Active Directory verification process attempts to
make the directory functional, and then proceeds to the next step of configuring the
Active Directory.

Figure 9-45. Active Directory Verification Process

A command prompt is displayed while the Active Directory settings are applied.

Figure 9-46. Active Directory Configuration in Progress

47. During configuration of the Active Directory, the dialog box in Figure 9-47 appears
asking for domain administrator credentials. Enter your <domainname>\iadomainadmin
credentials in the dialog box.

Figure 9-47. Enter Domain Administrator Credentials Dialog

48. After the configuration of Active Directory is complete, the command prompt shows
if the process completed successfully, or with detected errors. The command prompt
also shows the path to the log file which is:
c:\windows\temp\2008On_or_OffMesh_to_2016OnMeshPDC_Config.log
Then the command prompt waits for any key to be pressed to proceed further.
Press <Enter> to dismiss the command prompt.

Figure 9-48. Active Directory Configuration Complete

NOTE
If this command prompt provides any system messages which include suboptimal
conditions, save the indicated log file to an external drive for any possible analysis
by Schneider Electric. Then reimage the server and start the installation again.

NOTE
This system message, that can appear in the log file, can be ignored:

Unable to find the CCS virtual NIC for station ‘<station name>’. This is because the NIC
descriptions on this computer did not match any of the expected NIC descriptions. Expected
NIC descriptions =’ FoxInt NDIS Intermediate Miniport Driver, REDL Virtual Miniport
Driver’

49. Control returns to the Installation window. Continue with the rest of the installation.
After the installation is complete, click Finish. Figure 9-49 depicts the series of
installation screens until the final screen.

Figure 9-49. Progress of Installation Until Completion

Installing the OS1FDB Package


If the OS1FDB package is configured on this server, the dialog box shown in Figure 9-50
is displayed.

Figure 9-50. Installation Media Dialog Box

50. To install the OS1FDB package:


a. Insert the first OS1FDB package diskette, and click Load.
b. After the first disk loads, insert the second OS1FDB package diskette, and click
Load.
c. To bypass the installation of this package, click Skip.
If Skip is selected, the installation will continue, but this dialog will be displayed
again for each of the OS1FDB stations configured on the Foxboro station.
If Load is selected, the media folder browser is displayed.

Figure 9-51. Media Folder Browser

51. If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click Select Folder. If your installation
media for the OS1FDB package is on a floppy diskette, click Use Diskette. The
diskette must be in the diskette drive (A:\). After clicking Use Diskette, the diskette
will be read.
52. If you selected Use Diskette, the dialog box in Figure 9-52 appears. Insert the sec-
ond diskette in the OS1FDB set and click Load. The diskette must be inserted in
drive A:\.

Figure 9-52. Installation Media Dialog Box for Diskettes

53. Click Finish when the installation is complete.


54. Reboot the server.
a. Click Start, and then click Shut Down.
b. Select Restart, and click OK.
55. Optionally, if you already have Server 2008 domain controllers on the system, we rec-
ommend that you decommission these domain controllers. Refer to the sections
“Removing Domain Controller Functionality from a Workstation” on page 527 and
“Forcefully Removing a Domain Controller from Active Directory” on page 532 in
Appendix C “Secondary Domain Controllers in a Foxboro Evo System” for instruc-
tions on decommissioning domain controllers. Also refer to the sections “Cleanup
Procedure of Windows Server 2008 R2 PDC with Windows Server 2003 SDC Refer-
ences” on page 589, “How to Cleanup Active Directory After Domain Controller
Demotion” on page 591, and “How to Cleanup Domain Controllers That Are Not
Decommissioned” on page 595 in Appendix K “Troubleshooting PDC Migration”
for additional instructions.
56. Optionally, we also recommend that you install Server 2016 based Secondary domain
controllers at this point. Refer to Chapter 5 “Enterprise Edition Control Core Ser-
vices v9.4 Installation for New Off-Control Network Domain Controllers” for
instructions.
57. If you had custom GPOs, then you must fix the linking order of those GPOs. Contact
the Cyber Security Team for more information. For more information refer to
Appendix P “Linking Custom GPOs to Any CCS/CS Specific OUs”.

NOTICE
POTENTIAL DATA LOSS

At this point the default Administrator account (which is internally
renamed as IAManager) on the PDC is disabled for security
reasons. You will be unable to log in with this account on the PDC. The
only domain administrator at this point will be the IADomainAdmin
user.

If you want to enable the Administrator (aka IAManager) on the PDC,
you can use the Active Directory Users and Computers console to enable
the user.

Failure to follow these instructions can result in data loss.

The installation procedure for the domain controller is finished.
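
Steps 38 to 40 above ask you to inspect five event logs, then save and clear the ignorable entries before clicking Verify. The PowerShell script below is an added example, not part of the Schneider Electric guide or its installer: it exports each log to .evtx, summarizes Critical/Error/Warning events since the last boot, and clears a log only if its export succeeded. The output folder and parameter names are assumptions.

```powershell
#Requires -Version 5.1
# Added example (not from the guide). Run elevated on the new Server 2016 DC
# during the wait period before Verify (steps 37-40).
[CmdletBinding()]
param(
    # Hypothetical folder; choose one that survives a reimage (external drive).
    [string]$OutDir = 'C:\Temp\DCMigrationLogs',
    # Only events newer than this are summarized (default: last boot).
    [datetime]$Since = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime,
    # Step 40: clear a log, but only after its export was verified.
    [switch]$ClearAfterExport
)

# The five logs listed in step 38. 'Security' and 'Application' from the
# earlier NOTE can be appended if they should be exported as well.
$LogNames = 'System', 'Active Directory Web Services', 'DFS Replication',
            'Directory Service', 'DNS Server'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

$report = foreach ($log in $LogNames) {
    # Level 1 = Critical, 2 = Error, 3 = Warning
    $filter = @{ LogName = $log; Level = 1, 2, 3; StartTime = $Since }
    try {
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
    } catch {
        # Raised for "no matching events" and for a log that does not exist
        $events = @()
        Write-Verbose "${log}: $($_.Exception.Message)"
    }

    # Export the complete log first so nothing is lost if it is cleared.
    $file = Join-Path $OutDir ('{0}_{1}.evtx' -f ($log -replace '\s', '_'), $stamp)
    & wevtutil.exe epl $log $file
    $exported = ($LASTEXITCODE -eq 0) -and (Test-Path -LiteralPath $file)
    if (-not $exported) { Write-Warning "Export of '$log' failed; log left untouched." }

    if ($ClearAfterExport -and $exported) {
        & wevtutil.exe cl $log
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not clear '$log'." }
    }

    # One row per (provider, event id) so a recurring error collapses to a count.
    $events | Group-Object ProviderName, Id | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated | Select-Object -Last 1
        [pscustomobject]@{
            Log      = $log
            Provider = $latest.ProviderName
            Id       = $latest.Id
            Level    = $latest.LevelDisplayName
            Count    = $_.Count
            Last     = $latest.TimeCreated
            Message  = ("$($latest.Message)" -split "`r?`n")[0]
        }
    }
}

if ($report) {
    $report | Sort-Object Log, @{ Expression = 'Count'; Descending = $true } |
        Format-Table Log, Provider, Id, Level, Count, Last, Message -AutoSize -Wrap
} else {
    Write-Output "No Critical/Error/Warning events since $Since in the five logs."
}
Write-Output "Exported logs are in $OutDir"
```

Keep the exported .evtx files with the migration records; they are the only copy of the pre-Verify events once the logs are cleared.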

Configuring for Existing Domain Clients


For the existing domain clients with Control Core Services v9.3, proceed as follows:
1. Open the Internet Protocol (TCP/IP) Properties dialog box for the FoxInt NDIS
Intermediate Miniport Driver (Control Core Services/I/A Series network card).
a. On the desktop, right-click My Network Places, and click Properties.
b. In the Network and Connections dialog box, right-click the FoxInt NDIS Inter-
mediate Miniport Driver, and click Properties.
2. In the adapter’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Properties.
The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 9-54.

Figure 9-53. Adapter Properties Dialog Box

3. In the preferred DNS, add the IP address of the Windows Server 2016 PDC.

Figure 9-54. Internet Protocol (TCP/IP) Properties Dialog Box

Post installation steps on the Server 2016 PDC


NOTE
These instructions are only applicable when you are ready to demote all the Off-
Control network Windows Server 2008 SDC(s) in the domain.

At this point, the Server 2016 PDC and the other Server 2008 SDCs are on both the
On-Control and Off-Control networks. This is because, before the migration started,
the Server 2008 domain controller was on the Off-Control network. After the migration,
the Server 2016 domain controller has both On-Control and Off-Control networks attached
to it. As a result, DNS is configured to listen on the IP addresses of both networks.
When you decide to demote all the Off-Control Server 2008 domain controllers, there are
some additional steps you need to perform in order to make the Server 2016 domain
controller purely On-Control based. Proceed as follows:
1. Demote the Off-Control Server 2008 SDC(s) using the instructions provided in the
section “Removing Domain Controller Functionality from a Workstation” in
Appendix D.
2. At this point, the only domain controller in place is the Server 2016 PDC.

NOTE
There could be Server 2016 SDCs as well. However, if the steps below are performed
on the Server 2016 PDC, they automatically take effect on the Server 2016 SDCs
as well because of AD replication, which occurs at frequent intervals.

3. Log onto the Server 2016 PDC using the IADomainAdmin account.
4. Open the DNS console (Start -> Windows Administrative Tools -> DNS).
5. In the left pane of the DNS tree, right-click on the node representing the machine
name. For example, FL5014.
6. Choose Properties from the context menu.
7. Navigate to the Interfaces tab.
8. Under the section “Only the following IP addresses:”, you will see multiple IP
addresses selected. One of these IP addresses represents the On-Control network (for
example, 151.128.152.x). The other IP addresses represent the Off-Control network (for
example, 181.128.182.x). Unselect everything except the IP addresses that represent the
On-Control network, as shown in Figure 9-55.

Figure 9-55. DNS Console IP Addresses

9. Click OK to close the dialog box.

10. Expand the nodes <machine name> -> Reverse Lookup Zones. You will see multiple
nodes. Each node represents a reverse lookup zone for a designated network.
11. Delete all the reverse lookup zones except the zone representing the On-Control
network. To delete a zone, right-click on that zone and select Delete.

Figure 9-56. Reverse Lookup Zones for Off-/On-Control Networks

12. Expand the nodes <machine name> -> Forward Lookup Zones -> <domain name>,
and select the <domain name> node.
13. In the right pane, delete any Name Server (NS) records that represent the off-control
network IP addresses.
a. Double-click any of the Name Server records. This opens the Name Servers tab of
the domain properties dialog box (Figure 9-58).

Figure 9-57. Name Server Record in DNS

b. Select Off-Control Network Name Servers, and then click Remove (Figure 9-58).

NOTE
If Server 2008 Off-Control Network SDCs are correctly demoted, the name server
records are automatically deleted and this step is not required any more.

Figure 9-58. Name Server Record Representing Off-Control Network

14. In the right pane you will see multiple DNS records. Some of these records point to
Off-Control network IP addresses. Delete all of these records.

Figure 9-59. DNS Records Pointing to Off-Control Network IP Addresses

15. Unplug the Off-Control Network connections from all of the domain clients.
The domain clients should be connected only to the On-Control Network, and their network
adapters need to have DNS entries pointing to the IP addresses of the On-Control Network
PDC, followed by On-Control network SDC1, SDC2, and so on.
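
The result of steps 8 through 14 can be confirmed from PowerShell on the Server 2016 PDC. The script below is an added example and is not part of this guide or of any Schneider Electric software; it only reads the DNS configuration. The default prefix is the guide's example On-Control network, and the parameter and function names are this example's own.

```powershell
# Added example, not part of B0700SX: read-only audit of the DNS cleanup in steps 8-14.
# Run in an elevated PowerShell session on the Server 2016 PDC.
# Assumptions: the DnsServer module (installed with the DNS Server role) is present,
# and $OnControlPrefix is the guide's example network 151.128.152.x; use your own.
param(
    [string]$OnControlPrefix = '151.128.152.',
    [string]$ZoneName        = (Get-CimInstance Win32_ComputerSystem).Domain
)

Import-Module DnsServer -ErrorAction Stop

$findings = New-Object System.Collections.Generic.List[object]

function Test-OnControl([string]$Address) {
    return $Address.StartsWith($OnControlPrefix)
}

function Add-Finding([string]$Step, [string]$Item) {
    $findings.Add([pscustomobject]@{ Step = $Step; Item = $Item })
}

# Step 8: the DNS service should listen only on On-Control addresses.
foreach ($ip in (Get-DnsServerSetting -All).ListeningIPAddress) {
    if (-not (Test-OnControl "$ip")) { Add-Finding 'Step 8: listening address' "$ip" }
}

# Step 11: only a reverse lookup zone covering the On-Control network should remain.
# The zone may be the /24 zone or a parent of it, so compare on whole labels.
$octets = $OnControlPrefix.TrimEnd('.').Split('.')
[array]::Reverse($octets)
$onControlReverse = '.' + ($octets -join '.') + '.in-addr.arpa'
Get-DnsServerZone |
    Where-Object { $_.IsReverseLookupZone -and -not $_.IsAutoCreated } |
    Where-Object {
        -not $onControlReverse.EndsWith('.' + $_.ZoneName,
                                        [System.StringComparison]::OrdinalIgnoreCase)
    } |
    ForEach-Object { Add-Finding 'Step 11: reverse lookup zone' $_.ZoneName }

# Step 14: host (A) records in the domain zone should not point at Off-Control addresses.
$aRecords = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A)
foreach ($rr in $aRecords) {
    $ip = $rr.RecordData.IPv4Address.IPAddressToString
    if (-not (Test-OnControl $ip)) {
        Add-Finding 'Step 14: A record' ('{0} -> {1}' -f $rr.HostName, $ip)
    }
}

# Step 13: every name server of the zone should still own an On-Control A record.
# A name server with none is typically a demoted Off-Control SDC. Name servers whose
# host record lives outside this zone are reported too and need a manual look.
$nsRecords = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -Name '@' -RRType NS)
foreach ($rr in $nsRecords) {
    $nsName    = $rr.RecordData.NameServer.TrimEnd('.')
    $hostLabel = $nsName -replace ('\.' + [regex]::Escape($ZoneName) + '$'), ''
    $addresses = @($aRecords | Where-Object { $_.HostName -eq $hostLabel } |
        ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
    if (-not ($addresses | Where-Object { Test-OnControl $_ })) {
        Add-Finding 'Step 13: name server' ('{0} ({1})' -f $nsName, ($addresses -join ', '))
    }
}

if ($findings.Count -eq 0) {
    'No Off-Control remnants found in the DNS configuration.'
} else {
    $findings | Sort-Object Step | Format-Table -AutoSize
}
```

Any row in the output names a listening address, zone, or record that the console procedure above would still need to remove.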

Continuing Installation
Refer to “Installing Optional Software” on page 72 to install any additional packages on your new
PDC.
Re-enable any anti-malware software such as McAfee ENS that is installed on the PDCs, SDCs
and domain clients if not already enabled.
Proceed to Chapter 12 “Enterprise Edition Control Core Services v9.4 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-9.4 Domain Clients to
Existing Off-Control Network Networks” for the installation procedure for the new domain clients.

10. Migrating an Off-Control Windows Server 2008 Domain Controller to a New Windows Server 2016 Primary Domain Controller on the Off-Control Network
This chapter describes how to migrate an existing Off-Control Network Primary Domain
Controller (PDC) with Windows Server 2008 running any of the following software to a new
Off-Control Network Primary Domain Controller with Windows Server 2016:
♦ I/A Series software v8.8
♦ Foxboro Evo Control Core Services v9.0-9.3
♦ Foxboro Evo Control Core Services (any version) upgraded to support Windows 10
and Windows Server 2016 domain clients
The source station for this migration refers to the PDC with Windows Server 2008.

NOTE
After this procedure is complete, any existing Server 2008 SDCs will continue to
work as SDCs and as a result changes will be replicated from the new Server 2016
PDC to these SDCs.

The target station indicated in this chapter refers to the new PDC running Windows Server
2016.
After the migration, both the domain clients which existed in Control Core Services v9.0-9.3 and
the new Control Core Services domain clients (Control Core Services v9.4 or later) will be
connected to the same domain. Existing group policies will be maintained while new Control Core
Services v9.4 group policies will be enacted. The steps in this section only need to be followed
once for the domain migration in order to establish the new PDC station.
Perform the procedures provided below.

NOTE
In Control Panel -> Network Connections, which lists the available NICs, it is
inadvisable to change the name of any “Local Area Connection x” network connection.
This can result in software installation issues or system instability.

NOTE
To enhance cyber security, Schneider Electric-supplied Windows Server 2016 OS
images have the built-in administrator account disabled with a blank password.

This diagram shows high level steps for this scenario.

Prepare Source Domain Controller - Win 2008
♦ On the 2008 source PDC, add iadomainadmin user to Schema Admins, Enterprise Admins
groups
♦ Ensure any existing SDCs are connected to the PDC, online, and operational
♦ Add target Win 2016 server to “IA Computers” OU in the source PDC
♦ Document linking order of any custom GPOs

Prepare target Win2016 DC and migrate source 2008 DC to target server running SE supplied
Server 2016 OS image
♦ Ensure server HW compatibility with server 2016 Foxboro image. Refer to B0700SY
♦ If not new from factory, restore Foxboro supplied Server 2016 image on the server HW
♦ Set Date/Time/TimeZone on the OS to match with the source Win 2008 PDC
♦ Connect the server physically to the same Off-Control Network that is connected to the
source PDC
♦ Assign static IP address to the Off-Control Network interface card
♦ Verify that source Win 2008 PDC is pingable using IP address
♦ Install Foxboro Server 2016 Local Group Policies (LGPOs)
♦ Install Anti-Malware software (ex: McAfee ENS)
♦ Disable Anti-Malware software
♦ Install CCS using the Migrate option
♦ Fix linking order of any custom GPOs
♦ Enable Anti-Malware software
♦ Optionally delete and rebuild SDCs. (Highly recommended)
♦ Configure existing domain client’s NIC card DNS entries to point to new Win2016 PDC

Preparing the Source Primary Domain Controller With Windows Server 2008

NOTE
After migration, the domain and forest functional levels can be raised to “Server
2016” only when all domain controllers are running the Windows Server 2016 OS
and all existing domain controllers with Windows Server 2008 are decommissioned.

NOTE
Refer to Appendix L “Pre-Migration Settings for PDCs with Pre-Control Core
Services v9.3” for migration settings for PDCs with pre-Control Core Services v9.3
software.

NOTICE
POTENTIAL DATA LOSS

• We advise that the linking order of any non-Schneider Electric
custom GPOs be documented prior to proceeding further as
this installation may likely change the linking order of such
GPOs. After the installation is completed, you may change the
linking order of such custom GPOs to meet your operational
requirement. While doing so, it is important to ensure that relative
linking order of Schneider Electric's GPOs is not changed.
Changing the relative linking order of Schneider Electric's GPO
might lead to unpredictable product behavior. Refer to Appendix P
“Linking Custom GPOs to Any CCS/CS Specific OUs”.
• During the migration process, some existing Schneider Electric-provided
GPOs will change. As a result, changes to the GPO
will be overwritten. It is recommended that you back up any
Schneider Electric-provided GPOs that were changed after the
original installation.
• Do not change the name of any “Local Area Connection x” network
connections in the Control Panel. Doing so can result in
software installation issues or system instability.
• If you do not apply the migration settings for PDCs with pre-Control
Core Services v9.3 software, this will result in an unsuccessful
migration. Refer to Appendix L “Pre-Migration Settings
for PDCs with Pre-Control Core Services v9.3”.

Failure to follow these instructions can result in data loss.

NOTE
Once the migration process is complete, the target Windows Server 2016 server will
assume the role of Primary Domain Controller. The Server 2008 Domain Controller,
which was a Primary Domain Controller, assumes the role of a Secondary
Domain Controller (SDC) after the successful completion of migration. However,
after the migration, you can choose to decommission the Server 2008 Domain
Controller.

NOTE
Follow the steps outlined in “Helping to Avoid the Loss of Logon Ability for
Account1” on page 611. These steps are needed to help prevent the target Server 2016
machine from losing the ability of local logons using the Account1 user account.

Document Linking Order of Custom GPOs

If you have custom GPOs, document the linking order of those GPOs. You can do this by taking
a screen capture of the current linking order at every OU.

Figure 10-1. Linking Order of GPOs for the Accounts OU

Adding IADomainAdmin User to Schema Admins, Enterprise Admins Groups
On the source station (PDC with Windows Server 2008), proceed as follows:
1. Log into the source PDC with Windows Server 2008 using a domain administrator
account (such as IADomainAdmin).
2. Open the Active Directory Users and Computers console - click the Start button and
select Windows Administrative Tools -> Active Directory Users and Computers.
3. Under the Users organizational unit (OU), find the domain administrator account
which is being used for this installation, as shown in Figure 10-2.

Figure 10-2. Active Directory Users and Computers Console (Administrator Account)

4. Right-click on the user name and click Properties. The user Properties dialog box
opens as shown in Figure 10-3.

Figure 10-3. IADomainAdmin Properties Dialog Box

5. Verify that the domain administrator account is a member of both the “Schema
Admins” and “Enterprise Admins” groups by selecting the Member Of tab as shown
in Figure 10-3. If this user account is not, the user has to be added to both these
groups, as follows:
a. From the Member Of tab, select the Add button.
b. Type in the name of the group which needs to be added (Schema Admins or
Enterprise Admins) and click OK, as shown in Figure 10-4. Repeat this for each
group.

Figure 10-4. Adding User to Groups

6. Click OK to close the user Properties dialog box.

Adding Target Server 2016 Name to IA Computers OU


NOTE
Complete these steps only if the target server 2016 does not already exist under the
IA Computers OU.

1. In the “Active Directory Users and Computers” console, expand the nodes
<domain-name> > Invensys.
2. Click on the IA Computers folder and verify that the new PDC server name is
present. If not, you have to add it as follows.
a. Right-click on IA Computers and select New -> Computer, as shown in
Figure 10-5.
b. Enter the name of the new computer and click OK.

Figure 10-5. Active Directory Users and Computers Console (Administrator Account)

3. If the current domain administrator account was added to either the Schema Admins
or Enterprise Admins in the steps above, then log off and log back in to the station
using the same account.

Preparation and Installation for Target Primary Domain Controller with Windows Server 2016
Proceed as follows on the server to become the new PDC:

Server Preparation
The primary domain controller (PDC) has to be a server-class station installed with the Windows
Server 2016 Standard operating system, and has to be the first station in the Control Core
Services system installed with the Enterprise Edition Control Core Services software. For this
procedure, it is assumed that the PDC is installed on the control network (which is a dedicated
Control Core Services maintained network).
Perform the following steps to set up the hardware and restore the operating system onto your
primary domain controller server:

NOTE
If this is a new station shipped from the Schneider-Electric factory with the V9.4
Restore image identified by the media kits in Table 1-2 and verified in your
workstation’s H-code (or P-code), proceed to “Important Information on Installing Control
Core Services” on page 53. If not, continue following the steps in this section.

1. Install hardware, restore the Windows Server 2016 Standard operating system, and
update drivers for your server. Perform the following:
a. Refer to Control Core Services v9.4 Release Notes (B0700SY) to be certain that your
hardware meets the hardware requirements specific to Control Core Services
V9.4. For instructions on installing memory upgrades, PCI cards, and so forth,
refer to the “Installing Hardware Upgrades” chapter of the Hardware and Software
Specific Instructions document shipped with your server.
b. If the server is new from factory with the Server 2016 image, then skip this step.
Otherwise, using the V9.4 Restore Media, restore the Windows Server 2016 Standard
operating system on your server. Follow the instructions of Appendix A
“Startup Options”.
Only use the media kits listed in Table 1-2 to restore the operating system of a station
with Control Core Services v9.4.
It is inadvisable to follow the instructions for installing Control Core Services from
your hardware specific instruction manual. Instead, follow the software installation
procedure below.
c. Set the time and date. Perform the following:
♦ Open the Windows Date and Time applet by selecting Control Panel ->
Date and Time.
♦ Click the Change Date and Time button.
♦ Adjust the date and time.
♦ Click OK.
♦ Click the Change time zone button.

♦ Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
♦ Click OK.
d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the Hardware and Software Specific Instructions
document shipped with the server.

Important Information on Installing Control Core Services


Before you install Control Core Services, check that the server is physically connected to the
control network and, if needed, that any network interface card drivers are updated. Also, check the
server is disconnected from any secondary (non-Foxboro) networks, but it is inadvisable for you
to disable the adapters for these network cards. Refer to the notes below.
♦ The server must be connected to the control network before installing Control Core
Services.
♦ Disconnect non-Foxboro network connections but the adapters for these network
cards should not be disabled.
♦ The network interface drivers used for connection to the control network may require
updating before installing Control Core Services v9.4. This is required because outdated
drivers may lead to unstable or unavailable communications. See Appendix A “Startup Options”.
♦ In Control Panel -> Network and Sharing Center/Network Connections,
which lists the available NICs, it is inadvisable to change the name of any “Local Area
Connection x” network connection. This can result in software installation issues or
system instability.
♦ On servers with the Windows Server 2016 Standard operating system, it is
recommended that no roles be added to the system which are not necessary for the operation
of the server. Adding unnecessary roles (for example, adding the Remote Desktop
Services role when the server is not to be used as a remote session host) can create
cyber-security weaknesses in the overall system.

Preparing Network Interface Cards (NICs) For Installation


NOTE
Before you run the health check of the Active Directory domain, we recommend you save
the security and application log from the Event Viewer and clear all the log
messages. That is because the health diagnostic tool attempts to analyze the detected
errors on the system that occurred before the migration process, and has the
potential to give an impression that the migration was not successful.

Assign a Static IPv4 Address to Off-Control Network Adapter


1. Right-click on Start, and select Control Panel.
2. Click Network and Internet.
3. Click Network and Sharing Center.
4. On the left pane, click Change Adapter Settings.

5. Right-click on the network adapter that represents the off-control network, and click
Properties.
6. Uncheck Internet Protocol Version 6 (TCP/IPv6).
7. Select Internet Protocol Version 4 (TCP/IPv4), and click Properties.
8. Set a static IP address and preferred DNS server (Figure 10-6).

NOTE
The IP address shown on your machine need not match the IP address shown in
Figure 10-6.

Figure 10-6. Static IPv4 Assignment to PDC Off-Control Network Adapter

9. Confirm that the new IP address is shown in the ipconfig command result.

Figure 10-7. Verify Newly Assigned IP Address

10. Verify that the 2008 source PDC is pingable from the target PDC. If the ping does
not work, you may need to reboot the station.

Figure 10-8. Verify Source 2008 PDC Pingable from Target PDC
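
The settings made in steps 6 through 10 can also be confirmed from PowerShell on the target server. The script below is an added example and is not part of this guide or of any Schneider Electric software; the adapter name parameter is this example's own, and the default address is the guide's example source PDC address.

```powershell
# Added example, not part of B0700SX: read-only check of steps 6-10 on the target server.
# Assumptions: $InterfaceAlias is the name shown under Network Connections for the
# Off-Control adapter, and $SourcePdcIp is the guide's example address; use your own.
param(
    [Parameter(Mandatory = $true)][string]$InterfaceAlias,
    [string]$SourcePdcIp = '181.128.182.11'
)

$checks = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Step, [bool]$Passed, [string]$Detail) {
    $checks.Add([pscustomobject]@{ Step = $Step; Passed = $Passed; Detail = $Detail })
}

# Step 6: Internet Protocol Version 6 must be unchecked on this adapter.
$v6 = Get-NetAdapterBinding -Name $InterfaceAlias -ComponentID ms_tcpip6
Add-Check 'Step 6: IPv6 unbound' (-not $v6.Enabled) "ms_tcpip6 enabled: $($v6.Enabled)"

# Step 8: every IPv4 address on the adapter must be manually assigned.
# PrefixOrigin is Manual for a static address, Dhcp or WellKnown (APIPA) otherwise.
$v4     = @(Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4)
$static = @($v4 | Where-Object { $_.PrefixOrigin -eq 'Manual' })
$v4Text = ($v4 | ForEach-Object {
    '{0}/{1} [{2}]' -f $_.IPAddress, $_.PrefixLength, $_.PrefixOrigin
}) -join ', '
Add-Check 'Step 8: static IPv4' (($static.Count -gt 0) -and ($static.Count -eq $v4.Count)) $v4Text

# Step 8: a preferred DNS server must be configured on the adapter.
$dns = @((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses |
    Where-Object { $_ })
Add-Check 'Step 8: DNS server set' ($dns.Count -gt 0) ($dns -join ', ')

# Step 10: the source 2008 PDC must answer a ping by IP address.
$reachable = Test-Connection -ComputerName $SourcePdcIp -Count 2 -Quiet
Add-Check 'Step 10: source PDC pingable' $reachable $SourcePdcIp

$checks | Format-Table -AutoSize -Wrap
if ($checks | Where-Object { -not $_.Passed }) { exit 1 }
```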

Continuing the Installation Procedure


Continue as follows:
1. Confirm that the system time and time zone (including the daylight savings time flag)
match those of the source PDC.
2. Install Server 2016 Local Group Policies. Refer to Chapter 17 “Local Group Policy
Installation”.
3. Install anti-malware software such as McAfee ENS. Refer to Installation and
Configuration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
4. If McAfee ENS is installed, ensure the following McAfee ENS components are up to
date.

♦ ENS AMCore DAT file
♦ Exploit Prevention Content
5. Run a full scan of the system to help ensure no viruses are present in the system before
work begins.
6. Disable anti-malware software such as McAfee ENS. Refer to Installation and
Configuration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
7. Insert the DVD labeled “Foxboro Evo Control Core Services v9.4 Windows 10/Server
2016 Day 0 DVD” (K0177BP).
8. Navigate to the DVD drive and double-click setup.exe.
9. Click Yes to accept the User Account Control (UAC) prompt.

Figure 10-9. User Account Control Dialog Box

10. A dialog box appears that allows you to select whether you are installing Control Core
Services for Local Edition or Enterprise Edition. Make the following selections in the
dialog box:
♦ Select Install CCS for Enterprise System
♦ Select Active Directory Domain Services (AD DS)
♦ Select Install New AD(PDC/SDC)
♦ Select the checkbox Migrate CCS Configuration from an existing Foxboro EVO AD
♦ Select “Off Control server 2008 AD” from the combo box
♦ Choose the Connection type as “Off Control Network”, as shown in
Figure 10-10.

Figure 10-10. Selecting to Install a Domain Controller Off-Control Network

NOTE
Click Cancel in any screen during the installation to stop the installation procedure.
The installation can be resumed from where it was stopped by relaunching the
Setup.exe.

11. Click Next.
12. Acknowledge the message shown in Figure 10-11.

Figure 10-11. CCS Installation Dialog Box - Message

13. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 10-12. Click Load to load the committed configuration files.

Figure 10-12. Load Committed Configuration Install Files

NOTE
The browser for the folder containing the committed configuration install files opens,
as shown in Figure 10-13. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder.

Figure 10-13. Installation Media Folder Browser

14. Click Next. The Server platform setup dialog box appears as shown in Figure 10-14.
The “Install as a Secondary Domain Controller (SDC)” bullet is selected by default.
Initially, this station is installed as an SDC station and will be promoted to be the
PDC station before the installation completes.

Figure 10-14. Server Platform Setup (Off-Control Network)

15. In the “Provide information for the domain joining account and click Authorize”
field:
a. Enter the off-control network IP address of the source 2008 PDC (for example,
181.128.182.11).
b. Enter the account name that has the authority to add workstations to the domain
(for example, off2008.local\IAInstaller).
c. Enter the account password.
d. Confirm that the time zones, date, and time match with the PDC.
e. Click Authorize.

NOTE
Before clicking Authorize, confirm that the server 2008 PDC is pingable using the
off-control network IP address. If the server 2008 PDC is not pingable using its IP
address, authorization will be unsuccessful. For example, ping 181.128.182.11
should succeed.

16. If the local system time does not match the system time on the existing PDC (from
which you are migrating), a message is displayed as shown in Figure 10-15. Click OK.
Fix the local system time to match the existing PDC’s time and re-click Authorize.

Figure 10-15. Schneider Electric CCS Software Installation Dialog Box - Date System Message

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 10-16 is displayed. It is vital to check that the local
and remote system times match (including date, time, AM/PM) before continuing.
Note that the checkbox displayed for some time zones which allows the system to
automatically adjust for Daylight Saving Time can affect the time displayed by the
system by one hour.

Figure 10-16. Unable to Determine Local Time on the PDC

If clicking Authorize results in a successful domain rights verification, you will
receive a “Join rights verified” system message.

Figure 10-17. Join Rights Verified

17. If there are more SDC stations on the off-control network (if there are no additional
SDCs, move to step 14):
a. Choose the “Add Off-Mesh” option from the “Select the Secondary Domain Con-
troller Stations” drop-down list.

Figure 10-18. Add Off-Mesh Option

b. In the dialog that appears, add the off-control IP addresses of those SDCs
manually. When you’re finished, click Done.

Figure 10-19. Add Additional Off-Mesh IDs

c. Click Set.

Figure 10-20. Set the Off-Mesh IDs

d. If there are no additional SDCs to add, click Skip.

Figure 10-21. Server Platform Setup (For Second SDC)

18. Confirm that the domain name is pingable from the machine. For example, ping
off2008.local should succeed.
19. In the “Select a Host Domain for this workstation and click Connect” field, verify the
name of the domain and click Connect.

Figure 10-22. Verify Domain Name and Connect

20. The message shown in Figure 10-23 is displayed to indicate that the connection to the
domain has succeeded. Click Reboot.
If unsuccessful, a reason for the unsuccessful condition is displayed.

Figure 10-23. Schneider Electric CCS Install: Workstation Reboot Request Dialog Box

21. The “You’re about to be signed out” screen appears as shown in Figure 10-24. After a
few minutes, the server will reboot automatically.

Figure 10-24. You’re About to be Signed Out Screen

22. After the server reboots, log on with the “IAInstaller” account.
23. The installation continues automatically. The Server platform setup dialog box
appears.
a. Re-enter the IP address of the PDC with Windows Server 2008 (from which you
are migrating), as shown in Figure 10-25.
b. In the Authorized Account field, verify that the domain joining account name
displayed has the authority to add workstations to the domain (i.e.
off2008.local\IAInstaller as in the example).
c. In the Authorized Password field, enter the password for this account.
d. Click Authorize.

NOTE
Before clicking Authorize, confirm that the server 2008 PDC is pingable using the
off-control network IP address. If the server 2008 PDC is not pingable using its IP
address, authorization will be unsuccessful. For example, ping 181.128.182.11
should succeed.

Figure 10-25. Server Platform Setup (Off-Control Network) Continued - Re-Authorization

24. If clicking Authorize results in a successful domain rights verification, a “Join client to
domain rights verified” message appears.

Figure 10-26. Join Rights Verified

25. Verify the Domain Name and Site Name fields.

NOTE
To verify the site name, follow these steps on the source 2008 PDC:
- Log in as iadomainadmin.
- Open the command prompt.
- Execute the command dsquery site.
The command result should show the site name, as shown in Figure 10-27.

Figure 10-27. Verify Site Name with Command Prompt

26. If you are satisfied with the domain and site names click Prepare.
27. If the domain name or site name are not identical with those provided during the
PDC installation, the dialog box shown in Figure 10-28 appears.

Figure 10-28. Domain Name or Site Name Invalid Dialog

NOTE
Clicking OK and proceeding with the incorrect domain or site name will cause the
installation to be unsuccessful.

28. If a mismatch occurs:
a. Click Cancel.
b. Correct the domain name or site name.
c. Click Prepare.
29. If the site name and domain name match those provided during the PDC
installation, the dialog box shown in Figure 10-29 appears. Check that the name you
have chosen for your Active Directory domain is correct and will not conflict with
another domain on the same network.
Click OK.

Figure 10-29. Active Directory Message

30. To assist with a smooth installation process, verify that the PDC fully qualified
domain name is pingable.
a. Open a command prompt.
b. Ping the PDC using its on-control network IP address with the -a option. For
example, ping -a 151.128.152.11.
The result of the ping should show a fully qualified name for the server 2008 PDC. A
fully qualified name is in the format <machine name>.<domain name>. For example,
FL5007OFF.off2008.local.
31. Click Install to load the Active Directory Domain Services onto this server and to
assign the server to the role of Secondary Domain Controller.

Figure 10-30. Load Active Directory Domain Services

A DOS window is displayed while Active Directory is being installed, as shown in Figure 10-31.

Figure 10-31. Active Directory Installation via Command Prompt

After Active Directory Domain Services are installed, a dialog box is displayed as
shown in Figure 10-32.

Figure 10-32. Promote to DC Authentication Window

32. The default username is <domain name>\IADomainAdmin. Enter the password for
the IADomain user and click OK. This launches a DOS prompt that promotes the
server to the Secondary Domain Controller (SDC) role, as shown in Figure 10-33.

Figure 10-33. Promote to Domain Controller Process

NOTE
It is normal to see detected errors during promotion to the domain controller. These
messages pertain to DNS delegation, a default security setting for Windows Server
2016 DCs, etc. These detected errors can be ignored.

NOTE
If the promotion to the domain controller is unsuccessful, a system message is
shown (Figure 10-34). Details about the system message can be found in two files:

- C:\windows\temp\promote2dc.txt
- C:\windows\debug\dcpromo.log

If this occurs, reimage the machine and restart the installation process.

Figure 10-34. Promotion to Domain Controller System Message

33. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “IADomainAdmin” account.
34. After a few minutes, the installation restarts automatically and the Schneider Electric
CCS Software Installation dialog box appears as shown in Figure 10-35.

Figure 10-35. Verifying the Health of the Existing Active Directory System

35. Wait for at least ten minutes before clicking Verify. Replication from the source
PDC with Windows Server 2008 to this domain controller with Windows Server
2016 may still be in progress.
36. After the wait period, inspect the event viewer logs for these events:
♦ System
♦ Active Directory Web services
♦ DFS Replication
♦ Directory Service
♦ DNS Server
37. Analyze the event logs for any detected error messages. If required, take remediation
actions for the detected errors reported in the event logs.


NOTE
The detected error remediation may require an Active Directory expert/administrator.
Some of the replication detected errors may require a server reboot, which may also
require you to cancel the installation, reboot the server, and restart the installation
(using IADomainAdmin login) to return to the Verify button screen. Refer to
Appendix K “Troubleshooting PDC Migration” for more information on troubleshooting
replication detected errors.

38. If you determine that any detected errors in the event logs are ignorable, save the logs
and clear them off. Otherwise these same detected errors will appear in the Verify button
report as noise.
39. Click Verify to check the health of the Active Directory domain. This takes several
minutes.
When the Active Directory is ready to be configured, a DOS window is displayed.
During this stage, it is normal to see detected errors indicating that the Active
Directory is not yet functional. The Active Directory verification process attempts to
make the directory functional, and then proceeds to the next step of configuring the
Active Directory.

Figure 10-36. Active Directory Verification Process

A command prompt, which shows the progress of the health check operation, is
displayed. After the operation is finished, the command window indicates whether the
process was completed successfully or with detected errors. The command window
also indicates the path to the log file, which is:
C:\windows\temp\DCHealthCheck.log.
40. Press <Enter> to dismiss the command window.

Figure 10-37. DC Health Check Status


NOTE
If this command prompt indicates there are any detected errors, save the indicated
log file to an external drive for any possible analysis by Schneider Electric. Then
reimage the server and start the installation again.

41. When complete, the dialog box shown in Figure 10-35 is displayed if detected errors
are found. One or more conditions could be detected including diagnostic suboptimal
conditions, event log detected errors, and replication suboptimal conditions.

Figure 10-38. CCS Installation Dialog Box - Message for DC Health Log File

42. To view the log, click View, as shown in Figure 10-39. After viewing the detected
errors, it may be necessary to correct the issues in the Active Directory domain. Click
the Verify button as many times as necessary after you take each corrective action to
check that no further issues exist. After clicking Verify, clicking View opens the
updated diagnostic results.


Figure 10-39. Verifying the Health of the Existing Active Directory System (Detected Errors Found)

NOTE
Refer to Appendix K “Troubleshooting PDC Migration” for details on expected
detected errors, indicators of a successful migration, and troubleshooting techniques.
Confirm that you analyze the log, discard known detected errors, troubleshoot issues,
and reverify. Repeat this process until you are confident that all issues are resolved.

43. If it is determined that you can ignore the detected errors in the log, click Ignore to
continue, as shown in Figure 10-35. Acknowledge the message shown in
Figure 10-40.


Figure 10-40. CCS Installation Dialog Box - Detected Errors in DC Health Log File

44. Click Next. The dialog box shown in Figure 10-41 is displayed. Click Apply.

Figure 10-41. Setting Up the Platform for an Enterprise Edition Control Core Services Installation

When the Active Directory is ready to be configured, a DOS window is displayed.
During this stage, it is normal to see detected errors indicating that the Active
Directory is not yet functional. The Active Directory verification process attempts to
make the directory functional, and then proceeds to the next step of configuring the
Active Directory.

Figure 10-42. Active Directory Verification Process

A command prompt is displayed while the Active Directory settings are being applied.

Figure 10-43. Active Directory Configuration in Progress

45. After the configuration of Active Directory is complete, the command prompt shows
if the process completed successfully, or with detected errors. The command prompt
also shows the path to the log file which is:
c:\windows\temp\2008On_or_OffMesh_to_2016OffMeshPDC_Config.log
Then the command prompt waits for any key to be pressed to proceed further.
Press <Enter> to dismiss the command prompt.

Figure 10-44. Active Directory Configuration Complete

NOTE
If this command prompt indicates there are any detected errors, save the indicated
log file to an external drive for any possible analysis by Schneider Electric. Then
reimage the server and start the installation again.


46. When the focus returns to the Installation window, click Done.

Figure 10-45. Setting Up Platform for CCS Installation Screen with Done Button Enabled

47. Optionally, if you already have Server 2008 domain controllers on the system, we
recommend that you decommission these domain controllers. Refer to sections
“Removing Domain Controller Functionality from a Workstation” on page 527 and
“Forcefully Removing a Domain Controller from Active Directory” on page 532 in
Appendix C “Secondary Domain Controllers in a Foxboro Evo System” for instructions
on decommissioning domain controllers. Also refer to the sections “Cleanup
Procedure of Windows Server 2008 R2 PDC with Windows Server 2003 SDC References”
on page 589, “How to Cleanup Active Directory After Domain Controller
Demotion” on page 591, and “How to Cleanup Domain Controllers That Are Not
Decommissioned” on page 595 in Appendix K “Troubleshooting PDC Migration” for
additional instructions.
48. Optionally, we also recommend that you install Server 2016 based Secondary domain
controllers at this point. Refer to Chapter 5 “Enterprise Edition Control Core
Services v9.4 Installation for New Off-Control Network Domain Controllers” for
instructions.


49. If you had custom GPOs, then you must fix the linking order of those GPOs. Contact
the Cyber Security Team for more information. Also refer to
Appendix P “Linking Custom GPOs to Any CCS/CS Specific OUs”.

NOTICE
POTENTIAL DATA LOSS

At this point the default Administrator account (which is internally
renamed as IAManager) on the PDC is disabled due to security
reasons. You will be unable to log in with this account on the PDC. The
only domain administrator at this point will be the IADomainAdmin
user.

If you want to enable the Administrator (aka IAManager) on the PDC,
you can use the Active Directory Users and Computers console to enable
the user.

Failure to follow these instructions can result in data loss.

The installation procedure for the domain controller is finished.
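
Steps 36 to 38 above (inspect the five event logs, then save and clear them before clicking Verify) can be scripted. The PowerShell below is an added example, not part of B0700SX or of the Schneider Electric installer; the 24-hour review window, the export folder and the parameter names are assumptions.

```powershell
# Added example, not part of B0700SX. Run in an elevated PowerShell session on the
# new Windows Server 2016 domain controller after the wait in step 35.
param(
    [int]$HoursBack = 24,                                # assumed review window
    [string]$ExportDir = 'C:\Temp\PreVerifyEventLogs',   # assumed export folder
    [switch]$ClearAfterExport                            # step 38: only once findings are judged ignorable
)

# The five event logs listed in step 36.
$logs = 'System', 'Active Directory Web Services', 'DFS Replication',
        'Directory Service', 'DNS Server'

$since = (Get-Date).AddHours(-$HoursBack)
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

foreach ($log in $logs) {
    if (-not (Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue)) {
        Write-Warning "Event log '$log' is not present on this server; skipping."
        continue
    }

    # Level 1 = Critical, 2 = Error, 3 = Warning. "No events found" is reported as a
    # non-terminating error, so it is silenced and yields an empty array.
    $filter = @{ LogName = $log; Level = 1, 2, 3; StartTime = $since }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    Write-Host ("`n=== {0}: {1} critical/error/warning event(s) since {2:yyyy-MM-dd HH:mm} ===" -f
        $log, $events.Count, $since)

    # Collapse repeats so that one noisy event ID does not hide the others.
    # Get-WinEvent returns newest events first, so Group[0] is the latest occurrence.
    $events | Group-Object ProviderName, Id | Sort-Object Count -Descending |
        Select-Object -First 10 -Property Count,
            @{ Name = 'Provider, EventId'; Expression = { $_.Name } },
            @{ Name = 'Latest'; Expression = { $_.Group[0].TimeCreated } },
            @{ Name = 'FirstLineOfMessage'; Expression = { ("$($_.Group[0].Message)" -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap | Out-Host

    # Step 38: save the log before anything is cleared.
    $file = Join-Path $ExportDir ("{0}_{1}.evtx" -f ($log -replace '\s', '_'), $stamp)
    wevtutil epl $log $file
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of '$log' failed (exit code $LASTEXITCODE); the log was left untouched."
        continue
    }
    Write-Host "Saved to $file"

    if ($ClearAfterExport) {
        wevtutil cl $log
        if ($LASTEXITCODE -eq 0) { Write-Host "Cleared '$log'." }
        else { Write-Warning "Could not clear '$log' (exit code $LASTEXITCODE)." }
    }
}
```

Run it once without -ClearAfterExport to review the findings, and a second time with the switch only after the remaining entries have been judged ignorable.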

Post-Installation Steps on Control Core Services Client Workstations
For the existing domain clients, proceed as follows:
1. Right-click the Network icon on the taskbar, and click Open Network and Sharing
Center. In the Network and Sharing Center window, click Change Adapter
settings.
1. Open the Internet Protocol (TCP/IP) Properties dialog box for the Off-Control Network
interface card. See Figure 10-47.


Figure 10-46. Adapter Properties Dialog Box

2. In the adapter’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Properties.
The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 10-47.


Figure 10-47. Internet Protocol (TCP/IP) Properties Dialog Box

3. If there are one or more Secondary Domain Controller(s), continue as follows:


a. Click the Advanced button to open the Advanced TCP/IP settings dialog box.
b. Click the DNS tab.
c. In the section “DNS server addresses, in order of use:”, remove any existing IP
addresses.
d. Add IP addresses in the order of PDC, SDC1, SDC2, and so on.

NOTE
Use the Add… button repeatedly to add these IP addresses.

e. Close all dialog boxes.

NOTE
If the existing Windows 2008 PDC is downgraded or removed from the domain/network,
then the IP address related to that system has to be deleted from the DNS list.


Continuing Installation
NOTE
For the domain clients migrated from a domain with I/A Series software
v8.5/8.6/8.7 to a domain with Control Core Services v9.4, it may be necessary to
move the migrated domain client’s object in Active Directory before beginning the
client’s installation procedure.

After restarting the station following the Control Core Services software installation, you can
install McAfee Products Endpoint Protection on your PDC. Only install this software on one
domain controller in the system. Install this software according to Installation and Configuration of
the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
Re-enable any anti-malware software such as McAfee ENS that is installed on the PDCs, SDCs
and domain clients if not already enabled.
Proceed to Chapter 4 “Enterprise Edition Control Core Services v9.4 Installation for New
On-Control Network Domain Controllers” for the installation procedure for the domain clients.

11. Migrating an On-Control Windows Server 2003 Domain Controller to a New Windows 2016 Primary Domain Controller on an On- or Off-Control Network
This chapter describes the procedure to migrate an existing On-Control Network Primary
Domain Controller (PDC) with Windows Server 2003 running I/A Series software v8.5-8.7 to
a new On/Off-Control Network Primary Domain Controller with Windows Server 2016.
The domain controller migration from Windows Server 2003 to Windows Server 2016 is a
two-step process.
1. Migrate from Windows Server 2003 to Windows Server 2008
2. Migrate from Windows Server 2008 to Windows Server 2016
Each of the steps is described in detail below.

Migrate from Windows Server 2003 to Windows Server 2008
The following migration paths are possible in this step.

Source Domain Controller          Target Domain Controller           Instructions for Migration
On-Control Windows Server 2003    On-Control Windows Server 2008     Refer to user guide B0700SU, Chapter 7
On-Control Windows Server 2003    Off-Control Windows Server 2008    Refer to user guide B0700SU, Chapter 8


NOTICE
POTENTIAL DATA LOSS

• We advise that the linking order of any non-Schneider Electric
custom GPOs be documented prior to proceeding further as
this installation is likely to change the linking order of such
GPOs. After the installation is completed, you may change the
linking order of such custom GPOs to meet your operational
requirement. While doing so, it is important to ensure that the
relative linking order of Schneider Electric's GPOs is not changed.
Changing the relative linking order of Schneider Electric's GPOs
might lead to unpredictable product behavior. Refer to
Appendix P “Linking Custom GPOs to Any CCS/CS Specific OUs”.
• During the migration process, some existing Schneider Electric-provided
GPOs will change. As a result, changes to the GPO
will be overwritten. It is recommended that you back up any
Schneider Electric-provided GPOs that were changed after the
original installation.

Failure to follow these instructions can result in data loss.

NOTE
Once the migration process is complete, the target Windows Server 2016 server will
assume the role of Primary Domain Controller. The Server 2008 Domain Controller
which was a Primary Domain Controller assumes the role of a Secondary
Domain Controller (SDC) after the successful completion of migration. However,
after the migration, you can choose to decommission the Server 2008 Domain
Controller.

NOTICE
POTENTIAL DATA LOSS

The migration procedure outlined in this chapter should be run only
once, against the source Windows Server 2008 PDC. If you wish to
upgrade any Windows Server 2008 Secondary Domain Controllers
(SDCs) to Windows Server 2016, you must first remove them from the
domain. Then rebuild them.

Failure to follow these instructions can result in data loss.


If you have any custom GPOs, document the linking order of those GPOs.
For example, take a screenshot of the current linking order at every OU, as shown in this figure.

Figure 11-1. Linking Order of GPOs for the Accounts OU

Items to Verify After Migrating to Windows Server 2008 and Before Migrating to Windows Server 2016
1. Confirm any Windows Server 2003 based SDCs are decommissioned. For the procedure
to demote a domain controller, refer to “Removing Domain Controller Functionality
from a Workstation” on page 527 in Appendix D.
2. Confirm all the SDCs are connected to the domain and are online.
3. If, for some reason, any of the domain controllers (SDC/PDC) were taken out without
following the correct procedure outlined in “Removing Domain Controller
Functionality from a Workstation” on page 527 in Appendix D, then you will need to
forcibly remove the remnants of such domain controllers from the Active Directory
database. To do this, follow the instructions in “How to Cleanup Domain Controllers
That Are Not Decommissioned” on page 595 in Appendix L.
4. Clean up any Windows Server 2003 SDC references from Active Directory. To do
this, follow the instructions in “Cleanup Procedure of Windows Server 2008 R2 PDC
with Windows Server 2003 SDC References” on page 589 in Appendix L.
5. Clean up the DNS records of the domain controllers that are removed forcibly or
decommissioned. To do this, follow the instructions in “How to Cleanup DNS” on
page 596 in Appendix L.
6. At this point, the only domain controllers (PDC/SDC) in the system should be based
on Windows Server 2008, and none of the FSMO roles should be held by any of the
removed/decommissioned domain controllers. The FSMO roles should be held by the
active Windows Server 2008 domain controllers.
7. Disable the “Certificate Path Validation Settings” setting from the IA Computers v1.0
GPO. Without doing this, migration to Server 2016 will not succeed. Instructions for
this are documented in Appendix L “Pre-Migration Settings for PDCs with
Pre-Control Core Services v9.3”.
8. In case any step does not succeed during migration to Server 2016, it is not
recommended to remove the ability for local logon for the Account1 user from the
target Server 2016 PDC. Perform the steps outlined in
“Helping to Avoid the Loss of Logon Ability for Account1” on page 611.
9. Because the migration process will not address GPO settings, follow the steps
outlined in Appendix O “Verifying Group Policy Settings Before Migration” to import
any missing settings from the existing GPOs.
10. Take a backup of any GPOs that have been changed/customized. This is because some
of the GPOs will be changed during migration.
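
Items 2 and 6 of the list above (every domain controller online, every remaining domain controller on Windows Server 2008, no FSMO role left on a removed machine) can be checked in one pass. The PowerShell below is an added example, not part of B0700SX; it assumes the ActiveDirectory module is available on the machine where it runs and that a domain controller answers the module's queries, and it treats a reply to one ping as "online".

```powershell
# Added example, not part of B0700SX. Assumes the ActiveDirectory PowerShell module
# is installed and the account can read the directory.
Import-Module ActiveDirectory -ErrorAction Stop

# Item 6 expects every remaining DC to run Windows Server 2008. The wildcard also
# matches "Windows Server® 2008 ..." and "Windows Server 2008 R2 ...".
$expectedOs = 'Windows Server*2008*'

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter *)

# Items 2 and 6: one row per domain controller known to Active Directory.
$dcReport = foreach ($dc in $dcs) {
    $online = $false
    if ($dc.HostName) {
        # Assumption: ICMP echo is allowed between this machine and the DCs.
        $online = [bool](Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet -ErrorAction SilentlyContinue)
    }
    New-Object PSObject -Property @{
        HostName        = $dc.HostName
        OperatingSystem = $dc.OperatingSystem
        OsExpected      = ($dc.OperatingSystem -like $expectedOs)
        Online          = $online
        FsmoRoles       = ($dc.OperationMasterRoles -join ', ')
    }
}

# The five FSMO roles: two are forest-wide, three are per domain.
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

$problems = @()
foreach ($role in $roles.GetEnumerator()) {
    $holder = $dcReport | Where-Object { $_.HostName -eq $role.Value }
    if (-not $role.Value) {
        $problems += "$($role.Key): the role holder could not be read (possible remnant of a removed DC)."
    } elseif (-not $holder) {
        $problems += "$($role.Key): held by $($role.Value), which is not in the current DC list."
    } elseif (-not $holder.OsExpected) {
        $problems += "$($role.Key): held by $($role.Value) running '$($holder.OperatingSystem)'."
    } elseif (-not $holder.Online) {
        $problems += "$($role.Key): held by $($role.Value), which did not answer a ping."
    }
}
foreach ($dc in $dcReport) {
    if (-not $dc.OsExpected) { $problems += "DC $($dc.HostName) runs '$($dc.OperatingSystem)', not Windows Server 2008." }
    if (-not $dc.Online)     { $problems += "DC $($dc.HostName) did not answer a ping." }
}

$dcReport | Select-Object HostName, OperatingSystem, OsExpected, Online, FsmoRoles |
    Format-Table -AutoSize | Out-Host

if ($problems.Count -eq 0) {
    Write-Host 'All FSMO roles are held by online domain controllers running the expected OS.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```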

Migrate from Windows Server 2008 to Windows Server 2016
These migration paths are possible in this step.

Source Domain Controller           Target Domain Controller           Instructions for Migration
On-Control Windows Server 2008     On-Control Windows Server 2016     Refer to Chapter 7 in this user guide
On-Control Windows Server 2008     Off-Control Windows Server 2016    Refer to Chapter 8 in this user guide
Off-Control Windows Server 2008    On-Control Windows Server 2016     Refer to Chapter 9 in this user guide
Off-Control Windows Server 2008    Off-Control Windows Server 2016    Refer to Chapter 10 in this user guide

12. Enterprise Edition Control Core Services v9.4 Installation for Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-9.4 Domain Clients to Existing Off-Control Network Networks
This chapter describes procedures to install Enterprise Edition Control Core Services v9.4 on
your domain clients and connect them to the appropriate On-Control Network or Off-Control
Network domain controller. It also describes how to connect an existing domain client with
I/A Series software v8.5-v9.4 to an existing Off-Control Network domain controller.

Workstation/Server Preparation
This section applies to the Windows 10 and Windows Server 2016 Standard stations that are
being installed as domain clients. The domain client may be connected to a domain controller
either on the Foxboro Evo Control Network (which is a dedicated Foxboro maintained network,
hereafter known as “the control network”) or on another network (either an “Off-Control
Network” or an “Auxiliary Communication Network (ACN)” - this procedure is for “Off-Control
Networks” - refer to the virtualization manuals for connections to ACNs).
Dialog boxes on these two types of platforms may differ slightly, but will be functionally identical,
with minor exceptions as documented below.
Perform the following steps to set up the hardware and restore the operating system onto your
workstation:

NOTE
If this is a new station shipped from the Schneider-Electric factory with the V9.4
Restore image identified by the media kits in Table 1-2 and verified in your
workstation’s H-code, proceed to “Notes for Installing Control Core Services” on
page 387. If not, continue following the steps in this section.

1. Install hardware, restore the Windows operating system, and update drivers for your
workstation or server. Perform the following:


a. Refer to Control Core Services v9.4 Release Notes (B0700SY) to check that your
hardware meets the hardware requirements specific to the V9.4 release. For
instructions on installing memory upgrades, PCI cards, and so forth, refer to the
“Installing Hardware Upgrades” chapter of the hardware and software specific
instruction document shipped with your workstation or server.
b. If the server is new from factory with the Server 2016 image then skip this step.
Otherwise using the V9.4 Restore Media, restore the Windows operating system
on your workstation or server. Follow the instructions of Appendix A “Startup
Options”.

NOTE
Only use the media kits listed in Table 1-2 to restore the operating system of a
station with Control Core Services v9.4.

With the exception of step d below, it is inadvisable to follow the instructions for
installing Control Core Services from your hardware specific instruction manual.
Follow the software installation procedure below.

c. Set the time and date. Perform the following:


♦ Open the Windows Date and Time applet by clicking Control Panel ->
Date and Time.
♦ Click the Change Date and Time button.
♦ Adjust the date and time.
♦ Click OK.
♦ Click the Change time zone button.
♦ Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
♦ Click OK.

NOTE
While installing an Active Directory domain client, it is vital to check that the UTC
system time matches the UTC system time on the domain (as viewed on the PDC).
The date and time have to match, though the time which Windows displays may
differ if the time zones are not the same on the two stations.
Be careful when changing the time zone prior to adjusting the system time as this
can cause the AM/PM setting to change.
Also, be aware that the checkbox included for some time zones which defines
whether or not the time will be automatically adjusted for Daylight Saving Time
can cause the system time to differ by an hour.

d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the hardware and software specific instruction
document shipped with the station.
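
The NOTE in step 1.c asks for the UTC system time of the station to match that of the domain, whatever the displayed time zone. The PowerShell below is an added example, not part of B0700SX: it prints the local time, UTC time and DST settings, then measures the clock offset to the PDC with w32tm. The parameter names and the 60-second tolerance are assumptions, and it presumes the PDC answers time queries from this station.

```powershell
# Added example, not part of B0700SX. Run on the station before it is joined to the domain.
param(
    [Parameter(Mandatory = $true)]
    [string]$Pdc,                      # PDC name or static IPv4 address, supplied by you
    [int]$Samples = 3,
    [double]$MaxOffsetSeconds = 60     # assumed tolerance; B0700SX only says the times have to match
)

$tz  = [TimeZoneInfo]::Local
$now = Get-Date
Write-Host ("Local time        : {0:yyyy-MM-dd HH:mm:ss}" -f $now)
Write-Host ("UTC time          : {0:yyyy-MM-dd HH:mm:ss}" -f $now.ToUniversalTime())
Write-Host ("Time zone         : {0}" -f $tz.DisplayName)
Write-Host ("DST in effect now : {0}" -f $tz.IsDaylightSavingTime($now))

# The "automatically adjust clock for Daylight Saving Time" checkbox is stored as
# DynamicDaylightTimeDisabled (1 = checkbox cleared).
$tzKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
$dstOff = (Get-ItemProperty -Path $tzKey -ErrorAction SilentlyContinue).DynamicDaylightTimeDisabled
Write-Host ("Automatic DST adj.: {0}" -f $(if ($dstOff -eq 1) { 'disabled' } else { 'enabled' }))

# w32tm compares the two clocks over NTP, so time zone and DST display settings do
# not affect the result. Sample lines look like "10:15:02, +00.0123456s".
$raw = & w32tm /stripchart "/computer:$Pdc" "/samples:$Samples" /dataonly 2>&1
$offsets = @(foreach ($line in $raw) {
    if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') {
        [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
    }
})

if ($offsets.Count -eq 0) {
    Write-Warning "No time samples received from $Pdc. Compare date, time and AM/PM on both stations manually."
    $raw | ForEach-Object { Write-Host "  $_" }
    return
}

# Use the median so that one delayed reply does not skew the verdict.
$sorted = @($offsets | Sort-Object)
$median = $sorted[[int][math]::Floor($sorted.Count / 2)]
Write-Host ("Clock offset to {0}: {1:N3} s (median of {2} sample(s))" -f $Pdc, $median, $sorted.Count)

if ([math]::Abs($median) -le $MaxOffsetSeconds) {
    Write-Host 'UTC clocks match within the chosen tolerance.'
} else {
    Write-Warning ("UTC clocks differ by {0:N0} s. Correct the date, time, AM/PM or time zone before joining the domain." -f [math]::Abs($median))
}
```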


Notes for Installing Control Core Services
Before you install Control Core Services, check that the station is physically connected to the
control network and that the PDC is on-line and attached to the control network or a secondary
(non-Foxboro) network for an Off-Control Network PDC.
If the PDC is on the control network, check the station is disconnected from any secondary
(non-Foxboro) networks (with the exception of the ACN if used). However, these network cards
have to have their adapters enabled (i.e. not disabled).

NOTE
In Control Panel -> Network Connections, which lists the available NICs, it is
inadvisable to change the name of any “Local Area Connection x” network connection.
This can result in software installation issues or system instability.

NOTE
On servers with the Windows Server 2016 Standard operating system, it is
recommended that no roles be added to the system which are not necessary for the
operation of the server. Adding unnecessary roles (for example, adding the Remote
Desktop Services role when the server is not to be used as a remote session host) can
create cyber-security weaknesses in the overall system.

NOTE
Use the IAInstaller account for the installation tasks. However, due to the
permissions assigned to IAInstaller, it is inadvisable to use it for any other role, such
as operation of the domain controllers.

Changing the Station Name


The Windows workstation or server name has to match the workstation or server letterbug name
as it was configured in SysDef and saved onto your Commit installation media before you install
the Control Core Services. For instructions on modifying the computer name of your workstation
or server, refer to Appendix B “Changing the Station Name”.

Installation Procedures
Before performing this installation, disable any antivirus software that is installed.
The following installation procedures are provided:
♦ “Installation Procedure (On The Control Network)” on page 388 - for domain clients
with Control Core Services v9.4 on the control network
♦ “Installation Procedure for Clients of New Off-Control Network Domain
Controllers” on page 407 - for domain clients with Control Core Services v9.4 on a new
Off-Control Network
♦ “Installation Procedure for Pre-Existing Domain Clients (I/A Series Software v8.5-
v8.7) to Existing Off-Control Network Domain Controllers” on page 430 - for
pre-existing domain clients with I/A Series software v8.5-v8.7 on an existing Off-Control
Network.

Installation Procedure (On The Control Network)


Proceed as follows:
1. Check that the Primary Domain Controller (for this domain client) has been installed
and is attached to the control network.
2. Check that the domain client’s object is under IA Computers Organizational Unit
(OU) in the Active Directory.
3. Check that the domain client workstation is attached to the control network.
4. Unplug any non-control network cables.
5. Install Local Group Policies appropriate to OS of the client. Refer to Chapter 17
“Local Group Policy Installation”.
6. Install Anti-Malware software such as McAfee ENS. Refer to Installation and
Configuration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
7. If McAfee ENS is installed, ensure the following McAfee ENS components are up to
date. Refer to Installation and Configuration of the McAfee ENS 10.5.2 with ePO 5.9.1
(B0700VW).
♦ ENS AMCore DAT file
♦ Exploit Prevention Content
8. Run a full scan of the system to help ensure no viruses are present in the system before
work begins.
9. Disable Anti-Malware software such as McAfee ENS. Refer to Installation
and Configuration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
10. Insert the DVD labeled “Foxboro Evo Control Core Services v9.4 Windows 10/Server
2016 Day 0 DVD” (K0177BP).
11. Navigate to the DVD drive and double-click setup.exe.

NOTE
If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the station using the proper V9.4 Restore
media. (See page 6.)

12. When the UAC prompt appears, click Yes.


Figure 12-1. UAC Prompt for IASeries.SecureSetup.exe


13. A dialog box appears that allows you to select whether you are installing Local Edition
Control Core Services or for an Enterprise Edition system. Select Install Enterprise
Edition Control Core Services and Control Core Services (CCS) Client:

Figure 12-2. Selecting to Install an Active Directory Client

NOTE
Click Cancel in any screen during the installation to stop the installation procedure.
The installation can be resumed from where it was stopped by relaunching the
Setup.exe.

14. Click Next.


15. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 12-3. Select the Use an On-CONTROL Domain Controller
radio button. Click Load to load the committed configuration files.

Figure 12-3. Load Committed Configuration Install Files

NOTE
The browser for the folder containing the committed configuration install files opens,
as shown in Figure 12-4. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder.


Figure 12-4. Installation Media Folder Browser

16. Once the installation files have been loaded, click Bind as shown in Figure 12-3 to
launch the I/A Series Network Installation dialog box (Figure 12-5).
17. The dialog box shown in Figure 12-5 is displayed if the network configuration from
System Definition does not match the available NIC hardware.
If this dialog box is not displayed, the NIC cards have been automatically configured.
Proceed to the next step.


Otherwise, proceed as follows:


♦ For an On-Control Network domain client, the dialog box, shown in Figure 12-5,
asks you to select the NICs to be connected to the Foxboro network. Select the
two network cards and click Next.

NOTE
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation.

Figure 12-5. I/A Series Network Installation Dialog Box (For Certain NIC Cards)
(figure callout: NIC Adapter Device Number)
NOTE: The I/A Series Network Installation dialog box in Figure 12-5 is for an On-Control Network
domain client, and is provided to illustrate the concept of the NIC Adapter Device Number only.

NOTE
For help in determining the correct network adapter(s) to select, click the Start
button and then select Settings -> Network & Internet -> Change Adapter
Settings. The Network Connections dialog box appears as shown in Figure 12-6.
Identify the NIC adapter device number for the NIC to be connected to the
Domain Controller’s network (in optimal cases, it has an entry in the Connectivity
column).
Be advised that the NIC Adapter Device Number indicated in Figure 12-5 aligns
with the NIC Adapter Device Number shown in Figure 12-6. It is not advisable to
confuse this with the Local Area Connection number (shown in Figure 12-6).


Figure 12-6. Network Connections - Local Area Connection vs. NIC Adapter Device Number
(figure callouts: Local Area Connection Number; NIC Adapter Device Number; indicates if there is
a physical cable connection to this NIC)

18. The Configure User Accounts dialog box appears. This dialog box allows you to
change the factory configured password for Account1. Enter a new password in the
Password text box and re-enter the same password in the Confirm PW text box. Then
click Configure.


Figure 12-7. Configure User Accounts

19. Click Next.


20. Confirm the PDC is pingable from this server using the on-control static IPv4 address
assigned to the PDC. If it is not, you may have to cancel the installation, reboot the
server and then reattempt the ping. If the ping works after the reboot, restart the
installation and proceed to next step.


Figure 12-8. PDC Pingable with On-Control Network Static IP Address

21. The Ready to connect this workstation to the Control Core Services domain dialog
box appears as shown in Figure 12-9.
♦ Enter the name (letterbug) of the domain controller server.
♦ In the “Authorized Account” text box, change the domain name to
<domainname>\IaInstaller where <domainname> is the actual domain name specified
during PDC installation.
♦ In the “Authorize Password” text box, enter the password for the IAInstaller user.
♦ Click the Authorize button.

NOTE
Before clicking the Authorize button, confirm the server’s time and timezone match
with that of the PDC.


Figure 12-9. Ready to Connect This Workstation to the CCS Domain

22. If the local system time does not match the PDC system time, the dialog box shown
in Figure 12-10 appears. Click OK. Fix the local system time to match the PDC time
(see “Workstation/Server Preparation” on page 385) and re-click Authorize.


Figure 12-10. Resetting UTC Date

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 12-11 is displayed. It is vital that you check that the
local and remote system times match (including date, time, AM/PM) before continuing.
Be advised that the checkbox displayed for some time zones, which allows the system
to automatically adjust for Daylight Saving Time, can affect the time displayed by
the system by one hour.

Figure 12-11. Unable to Determine Local Time

NOTE
If, after connecting the domain client to a Control Core Services domain, the
software installation does not continue after the reboot, the system time may not
have been set correctly. Refer to “Setting Time Correctly Software Installation Cannot
Continue After Reboot (SDC or Domain Client)” on page 577 to correct this.

23. Click Next.


24. If a Secondary Domain Controller (SDC) is planned for this Control Core Services
system, select the SDC from the “Select the Secondary Domain Controller Stations”
drop-down list and click Set. If no SDC station is planned, click Skip.

Figure 12-12. Select SDCs from List

25. Confirm the PDC is pingable from this server using the on-control static IPv4 address
assigned to the PDC. If it is not, you may have to cancel the installation, reboot the
server and then reattempt the ping. If the ping works after the reboot, restart the
installation and proceed to the next step.


Figure 12-13. PDC Pingable with On-Control Network Static IP Address

26. Confirm that the nslookup command shows the on-control PDC’s fully qualified
domain name or the domain name and its IPv4 address, as shown in Figure 12-14. If
the nslookup command shows the desired result, proceed to the next step.

Figure 12-14. nslookup Command

NOTE
If the nslookup command does not show the On-Control Network PDC name or
the domain name, then the DNS resolution is not working correctly. Follow these
steps:
- Verify that the client’s REDL network adapter has the first DNS address pointing to
the PDC (for instance, the PDC’s on-control IP address).
- Cancel the installation.
- Reboot the client.
- Restart the installation.

27. Confirm that the domain name is pingable from the client (Figure 12-15).


Figure 12-15. Domain Name Pingable

28. Fill in the name of the host domain (foxboro.local is the default) and click
Connect.

Figure 12-16. Click Connect Button

29. If the workstation is successfully connected to the domain, the dialog box shown in
Figure 12-17 appears. Click Reboot.

Figure 12-17. Schneider Electric CCS Install: Workstation Reboot Request Dialog Box

The dialog box in Figure 12-18 indicates that the server will be rebooted.


Figure 12-18. You Are About To Be Logged Off Dialog Box

30. When the station reboots, log into the domain using the “IA Installer” account.
31. After a few minutes, the installation restarts automatically. Click Next and then
Install to run the installation process as shown in Figure 12-19.

Figure 12-19. InstallShield Wizard for Foxboro Evo Control Core Services

NOTE
In some cases, the installation is not able to restart automatically after logging in
with the IA Installer account. If the installation does not restart automatically, it can
be resumed manually by executing setup.exe directly from the DVD drive.


Figure 12-20. Reboot or Logoff Requested

32. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 12-21 is displayed.
To install this package, insert the first OS1FDB package diskette and click Load. After
the first disk has been loaded, insert the second OS1FDB package diskette and click
Load.
To bypass the installation of this package, click Skip. The installation continues, but
this dialog box is displayed again for each of the OS1FDB stations configured on this
Foxboro station.

NOTE
This will occur one time for each OS1FDB station configured.


Figure 12-21. Installation Media Dialog Box

33. If you selected Load, the media folder browser opens.

Figure 12-22. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button.
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette has to be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.


34. If you selected Use Diskette in the previous step, the dialog box in Figure 12-23
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
has to be inserted in drive A:\.

Figure 12-23. Installation Media Dialog Box - For Diskettes

35. Click Finish when the installation process is finished.


At the end of the installation, the installation log is displayed.
You can view the installation log at any time by clicking the Start button and selecting
Foxboro Core Service -> Log Viewer.


Figure 12-24. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.
36. Proceed to “Completing the Domain Client Installation” on page 435.

NOTE
On Windows 10 and Windows Server 2016 domain clients, the default administrator,
which is internally renamed to IAManager, is disabled by the end of client installation
for cyber-security reasons. The only administrator available for local login will
be “Account1”.


Installation Procedure for Clients of New Off-Control Network Domain Controllers

NOTE
It is inadvisable to set up the Off-Control Network NIC manually prior to install-
ing the Control Core Services. This will be handled automatically during the instal-
lation.

This procedure is for adding domain clients to new Off-Control Network domain controllers.
Proceed as follows:
1. In optimal conditions, these steps have already been performed as part of server
preparation. However, it is good practice to check again that the following have been
completed:
a. Check the PDC for this domain client has been installed and is attached to the
secondary (non-Foxboro) network.
b. Check that the domain client’s object is under IA Computers Organizational Unit
(OU) in the Active Directory.
c. Check the domain client is attached to the control network.
d. Check the domain client is attached to the secondary (non-Foxboro) network.
2. Install Local Group Policies appropriate to OS of the client. Refer to Chapter 17
“Local Group Policy Installation”.
3. Install anti-malware software such as McAfee ENS. Refer to Installation and Configu-
ration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
4. If McAfee ENS is installed, ensure the following McAfee ENS components are up to
date:
♦ ENS McAfee DAT file
♦ Exploit Prevention Content
5. Run a full scan of the system to help ensure no viruses are present in the system before
work begins.
e. Disable anti-malware software such as McAfee ENS. Refer to Installation and Con-
figuration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).
6. Insert the DVD labeled “Foxboro Evo Control Core Services v9.4 Windows 10/Server
2016 Day 0 DVD” (K0177BP).
7. Navigate to the DVD drive and double-click setup.exe.

NOTE
If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the server using the proper Control Core Services
v9.4 Restore media. (See page 6.)

8. When the UAC prompt appears, click Yes.


Figure 12-25. UAC Prompt for IASeries.SecureSetup.exe


9. A dialog box appears that allows you to select whether you are installing Local Edition
Control Core Services or for an Enterprise Edition system.
♦ Select Enterprise Edition Control Core Services and Control Core
Services (CCS) Client as shown in Figure 12-26.
♦ Click Next.

Figure 12-26. Selecting to Install a Client in an Enterprise Edition System


10. The Load committed configuration install files dialog box appears as shown in
Figure 12-27.
Select the Use an Off-CONTROL Domain Controller radio button. Enter the IP
address for the Off-Control Network PDC. Enter the IP address and net mask for the
local Off-Control Network NIC card or select the Use DHCP checkbox. Click
Select.

Figure 12-27. Load Committed Configuration Install Files Dialog Box

NOTE
Control Core Services can only be installed to the D:\ drive.

NOTE
Click Load to load the committed configuration files.
The browser for the folder containing the committed configuration install files opens,
as shown in Figure 12-28. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder.


Figure 12-28. Installation Media Folder Browser


11. Once the Commit files have been loaded, click Bind as shown in Figure 12-29 to
launch the Control Core Services/I/A Series network installation.

Figure 12-29. Load Committed Configuration Install Files Dialog Box - Bind

NOTE
If after clicking the Bind button, the installation does not proceed and the Bind
button is still enabled, it is likely that the Off-Control Network NIC card was con-
figured with the desired IP address prior to running the Control Core Services
installation. If this is the case, reset the Off-Control Network NIC settings to use
DHCP and re-click the Bind button.


Figure 12-30. Load Committed Configuration Install Files Dialog Box - Detected Error Message if
Selected IP Address is Already In Use

NOTE
If after clicking the Bind button, the install does not proceed and the Load button
is enabled, it is likely that there is a mismatch in the configuration between your
NIC hardware and your network system configuration. Verify and fix the commit-
ted configuration install files as necessary and reload these install files in order to
continue.

12. The dialog box shown in Figure 12-31 is displayed. Select the onboard NIC that
communicates with the PDC and the SDC on the secondary network (that is, the
Off-Control Network NIC). This NIC was set up on page 410. Then click Next.

NOTE
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation. Refer to the explanation on page 393 for the difference between the
NIC adapter device number and the local area connection number for a NIC.


NIC Adapter Device Number

NOTE: DC Network Installation dialog box shown above is for an On-Control Network domain
client, and is provided to illustrate the concept of the NIC Adapter Device Number only.
Figure 12-31. DC Network Installation (For Certain NIC Cards)

NOTE
For help in determining the correct network adapter(s) to select, click the Start
button and then select Settings -> Network & Internet -> Change Adapter
Settings. The Network Connections dialog box appears as shown in Figure 12-32.
Identify the NIC adapter device number for the NIC to be connected to the
Domain Controller’s network (in optimal conditions, it has an entry in the Connectivity
column).
Note that the NIC Adapter Device Number indicated in Figure 12-31 aligns with
the NIC Adapter Device Number shown in Figure 12-32. Do not confuse this
with the Local Area Connection number (shown in Figure 12-32).


Figure 12-32. Network Connections - Local Area Connection vs. NIC Adapter Device Number
(callouts: Local Area Connection Number; NIC Adapter Device Number; indicator of whether there is a physical cable connection to this NIC)

13. Select the NIC(s) that communicate with the control network (that is, the On-Control
Network NICs). Then click Next.

Figure 12-33. I/A Series Network Installation (For Certain NIC Cards)

14. Click Next. The Configure User Accounts dialog appears as shown in
Figure 12-34. Enter a new password for Account1 in the Password text box and
re-enter the same password in the Confirm Password text box. Then click the
Configure button.


Figure 12-34. Configure Password for Account1 User

15. Confirm the PDC is pingable from this server using the off-control static IPv4 address
assigned to the PDC. If it is not, you may have to cancel the installation, reboot the
server and then reattempt the ping. If the ping works after the reboot, restart the
installation and proceed to the next step.


Figure 12-35. PDC Pingable from Client Using Off-Control Network Static IP Address

16. Click Next.


17. The Ready to connect this workstation to the Control Core Services/I/A Series
domain dialog box appears as shown in Figure 12-36.
♦ Enter the IP address of the domain controller server.
♦ In the “Authorized Account” text box, change the domain name to
<domainname>\IAInstaller where <domainname> is the actual domain name
specified during PDC installation.
♦ In the “Authorize Password” text box, enter the password for the IAInstaller user.
♦ Click the Authorize button.

NOTE
Before clicking the Authorize button, confirm the server's time and timezone match
with that of the PDC.

NOTE
There are instances in which “offmesh.local” will not be your domain, such as if
your domain controllers were migrated off of the control network.

NOTE
It may be necessary to use a different account in this dialog box if migrating to an
existing Off-Control Network domain. In this case, the Administrator account may
be necessary depending on how the “IA Installer” group member has been config-
ured.


Figure 12-36. Ready to Connect This Workstation to the Control Core Services Domain Dialog Box

18. If the local system time does not match the PDC system time, the dialog box shown
in Figure 12-37 appears. Click OK. Fix the local system time to match the PDC time
(see “Workstation/Server Preparation” on page 385) and re-click Authorize.


Figure 12-37. Resetting UTC Date

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 12-38 is displayed. It is vital to check that the local
and remote system times match (including date, time, AM/PM) before continuing.
Be advised that the checkbox displayed for some time zones, which allows the system
to automatically adjust for Daylight Saving Time, can affect the time displayed by the
system by one hour.

Figure 12-38. Unable to Determine Local Time

19. Click Next.


20. If SDC stations are planned for this Control Core Services system, follow these sub-
steps. Otherwise, click the Skip button and proceed to the next step.
a. Expand the drop-down list from the “Select the Secondary Controller Domains”
selection.
b. Select the option “Add Off-Mesh”.


Figure 12-39. Add Off-Mesh SDC During Client Install

c. The “Collecting SDC Machine Info” dialog box appears as shown in
Figure 12-40. Add the IP addresses of the SDCs one after the other using the
“add” hyperlink in the dialog box. After the IP addresses are added, click the Done
button in the dialog box.

Figure 12-40. Add SDC IP Addresses

d. Click the Set button.

Figure 12-41. Set Button Clicked

21. Confirm the PDC is pingable from this server using the off-control static IPv4 address
assigned to the PDC. If it is not, you may have to cancel the installation, reboot the
server and then reattempt the ping. If the ping works after the reboot, restart the
installation and proceed to the next step.


Figure 12-42. PDC Pingable with Off-Control Network Static IP Address

22. Confirm that the nslookup command shows the off-control PDC’s fully qualified
domain name or the domain name and its IPv4 address, as shown in Figure 12-43. If
the nslookup command shows the desired result, proceed to the next step.

Figure 12-43. nslookup Command

NOTE
If the nslookup command does not show the Off-Control Network PDC name or
the domain name, then the DNS resolution is not working correctly. Follow these
steps:
- Verify that the client’s REDL network adapter has the first DNS address pointing to
the PDC (for instance, the PDC’s off-control IP address).
- Cancel the installation.
- Reboot the client.
- Restart the installation.

23. Confirm that the domain name is pingable from the client (Figure 12-44).


Figure 12-44. Domain Name Pingable

24. Fill in the name of the host domain (offmesh.local is the default) and click
Connect. This value is pre-populated for you with the same value as the one present
in the “Provide information for the domain joining…” area.


Figure 12-45. Select a Host Domain for this Workstation and Click Connect Area

25. If the workstation is successfully connected to the domain, the message shown in
Figure 12-46 is displayed. Click Reboot.

Figure 12-46. Workstation Reboot Request

The dialog box in Figure 12-47 indicates that the station will be rebooted.


Figure 12-47. You Are About To Be Logged Off Dialog Box

26. When the station reboots, log into the domain using the “IAInstaller” account.
27. If the Workstation Reboot Request dialog box appears again (it will have text similar
to “A reboot or system logoff has been requested...”), click Finish.
Then you have to reboot the station manually. Click the Start button and click Shut
Down; select Restart from the pull-down menu and click OK.
After the station reboots, log into the domain using the “IAInstaller” account.
28. After a few minutes, the installation restarts automatically. In this case, you may have
to wait for a few minutes before the installation continues, and then click Next.

Figure 12-48. Welcome to the InstallShield Wizard for Foxboro Evo Control Core Services

If the installation does not continue automatically after a few minutes, navigate to the
DVD drive and double-click setup.exe. You may be prompted to set the IP Address
of the PDC, SDC, and local station again, as shown in Figure 12-27 “Load Committed
Configuration Install Files Dialog Box” on page 410, and to set the domain name
as shown in Figure 12-36 “Ready to Connect This Workstation to the Control Core
Services Domain Dialog Box” on page 418.
Then you may have to reload the committed configuration files as shown in
Figure 12-28 “Installation Media Folder Browser” on page 411. After these files have
been reloaded, the installation process continues.
Click Next, then click Install and finally when the installation is complete, click
Finish to close the installation process.

Figure 12-49. Rest of the Installation Process

29. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 12-50 is displayed.
To install this package, insert the first OS1FDB package diskette and click Load. After
the first disk has been loaded, insert the second OS1FDB package diskette and click
Load.
To bypass the installation of this package, click Skip. The installation continues, but
this dialog box is displayed again for each of the OS1FDB stations configured on this
Foxboro station.

NOTE
This will occur one time for each OS1FDB station configured.


Figure 12-50. Installation Media Dialog Box

30. If you selected Load, the media folder browser opens.

Figure 12-51. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button.
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette has to be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.


31. If you selected Use Diskette in the previous step, the dialog box in Figure 12-52
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
has to be inserted in drive A:\.

Figure 12-52. Installation Media Dialog Box - For Diskettes

NOTE
The DNS entries for the Off-Control Network NIC sometimes are not saved dur-
ing the domain client installation. After completing the Control Core Services
installation, but before rebooting the domain client, open the Off-Control Network
NIC card settings in the Internet Protocol Version 4 (TCP/IPv4) Properties dialog
box as follows:
Click the Start button, and then click Settings -> Network & Internet ->
Change Adapter Settings. Right-click on the adapter and click Properties.
In this same dialog box, select Internet Protocol Version 4 (TCP/IPv4) and
click Properties. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog
box, as shown in Figure 12-53, set the first DNS entry to be the IP address of the
Off-Control Network PDC station. Set the additional DNS entries to be the IP
addresses of the Off-Control Network SDC stations.


Figure 12-53. Setting Internet Protocol Version 4 (TCP/IPv4) Properties

At the end of the installation, the installation log is displayed.


You can view the installation log at any time by clicking the Start button and selecting
Foxboro Core Service -> Log Viewer.


Figure 12-54. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.
32. Proceed to “Completing the Domain Client Installation” on page 435.
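
The pre-join checks that both procedures above perform by hand (ping the PDC by its static IPv4 address, confirm with nslookup that DNS returns the PDC, confirm the adapter's first DNS server is the PDC, ping the domain name, and compare clocks) can be collected in one PowerShell pass before clicking Authorize or Connect. This is an added example, not part of the vendor's guide or installer. Assumptions: the function name, parameters and sample values are hypothetical, the PDC is assumed to answer NTP queries from w32tm, and the 300-second default reflects the five-minute tolerance this chapter states for pre-existing domain clients.

```powershell
# Added example, not vendor code. Test-DomainJoinReadiness and its parameter
# names are hypothetical; run it on the domain client in Windows PowerShell 5.1.
function Test-DomainJoinReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PdcAddress,    # static IPv4 address of the PDC
        [Parameter(Mandatory)] [string] $DomainName,    # e.g. foxboro.local or offmesh.local
        [Parameter(Mandatory)] [string] $AdapterAlias,  # NIC that faces the domain controller
        [int] $MaxSkewSeconds = 300                     # five-minute tolerance (assumed default)
    )

    $r = [ordered]@{}

    # Check 1: the PDC answers ping on its static IPv4 address.
    $r['PdcPing'] = Test-Connection -ComputerName $PdcAddress -Count 2 -Quiet

    # Check 2: the first DNS server configured on the chosen adapter is the PDC.
    $cfg = Get-DnsClientServerAddress -InterfaceAlias $AdapterAlias `
               -AddressFamily IPv4 -ErrorAction SilentlyContinue
    $dns = @($cfg.ServerAddresses | Where-Object { $_ })
    $r['DnsServers']    = $dns -join ', '
    $r['FirstDnsIsPdc'] = ($dns.Count -gt 0 -and $dns[0] -eq $PdcAddress)

    # Check 3: DNS (not a local cache or hosts file) resolves the domain name
    # to a set of A records that includes the PDC. This stands in for reading
    # the nslookup output by eye.
    $a = @(Resolve-DnsName -Name $DomainName -Type A -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' })
    $ips = @($a | ForEach-Object { $_.IPAddress })
    $r['DomainARecords']      = $ips -join ', '
    $r['DomainResolvesToPdc'] = ($ips -contains $PdcAddress)

    # Check 4: the domain name itself is pingable from the client.
    $r['DomainPing'] = Test-Connection -ComputerName $DomainName -Count 2 -Quiet

    # Check 5: clock offset against the PDC, measured over NTP with w32tm.
    # With /dataonly a successful sample looks like "10:15:02, +00.0312345s";
    # a failed one carries "error: 0x..." and no offset.
    $raw = & w32tm.exe /stripchart "/computer:$PdcAddress" /samples:1 /dataonly 2>&1 |
               Out-String
    if ($raw -match ',\s*([+-]\d+\.\d+)s') {
        $skew = [math]::Abs([double]::Parse($Matches[1],
                    [cultureinfo]::InvariantCulture))
        $r['ClockSkewSeconds'] = [math]::Round($skew, 1)
        $r['ClockWithinLimit'] = ($skew -le $MaxSkewSeconds)
    }
    else {
        # Offset unknown: date, time and AM/PM must be compared by hand.
        $r['ClockSkewSeconds'] = $null
        $r['ClockWithinLimit'] = $null
    }

    # The NTP offset is time-zone independent, so report the local zone
    # separately for comparison with the PDC's time zone setting.
    $r['LocalTimeZone'] = (Get-TimeZone).Id

    [pscustomobject]$r
}

# Constructed sample values; substitute the site's PDC address, domain name
# and the alias of the NIC selected for the domain controller network.
Test-DomainJoinReadiness -PdcAddress '192.0.2.10' -DomainName 'offmesh.local' `
    -AdapterAlias 'Ethernet 2' | Format-List
```

A ClockWithinLimit value of $null means the offset could not be measured, which corresponds to the “Unable to Determine Local Time” dialog; compare the two clocks manually as described in the procedure.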


Installation Procedure for Pre-Existing Domain Clients (I/A Series Software v8.5-v8.7) to Existing Off-Control Network Domain Controllers
You can install a pre-existing domain client with I/A Series software v8.5-v8.7 and directly con-
nect it to an existing Off-Control Network domain as long as it has been migrated using the pro-
cedures detailed in one of the following chapters:
♦ Chapter 7 “Migrating an On-Control Windows Server 2008 Domain Controller to a
New Windows Server 2016 Primary Domain Controller on the On-Control
Network”
♦ Chapter 8 “Migrating an On-Control Windows Server 2008 Domain Controller to a
New Windows Server 2016 Primary Domain Controller on the Off-Control
Network”
♦ Chapter 9 “Migrating an Off-Control Windows Server 2008 Domain Controller to a
New Windows Server 2016 Primary Domain Controller on the On-Control
Network”
♦ Chapter 10 “Migrating an Off-Control Windows Server 2008 Domain Controller to
a New Windows Server 2016 Primary Domain Controller on the Off-Control
Network”.
Previously, Off-Control Network domains in I/A Series systems v8.5-8.7 were not supported.
However, you can use the installer on your existing CD labeled “I/A Series 8.5 XP Day 0
CD-ROM” (K0174GD) to attach the domain client to a migrated Off-Control Network domain in a
Control Core Services v9.4 system.
For the entire set of installation instructions, refer to the chapter “V8.5 I/A Series SE Software
Installation for a Domain Client” in I/A Series 8.5 Software Installation Guide (B0700SB), avail-
able through the Global Customer Support at https://pasupport.schneider-electric.com.
Proceed as follows:
1. Before running the installer on your pre-existing domain client, set up a connection to
the Off-Control Network and set the IP address and DNS settings for the Off-Con-
trol Network NIC as described below.
Open the Internet Protocol (TCP/IP) Properties dialog box for the domain client’s
Off-Control Network NIC card as follows:
a. On the desktop, right-click My Network Places, and click Properties.
b. In the Network and Connections dialog box, right-click the Off-Control Network
NIC card, and click Properties.
c. In the card’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Proper-
ties. The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 12-55.
d. In the Internet Protocol (TCP/IP) Properties dialog box, set the TCP/IP address
and DNS server address to match the network settings of the target PDC (that is,
the PDC with Control Core Services v9.4 for the Off-Control Network).
It is advisable for the preferred DNS server address to be the IP address of the
target PDC.


If your system has an SDC, add the IP address of the SDC to the Alternate DNS
server field.

Figure 12-55. Internet Protocol (TCP/IP) Properties Dialog Box - Off-Control Network
NIC Card

2. If the pre-existing domain client was not a part of the original I/A Series configuration
prior to the migration of the target PDC, it may be necessary to add the domain cli-
ent to Active Directory. On the target PDC, in Active Directory Users and Comput-
ers, check that there is a computer account for the pre-existing domain client in the
“Pre-8.8 IA Computers” OU as shown in Figure 12-56.


Figure 12-56. Adding Pre-Existing Domain Client (I/A Series Software v8.5) to Active Directory

3. Proceed with the installation instructions in “Installation Procedure” in the chapter
“V8.5 I/A Series SE Software Installation for a Domain Client” in I/A Series 8.5 Software
Installation Guide (B0700SB) through Step 16 (which, in the current draft, is the
step which reads as follows: “After completing network setup, click Next on the
I/A Series Software Installation dialog box”).


4. At Step 16, when the “Ready to connect this workstation to the I/A Series domain”
page appears as shown in Figure 12-57, in the Domain Controller Letterbug field,
enter the IP address for the target PDC.
Also enter:
♦ In the Domain Admin Account field, the domain name and domain administra-
tor account name (created during the domain client’s former PDC’s installation)
♦ In the Domain Admin Password field, the domain administrator password (set
during the PDC server installation)

Figure 12-57. Domain Client Installation – Ready to Connect

5. Click Authorize.


6. At this point, it is inadvisable to select any SDC stations. Select the Skip button when
prompted, as shown in Figure 12-58.

Figure 12-58. Connecting to the Control Core Services/I/A Series Domain

7. Click Connect.
8. A dialog box appears regarding the time on the domain client workstation matching
the time on the domain, as shown in Figure 12-59. Check that the date and time are
correct to within five minutes before continuing. Perform the instructions provided in
Step 21 of “Installation Procedure” in I/A Series 8.5 Software Installation Guide
(B0700SB).

Figure 12-59. Unable To Determine Local Time


9. Continue with Step 22 of “Installation Procedure” in I/A Series 8.5 Software Installa-
tion Guide (B0700SB) and finish the installation procedure.

Completing the Domain Client Installation


Installing the Control Core Services v9.4 Trailer Media
If a trailer is provided in the media kit, install it at this time. Installation instructions are provided
in Control Core Services v9.4 Release Notes (B0700SY).

Restarting Your System


FoxView software may be installed before rebooting the workstation or server, which saves one
reboot. Install FoxView™ and FoxDraw™ software from the FoxView/FoxDraw CD-ROM. Refer to
FoxView and FoxDraw Software V10.5 Release Notes (B0700SZ) for installation instructions.
Also install System Manager v2.11 (or later) which is not installed by Control Core Services v9.4,
as well as any other software you wish to install at this time prior to reboot.
Reboot the workstation at this time. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.

Non-Control Network Cables


If you unplugged any non-control network cables prior to performing the Day 0 installation, plug
in the non-control network cables at this time.

Installing Optional Software


Refer to Appendix J “Installing Optional Software”.

Setting Date and Time


For an internally sourced Master TimeKeeper (MTK), set the local date and time with either
System Manager (default) or SMDH.
For instructions on how to set the date and time with the System Manager, refer to the section
“Date and Time Tools” in System Manager (B0750AP).
For instructions on how to set the date and time with the System Management Display Handler
(SMDH), proceed as follows:
1. From the Control Core Services initial display, access System Management displays
from the System button on the FoxView main window.
2. From the System Monitor display, select the Time button to access the Set Date and
Time screen. Set the current date and time by clicking the appropriate arrows on the
screen. Click RETURN - SET.


For an active externally sourced MTK, the Set Date and Time display is unavailable. The date and
time are automatically established and synchronized by an external GPS satellite.
Refer to Time Synchronization User’s Guide (B0700AQ) for the description of the time
synchronization subsystem.

NOTICE
POTENTIAL DATA LOSS

Account1 is the administrator account on Windows 10 and Windows Server 2016 domain
clients. If this account is renamed on any domain client, the renamed account name must be
added to the group policy on the Primary Domain Controller as described in this Notice.
Failing to follow this procedure will prevent the user from logging in to the workstation as
a local user.

Refer to Appendix N “Local Administrator Login on Windows 10, Windows Server 2016
Machines” for further instructions.

Failure to follow these instructions can result in data loss.

Re-Enabling Anti-Malware Software


At the end of the installation process, re-enable any anti-malware software such as McAfee ENS
that is installed.
Refer to Installation and Configuration of the McAfee ENS 10.5.2 with ePO 5.9.1 (B0700VW).

13. Upgrading Control Core Services v9.4 (Day 1 Installation or Repair Operation)
This chapter describes the procedure to upgrade Control Core Services v9.4 through a Day 1
installation.
Before performing this installation procedure, the Control Core Services must already be
installed and running on the workstation. You have to allow the software installation
procedures to turn off the Control Core Services as needed.

NOTE
Exiting or cancelling during the software installation process causes an incomplete
installation and may cause the station to become unstable. This requires that you
reload the operating system.

NOTE
Use the IAInstaller account for all installation tasks. However, due to the
permissions assigned to IAInstaller, it is not to be used for any other role, such as
operation of the domain controllers.

Day 1 Operations (Local Edition or Enterprise Edition Control Core Services)
This procedure only creates the reconcile files, and it is recommended that you do it first; it
can be performed from a single workstation. You then take the reconcile files to System
Definition to create a Day 1 Commit installation media, and then insert the Day 0
installation DVD.
Perform the following steps to set up for installation:
1. Open the I/A Series Reconcile Media Utility: from the Start button, select
All Programs -> Invensys -> IASeries -> Utilities -> Reconcile.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. The I/A Series Reconcile Media Utility opens as shown in Figure 13-1.


Figure 13-1. I/A Series Reconcile Media Utility

4. Click Get Standard Stations to get the reconcile files for Local Edition Foxboro
stations.
5. When prompted, fill in the Primary Domain Controller server name (Domain Con-
troller Name), Domain Name, Secure Username and Secure Password. If the domain
is Off-Control Network, provide the PDC station’s IP address instead of the
workstation name.


6. Click Get SE Stations to get the reconcile files for Enterprise Edition Control
Core Services stations using the provided credentials.

Figure 13-2. Get SE Stations

7. Select the stations that need to be reconciled in the check-list box on the left-hand
side of the dialog box.
8. Select the appropriate radio button at the top of the dialog box: Create new
reconcile media or Appending to existing reconcile media.
9. Click Create to write to the media. The folder browser dialog box opens, as shown in
Figure 13-3.


Figure 13-3. Select the Location Where You Want Your Reconcile Files Saved

10. If you want to write the installation files to a diskette, be aware that the diskette has to
already be in a tar format.
To write to a tar format floppy diskette in the diskette drive (A:\), click Use
Diskette.
To write the installation files to a folder location, select a folder and click Select
Folder.
11. If you selected Appending to existing reconcile media in Step 8 and
Reconcile installation media (with media number 201) is not provided in the A:\
floppy drive, the dialog box shown in Figure 13-4 is displayed.

Figure 13-4. Try Another Diskette Message


12. Use the Reconcile media generated with this utility within System Definition to
update the commit media.
13. Insert the Day 0 DVD in the workstation/server for which you want to perform a
Day 1 installation.
14. Run setup.exe and accept the UAC prompt.
15. If Control Core Services are running, the dialog box shown in Figure 13-5 is displayed.

Figure 13-5. Disable Control Core Services Drivers and Services

16. Click Yes and reboot the workstation manually. Click the Start button and click Shut
Down; select Restart from the pull-down menu and click OK.
Restart setup.exe after rebooting the workstation.


The I/A Series Software Installation dialog box appears, as shown in Figure 13-6.

Figure 13-6. Control Core Services Software Installation Dialog Box


17. Select the Perform a Day 1 operation on the Control Core Services
workstation bullet in the I/A Series Software Installation dialog box, as shown in
Figure 13-7.

Figure 13-7. Perform a Day 1 Operation on the Foxboro Evo workstation

18. Click Load to load the updated Commit files.


19. Once the Commit files have been loaded, the I/A Series Software Installation dialog box
appears as shown in Figure 13-8. Click Install.

Figure 13-8. Ready to Install on the Foxboro Evo Workstation

20. Proceed with the installation wizard until the installation is complete. Click Finish
to close the installation.
The installation continues without user interaction until the end, when the log viewer
utility is displayed. You can view the installation log at any time by clicking the Start
button and selecting Foxboro DCS Control Core Services -> Log Viewer.


Figure 13-9. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.
21. Reboot the workstation. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.

NOTE
Perform a Day 1 installation on the Foxboro stations every time the System Definition is
changed.

Repair Operations (Local Edition or Enterprise Edition Control Core Services)
Control Core Services v9.4 can also be repaired directly from the I/A Series Software Installation
application. Using this method, the application updates any Control Core Services v9.4 files
which are found to be different than the files originally installed.
Proceed as follows:
1. Insert the Day 0 DVD in the workstation/server for which you want to perform a
Repair installation.
2. Run setup.exe and accept the UAC prompt.


3. If Control Core Services is running, the dialog box shown in Figure 13-10 is displayed.

Figure 13-10. Disable Control Core Services Drivers and Services

4. Click Yes and reboot the workstation manually. Click the Start button and click Shut
Down; select Restart from the pull-down menu and click OK.
Restart setup.exe after rebooting the workstation.


The I/A Series Software Installation dialog box appears, as shown in Figure 13-6.

Figure 13-11. Control Core Services Software Installation Dialog Box


5. Select the Perform a Repair operation on the I/A Series workstation
bullet in the I/A Series Software Installation dialog box, as shown in Figure 13-12.

Figure 13-12. Perform a Repair Operation on the Foxboro Evo Workstation

6. Click Install.


7. The Foxboro Evo Control Core Services Installshield Wizard appears as shown in
Figure 13-13. Proceed through the wizard to finish this operation.

Figure 13-13. Foxboro Evo Control Core Services Installshield Wizard

The repair operation continues without user interaction until the end, when the log
viewer utility is displayed. You can view the installation log at any time by clicking the
Start button and selecting Foxboro DCS Control Core Services -> Log Viewer.


Figure 13-14. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.
8. Reboot the workstation. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.

Performing a “Post-Commit for Pre-8.0”


NOTE
It is not advisable to install this software on workstations on the Control Network.
Perform this step on each Nodebus workstation after every Commit installation or
any installation where the workstation operating system is selected for installation.

The following procedure has to be performed after a Day 1 installation procedure on each of the
Nodebus workstations (AP, AW, and WP) to add Control Core Services addressing information to
the host files on Nodebus components. To perform the Post-Commit for I/A Series software
Pre-8.0, install the Pre-V8.1 Compatibility Diskette on each Nodebus workstation.


The following sections detail the steps for installing the disk on the two platforms.

Instructions for Windows Workstations


To execute the procedure on Nodebus (V6.x/V7.x, etc.) Foxboro workstations running the
Windows 10 operating system:
1. Insert the K0173XN diskette.
2. Open a Command Prompt window, and type the following:
d:
ncenv
sh
tar xvf A: ./usr/fox/bin/mkhosts.sh
cd /usr/fox/bin
sh mkhosts.sh
3. A reboot of the workstation is not needed.

Instructions for Solaris Workstations


To execute the procedure on Nodebus (V6.x/V7.x, etc.) I/A Series workstations running the
Solaris 2.5.1 or Solaris 2.8 (also referred to as “Solaris 8”) operating system:
1. Insert the K0173XN diskette.
2. Open a VT100 session, and type the following:
cd /
tar xvf /dev/fd0 ./usr/fox/bin/mkhosts.sh
cd /usr/fox/bin
mkhosts.sh
3. A reboot of the workstation is not needed.

14. Enhancing Server 2008 PDC running I/A Series Software v8.8 or Control Core Services v9.0-v9.3 to Support Windows 10 and Server 2016 Domain Clients
This chapter describes the procedure to enhance an existing on/off-Control Network station with
Security Enhanced I/A Series software v8.8 or Foxboro Evo Control Core Services v9.0-v9.3 to
support domain clients running CCS v9.4 on Windows 10 and Windows Server 2016. The
existing domain controller clients running I/A Series software v8.8 or Control Core Services
v9.0-9.3 continue to operate seamlessly after this upgrade.

NOTICE
POTENTIAL DATA LOSS

• We advise that the linking order of any non-Schneider Electric custom GPOs be
documented prior to proceeding further as this installation may likely change the linking
order of such GPOs. After the installation is completed, you may change the linking order
of such custom GPOs to meet your operational requirement. While doing so, it is
important to ensure that relative linking order of Schneider Electric's GPOs is not
changed. Changing the relative linking order of Schneider Electric's GPO might lead to
unpredictable product behavior. Refer to Appendix P “Linking Custom GPOs to Any
CCS/CS Specific OUs”.
• During the migration process, some existing Schneider Electric-provided GPOs will
change. As a result, changes to the GPO will be overwritten. It is recommended that you
back up any Schneider Electric-provided GPOs that were changed after the original
installation.
• The migration procedure outlined in this chapter should be run only once, against the
source Windows Server 2008 PDC. If you wish to upgrade any Windows Server 2008
Secondary Domain Controllers (SDCs) to Windows Server 2016, you must first remove
them from the domain. Refer to Appendix C “Secondary Domain Controllers in a Foxboro
Evo System” and Appendix K “Troubleshooting PDC Migration” for information on
removing SDCs and building a new SDC.

Failure to follow these instructions can result in data loss.

To enhance the domain controller, perform this procedure.


1. Log in to the Primary Domain Controller with Domain Administrator credentials,
typically as the IADomainAdmin user.
2. If you have custom GPOs, document the linking order of those GPOs. You can do
this by taking a screenshot of the current linking order at every OU.

Figure 14-1. Linking Order of GPOs for the Accounts OU

3. Insert the Control Core Services v9.4 media.


4. Open a command prompt in Administrator mode. When the User Account Control
dialog box appears, click Yes.

Figure 14-2. User Account Control for Command Prompt in Administrator Mode

5. In the command prompt, change the directory to
“<media drive>:\GroupPolicy\BatchFiles” where <media drive> is the drive on
which the CCS media resides.


NOTICE
POTENTIAL DATA LOSS

The installation program attempts to copy some GPO templates into the SYSVOL folder in the
next step, when you run the batch file Update2008PDC.bat. The installation assumes the default
SYSVOL path (c:\windows\SYSVOL) for this purpose. If you have installed SYSVOL at a different
path, follow the steps below before proceeding with the actual installation, so that the
installation program copies the GPO templates to the correct SYSVOL path.

Failure to follow these instructions can result in data loss.

6. If you have installed SYSVOL at a non-default path as specified in the above NOTICE,
follow the steps below before proceeding with the actual installation, so that the
installation program copies the GPO templates to the correct SYSVOL path.
a. Navigate to the CCS9.4 DVD drive.
b. Copy the folder "GroupPolicy" in the DVD drive to any drive of your choice, for
example D:\
c. Open the File Explorer and navigate to "D:\GroupPolicy\Configurations".
d. Remove the read-only flag on the file "2008PDCDelta_Config.xml": right-click the
file, choose Properties from the context menu, and clear the Read-Only checkbox. If
the Read-Only flag is already removed, proceed to the next step.
e. Open Notepad using RunAsAdmin.
f. In Notepad, open the file "2008PDCDelta_Config.xml".
g. Look for this XML line:
<CopyFolder SrcPath="..\PolicyDefinitions" DestPath="c:\windows\sysvol\domain\policies"/>
Replace the text c:\windows\sysvol in the above line with the actual SYSVOL
path. For example, if you have installed SYSVOL at the location F:\ADSYSVOL, the
modified line looks like this:
<CopyFolder SrcPath="..\PolicyDefinitions" DestPath="F:\ADSYSVOL\domain\policies"/>
h. Save and close the file.
i. In the command prompt you have already opened, change the directory to
"D:\GroupPolicy\BatchFiles". Note: This path depends on where you copied the
GroupPolicy folder in step (b).
j. Proceed to the next step of the installation.


NOTE
If you have installed IA9.3 or prior version in the PDC using the option "Install to
an existing OFF-MESH PDC station (PDC Only)" shown below, then follow these
additional steps before proceeding further with the installation.

If you have already followed the steps above for a SYSVOL path that differs from the default
path, you can skip steps (a) - (e) below and directly edit the file
"2008PDCDelta_Config.xml".
a. Navigate to the CCS9.4 DVD drive.
b. Copy the folder "GroupPolicy" in the DVD drive to any drive of your choice, for
example D:\
c. Open the File Explorer and navigate to "D:\GroupPolicy\Configurations".
d. Remove the read-only flag on the file "2008PDCDelta_Config.xml": right-click the
file, choose Properties from the context menu, and clear the Read-Only checkbox. If
the Read-Only flag is already removed, proceed to the next step.
e. Open Notepad using RunAsAdmin.
f. In Notepad, open the file "2008PDCDelta_Config.xml".
g. Find and delete these 3 lines:
♦ <LinkGPOToOU GPOName="Invensys Code Signing Certificates v1.2" OUPath="\Domain Controllers"/>
♦ <ChangeGPOLinkOrder OUPath="\Domain Controllers" LinkOrder="1,2" GPONames="Invensys Domain Controllers Policy v1.0,Invensys Code Signing Certificates v1.2"/>
♦ <ChangeGPOLinkOrder OUPath="\Domain Controllers" LinkOrder="1" GPONames="FCS Base Domain Controllers"/>
h. Save and close the file.
i. In the command prompt you have already opened, change the directory to
"D:\GroupPolicy\BatchFiles". Note: This path depends on where you copied the
GroupPolicy folder in step (b).
j. Proceed to the next step in the installation.
7. Type Update2008PDC.bat and press <Enter>.
The PDC update installation starts.
During this stage, it is normal to see detected errors indicating that the Active
Directory is not yet functional. The Active Directory verification process attempts to make
that directory functional, and then proceeds to the next step of configuring the Active
Directory.


Figure 14-3. Active Directory Verification Process

8. At the end of the installation, a progress window displays a message “AD configuration
is complete”, and asks you to “Press any key to exit…” as shown in Figure 14-4.
The progress window displays the log file location with a message “Check Log
file:<path to log file>”.

Figure 14-4. Administrator: Update 2008 AD Command Prompt

9. Press any key to close the command window and complete the installation of the
updates for the PDC with Windows Server 2008.
10. Open the log file at the path c:\windows\temp\2008PDCDelta_Config.log and
check for any detected errors.
11. If there are no detected errors in the log file, the upgrade is successful. If there are
detected errors, contact your system administrator.
12. If you had any custom GPOs, you must fix the linking order of those GPOs. Contact the
cyber security team for more information, and refer to Appendix P “Linking Custom GPOs to
Any CCS/CS Specific OUs”.
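
The two edits to 2008PDCDelta_Config.xml described in step 6 and in the NOTE that follows it can also be scripted, which avoids typing errors in the path and shows exactly what was changed. The following PowerShell is an added example, not part of the Schneider Electric media: the function name Update-PdcDeltaConfig, the <Configuration> root element and the sample file are assumptions, and only the element and attribute values quoted in this chapter come from the guide.

```powershell
# Added example (not vendor code). Uses only Windows PowerShell 2.0 syntax.
function Update-PdcDeltaConfig {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$SysvolRoot,                   # e.g. F:\ADSYSVOL; omit to leave DestPath alone
        [switch]$RemoveDomainControllerLinks   # the three deletions for an OFF-MESH PDC install
    )
    $defaultRoot = 'c:\windows\sysvol'         # default SYSVOL path quoted in the guide
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true            # keep the file layout apart from the edits
    $doc.Load($fullPath)
    $changes = @()

    if ($SysvolRoot) {
        $newRoot = $SysvolRoot.TrimEnd('\')
        # Assumption: the file declares no default XML namespace.
        foreach ($node in @($doc.SelectNodes('//CopyFolder[@DestPath]'))) {
            $old = $node.GetAttribute('DestPath')
            if ($old.StartsWith($defaultRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
                $new = $newRoot + $old.Substring($defaultRoot.Length)
                $node.SetAttribute('DestPath', $new)
                $changes += "DestPath: $old -> $new"
            }
        }
    }

    if ($RemoveDomainControllerLinks) {
        $dc = '\Domain Controllers'
        $queries = @(
            "//LinkGPOToOU[@OUPath='$dc' and @GPOName='Invensys Code Signing Certificates v1.2']",
            "//ChangeGPOLinkOrder[@OUPath='$dc' and @LinkOrder='1,2' and @GPONames='Invensys Domain Controllers Policy v1.0,Invensys Code Signing Certificates v1.2']",
            "//ChangeGPOLinkOrder[@OUPath='$dc' and @LinkOrder='1' and @GPONames='FCS Base Domain Controllers']"
        )
        foreach ($query in $queries) {
            foreach ($node in @($doc.SelectNodes($query))) {
                $changes += "Removed: $($node.OuterXml)"
                [void]$node.ParentNode.RemoveChild($node)
            }
        }
    }

    if ($changes.Count -gt 0) {
        $file = Get-Item -LiteralPath $fullPath
        if ($file.IsReadOnly) { $file.IsReadOnly = $false }   # same effect as step (d)
        $doc.Save($fullPath)
    }
    $changes    # one line per edit, for the change record
}

# Constructed sample: the four child elements are the lines quoted in the guide; the root
# element name and the layout are placeholders, because the guide does not show the rest.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <CopyFolder SrcPath="..\PolicyDefinitions" DestPath="c:\windows\sysvol\domain\policies"/>
  <LinkGPOToOU GPOName="Invensys Code Signing Certificates v1.2" OUPath="\Domain Controllers"/>
  <ChangeGPOLinkOrder OUPath="\Domain Controllers" LinkOrder="1,2" GPONames="Invensys Domain Controllers Policy v1.0,Invensys Code Signing Certificates v1.2"/>
  <ChangeGPOLinkOrder OUPath="\Domain Controllers" LinkOrder="1" GPONames="FCS Base Domain Controllers"/>
</Configuration>
'@
$work = Join-Path $env:TEMP '2008PDCDelta_Config.sample.xml'
Set-Content -LiteralPath $work -Value $sample -Encoding UTF8

Update-PdcDeltaConfig -Path $work -SysvolRoot 'F:\ADSYSVOL' -RemoveDomainControllerLinks
Get-Content -LiteralPath $work    # review the result before running Update2008PDC.bat
```

Run it only against the copy of the GroupPolicy folder made in step (b), and keep the printed change list with the installation record.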


NOTICE
POTENTIAL DATA LOSS

At this point the default Administrator account (which is internally renamed as IAManager)
on the PDC is disabled for security reasons. You will be unable to log in with this account
on the PDC. The only domain administrator at this point will be the IADomainAdmin user. If
you want to enable the Administrator (aka IAManager) on the PDC, you can use the Active
Directory Users and Computers console to enable the user.

Failure to follow these instructions can result in data loss.

15. Enhancing Control Core Services Security for Interforest Migrated PDC with Windows Server 2016 to Support Windows 10 and Windows Server 2016 Domain Clients
This chapter describes the procedure to enhance Control Core Services security for an Interforest
migrated PDC with Windows Server 2016. This will not affect the existing domain clients
and the security policies will be applied to only Control Core Services clients.
Interforest migration refers to AD object migration between two different domains within
different forests. This chapter assumes that you have already performed an interforest
migration from a Windows Server 2008 based domain controller to a Windows Server 2016 domain
controller using standard Microsoft documented procedures. It also assumes that the
Invensys/Schneider Electric AD objects existed in the Windows Server 2008 based domain
controller prior to performing interforest migration.
For your reference, here are links to documentation that describes the general procedure involved
in an interforest migration. However, it is recommended you refer to official documentation for
performing interforest migration from Windows Server 2008 to Windows Server 2016.
https://social.technet.microsoft.com/wiki/contents/articles/11996.admt-3-2-interforest-migration-part-1.aspx
http://social.technet.microsoft.com/wiki/contents/articles/16208.interforest-migration-with-admt-3-2-part-2.aspx
https://social.technet.microsoft.com/wiki/contents/articles/16621.admt-3-2-interforest-migration-part-3.aspx


NOTICE
POTENTIAL DATA LOSS

We advise that the linking order of any non-Schneider Electric custom GPOs be documented
prior to proceeding further as this installation may likely change the linking order of such
GPOs. After the installation is completed, you may change the linking order of such custom
GPOs to meet your operational requirement. While doing so, it is important to ensure that
relative linking order of Schneider Electric's GPOs is not changed. Changing the relative
linking order of Schneider Electric's GPO might lead to unpredictable product behavior. Refer
to Appendix P “Linking Custom GPOs to Any CCS/CS Specific OUs”.

Failure to follow these instructions can result in data loss.

To enhance the domain controller, perform this procedure.


1. Log in to the Primary Domain Controller with Domain Administrator credentials,
typically as the IADomainAdmin user.
2. If you have custom GPOs, document the linking order of those GPOs. You can do
this by taking a screen capture of the current linking order at every OU.

Figure 15-1. Linking Order of GPOs for the Accounts OU

3. Insert the Control Core Services v9.4 media.


4. Open a command prompt in Administrator mode. When the User Account Control
dialog box appears, click Yes.


Figure 15-2. User Account Control for Command Prompt in Administrator Mode

5. In the command prompt, change the directory to
“<media drive>:\GroupPolicy\BatchFiles” where <media drive> is the drive on
which the CCS media resides.
6. Type update2016PDC_ForInterForestMigration.bat and press <Enter>.
The PDC update installation starts.
During this stage, it is normal to see detected errors indicating that the Active
Directory is not yet functional. The Active Directory verification process attempts to make
that directory functional, and then proceeds to the next step of configuring the Active
Directory.

Figure 15-3. Active Directory Verification Process

7. At the end of the installation, a progress window displays a message “AD configuration
is complete”, and asks you to “Press any key to exit…” as shown in Figure 15-4.
The progress window displays the log file location with a message “Check Log
file:<path to log file>”.


Figure 15-4. Administrator: Update 2016 AD Command Prompt

8. Press any key to close the command window and complete the installation of the
updates for the PDC with Windows Server 2016.
9. Open the log file at the path c:\windows\temp\2016PDCDelta_Config.log and
check for any detected errors.
10. If there are no detected errors in the log file, the upgrade is successful. If there are
detected errors, contact your system administrator.
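
Step 2 of this procedure, and the same step in the Server 2008 PDC procedure, can be recorded as text instead of screenshots so that the link order before and after the update can be compared line by line. The following PowerShell is an added example, not from the guide or the installation media; it assumes the ActiveDirectory and GroupPolicy modules (available from Windows Server 2008 R2 onward), and the function names, CSV path and sample OU and GPO names are hypothetical.

```powershell
# Added example (not vendor code). Uses only Windows PowerShell 2.0 syntax.

# Live capture on the PDC: one row per GPO link on the domain root and on every OU.
# Typical use (path is a placeholder):
#   Get-GpoLinkSnapshot | Select-Object OU,Order,GPO,Enabled,Enforced |
#       Export-Csv C:\Temp\gpo-links-before.csv -NoTypeInformation
function Get-GpoLinkSnapshot {
    Import-Module ActiveDirectory, GroupPolicy
    $targets = @((Get-ADDomain).DistinguishedName)
    $targets += @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName })
    foreach ($dn in $targets) {
        (Get-GPInheritance -Target $dn).GpoLinks | Where-Object { $_ } | ForEach-Object {
            New-Object PSObject -Property @{
                OU = $dn; Order = $_.Order; GPO = $_.DisplayName
                Enabled = $_.Enabled; Enforced = $_.Enforced
            }
        }
    }
}

# Collapse a snapshot into OU -> "1:GPO A | 2:GPO B" so an order change shows up as text.
function ConvertTo-LinkOrderMap {
    param($Snapshot)
    $map = @{}
    $Snapshot | Sort-Object OU, { [int]$_.Order } | ForEach-Object {
        $entry = '{0}:{1}' -f $_.Order, $_.GPO
        if ($map.ContainsKey($_.OU)) { $map[$_.OU] += ' | ' + $entry } else { $map[$_.OU] = $entry }
    }
    $map
}

# Report every OU whose ordered list of linked GPOs differs between two snapshots.
function Compare-GpoLinkSnapshot {
    param($Before, $After)
    $old = ConvertTo-LinkOrderMap $Before
    $new = ConvertTo-LinkOrderMap $After
    $ous = @($old.Keys) + @($new.Keys) | Sort-Object -Unique
    foreach ($ou in $ous) {
        if ($old[$ou] -ne $new[$ou]) {
            New-Object PSObject -Property @{ OU = $ou; Before = $old[$ou]; After = $new[$ou] }
        }
    }
}

# Constructed sample snapshots (hypothetical OU and GPO names) in the exported CSV layout.
# On a real system, load the two files with Import-Csv instead.
$before = @'
OU,Order,GPO
"OU=Accounts,DC=example,DC=local",1,Site Custom Policy
"OU=Accounts,DC=example,DC=local",2,Vendor Accounts Policy
"OU=Domain Controllers,DC=example,DC=local",1,Vendor Domain Controllers Policy
'@ | ConvertFrom-Csv

$after = @'
OU,Order,GPO
"OU=Accounts,DC=example,DC=local",1,Vendor Accounts Policy
"OU=Accounts,DC=example,DC=local",2,Site Custom Policy
"OU=Domain Controllers,DC=example,DC=local",1,Vendor Domain Controllers Policy
'@ | ConvertFrom-Csv

# Only the Accounts OU is reported, because its two links swapped positions.
Compare-GpoLinkSnapshot $before $after | Format-List OU, Before, After
```

Any OU the comparison reports is a candidate for the link-order correction described in Appendix P.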

16. Post-Installation and Migration Procedures
This chapter describes the post-installation and migration procedures for Control Core Services
v9.4 software.

Restoring the CSA Database


If you took a backup of CSA, restore the CSA files using the CSA_Merge utility as described in
“Restoring CSA (CSA_Merge)” in Control Core Services v9.4 Release Notes (B0700SY).

NOTE
If you perform a Day 1 operation in order to move the Compound Summary Access
(CSA) server package from one workstation with CCS v9.4 to another workstation
with CCS v9.4 and you have performed deployments to CNI stations involving
CNI hosted alarm destinations, the following special action is needed.
Move the C:\ProgramData\Invensys\IASeries\AccessListEditor\cs_devmon_CNI.cfg file
from the old CSA workstation to the new CSA workstation prior to initiating any subsequent
deployments to the CNI stations.
Furthermore, you have to copy the following CNI configuration files to the new
CSA server workstation:
C:\ProgramData\Invensys\IASeries\AccessListEditor\NamespaceMap.xml
C:\ProgramData\Invensys\IASeries\AccessListEditor\ConnectionSettings\CNI-
Config.xml

Configuring Display Color Settings


The workstation and server platforms supported by Control Core Services v9.4 have to use the
“Highest (32 bit)” color quality display property value for the displays.
For H90 and H91 servers, refer to the information in the “Quick Restore” chapter of the server’s
Hardware and Software Specific Instructions document.
For H92 workstations, refer to the “Installing and Updating Drivers” chapter of the workstation’s
Hardware and Software Specific Instructions document.

Updating FCP270s, ZCP270s, FCP280s, and ATS Images
Perform an IMAGE UPDATE for Control Processor 270s (FCP270 and ZCP270), FCP280s,
and Address Translation Stations (ATSs) hosted by stations with Control Core Services v9.4. For
control processors, refer to the appropriate user’s guide. You can perform an image upgrade to the
Control Core Services v9.4 image of the FCP280, FCP270, or ZCP270 without initializing its
database.
For ATSs, refer to Address Translation Station User's Guide (B0700BP) for instructions.
When the update process is finished, verify that the station is at the correct image level. For the
latest EEPROM and image revision levels for Control Core Services v9.4 refer to Appendix B
“EEPROM Revision Levels” in Control Core Services v9.4 Release Notes (B0700SY).
For legacy control processors, refer to this same appendix in B0700SY for the latest image version
numbers for these modules supported by Control Core Services v9.4.

Performing EEPROM Updates


Perform an EEPROM update of the FCMs and FBMs that are not at the revision level specified
for v9.4 software. For details, refer to Appendix B “EEPROM Revision Levels” in Control Core
Services v9.4 Release Notes (B0700SY).

Backing Up Hard Disks


Veritas Backup Exec System Recovery software is included with Control Core Services. It is
recommended that you use the Symantec software package for your system backup and recovery
needs.
Refer to Veritas System Recovery 16 Desktop, Server and Virtual Editions Guide for I/A Series® and
Foxboro Evo™ Process Automation Systems (B0700HH) for instructions.

Reconciling the Configuration


The last phase of the software installation process is the reconciliation phase. Reconciliation is
needed after every committed install (Day 0 or Day 1). The reconcile process is used to update the
software install status of each Control Core Services package on each Foxboro station in the
system configuration for the Foxboro Evo system. The reconcile media is created on the Foxboro Evo
system after installation and then imported into System Definition.
For a complete description of the reconcile process, refer to “Reconciling the System
Configuration” in System Definition: A Step-by-Step Procedure (B0193WQ, Rev. P or later).

Alarm Manager Multi-Head Video Configurations


By default, the Alarm Manager chooses its window size based on the size of the overall desktop. In
a dual or quad-headed configuration, this choice may not be optimal.
After Control Core Services is installed, there are two methods that can be used to change the size
and position of the Alarm Manager:
♦ Use the graphical Alarm/Display Manager configurator, which is described in
Workstation Alarm Management (B0700AT) or
♦ Manually edit the Alarm Manager configuration file, as follows:
1. Save a backup of the following file: D:\usr\fox\customer\alarms\cfg\am_def.cfg


2. Open the original am_def.cfg file in an editor (such as Wordpad or vi).


3. Corresponding to each type of Alarm Manager window is a line that contains the
string: WinSizPos.
These lines determine the size and position of each window, and can be edited to
provide a more desirable layout. Table 16-1 provides the parameters available to you to
use in this string.
For example, in a configuration with four heads arranged in a 2x2 array, a good choice
is to make the windows quarter screen. To do this, change every WinSizPos line to
QUR for quarter screen, upper right. You can search and replace these settings as long
as case sensitivity is on.
Table 16-1. WinSizPos Parameters

String    Meaning
F         Full
D__       Default size (__ - see below)
_T_       Top
_L_       Lower
__L       Left
__R       Right
Q__       Quarter size (__ - see below)
I__       Intermediate size (__ - see below)
_U_       Upper
_L_       Lower
__L       Left
__R       Right

You have completed installation and configuration of the dual-head video card drivers.
Proceed to “Installing the Control Core Services v9.4 Trailer Media” on page 108
to install Control Core Services on your workstation.

17. Local Group Policy Installation
This chapter provides the procedure to import Local Group Policy Settings onto Foxboro Evo
platform workstations running Windows 10 and Windows Server 2016 operating systems.

Procedure for Importing Windows 10 Local Group Policy Settings
This process is as follows:
1. Insert the media “Foxboro Evo Local Group Policy Object for Windows 10”
(K0177BZ) into the CD drive. K0177BZ is part of the OS Image Upgrade kits
K0204AG and K0204AH which are required for the H92 station, and is provided
with new H92 platform orders.
2. Right-click the Start button and, from the context menu that appears, click
Command Prompt (Admin).
3. When the User Account Control confirmation dialog box appears, click Yes.
4. In the command prompt, navigate to the location on the DVD where the
“RunWin10LGPO.bat” file is located.
5. In the command prompt, type RunWin10LGPO.bat and press <ENTER>.
6. The program prompts “Do you wish to continue with the installation” and asks you
to enter Y/N. Press the Y key and then press <ENTER> to continue.
The Local Security policy for Windows 10 will be installed.
7. Press the <ENTER> key to exit the program.
8. The results of the LGPO installation are logged in the files: C:\tmp\lgpo.out and
C:\tmp\lgpo.err. Check for any detected error messages in these files and contact
your system administrator for help resolving them.
9. For a successful installation, reboot/restart the workstation.

Procedure for Importing Windows Server 2016 Local Group Policy Settings to H90 or VM
This process is as follows:
1. Insert the media “Foxboro Evo Local Group Policy Object for Server 2016”
(K0177BY) into the CD drive. K0177BY is part of the OS Image Upgrade kits
K0204AJ, K0204AK, and K0204AW which are required for the H90 and VM stations,
and is provided with new H90 or VM platform orders.
2. Right-click the Start button and, from the context menu that appears, click
Command Prompt (Admin).
3. When the User Account Control confirmation dialog box appears, click Yes.


4. In the command prompt, navigate to the location on the DVD where the
“RunServer2016LGPO.bat” file is located.
5. In the command prompt, type RunServer2016LGPO.bat and press <ENTER>.
6. The program prompts “Do you wish to continue with the installation” and asks you
to enter Y/N. Press the Y key and then press <ENTER> to continue.
The Local Security policy for Windows Server 2016 will be installed.
7. Press the <ENTER> key to exit the program.
8. The results of the LGPO installation are logged in the files: C:\tmp\lgpo.out and
C:\tmp\lgpo.err. Check for any detected error messages in these files and contact
your system administrator for help resolving them.
9. For a successful installation, reboot/restart the server.

Appendix A. Startup Options
This appendix describes the startup options in Foxboro Evo workstations and servers.
For the startup options in Foxboro Evo workstations and servers, refer to:
♦ For Local Edition Control Core Services installations - see “Control Core Services
Startup and Security Options” in Control Core Services v9.4 Release Notes (B0700SY)
♦ For Enterprise Edition Control Core Services installations - see “I/A Series Startup
and Security Options” in Security Implementation User’s Guide for I/A Series and Foxboro
Evo Workstations (Windows 10 or Windows Server 2016 Operating Systems)
(B0700HG)

Appendix B. Changing the Station Name
This appendix describes how to change a station’s name.
The Windows workstation or server name has to match the workstation or server letterbug name
as it was configured in SysDef and saved onto your Commit installation media before you install
the Control Core Services. For systems with multiple workstations or servers, you have to change
the default workstation/server names.
The Foxboro Evo workstation/server letterbug is an uppercase six-character alphanumeric
workstation name recognized by the Control Core Services. The letterbug is defined during System
Definition and is written to the Commit installation media.
To make your workstation or server letterbug name match your host name, perform the following
procedure:
1. Right-click on This PC on the desktop and select Properties.


2. In the System Properties dialog box, select the Computer Name tab (Figure B-1).

Figure B-1. Computer Name Tab in the System Properties Dialog Box


3. In the Computer Name tab, click Change. The Computer Name Changes dialog box
opens (Figure B-2).

Type in station letterbug; for example, INF1AW

Figure B-2. Computer Name Changes Dialog Box

4. In the Computer Name Changes dialog box, click Computer Name and (using only
uppercase characters) change the name to the applicable letterbug assignment on the
Commit. Click OK.

NOTE
The Computer Name field has to contain six (6) uppercase characters and numbers.

5. Click Workgroup in the “Member of” section of the Computer Name Changes dialog
box and confirm that the workgroup name is WORKGROUP (see Figure B-2).
6. In the Computer Name Changes dialog box, click OK.
7. Click OK to close the System Properties dialog box.


8. A message box shown in Figure B-3 opens asking if you want to restart your computer.
Click OK.

Figure B-3. Restarting Your Computer To Apply Changes

9. When the system restarts, it logs you on as the “Account1” user account. Proceed with
the Control Core Services installation.

Appendix C. Secondary Domain Controllers in a Foxboro Evo System
This chapter details the installation and configuration procedures for Enterprise Edition
Control Core Services v9.1 or later systems, which may also include Control Software v5.0 or
later software.
In the Enterprise Edition Control Core Services system, the secondary domain controller (SDC)
functions as a backup to the primary domain controller (PDC) server for both Active Directory
and DNS services. This means that if the PDC becomes unavailable for any reason, the SDC
provides such functions as:
♦ Servicing log on requests to the Foxboro network
♦ Allowing for the creation, deletion, and modification of user accounts
♦ Servicing DNS name resolution requests
Some functionality will be unavailable or may be limited during the time that a PDC is offline
and the SDC has not been promoted to PDC. This includes, but is not limited to:
♦ Domain schema cannot be extended.
♦ New SDC workstations cannot be added to the domain.
♦ Ability to add users and computers to the domain may be limited.
♦ Group policies cannot be edited.
It is recommended that the PDC remain the PDC and the SDC stations remain as SDC stations
once the Enterprise Edition Control Core Services system has been installed. If a PDC is
unavailable for a short period of time (e.g. less than a week), it is highly recommended that an SDC is
not promoted to take over the role of PDC. This is because the offline PDC will not be
automatically demoted to be an SDC. During this time when the PDC is offline, it is inadvisable to add
any new stations. If an SDC were promoted and the original PDC then came back online, there
would be two primary domain controllers, one of which would then have to be demoted.

NOTE
Avoid bringing up two PDC stations on the Control Core Services system.

Active Directory Operations Master Roles


If there is a need to promote an SDC to become the PDC, it is better to do this while the PDC is
still available. This is the preferred method for passing primary domain controller functionality to
a different server on the Control Core Services system, so that the primary domain controller will
automatically be demoted to a secondary domain controller.
There are five Flexible Single Master Operation (FSMO) roles which are transferable between
domain controllers within an Active Directory domain or forest:
♦ RID (Relative ID) Master
♦ PDC Emulator
♦ Infrastructure Master
♦ Domain Naming Master
♦ Schema Master
Note that these roles are also referred to as “operations master” roles. The steps in the next section
provide a method for transferring the five roles from the PDC to one of the SDC servers.

Transferring the Operations Master Roles


In this procedure, the example name of the PDC is “NESRV5” while the example name of the
SDC is “NESRV4”. The transfer procedure is illustrated in Figure C-1.

                         Server 1 (NESRV5) Role         Server 2 (NESRV4) Role

                         Primary Domain Controller      Secondary Domain Controller

FSMO roles are transferred to existing Secondary Domain Controller:

                         Secondary Domain Controller    Primary Domain Controller

Figure C-1. Transferring FSMO Roles

Proceed as follows to transfer the domain controller roles from a working PDC to an existing
secondary domain controller:
1. To transfer the RID Master, PDC Emulator, and Infrastructure Master FSMO roles:
a. Click the Start button, and then select Windows Administrative Tools ->
Active Directory Users and Computers.
b. Open Active Directory Users and Computers in the left-hand tree view
and open the domain (iaseries.local) -> Invensys -> Accounts -> Users ->
Administrators. In the right-hand pane, right-click IADomainAdmin and select
Properties.


Figure C-2. Active Directory Users and Computers - IADomainAdmin

c. In the Properties dialog box, select the Member Of tab.


Figure C-3. IADomainAdmin Properties Dialog Box

d. Click the Add button.


e. Type in the text “Schema” and click the Check Names button.
f. Select the desired user group (i.e. Schema Admins).


Figure C-4. Select groups Dialog Box

g. Click OK and then click OK again on the Properties dialog box.


h. Right-click on Active Directory Users and Computers in the left-hand tree
view and select Change Domain Controller.

Figure C-5. Active Directory Users and Computers - Connect to Domain Controller

i. Select the domain controller which is to become the new PDC. Click OK.


Figure C-6. Connect to Domain Controller Dialog Box

j. Right-click on Active Directory Users and Computers in the left-hand tree
view and select All Tasks -> Operations Masters.

Figure C-7. Active Directory Users and Computers - Set Operations Masters


k. Select the RID tab and click the Change button.

Figure C-8. Operations Master Dialog Box

l. Click Yes to confirm the change.

Figure C-9. Operations Master - Confirm Transfer

m. Select the PDC tab and click the Change button.


n. Click OK to confirm the change.


Figure C-10. Operations Master - Confirm Change

o. Select the Infrastructure tab and click the Change button.


p. Click OK to confirm the change.
2. To transfer the Domain Naming Master FSMO role:
a. Click the Start button, and then select Windows Administrative Tools ->
Active Directory Domains and Trusts.
b. Right-click on Active Directory Domains and Trusts in the left-hand tree
view and select Change Active Directory Domain Controller.

Figure C-11. Active Directory Domains and Trusts - Connect to Domain Controller

c. Select the domain controller which is to become the new PDC.


Figure C-12. Active Directory Domains and Trusts - Selecting Domain Controller to Become
The New PDC

d. Right-click on Active Directory Domains and Trusts in the left-hand tree
view and select Operations Master.

Figure C-13. Active Directory Domains and Trusts - Set Operations Masters

e. Press the Change button.

Figure C-14. Change Operations Master

f. Click Yes to confirm the change.


Figure C-15. Active Directory Domains and Trusts - Confirm Yes

g. Click OK.

Figure C-16. Active Directory Domains and Trusts - Confirm OK

3. To transfer the Schema Master FSMO role:

NOTE
This procedure can only be completed by a schema administrator. By default, the
only user with schema administrator privileges is the system administrator (i.e., the
user account which is named IAManager at the time the workstation is first
installed). Since this account is disabled on the PDC for security reasons, you have
two choices:
- Enable the Administrator (a.k.a. IAManager) using Active Directory Users and
Computers console.
- Add IADomainAdmin to Schema Admins group and use IADomainAdmin user
account to perform the operations described in this appendix.

a. Open a command prompt. From the Start menu, click All Programs -> Windows
System/Accessories -> Command Prompt.
b. In the command prompt, type regsvr32 schmmgmt.dll and press <Enter>.
This will register the Schema Management DLL.


Figure C-17. Command Prompt - regsvr32 schmmgmt.dll

c. Click OK to confirm the operation completed successfully.

Figure C-18. Confirm Operation

d. Open the Run window, type MMC and press <Enter>. This will open the Microsoft
Management Console.

Figure C-19. Confirm Operation

e. Select Add/Remove Snap-In from the File menu.


Figure C-20. Microsoft Management Console - Selecting Add/Remove Snap-In

4. From Available Snap-ins, select Active Directory Schema and click Add.


Figure C-21. Add or Remove Snap-Ins Dialog Box

5. Click OK.


Figure C-22. Add or Remove Snap-Ins Dialog Box


f. Right-click on Active Directory Schema in the left-hand tree view and select
Change Active Directory Domain Controller.

Figure C-23. Microsoft Management Console - Selecting Change Domain Controller

g. Select the domain controller which is to become the new PDC.

Figure C-24. Change Domain Controller


h. Right-click on Active Directory Schema in the left-hand tree view and select
Operations Master.

Figure C-25. Microsoft Management Console - Selecting Operations Master

i. Click OK.

Figure C-26. Change Domain Controller

j. Click the Change button.


Figure C-27. Change Schema Master Dialog Box

k. Click Yes to confirm the change.

Figure C-28. Active Directory Domains and Trusts - Confirm Yes

l. Click OK.

Figure C-29. Active Directory Domains and Trusts - Confirm OK


Seizing Active Directory Operations Master Roles


In the event that the PDC is no longer available, one of the SDCs may still be promoted to be a
primary domain controller. To do this, follow the procedure below to seize the domain controller
roles for an existing SDC. This procedure provides a method for seizing the five roles and assigning
them to one of the SDC servers, and is illustrated in Figure C-30.

                         Server 1 (NESRV5) Role                     Server 2 (NESRV4) Role

                         Primary Domain Controller                  Secondary Domain Controller

PDC is unavailable due to a hardware or software detected issue:

                         Primary Domain Controller (Unavailable)    Secondary Domain Controller

FSMO roles are seized by the existing SDC. This server becomes the Primary Domain Controller:

                         Primary Domain Controller (Unavailable)    Primary Domain Controller

Figure C-30. Seizing FSMO Roles

NOTE
This is a last-resort measure that is advisable only if the PDC holding the roles
cannot be restored. Once you perform this procedure, you
will not be able to bring the PDC back online without first removing its installation
of Active Directory. (This is discussed in a later section.)

To seize the Active Directory roles because the PDC will no longer be available:
1. On the SDC server which will become the PDC, open the Run window, type ntdsutil
and press <Enter>. This starts the Active Directory Services Maintenance Utility.


Figure C-31. Role Seizure Confirmation Dialog Box

2. Type roles and press <Enter>.


3. At the fsmo maintenance: prompt, type connections and press <Enter>.
4. At the server connections: prompt, type connect to server <servername> and
press <Enter>. In this case, <servername> is the name of the SDC being promoted
to PDC.
5. At the server connections: prompt, type q and press <Enter>.
6. At the fsmo maintenance: prompt, type seize naming master and press <Enter>.
7. At the fsmo maintenance: prompt, type seize infrastructure master and press
<Enter>.
8. At the fsmo maintenance: prompt, type seize PDC and press <Enter>.
9. At the fsmo maintenance: prompt, type seize RID master and press <Enter>.
10. At the fsmo maintenance: prompt, type seize schema master and press <Enter>.
During each role seizure call, the Active Directory Services Maintenance Utility will
attempt to transfer the role by contacting the PDC. A time-out will occur while this
happens, followed by a system message. A dialog box appears as shown in
Figure C-32, asking to confirm the seizure of the role. Click Yes to seize the role.

Figure C-32. Role Seizure Confirmation Dialog Box


The entire text of the above operation appears similar to the following in the command
prompt window. The text following each prompt is the text entered by the user.

C:\Windows\system32\ntdsutil.exe: roles
fsmo maintenance: connections
server connections: connect to server NESRV4.iaseries.local
Binding to NESRV4.iaseries.local ...
Connected to NESRV4.iaseries.local using credentials of locally logged on user.
server connections: q
fsmo maintenance: seize naming master
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210397, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure ...
Server "NESRV4.iaseries.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance: seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210397, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "NESRV4.iaseries.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance: seize PDC
Attempting safe transfer of PDC FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210581, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of PDC FSMO failed, proceeding with seizure ...
Server "NESRV4.iaseries.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance: seize RID master
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210CB1, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure ...
Searching for highest rid pool in domain
Server "NESRV4.iaseries.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210397, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
Server "NESRV4.iaseries.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance:
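
The check below is an added example, not part of the Schneider Electric guide: it reads a saved copy of the ntdsutil output shown above and confirms, from the last "knows about 5 roles" listing, that every operations master role names the intended server, which is the condition for avoiding two PDC stations. The function names and the abbreviated SAMPLE transcript are constructed for illustration; the role labels, server names and DN layout are those shown in the transcript.

```python
import re

# Role labels as ntdsutil prints them in its "knows about N roles" listing.
ROLE_NAMES = ("Schema", "Naming Master", "PDC", "RID", "Infrastructure")

LISTING_RE = re.compile(r'^[ \t]*Server "[^"]+" knows about \d+ roles', re.M)
# The holder is the CN that directly follows "CN=NTDS Settings" in each role's DN,
# so a DN that was line-wrapped further along (as in a printed manual) still parses.
ROLE_RE = re.compile(
    r"^[ \t]*(" + "|".join(ROLE_NAMES) + r") - CN=NTDS Settings,CN=([^,\s]+),",
    re.M,
)


def role_listings(transcript):
    """Return one {role: holder} dict per role listing, in transcript order."""
    headers = list(LISTING_RE.finditer(transcript))
    listings = []
    for i, header in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(transcript)
        block = transcript[header.end():end]
        listings.append({role: cn.upper() for role, cn in ROLE_RE.findall(block)})
    return listings


def role_moves(transcript):
    """Holder changes between consecutive listings: [{role: (old, new)}, ...].

    An empty dict means the seize command before that listing moved nothing.
    """
    listings = role_listings(transcript)
    return [
        {r: (before[r], after[r]) for r in after
         if r in before and before[r] != after[r]}
        for before, after in zip(listings, listings[1:])
    ]


def verify_seizure(transcript, new_holder):
    """Check the final listing: all five roles present and held by new_holder."""
    listings = role_listings(transcript)
    if not listings:
        raise ValueError("no 'knows about N roles' listing found in transcript")
    target = new_holder.split(".")[0].upper()  # NESRV4 or NESRV4.iaseries.local
    final = listings[-1]
    missing = [r for r in ROLE_NAMES if r not in final]
    not_on_target = {r: h for r, h in final.items() if h != target}
    return {"final": final, "missing": missing, "not_on_target": not_on_target,
            "ok": not missing and not not_on_target}


def sample_listing(holders):
    """Build one listing in the transcript's format (constructed sample data)."""
    dn = ("CN=NTDS Settings,CN=%s,CN=Servers,CN=IASERIES,CN=Sites,"
          "CN=Configuration,DC=iaseries,DC=local")
    lines = ['Server "NESRV4.iaseries.local" knows about 5 roles']
    lines += ["%s - %s" % (role, dn % holders[role]) for role in ROLE_NAMES]
    return "\n".join(lines)


# Constructed, abbreviated transcript: the session stops before "seize schema master",
# so the Schema role is still recorded against the old PDC (NESRV5).
SAMPLE = "\n".join([
    "fsmo maintenance: seize PDC",
    "Transfer of PDC FSMO failed, proceeding with seizure ...",
    sample_listing({"Schema": "NESRV5", "Naming Master": "NESRV4", "PDC": "NESRV4",
                    "RID": "NESRV5", "Infrastructure": "NESRV4"}),
    "fsmo maintenance: seize RID master",
    "Transfer of RID FSMO failed, proceeding with seizure ...",
    sample_listing({"Schema": "NESRV5", "Naming Master": "NESRV4", "PDC": "NESRV4",
                    "RID": "NESRV4", "Infrastructure": "NESRV4"}),
    "fsmo maintenance:",
])

if __name__ == "__main__":
    result = verify_seizure(SAMPLE, "NESRV4")
    print("all roles on NESRV4:", result["ok"])
    print("roles not yet on NESRV4:", result["not_on_target"])
    print("moves per seize command:", role_moves(SAMPLE))
```

Run it against the complete saved output before the old PDC is dealt with: any role listed under not_on_target means the seizure sequence is unfinished.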

Restoring a PDC Server Station


If the PDC station which had its roles seized becomes available later (e.g., through a hardware fix
or a ghost image restore), it cannot be returned to the Foxboro network until it has had its Active
Directory removed. This is due to the fact that the software on that station is still configured to be
the primary domain controller.
The instructions to remove Active Directory from this workstation before placing it back on the
Foxboro network are provided below. This procedure is illustrated in Figure C-33.


                         Server 1 (NESRV5) Role                     Server 2 (NESRV4) Role

Primary Domain Controller (PDC) NESRV5 is unavailable. NESRV4 has seized FSMO roles and is
the only PDC on the system:

                         Primary Domain Controller                  Primary Domain Controller
                         (Unavailable)

NESRV5 is physically disconnected from the Foxboro network prior to restarting:

                         Primary Domain Controller                  Primary Domain Controller
                         (Disconnected from Foxboro Network
                         and Restarted)

Active Directory is removed from NESRV5 and it is reconnected to the Foxboro network:

                         No Longer a Domain Controller              Primary Domain Controller
                         (Connected to Foxboro Network)

Active Directory is restored on NESRV5 which is now a Secondary Domain Controller on the
Foxboro network:

                         Secondary Domain Controller                Primary Domain Controller

Optional - Transfer FSMO roles back to the original PDC server (NESRV5):

                         Primary Domain Controller                  Secondary Domain Controller

Figure C-33. Restoring FSMO Roles to a Primary Domain Controller That Had Its Roles Seized

Alternatively, you can remove and restore the Active Directory by reinstalling the operating system
and Control Core Services on this workstation. (This is a longer and more complicated procedure
than the one described in Figure C-33 but it is a viable alternative.) To accomplish this, completely
reload this workstation from the base Schneider Electric-provided Day 0 workstation
image and follow the instructions for installing a secondary domain controller provided in
Chapter 4 “Enterprise Edition Control Core Services v9.4 Installation for New On-Control Network
Domain Controllers” or Chapter 5 “Enterprise Edition Control Core Services v9.4 Installation
for New Off-Control Network Domain Controllers”. Once this workstation is completely
installed as an SDC, follow the procedure listed below for promoting this workstation to be the
PDC while the existing primary domain controller is still available to be demoted.


Proceed as follows:
1. Start the server up while physically disconnected from the Foxboro network.
2. Right-click the Start button, and then select Run. Type “Services.msc” to open the
Services window, and stop the Net Logon service.
3. Open the Run window, type dcpromo /forceremoval. Press <Enter>.

Figure C-34. Invoking dcpromo /forceremoval

4. If this server previously held all five FSMO roles, six messages will be displayed: one
for each role previously held and one additional message for the data held
in Active Directory for the DNS server. Acknowledge each message as it is displayed
to continue. See Figure C-35 through Figure C-37.

Figure C-35. Acknowledging Messages - Part 1


Figure C-36. Acknowledging Messages - Part 2


Figure C-37. Acknowledging Messages - Part 3


5. At the dialog box shown in Figure C-38, click Next.

Figure C-38. Active Directory Installation Wizard - Welcome


6. Click Next.

Figure C-39. Active Directory Installation Wizard - Force Removal

7. Click OK.

Figure C-40. Active Directory Installation Wizard - Acknowledge


8. Enter an Administrator account password for the new local Administrator account on
this server. The name of this account will be Administrator which is different from
the account name originally created by the Control Core Services installation. This
account name can be changed later through the standard Microsoft dialog boxes.
Click Next.

Figure C-41. Active Directory Installation Wizard - Administrator Password


9. Click Next.

Figure C-42. Active Directory Installation Wizard - Summary


10. Wait while the configurator reads the domain policy.

Figure C-43. Active Directory Installation Wizard - Reading Domain Policy

11. Click Finish when the process completes.

Figure C-44. Active Directory Installation Wizard - Completed


12. Physically reconnect the workstation to the Foxboro network.


13. Restart the workstation.

Figure C-45. Active Directory Installation Wizard - Restarting the Computer

14. This workstation has to be manually added back onto the domain. Use the
IADomainAdmin account along with the password entered above to log onto the
workstation.

Figure C-46. Windows Security - Logging in IADomainAdmin

15. Right-click the Start button and select Control Panel -> System and Security
-> System on the right-hand pane.
16. Click Advanced system settings from the left-hand pane.
17. Select the Computer tab and click the Change button.
18. Select the Domain radio button and enter the domain name.
19. A dialog box, shown in Figure C-47, indicates that the computer has been added to
the domain. Click OK.

Figure C-47. Windows Security - Logging in IADomainAdmin

20. A dialog box, shown in Figure C-48, indicates that the computer has to be restarted.
Click OK.

Figure C-48. Windows Security - Logging in IADomainAdmin

21. In Figure C-49, click Restart Now to have the workstation restart.

Figure C-49. Windows Security - Logging in IADomainAdmin

22. If this workstation has to be reloaded as a primary or secondary domain controller, the
dcpromo utility can be used to reinstall Active Directory. The remaining steps below
describe reloading Active Directory on the unsuccessful server.
Open the Run dialog box, shown in Figure C-50, and type dcpromo. Press <Enter>.

Figure C-50. Invoking dcpromo

23. In Figure C-51, click Next.

Figure C-51. Active Directory Installation Wizard - Welcome

24. In Figure C-52, click Next.

Figure C-52. Active Directory Installation Wizard - Operating System Compatibility

25. Select the second radio button indicating that this is an additional domain controller
for an existing domain and click Next.

Figure C-53. Active Directory Installation Wizard - Domain Controller Type

26. Enter the domain name and click Next.

Figure C-54. Active Directory Installation Wizard - Additional Domain Controller

27. Select the forest root domain name and click Next.

Figure C-55. Active Directory Installation Wizard - Forest Root Domain

28. Select the site for the new domain controller and click Next.

Figure C-56. Active Directory Installation Wizard - Site for New Domain Controller

29. Click Next.

Figure C-57. Active Directory Installation Wizard - Additional Domain Controller Options

30. Click No, I will assign static IP addresses to all physical network
adapters.

Figure C-58. Static IP Assignment

31. Click Yes.

Figure C-59. Active Directory Installation Wizard - Continue

32. Keep the default folder paths. Click Next.

Figure C-60. Active Directory Installation Wizard - Database and Log Folders

33. Enter a restore mode password and confirm. Click Next.

Figure C-61. Active Directory Installation Wizard - Restore Mode Administrator Password

34. Click Next to confirm your choices.

Figure C-62. Active Directory Installation Wizard - Summary

35. Wait while the wizard configures the Active Directory Domain Services.

Figure C-63. Active Directory Installation Wizard - Configuring

36. Click Finish when done.

Figure C-64. Active Directory Installation Wizard - Finished

37. In Figure C-65, allow the computer to restart.

Figure C-65. Restarting the Computer

38. Reboot the server and log in with a domain administrator user account.
39. Click the Start button and select Windows Administrative Tools -> DNS.
40. Right-click on each forward and reverse lookup zone and select Properties.
Optimally, there are three in total.

Figure C-66. DNS Management - Selecting Lookup Zone Properties

41. Check the Allow Zone Transfers checkbox and select the second radio button
choice to allow transfers only to servers listed on the Name Server tab. Click OK.

Figure C-67. Zone Properties Dialog Box

42. The server may now be restored as a PDC or be left as an SDC station. To make this
server a PDC, refer to “Transferring the Operations Master Roles” on page 476 to
transfer domain controller roles from one domain controller to another.
When you have completed the restoration, verify that the SDC is working properly, as discussed
in the next subsection.
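
Steps 40 and 41 can also be checked from PowerShell once the server is back up. The script below is an added example, not part of the manual's procedure; it assumes the DnsServer module that is installed with the DNS Server role, and the -Fix switch is a name chosen here.

```powershell
# Added example (not from the manual): audit the zone-transfer setting from step 41.
# Assumes the DnsServer module that is installed with the DNS Server role.
function Test-ZoneTransferPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$Fix   # hypothetical switch: apply the step 41 setting to other zones
    )

    # Step 40 covers the forward and reverse lookup zones. Auto-created zones and the
    # TrustAnchors zone are not zones an administrator configures there, so skip them.
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and
                       -not $_.IsAutoCreated -and
                       $_.ZoneName -ne 'TrustAnchors' }

    foreach ($zone in $zones) {
        $setting = [string]$zone.SecureSecondaries

        if ($Fix -and $setting -ne 'TransferToZoneNameServer' -and
            $PSCmdlet.ShouldProcess($zone.ZoneName,
                'Allow zone transfers only to servers on the Name Servers tab')) {
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $zone.ZoneName `
                -SecureSecondaries TransferToZoneNameServer
            # Re-read the zone so the report shows what is actually configured now.
            $setting = [string](Get-DnsServerZone -ComputerName $ComputerName `
                -Name $zone.ZoneName).SecureSecondaries
        }

        [pscustomobject]@{
            Zone              = $zone.ZoneName
            Reverse           = $zone.IsReverseLookupZone
            SecureSecondaries = $setting
            Finding           = switch ($setting) {
                'TransferToZoneNameServer' { 'OK: matches step 41' }
                'TransferAnyServer'        { 'EXPOSED: any host can request the full zone' }
                'NoTransfer'               { 'Differs from step 41: zone transfers are disabled' }
                default                    { "Review: $setting" }
            }
        }
    }
}

# Report only. Add -Fix (optionally with -WhatIf) to apply the step 41 setting.
Test-ZoneTransferPolicy | Format-Table -AutoSize
```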

Verifying Domain Controller Backup Functionality


Once a Control Core Services system has been installed with both a primary and secondary
domain controller, verify that the backup functionality is working properly.
To test that the SDC is servicing logon requests and allowing for the creation of new user
accounts while the PDC is offline, proceed as follows:
1. Create a new user account on the SDC while the PDC is offline.
2. Add this user account to one of the Local Edition Control Core Services groups (for
example, IA Plant Operators).

3. Use this new user account to log onto one of the client workstations.
To test that the SDC is servicing DNS name resolution requests while the backup is offline,
proceed as follows:
1. Open a command prompt on one of the client workstations.
2. With the PDC still connected to the network, type nslookup and press <Enter>.
3. With the PDC still connected to the network, in the command prompt, type
“nslookup <CLIENT2>”, where <CLIENT2> is another client station on the domain.
The IP address of the second client will be retrieved from the primary DNS server
(NESRV5.iaseries.local in this case) to verify that the PDC is no longer available.
4. Type “nslookup <CLIENT2> <SDCStationName>” to verify that the SDC responds to
the DNS request.

Figure C-68. nslookup for Client Stations (NESRV5.iaseries.local)

5. Disconnect the PDC from the network.


6. Open a command prompt on one of the client workstations.
7. With the PDC disconnected from the network, type nslookup and press <Enter>.
8. Type <CLIENT2>, where <CLIENT2> is another client on the domain. The IP address
of the second client will be retrieved from the secondary DNS server
(NESRV4.iaseries.local in this case).

Figure C-69. nslookup for Client Stations (NESRV4.iaseries.local)

9. In the event that this does not work with the PDC disconnected, it is possible that the
NIC card settings were not made for the SDC when the Control Core Services was
installed. On every workstation, in optimal conditions, the SDC IP addresses were
configured as secondary DNS locators. The NIC settings most likely appear as shown
in Figure C-70 for a client workstation on a system with a primary and one secondary
DNS server. These settings are only necessary for the FoxInt NDIS Intermediate
Miniport Driver. In this case, 151.128.152.205 is for the PDC and 151.128.152.209
is for the SDC.

Figure C-70. Typical NIC Settings for a Client Workstation on a System with a Primary and
One Secondary DNS Server
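
The nslookup checks and the NIC check in step 9 can be scripted so they are repeatable on every client. This is an added example, not part of the manual; it uses the DNS server addresses given for Figure C-70, keeps CLIENT2 as the manual's placeholder, and queries the servers by IP address so the result does not depend on resolving the SDC's name.

```powershell
# Added example (not from the manual): scripted form of the nslookup checks above.
# The two addresses are the ones the manual gives for Figure C-70; CLIENT2 is its placeholder.
param(
    [string]$Client = 'CLIENT2',
    [string]$PdcDns = '151.128.152.205',
    [string]$SdcDns = '151.128.152.209'
)

function Test-DnsAnswer {
    param([string]$Name, [string]$Server)
    try {
        # -DnsOnly keeps LLMNR/NetBIOS out of the result; -QuickTimeout avoids a long
        # wait when the queried server is the disconnected PDC.
        $records = Resolve-DnsName -Name $Name -Server $Server -Type A `
            -DnsOnly -QuickTimeout -ErrorAction Stop
        $ips = @($records | Where-Object { $_.Type -eq 'A' } |
            ForEach-Object { $_.IPAddress } | Sort-Object)
        [pscustomobject]@{
            Server = $Server; Answered = ($ips.Count -gt 0)
            Addresses = ($ips -join ','); Error = $null
        }
    }
    catch {
        [pscustomobject]@{
            Server = $Server; Answered = $false
            Addresses = ''; Error = $_.Exception.Message
        }
    }
}

$pdc = Test-DnsAnswer -Name $Client -Server $PdcDns
$sdc = Test-DnsAnswer -Name $Client -Server $SdcDns
$pdc, $sdc | Format-Table -AutoSize

if (-not $sdc.Answered) {
    Write-Warning "The SDC ($SdcDns) did not resolve $Client. Name resolution stops when the PDC is offline."
}
elseif ($pdc.Answered -and $pdc.Addresses -ne $sdc.Addresses) {
    Write-Warning "PDC and SDC returned different addresses for $Client. Check that the zones are in sync."
}

# Step 9: every adapter that uses the PDC for DNS should also list the SDC.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -contains $PdcDns } |
    ForEach-Object {
        [pscustomobject]@{
            Interface  = $_.InterfaceAlias
            DnsServers = ($_.ServerAddresses -join ',')
            SdcListed  = ($_.ServerAddresses -contains $SdcDns)
        }
    } | Format-Table -AutoSize
```

Run it once with the PDC connected and once with it disconnected; in the second run the PDC row is expected to show an error while the SDC row still answers.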

Removing Domain Controller Functionality from a Workstation

In the event that a domain controller has to have Active Directory removed, it is recommended
that the Microsoft dcpromo utility be used to perform this operation.
1. Right-click the Start button and select Run. Type “Services.msc” to open the
Services window. Stop the Net Logon service.

2. From the Run window, enter dcpromo. Click OK.

Figure C-71. Starting the Active Directory Installation Wizard

3. Click Next.

Figure C-72. Active Directory Installation Wizard - Welcome

4. Click OK to the dialog box shown in Figure C-73. The SDC is also a Global Catalog
provider.

Figure C-73. Active Directory Installation Wizard - Global Catalog Provider Message

5. Leave un-checked the checkbox indicating that this is the last domain controller in the
domain. Click Next.

Figure C-74. Active Directory Installation Wizard - Remove Active Directory

6. Enter an Administrator account password for the new local Administrator account on
this server. The name of this account will be Administrator, which is different from
the account name originally created by the Control Core Services installation. This
account name can be changed later through the standard Microsoft dialog boxes.
Click Next.

Figure C-75. Active Directory Installation Wizard - Administrator Password

7. Click Next.

Figure C-76. Active Directory Installation Wizard - Summary

8. Wait while the wizard configures the Active Directory Domain Services.

Figure C-77. Active Directory Installation Wizard - Configuring

9. Click Finish when the process completes.


10. Restart the computer.

Figure C-78. Active Directory Installation Wizard - Restarting the Computer

Forcefully Removing a Domain Controller from Active Directory

In the event that a domain controller has become unavailable and will not be restored from a
saved image, remove this domain controller from the Active Directory domain with the following
procedure. This procedure will not successfully remove a domain controller if it holds one or
more of the FSMO roles. These roles have to be transferred to another domain controller before
proceeding, as discussed in “Transferring the Operations Master Roles” on page 476.
If the domain controller is not available, the master roles cannot be transferred. In this case, refer
to “Seizing Active Directory Operations Master Roles” on page 494.

Proceed as follows:
1. Click the Start button and select Windows Administrative Tools -> Active
Directory Sites and Services.
2. Navigate to the Domain Controllers entry in the tree view under the domain
name.
3. Right-click on the domain controller connection in the right-hand pane to remove
and select Delete.

Figure C-79. Active Directory Sites and Services - Delete a Domain Controller Connection

4. Click Yes to confirm.

Figure C-80. Active Directory Users and Computers - Delete Confirmation

5. Right-click on the domain controller settings to remove in the left-hand pane and
select Delete.

Figure C-81. Active Directory Sites and Services - Delete a Domain Controller Settings

6. Click Yes to confirm.

Figure C-82. Active Directory Users and Computers - Delete Confirmation

7. When the dialog box shown in Figure C-83 appears, select Delete.

Figure C-83. Active Directory Users and Computers - Deleting a Domain Controller

8. Right-click on the server to remove in the left-hand pane and select Delete.

Figure C-84. Active Directory Users and Computers - Delete a Server

9. Click Yes to confirm.

Figure C-85. Active Directory Users and Computers - Delete Confirmation

10. If this workstation is to be added back to the system as a domain client, this
workstation name has to be added manually to the list of IA Computers in Active Directory.
Navigate to the IA Computers entry in the tree view under the domain name.
11. Right-click on IA Computers and select New -> Computer.

Figure C-86. Active Directory Users and Computers - Creating New Computer Account

12. Enter the name of the Foxboro Evo workstation and click OK.

Figure C-87. New Object - Computer Dialog Box

Restoring Connections on a Single Domain Controller System

If the PDC becomes unavailable and there are no SDCs on the Control Core Services system, the
original PDC may be reloaded from a ghost image or reloaded from the base Schneider
Electric-provided Day 0 workstation images. However, the functionality of the Control Core
Services system will be very limited during the time in which the PDC is unavailable. On each
client workstation, only domain accounts (including operators and administrators) which have
already been used to log on to that workstation may be used. This is because the account
credentials for these accounts have been cached locally.
After the PDC station has been completely restored, the following procedure has to be performed
on each of the client workstations in order to restore the connection to the domain.

NOTE
These steps are not necessary if there was an SDC present on the Foxboro network.

Proceed as follows:
1. Right-click on This PC in the Windows Explorer and select Properties -> Change
Settings on the right pane.

Figure C-88. Workstation System Properties

2. Select the Workgroup radio button and enter a workgroup name.

Figure C-89. Computer Name Changes Dialog Box - Workgroup

3. Enter domain administrator credentials and click OK.


4. Click OK when the following dialog box appears.

Figure C-90. Computer Name Change - Remember Local Admin Password

5. Log in as IADomainAdmin.

Figure C-91. Log in IADomainAdmin

6. A dialog box indicates that the computer has been added to the workgroup entered.
Click OK.

Figure C-92. Computer Name Change - Welcome to the [YourName] Workgroup

7. A dialog box indicates that you will need to restart the station to apply the
changes. Click OK.

Figure C-93. Computer Name Change - Restart Computer

8. Click Close to close the System Properties dialog box.

Figure C-94. Closing System Properties Dialog Box

9. Upon closing the System Properties dialog box, click Yes to have the workstation
restarted.
10. After the workstation restarts, log on with the local administrator account credentials.
11. On Windows Server 2016 Standard servers, in File Explorer, right-click This PC and
click Properties. Click Change Settings in the View basic information about
your computer dialog box.
12. Select the Domain radio button and enter the domain name.

Figure C-95. Computer Name Changes Dialog Box - Domain

13. When prompted, add the username and password of the account with permission to
join this domain. Click OK when done.

Figure C-96. Windows Security Dialog Box

14. A dialog box indicates that the computer has been added to the domain. Click OK.

Figure C-97. Computer Name Changes Dialog Box - Welcome to the [YourName] Domain

15. A dialog box indicates that the computer has to be restarted. Click OK.

Figure C-98. Computer Name Changes Dialog Box - Need to Restart To Apply Changes

16. Click Close to close the System Properties dialog box.

Figure C-99. Close System Properties Dialog Box

17. Upon closing the System Properties dialog box, click Restart Now to have the
workstation restart.

Figure C-100. Computer Name Changes Dialog Box - Need to Restart To Apply Changes

Adjusting NIC Settings after Adding an SDC


If this SDC server name was not selected from the SDC drop-down list during the installation of
the PDC or any of the clients, including additional SDC servers, then the NIC card settings have
to be adjusted on those stations at this time.
On each of these stations, configure the SDC IP address as a secondary DNS locator:
1. Open the Network and Sharing Center from the Control Panel.
2. Click Change adapter settings in the left-hand pane.
3. Right-click on the entry for REDL Virtual Miniport Driver and select
Properties.
4. Select Internet Protocol 4 (TCP/IPv4) and click Properties.

Figure C-101. Local Area Connection Properties Dialog Box

5. Click the Advanced button.

Figure C-102. Internet Protocol Version 4 (TCP/IP4) Properties Dialog Box

6. In the Advanced TCP/IP Settings dialog box, select the DNS tab.
This is how it is recommended that the NIC settings appear for a client workstation
on a system with a primary and one secondary DNS server. These settings are only
necessary for the FoxInt NDIS Intermediate Miniport Driver. In this case, the IP
address ending in 84 is for the PDC and the IP address ending in 112 is for the SDC.
Add the SDC IP Address on each station if it is not already present.

Figure C-103. Advanced TCP/IP Settings Dialog Box

Backing Up Active Directory on Domain Controllers


Back up Active Directory at regular intervals on Control Core Services domain controller stations
in order to maintain a smooth restoration of Control Core Services system operations following
unexpected system conditions (software or hardware). At a minimum, perform these
backups at least every 60 days, which is the default value of the tombstone lifetime for Active
Directory backups. Backups may be taken less often if the tombstone lifetime value is increased
(see “Changing the Tombstone Lifetime Attribute in Active Directory” on page 548). This
value is stored in Active Directory under the tombstoneLifetime attribute and defines the
length of time for which a backup is valid and usable for restoring Active Directory objects. With
a valid backup available, any objects created in Active Directory after the initial Control Core
Services software installation can be easily restored. This includes policies that have been defined in
addition to the Local Edition Control Core Services system policies. Refer to these documents:
♦ https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-backing-up-a-full-server
♦ https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-guide
for information on performing Active Directory backups.

NOTE
It is highly recommended that the procedures in “Changing the Tombstone Lifetime
Attribute in Active Directory” on page 548 are performed for changing the
tombstone lifetime value. This will confirm that backups remain current and usable. A
value of at least 180 days is recommended. Do this before BESR or Active Directory
backups are taken. Also, check that the value changed is replicated to all domain
controllers before creating backups.

NOTE
Refer to Appendix D “Guidelines for Using Veritas System Recovery for Backing
Up and Restoring Domain Controllers” for additional information on backups.

Changing the Tombstone Lifetime Attribute in Active Directory

By default, the Active Directory tombstone lifetime is 180 days. This value can be changed if
necessary. Having a longer tombstone lifetime decreases the chance that a deleted object remains in
the local directory of a disconnected Domain Controller beyond the time when the object is
permanently deleted from online Domain Controllers.
The easiest way to modify this attribute value is by using the ADSI Edit tool.

NOTE
Certain Windows Support Tools, if used improperly, might cause your computer to
stop functioning. It is recommended that only experienced users install and use
Windows Support Tools.

In order to perform the following steps, you can use the IADomainAdmin account or you will
need to be a member of the “Enterprise Admins” group.
To view or change attribute values by using ADSI Edit:
1. Click Start, click Run, type ADSIEdit.msc and then click OK.

Figure C-104. Opening ADSI Edit Directory Services

2. Right-click on the ADSI Edit node and select Connect to.

Figure C-105. ADSI Edit Directory Services - Connect To

3. From the drop-down menu under “Select a well known naming context”, select
Configuration. Click OK.

Figure C-106. ADSI Edit Directory Services - Configuration

4. Expand the Configuration node.


5. Expand:
CN=Configuration,DC=<ForestRootDN>
where “<ForestRootDN>” is the Distinguished Name of your Active Directory Forest
Root domain. For example, if your domain's name is iaseries.local, then the DN for it
would be:
DC=iaseries,DC=local
6. Navigate to:
CN=Services > CN=Windows NT > CN=Directory Service
7. Right-click on Directory Service and choose Properties.

Figure C-107. ADSI Edit Directory Services - Properties Selection

8. In the CN=Directory Service Properties dialog box, scroll down, click the
tombstoneLifetime attribute, and click Edit.

Figure C-108. Attribute Editor - Attribute Selection

9. Configure the tombstone lifetime period (in days), then click OK.

Figure C-109. Attribute Value -- Tombstone Lifetime Period

10. Click OK and then close the ADSI Edit tool.


When you view the properties, if no value is set (shows up as “<Not Set>”) it means that the
default value is in effect. Any value that you type in the Attribute Editor Value field replaces the
default value when you click OK.

In order to verify the value has been set, the following command can be executed in a command
prompt window:
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=iaseries,dc=local" -scope base -attr tombstonelifetime

If your domain name is not “iaseries.local,” then replace the distinguished name of the domain in
the above command from “dc=iaseries,dc=local” to the actual distinguished name of your domain.
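
The note earlier in this appendix asks that the changed value be replicated to all domain controllers before backups are taken, while the dsquery command reads it from one domain controller only. The following added example (not part of the manual) reads tombstoneLifetime from every domain controller and compares backup image ages against it; it assumes the ActiveDirectory PowerShell module, and the image folder and file filter are hypothetical values to adjust.

```powershell
# Added example (not from the manual). Requires the ActiveDirectory module.
param(
    [string]$ImageFolder = 'E:\Backups',  # hypothetical folder holding backup images
    [string]$ImageFilter = '*.v2i',       # assumption: file extension of the images
    [int]$RecommendedDays = 180           # minimum value recommended in the note above
)
Import-Module ActiveDirectory

# Build the same DN the dsquery command uses, from the forest's configuration context.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# Ask every domain controller for its own copy of the attribute.
$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $obj = Get-ADObject -Identity $dsDn -Server $dc.HostName `
            -Properties tombstoneLifetime -ErrorAction Stop
        $shown = if ($null -eq $obj.tombstoneLifetime) { '<Not Set>' }
                 else { [string]$obj.tombstoneLifetime }
        [pscustomobject]@{ DomainController = $dc.HostName; Tombstone = $shown; Error = $null }
    }
    catch {
        [pscustomobject]@{ DomainController = $dc.HostName; Tombstone = $null
                           Error = $_.Exception.Message }
    }
}
$perDc | Format-Table -AutoSize

$unreachable = @($perDc | Where-Object { $_.Error })
$distinct = @($perDc | Where-Object { -not $_.Error } |
    ForEach-Object { $_.Tombstone } | Sort-Object -Unique)

if ($unreachable.Count -gt 0) {
    Write-Warning "$($unreachable.Count) domain controller(s) could not be queried."
}
if ($distinct.Count -gt 1) {
    Write-Warning 'Domain controllers disagree. Wait for replication before creating backups.'
    return
}
if ($distinct.Count -eq 0 -or $distinct[0] -eq '<Not Set>') {
    Write-Warning 'tombstoneLifetime is not set, so the default is in effect. Set it explicitly.'
    return
}

$days = [int]$distinct[0]
if ($days -lt $RecommendedDays) {
    Write-Warning "tombstoneLifetime is $days days; at least $RecommendedDays is recommended."
}

# A backup image older than the tombstone lifetime is not usable for restoring a DC.
if (Test-Path -LiteralPath $ImageFolder) {
    Get-ChildItem -LiteralPath $ImageFolder -Filter $ImageFilter -File -Recurse |
        ForEach-Object {
            $age = [math]::Floor(((Get-Date) - $_.LastWriteTime).TotalDays)
            [pscustomobject]@{
                Image   = $_.Name
                AgeDays = $age
                Usable  = ($age -le $days)
            }
        } | Sort-Object AgeDays -Descending | Format-Table -AutoSize
}
```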

Appendix D. Guidelines for Using Veritas System Recovery for Backing Up and Restoring Domain Controllers
This appendix provides guidelines for using Veritas System Recovery to back up and restore
images on domain controllers.
The Veritas System Recovery product is used to back up and restore Foxboro Evo workstations and
servers. However, when used with domain controllers (PDC or SDC), restoring an old image that
has Active Directory installed on it is a last-resort approach when you have more than one
domain controller. If you have a working domain controller and you need to restore another
domain controller, it is optimal to reinstall the second domain controller and allow replication to
occur with the good domain controller instead of restoring the second domain controller from a
backup image.
The Veritas System Recovery product and the procedures for using this product are described in
Veritas System Recovery 2016 Desktop, Server and Virtual Editions Guide for I/A Series® and Foxboro
Evo™ Process Automation Systems (B0700HH).
For normal backups of Active Directory, the optimal practice is to perform a System State backup
and a group policy backup:
♦ Refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-guide
for information on performing Active Directory backups.
♦ Use the Group Policy Management Console (GPMC) to perform group policy
backups. Right-click the Start button and select Control Panel -> Administrative
Tools -> Group Policy Management.
In the case of servers that have Active Directory installed on them, i.e., domain controllers, follow
these guidelines if you are forced to restore them from Veritas System Recovery backups.

NOTE
These procedures refer to tools that are part of the Windows Support Tools. If you
have not installed these tools, refer to “Changing the Tombstone Lifetime Attribute
in Active Directory” on page 548.

Making Backup Images of Domain Controllers


Proceed as follows:
1. After installing a domain controller, it is strongly recommended that you change the
tombstone lifetime value to suit your backup practices. The default is 180 days for
Windows Server 2016 Standard. If you want to restore images older than the default
value, change this value accordingly as described in “Changing the Tombstone
Lifetime Attribute in Active Directory” on page 548.
2. It is inadvisable to make the initial backup of domain controllers until they have been
running for at least twelve hours.
3. If you have secondary domain controllers, make sure the PDC and SDC are working
together properly. See “Checking the Health of Active Directory” on page 557.
4. Make entire backups of both the PDC and the SDC about the same time (separated
by minutes, not hours).
5. Back up each of the active drives (e.g., C: and D:) at the same time.
6. Check that you have selected the “Verify Recovery Point” option in the BESR window
when creating the backup image.

Restoring Only One Domain Controller


This procedure applies when there is only one domain controller being restored (for example, in
the case of a hardware unavailability), whether it is the only domain controller or there are
multiple domain controllers present. Proceed as follows:
1. It is not advisable for the domain controller backup image to be older (i.e., greater)
than the tombstone lifetime value.
2. Shut down the domain controller and restore its Veritas System Recovery image as
described in Veritas System Recovery 2016 Desktop, Server and Virtual Editions Guide
for I/A Series® and Foxboro Evo™ Process Automation Systems (B0700HH).
3. After the domain controller is rebooted, verify it is working properly. See “Checking
the Health of Active Directory” on page 557.

Restoring Multiple Domain Controllers from Backup Images

If it is necessary to restore multiple domain controllers from backup images at the same time, such
as in a testing environment, perform the following procedure:
1. It is not advisable for the domain controller backup images to be older (i.e., greater)
than the tombstone lifetime value. The backup images should have been created
about the same time.
2. Shut down the domain controllers.
3. Boot up only the PDC and restore its Veritas System Recovery backup image as
described in Veritas System Recovery 2016 Desktop, Server and Virtual Editions Guide
for I/A Series® and Foxboro Evo™ Process Automation Systems (B0700HH).
4. Seize the FSMO roles as described in “Seizing Active Directory Operations Master
Roles” on page 494. Be aware that this procedure is described in the context of
moving these roles to another domain controller when the PDC is no longer available. In
the context of this procedure, it is performed on a PDC that is being restored from a
BESR image. This may not be necessary but it is good practice. In any case, verify the
roles.

5. Set the PDC as “authoritative” for SYSVOL. Refer to the “Authoritative FRS restore”
procedure described in the following Microsoft article:
http://support.microsoft.com/kb/290762
6. Boot up the next domain controller (SDC). If this SDC is On-Control Network,
restore its Veritas System Recovery backup image as described in Veritas System
Recovery 2016 Desktop, Server and Virtual Editions Guide for I/A Series® and Foxboro Evo™
Process Automation Systems (B0700HH). If this SDC is Off-Control Network, it is
recommended that the box be reinstalled.
7. After the domain controller is rebooted, if it has been reinstalled, join it to the
domain. In any case, verify it is working properly. See the next section’s instructions
on checking the health of Active Directory.
8. Repeat steps 6 and 7 for each additional domain controller.

Checking the Health of Active Directory


Perform the following checks to assess the health of Active Directory.
If there is only one domain controller, you can run the following:
1. Open a command prompt window - click the Start button and then select Programs
-> Windows System /Accessories -> Command Prompt.
2. Type dcdiag and press <Enter>. This will start the process of checking for detected
errors.
If there are multiple domain controllers, verify that replication is working:
1. Open a command prompt window - click the Start button and then select Programs
-> Windows System /Accessories -> Command Prompt.
2. Type repadmin /showreps and press <Enter>. Verify the operations finished
successfully.
3. Launch the Event Viewer (click the Start button and select Control Panel ->
System and Security -> Administrative Tools -> Event Viewer).
a. Look in the Application log and verify there are no “userenv” detected errors.
b. Look in the File Replication Service log and verify that an Event “13516” message
is at the top of the log.
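
After a restore, the checks above are easier to repeat and record when they produce one result per domain controller. The script below is an added example, not part of the manual; it assumes an elevated prompt on the domain controller and an English-language OS (the dcdiag and repadmin output is matched as text), and limiting the userenv check to events since the last boot is a choice made here.

```powershell
# Added example (not from the manual): the health checks above as one report.
function Test-AdHealth {
    param(
        # Pass this switch when the domain has more than one domain controller.
        [switch]$MultipleDomainControllers,
        # Assumption: only events logged since the last boot matter after a restore.
        [datetime]$Since = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    )

    # dcdiag reports each test as "... <server> passed test <name>" or "... failed test <name>".
    # The manual lists dcdiag for the single-DC case; it is run in both cases here.
    $dcdiag = & dcdiag.exe 2>&1 | Out-String -Stream
    $failedTests = @($dcdiag | Select-String -Pattern 'failed test\s+(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value })

    $report = [ordered]@{
        Computer          = $env:COMPUTERNAME
        DcdiagFailedTests = ($failedTests -join ', ')
        Healthy           = ($failedTests.Count -eq 0)
    }

    if ($MultipleDomainControllers) {
        # repadmin prints "Last attempt @ <time> was successful." or
        # "Last attempt @ <time> failed, result ..." for each inbound partner.
        $rep = & repadmin.exe /showreps 2>&1 | Out-String -Stream
        $repOk     = @($rep | Select-String -Pattern 'Last attempt @ .+ was successful').Count
        $repFailed = @($rep | Select-String -Pattern 'Last attempt @ .+ failed').Count

        # Application log: no "userenv" errors (Level 2 = Error).
        $userenv = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Application'; ProviderName = 'Userenv'; Level = 2; StartTime = $Since
        } -ErrorAction SilentlyContinue)

        # File Replication Service log: the newest entry should be Event 13516.
        $frsTop = Get-WinEvent -LogName 'File Replication Service' -MaxEvents 1 `
            -ErrorAction SilentlyContinue
        $frsTopId = if ($frsTop) { $frsTop.Id } else { $null }

        $report.ReplicationSucceeded = $repOk
        $report.ReplicationFailed    = $repFailed
        $report.UserenvErrors        = $userenv.Count
        $report.FrsNewestEventId     = $frsTopId
        $report.Healthy = $report.Healthy -and
                          ($repOk -gt 0) -and ($repFailed -eq 0) -and
                          ($userenv.Count -eq 0) -and ($frsTopId -eq 13516)
    }

    [pscustomobject]$report
}

# Single domain controller:  Test-AdHealth
# PDC plus SDC(s):           Test-AdHealth -MultipleDomainControllers
Test-AdHealth -MultipleDomainControllers | Format-List
```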

Appendix E. I/A Series MESH Configurator
This appendix describes how to use the I/A Series Mesh Configurator for workstations with
Windows 10 and servers with Windows Server 2016 Standard on the Foxboro Evo Control
Network (hereafter referred to as “the control network”).
The I/A Series Mesh Configurator application installs the COMEX protocol and Redundant
Ethernet Data Link (REDL) virtual adapter, and configures Internet Protocol (IP) addresses for
stations on the control network. A station can have one or two connections to the control
network (if it has one or two switch connections in System Definition).
The Mesh Configurator provides a user interface to select the Network Interface Cards (NICs) for
these connections.

Figure E-1. MESH Configurator NIC Selection

Silent Installation
The Day 0 installer will attempt to configure the control network connections automatically. You
are not prompted with a graphical interface if the workstation has:
♦ Two switch connections, and there are exactly two NICs in PCI slots, or
♦ One switch connection, and there is exactly one NIC in a PCI slot.
In these cases, The Mesh Configurator selects the NIC(s) in the PCI Slot(s) for the control net-
work connections.

Manual NIC Selection


The graphical interface is presented if:
♦ The location of a NIC cannot be identified as an Integrated port or PCI Slot,
♦ The workstation is using an Off-Control Network Domain Controller, or
♦ The configurator is run after the Day 0 installation.
In Windows 10 and Windows Server 2016 Standard, it is no longer possible programmatically to
determine the slot of each NIC, so The Mesh Configurator attempts to map the location of each
NIC, based on the platform and BIOS settings. If this mapping does not succeed, the location of
each NIC is listed as “Unknown”.

Figure E-2. NIC Selection on Unknown Platform/BIOS

When NIC locations are “Unknown”, you need to manually select the NICs for the control
network connections. The following procedure is recommended:
1. Disconnect each of the Ethernet cables except those from the control network (and
from the Off-Control Network Domain Controller, if one is in use).

NOTE
It is not advisable to assign static IP addresses to the workstation NICs before running
The Mesh Configurator. If the configurator reports an IP conflict, find the
adapter with the duplicate IP address, change it to use DHCP, then run the configurator
again.

2. Display the Network Connections from the Start menu -> Network and Sharing
Center -> Change adapter settings (or type “view network connections”
from the Start menu search bar), and set the view to Details.


Figure E-3. Network Connections

3. By default, the columns are not wide enough to display the necessary information.
Resize the Device Name column so it is wide enough to show the entire text:

Figure E-4. Network Connections Showing Device Names

4. Identify and record the Device Names that lack a red X next to their icons. Select
these Device Names in The Mesh Configurator.

NOTE
Take care not to confuse Names with Device Names. In the above example, the
Allied Telesis adapter 2 is not the same NIC as Local Area Connection 2.

5. If installing with an Off-Control Network Domain Controller, you are prompted to
select the NIC connected to the Domain Controller’s network.


Figure E-5. Off-Control Network NIC Selection

6. After selecting the NIC for the Off-Control Network Domain Controller (or if
installing without one), you are prompted to select the NIC(s) connected to the control
network.

Figure E-6. NICs on The MESH Control Network Selection

NOTE
A NIC selected for the Off-Control Network Domain Controller will be removed
from the list of available NICs when selecting the control network connection(s).

Unless there is a detected error or further user interaction is needed, The Mesh Configurator exits
silently. If no system message is returned, this indicates a successful installation.


Post Day 0 Operations


After adding, replacing, or moving a NIC, run The Mesh Configurator to maintain proper
network bindings.

NOTE
You must run The Mesh Configurator after restoring a workstation image from a
backup created on different hardware (for example, when replacing hardware that
has suboptimal conditions).

Open the configurator from the Start menu -> Foxboro DCS Control Core Services ->
Mesh Configurator (or type “mesh configurator” from the Start menu search bar).
♦ The Mesh Configurator cannot run while the control networking is enabled. If necessary,
it will turn off Control Core Services and restart the workstation before running.
♦ The Mesh Configurator can only be run by users with administrator credentials.
The configurator remembers the selections made on previous installations. Previously selected
NIC(s) will be checked; you can leave them checked or select new NIC(s). If you originally
installed The Mesh Configurator with an Off-Control Network Domain Controller, it prompts
you to select the NIC connected to the Domain Controller’s network.

NOTE
The Mesh Configurator does not support Post Day 0 Operations on single-NIC
configurations.

Identifying Cable A and Cable B


When two connections to the control network are configured, the connection in the lower
numbered slot is considered Cable A, while the connection in the higher numbered slot is considered
Cable B. (If the slots are not numbered, the top slot is Cable A, while the bottom slot is Cable B.)
If one Ethernet port is a PCI slot and the other is an Integrated port, the PCI Slot is Cable A and
the Integrated port is Cable B. This configuration is not recommended.
Due to operating system limitations, if the locations are “Unknown”, the Cable A and Cable B
selection will be non-deterministic, and may change each time you run the configurator. In this
case, the cables have to be manually identified by unplugging each cable and noting which cable is
marked “bad” in your System Management tools. For details, refer to “Monitoring the System” in
System Management Displays (B0193JC), or “Workstations, Peripherals, and Network Printers” in
System Manager (B0750AP).

Appendix F. SNMP Community String Configuration
This appendix describes how to configure the SNMP community string for workstations with
Windows 10 and servers with Windows Server 2016 Standard.
SNMP (Simple Network Management Protocol) is an internet protocol used in network management
systems to monitor network-attached devices such as workstations, servers, routers,
switches, and so forth.
The SNMP community string is a text string that acts as a password to authenticate messages that
are sent between the management software and the device (the SNMP agent). This string has to
be configured in two places: the SNMP service (included with the Windows operating system)
and the Server Manager configuration file. Configure it only after the Control Core Services have
been installed on the workstation or server.

NOTE
The community string is case-sensitive and has to be identical in both places.

To configure the SNMP service, proceed as follows:


1. Log on with an account that has administrative privileges.
2. Right-click the Start button, and then select Control Panel -> Administrative
Tools -> Services.
3. Scroll down to the SNMP Service, right-click on it, and then click Properties.
4. In the SNMP Service Properties dialog box, shown in Figure F-1, select the Security
tab.
5. During the initial installation of the Control Core Services, a default “Invensys” community
string is added to the workstation/server. If this default string is present in the
Accepted community names field (see Figure F-1), you have to remove it. After the
initial installation of the Control Core Services, this default string is listed in the
servm.cfg file. Proceed as follows:
a. Using File/Windows Explorer, navigate to the \usr\fox\sysmgm\smat\ folder on
the drive on which the Control Core Services are installed (typically D:\).
b. If present, open the text file named: servm.cfg
If this file is not present, then it is likely that the default string has already been
removed at an earlier time, and you can skip to step 8.
c. In the servm.cfg file, locate the default string, adjacent to the text
“default_string: ”. Now you can close the servm.cfg file.
d. Once you know the default string, click that string in the Accepted community
names field in the SNMP Service Properties dialog box, and click Remove.


Figure F-1. SNMP Service Properties Dialog Box

6. Under the “Accepted community names” area, click the Add… button.


7. Select the appropriate permission level for the community string in the “Community
Rights” drop-down list to specify how the host processes SNMP requests from the
selected community. Normally, READ ONLY is recommended.
8. In the “Community Name” box, type your community string.

NOTE
Be aware that your community string is case-sensitive.

9. Click Add.
To limit the acceptance of SNMP packets, click the Accept SNMP packets from
these hosts bullet. Click the Add… button, and then type the appropriate host
name, IP address or IPX address in the Host name, IP or IPX address box. You can
restrict the access to the local host (127.0.0.1) or only specific servers by using this
setting.
10. Click OK when done.


11. For the settings to take effect, right-click the SNMP service from the Services window.
Stop and then restart the SNMP service.
To configure the Server Manager configuration file, proceed as follows:
1. Using File/Windows Explorer, navigate to the \usr\fox\sysmgm\smat\ folder on the
drive on which the Control Core Services are installed (typically D:\).
2. Open (or create) the text file named: servm.cfg
3. Type the community string using the following format:
default_string: yourcommunitystring
(Type in the same string you used above.)
4. Save the file and then reboot.
For cyber-security purposes, it is highly recommended that a well-known default community
string such as “public” is not used. Use a string that is compliant with your site’s password
complexity policy.
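
The following check is an added example, not part of the Foxboro documentation or Schneider Electric code. It audits the two places this appendix configures (the SNMP service and servm.cfg) for a case-sensitive match, a leftover default string, rights above READ ONLY, and a missing host restriction. Function names are hypothetical, the registry paths are the standard Windows SNMP service keys, and the sample values are constructed.

```powershell
# Added example; function names are hypothetical. Registry rights values are the
# DWORDs the Windows SNMP service stores for each accepted community name.
$RightsNames = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }
$WellKnown   = @('public', 'private', 'Invensys')   # defaults that should not remain

function Get-ServmCommunity {
    # Return the value after "default_string:" in servm.cfg text, or $null if absent.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*default_string:\s*(.*?)\s*$') { return $Matches[1] }
    }
    return $null
}

function Test-SnmpCommunityConfig {
    # Emits one string per finding; no output means both places are consistent.
    param(
        [hashtable]$ValidCommunities,    # accepted community name -> rights DWORD
        [string[]]$PermittedManagers,    # "Accept SNMP packets from these hosts" list
        [string[]]$ServmCfgLines         # lines of servm.cfg
    )
    $cfg = Get-ServmCommunity -Lines $ServmCfgLines
    if ([string]::IsNullOrEmpty($cfg)) {
        'servm.cfg has no default_string entry'
    } elseif (-not (@($ValidCommunities.Keys) -ccontains $cfg)) {
        # -ccontains compares case-sensitively, as the NOTE in this appendix requires
        'servm.cfg default_string is not an accepted community name (case-sensitive compare)'
    }
    foreach ($name in @($ValidCommunities.Keys)) {
        # Mask site-chosen strings so the audit output does not disclose them
        $masked = if ($name.Length -gt 1) { $name.Substring(0, 1) + '***' } else { '***' }
        if ($WellKnown -contains $name) {
            "well-known community name '$name' is still accepted"
        }
        $rights = [int]$ValidCommunities[$name]
        if ($rights -gt 4) {
            "community $masked has $($RightsNames[$rights]) rights; READ ONLY is normally recommended"
        }
    }
    if (@($PermittedManagers | Where-Object { $_ }).Count -eq 0) {
        'no host restriction: SNMP packets are accepted from any host'
    }
}

function Get-LiveSnmpConfig {
    # Reads the live settings on a station; the SNMP service must be installed.
    # Default path follows the appendix (drive D:\ is "typical", adjust as needed).
    param([string]$ServmCfgPath = 'D:\usr\fox\sysmgm\smat\servm.cfg')
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
    $communities = @{}
    $key = Get-Item -Path "$base\ValidCommunities" -ErrorAction Stop
    foreach ($n in $key.GetValueNames()) { $communities[$n] = $key.GetValue($n) }
    $mgrKey = Get-Item -Path "$base\PermittedManagers" -ErrorAction Stop
    $managers = @($mgrKey.GetValueNames() | ForEach-Object { $mgrKey.GetValue($_) })
    $lines = @()
    if (Test-Path -LiteralPath $ServmCfgPath) { $lines = @(Get-Content -LiteralPath $ServmCfgPath) }
    @{ ValidCommunities = $communities; PermittedManagers = $managers; ServmCfgLines = $lines }
}

# Constructed sample: default string still present, the two strings differ only
# by case, one community is READ WRITE, and no host restriction is set.
$sample = @{
    ValidCommunities  = @{ 'Invensys' = 4; 'Plant7-Mon!tor' = 8 }
    PermittedManagers = @()
    ServmCfgLines     = @('default_string: plant7-mon!tor')
}
Test-SnmpCommunityConfig @sample | ForEach-Object { "FINDING: $_" }

# On a station (elevated prompt):
#   $live = Get-LiveSnmpConfig
#   Test-SnmpCommunityConfig @live
```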

Appendix G. Telnet Installation
This appendix describes how to install the optional application telnet on systems with
Windows 10 and Windows Server 2016 Standard operating systems, if desired.
By default, telnet is not installed on systems with Windows 10 and Windows Server 2016 Standard
operating systems. Telnet is an optional feature and if it is needed, it can be installed manually
as described below.

Installing Telnet on Workstations with Windows 10 Operating System
Proceed as follows:
1. Log on to the workstation using an account with administrative privileges.
2. Right-click the Start button, and then click Control Panel -> Programs and
Features.
3. Click “Turn Windows features on or off ” in the left pane.
4. Scroll down to the Telnet Client checkbox and check the box next to it, as shown in
Figure G-1.

Figure G-1. Windows Features Dialog Box

5. Click OK to close the Windows Features dialog box. The telnet application will be
installed.
To use the telnet application, open a command prompt window and type telnet to start a
session.


Installing Telnet on Servers with Windows Server 2016 Standard Operating System
Proceed as follows:
1. Log on to the server using an account with administrative privileges.
2. Click on the Start button, and then click Control Panel -> Programs and
Features.
3. Click “Turn Windows features on or off ” in the left pane. The Server Manager
window opens.

Figure G-2. Server Manager

4. Click Features in the left pane as shown in Figure G-2.


5. Click Add Features in the right pane as shown in Figure G-2. The Add Features
wizard opens.


6. In the Add Features Wizard, scroll down to the Telnet Client checkbox and check the
box next to it, as shown in Figure G-3.

Figure G-3. Add Features Wizard

7. When Confirm Installation Selections opens, click Install as shown in Figure G-4.


Figure G-4. Confirm Installation Selections

8. A dialog will appear showing the installation progress. When the installation is
completed, click Close.
To use the telnet application, open a command prompt window and type telnet to start a
session.

Appendix H. Printer Sharing
This appendix describes how to enable sharing to printers on stations with Windows 10 and
Windows Server 2016 Standard operating systems, if desired.
As with previous Microsoft operating systems, Windows 10 and Windows Server 2016 Standard
allow a printer to be shared by multiple stations.
However, to do this, these operating systems require the Windows Firewall service to be enabled.

NOTE
Enabling this service does not mandate the Microsoft Windows Firewall to be used.
For Foxboro Evo workstations and servers, Schneider Electric provides the McAfee
configurable firewall as the preferred firewall and recommends that the Microsoft
Windows Firewall not be used.

Turning on the Windows Firewall Service


To turn on the Windows Firewall service without turning on the Windows Firewall itself, proceed
as follows:
1. Log on to the workstation or server using an account that has administrative
privileges.
2. Right-click the Start button, and select Run. Type “Services.msc” to open the
Services window.
3. In the Services window, scroll down to the Windows Firewall service, right-click
on it, and then click Properties.
4. Change the “Startup type” to Automatic. Click Apply.
5. Click Start.
6. Click OK.
7. Close the Services window.
The Windows firewall is automatically turned on when this service is enabled. The
firewall has to be turned off as follows:
8. Right-click the Start button, and select Control Panel -> System and Security
-> Windows Firewall.
9. At the left edge of the window, click Turn Windows Firewall on or off.
10. In each section, select the Turn off Windows Firewall (not recommended)
radio button as shown in Figure H-1.


Figure H-1. Windows Firewall Settings

11. Click OK.


12. Close the Windows Firewall window.

NOTE
If you are on an Enhanced Security system, you will also see a category for Domain
network location settings.
In an Enhanced Security system, these settings are managed through Group Policies
and may not be modifiable on the client station.

Sharing a Printer
To share a printer hosted by a workstation with Windows 10 and Windows Server 2016 Standard,
proceed as follows:
1. Click the Start button, and click Devices and Printers.
2. Right-click the icon of the printer that is to be shared and select Printer
properties.
3. In the Properties dialog box, click the Sharing tab.
4. Click the Change Sharing Options button if it is displayed as shown in
Figure H-2.


Figure H-2. Printer Properties Dialog Box

5. Check the “Share this printer” checkbox and type in a Share name.
6. If this printer will be shared with a station that has a 32-bit OS (such as an x86 version
of Windows XP), install additional drivers (before setting up the station with
Windows XP) by clicking the Additional Drivers… button and then by checking
the x86 checkbox.
Otherwise, click OK. If you see the following system message, the Windows Firewall
service has not been turned on as described in the previous section: “Operation
could not be completed (Error 0x000006D9)”


Connecting to a Shared Printer on Another Control Core Services Station
To use the shared printer from another Control Core Services station, run the “Add Printer” wizard
on that station. For a station with Windows 10 and Windows Server 2016 Standard, proceed
as follows:
1. Click the Start button, and click Devices and Printers.
2. Click Add a printer at the top (or right-click in the window and select Add a
printer).
3. Click Add a network, wireless or Bluetooth printer.
4. In the Add Printer dialog box, click The printer that I want isn't listed.
5. Click the Select a shared printer by name radio button.
6. Type the location of the printer, e.g., \\computername\printername, where “computername”
is the name of the computer hosting the printer and “printername” is the share
name you chose in step 5 in the previous section.
7. Click Next. If prompted to install drivers to finish the install, click Yes and respond
to the prompts.

Appendix I. Troubleshooting
This appendix provides troubleshooting procedures.

Setting Time Correctly: Software Installation Cannot Continue After Reboot (SDC or Domain Client)
If, after connecting an SDC or an Active Directory domain client to a Control Core Services
domain, the software installation does not continue after a reboot, the system time may not
have been set correctly. An indication that this has occurred is that the software installation
attempts to continue but will not until a username and password are provided for an account with
administrative privileges.
To verify if the time has not been properly set, proceed as follows to check that the group policies
are being applied:
1. On a Windows Server 2016 Standard server, click Start, and in the Search programs
and files text box, type “rsop.msc” and double-click the application when it appears
in the list.
2. In the Resultant Set of Policy window, right-click on Computer Configuration and
select Properties as shown in Figure I-1. The red X on the Computer Configuration
entry indicates that a suboptimal condition occurred when applying policies on
this station.


Figure I-1. Resultant Set of Policy Window


3. In the Computer Configuration Properties dialog box, select the Error Information
tab to view the detected errors for this policy set. The detected error shown in
Figure I-2 indicates that the time does not match the time on the domain controller:
“The clocks on the client and server machine are skewed.”

Figure I-2. Computer Configuration Properties Dialog Box

4. If the detected error shown in Figure I-2 is found on your system, fix the time on the
SDC or domain client as described in the “Server Preparation” of the appropriate
chapter for your station in this document and reboot. After rebooting, the software
installation may be restarted by running Setup.exe on the installation DVD.
Accept the UAC request in order to start the installation.

System Message During NIC Binding


Occasionally, the message in Figure I-3 may appear while binding the NIC cards during the Control
Core Services v9.4 installation. Upon encountering this message, retry the NIC binding operation.
Retrying a NIC binding will be successful in most cases. An upcoming patch from
Microsoft will resolve this issue in the Windows operating system. However, as of the publication
of this document, no date has been announced for the release of this patch.


Figure I-3. Mesh Configurator Detected Error Dialog Box

Appendix J. Installing Optional Software
This appendix provides procedures for installing optional software on your
workstation/server/domain client.
After restarting the station following the Control Core Services installation, you may need to
perform one or more of the following tasks:
1. If not already installed, install FoxView™ and FoxDraw™ software from the
FoxView/FoxDraw CD-ROM. Refer to FoxView and FoxDraw Software V10.5 Release
Notes (B0700SZ) for installation instructions.
2. Install Wonderware® Historian according to the instructions provided in
Wonderware® FactorySuite® IndustrialSQL Server™ Installation Guide. The Wonderware
Historian may be installed on workstations/servers with Control Core Services or
on “off-platform” workstations/servers, that is, stations without Control Core Services.
-OR-
Install AIM*Historian® software according to the instructions provided with the
AIM*Historian media.
3. If desired, install Foxboro Evo™ Control Software according to the instructions
provided with the Foxboro Evo Control Software Installation Guide (B0750RA). This may
include the Control Editors and Control HMI applications:
♦ Control HMI and its components have to be installed on workstations/servers with
Control Core Services installed.
♦ The Control Editors and Galaxy Repository may be installed on workstations/servers
with Control Core Services or on “off-platform” workstations/servers,
that is, stations without Control Core Services.
4. It is highly recommended that you install FERRET software after installing Control
Core Services v9.4. Refer to FERRET v6.1.1 (Windows Platforms) and FERRET v6.1.1
(UNIX Platforms) User's Guide (B0860BU) for installation instructions and FERRET
v6.1.2 Installation and Release Notes (B0860RU) for information on using the FERRET
software. These documents are available in PDF format on the FERRET
CD-ROM.
5. Install System Manager. On stations which have at least the IASVCS package configured
in System Definition, System Manager can be installed. During installation, the
System Manager Service is de-selected by default. Only select to install the System
Manager server on a limited number of workstations on your network. Also note that
the System Manager client can only connect to a System Manager service of the same
version. See System Manager (B0750AP) for more details.
6. Install any other software media for selected optional packages.

Appendix K. Troubleshooting PDC Migration
This appendix provides procedures for troubleshooting the PDC migration process.

Indicators of a Potentially Successful Migration


Typically when a migration is successful, the appropriate messages are shown in the event log. The
screenshots displayed in this section indicate a potentially successful migration.
1. DFS Replication event log

Figure K-1. DFS Replication Event Log


2. Directory Service event log

Figure K-2. Directory Service Event Log

3. DNS Server event log

Figure K-3. DNS Server Event Log


4. Active Directory Web Services event log

Figure K-4. Active Directory Web Services Event Log

5. The DCHealthCheck log must show that DNS tests have passed.

Figure K-5. DCHealthCheck Log - DNS Tests Passed


6. The DCHealthCheck log must show that consistency checks are successful.

Figure K-6. DCHealthCheck Log - Consistency Checks Successful

7. The DCHealthCheck log must show that replication from inbound neighbors in the
topology is successful.

Figure K-7. DCHealthCheck Log - Replication From Inbound Neighbors in the Topology Is Successful


8. The DCHealthCheck log must show no detected errors for the replication summary.

Figure K-8. DCHealthCheck Log - No Detected Errors for Replication Summary

Expected Detected Errors in DCHealthCheckLog


These detected errors are expected in the DCHealthCheck log and can be ignored.
♦ <PDC name> failed test Advertising
♦ Warning: <PDC name> is not advertising as a time server.
♦ Warning: Attribute userAccountControl of PDCOFF is:
0x82020 = ( PASSWD_NOTREQD | SERVER_TRUST_ACCOUNT |
TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( SERVER_TRUST_ACCOUNT |
TRUSTED_FOR_DELEGATION )
This may be affecting replication?

NOTE
The above message is a result of a detected error that exists in Microsoft software.
It occurs when a computer account is pre-created in ADUC and then promoted to a
DC: the UserAccountControl is set to 532512 instead of the default 532480. You
need to manually set the value to 532480 in ADSIEDIT.MSC.
UserAccountControl values for certain objects:
Typical user: 0x200 (512)
Domain controller: 0x82000 (532480)
Workstation/server: 0x1000 (4096)
Change it to represent 0x82000.


Figure K-9. UserAccountControl Set to 532512 Instead Of Default 532480

♦ Invalid service startup type: w32time on <PDC name>, current value
DISABLED, expected value DEMAND_START
♦ w32time Service is stopped on [<PDC name>]
♦ <PDC name> failed test Services
♦ Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
♦ A Time Server could not be located. The server holding the PDC
role is down.
♦ Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed,
error 1355, A Good Time Server could not be located.
♦ <domain name> failed test LocatorCheck

Troubleshooting AD Replication Issues


The most common replication issues during PDC migration and their resolution/troubleshooting
techniques are described at these hyperlinks:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/troubleshoot/troubleshooting-active-directory-replication-problems
https://docs.microsoft.com/en-us/windows-server/troubleshoot/windows-server-support-solutions


Cleanup Procedure of Windows Server 2008 R2 PDC with Windows Server 2003 SDC References
As part of the upgrade process there are steps that need to be taken to confirm a successful Windows
Server 2008 R2 to Server 2016 upgrade.
All the steps mentioned in this appendix have to be performed as a domain administrator.
1. Confirm that the Windows Server 2008 R2 server is assigned all the FSMO roles. To
do this, proceed as follows:
a. On the Windows Server 2008 R2 server, open an administrative command
prompt window and run the command “Netdom query fsmo”.
b. The result should be all FSMO roles are assigned to the Windows Server 2008 R2
server. If not, follow the substeps below to move the FSMO roles.
c. If one or more FSMO roles are still held by one or more Windows Server 2003
domain controllers, all of which are online, follow the substeps in step 2 “Transfer
FSMO roles”.
d. If one or more FSMO roles are held by any Windows Server 2003 domain controller
that is not online and was taken out without following the proper decommissioning
procedure, follow the steps mentioned in step 3 “Seizing FSMO roles”.
2. Transfer FSMO roles.
a. Open a PowerShell window in administrator mode.
b. Execute these commands:
Import-module activedirectory
Move-ADDirectoryServerOperationMasterRole <targetcomputername> <list of FSMO roles to be transferred>

NOTE
<targetcomputername> is the name of the 2008R2 server that is to receive the FSMO
roles.
<list of FSMO roles to be transferred> is a comma-separated list of FSMO roles that
are held by the Windows Server 2003 domain controller.
Refer to documentation on this command here:
https://technet.microsoft.com/en-us/library/ee617229.aspx

c. Verify that all FSMO roles have been successfully transferred to the Windows
Server 2008 R2 server by running the DOS command “netdom query fsmo” as
mentioned in step 1.
3. Seize FSMO roles.
a. Open a PowerShell window in administrator mode.
b. Execute these commands:
Import-module activedirectory
Move-ADDirectoryServerOperationMasterRole <targetcomputername> <list of FSMO roles to be transferred> -Force


NOTE
<targetcomputername> is the name of the Windows Server 2008 R2 server that is to
receive the FSMO roles.
<list of FSMO roles to be transferred> is a comma-separated list of FSMO roles that
are held by the Windows Server 2003 domain controller that is now not
connected/live.
Refer to documentation on this command here:
https://technet.microsoft.com/en-us/library/ee617229.aspx
The -Force switch forces the transfer of FSMO roles even though the Windows
Server 2003 domain controller is not live or connected.

c. Verify that all FSMO roles have been successfully transferred to the Windows
Server 2008 R2 server by running the DOS command “netdom query fsmo” as
mentioned in step 1.
4. Check the network for any remaining Windows Server 2003 domain controllers. If
there are Windows Server 2003 domain controllers remaining, run dcpromo on all
Windows Server 2003 domain controllers and complete the steps in “How to
Cleanup Active Directory After Domain Controller Demotion” on page 591.
5. If one or more Windows Server 2003 domain controllers are not connected, live, or
permanently taken offline without performing proper decommissioning, perform the
steps in “How to Cleanup Domain Controllers That Are Not Decommissioned” on
page 595.
6. Clean up the DNS entries of obsolete domain controllers (that are taken offline without
being decommissioned). Follow the steps in “How to Cleanup DNS” on
page 596.
7. As part of the cleanup procedure, remove all addresses in the Host file
“c:\windows\system32\drivers\etc\hosts”. Figure K-10 is the screen shot of an empty hosts
file.

Figure K-10. Empty Hosts File
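
The planning step behind steps 1 to 3 above, as an added example that is not part of the Foxboro documentation: given the current role holders, it decides per role whether nothing, a transfer, or a seizure with -Force is needed, and prints the resulting commands for review instead of running them. Function names and host names are hypothetical or constructed; -Identity and -OperationMasterRole are the cmdlet's named parameters for the two positional values shown above.

```powershell
# Added example; function names are hypothetical, host names are constructed.
$FsmoRoles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoMovePlan {
    # One object per role: None (target already holds it), Transfer (holder is
    # online, step 2) or Seize (holder is offline, step 3).
    param(
        [hashtable]$Holders,       # role name -> current holder (short name or FQDN)
        [string]$TargetServer,     # the Windows Server 2008 R2 server
        [string[]]$OnlineHosts     # holders confirmed to be online
    )
    $target = $TargetServer.Split('.')[0]
    $online = @($OnlineHosts | Where-Object { $_ } | ForEach-Object { $_.Split('.')[0] })
    foreach ($role in $FsmoRoles) {
        $holder = ([string]$Holders[$role]).Split('.')[0]
        # -eq and -contains compare host names case-insensitively
        $action = if ($holder -eq $target) { 'None' } elseif ($online -contains $holder) { 'Transfer' } else { 'Seize' }
        New-Object PSObject -Property @{ Role = $role; Holder = $holder; Action = $action }
    }
}

function Format-FsmoMoveCommand {
    # Build the command line for each action; -Force is added only for seizures.
    param($Plan, [string]$TargetServer)
    foreach ($action in 'Transfer', 'Seize') {
        $roles = @($Plan | Where-Object { $_.Action -eq $action } | ForEach-Object { $_.Role })
        if ($roles.Count -gt 0) {
            $cmd = "Move-ADDirectoryServerOperationMasterRole -Identity $TargetServer " +
                   "-OperationMasterRole $($roles -join ',')"
            if ($action -eq 'Seize') { $cmd += ' -Force' }
            $cmd
        }
    }
}

function Get-FsmoHolders {
    # Live query; needs the ActiveDirectory module and a reachable domain controller.
    Import-Module ActiveDirectory
    $d = Get-ADDomain
    $f = Get-ADForest
    @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

# Constructed sample: two roles already on the target, two on an online
# Windows Server 2003 DC, one on a DC that was taken offline.
$holders = @{
    SchemaMaster         = 'PDC2008R2.example.local'
    DomainNamingMaster   = 'PDC2008R2.example.local'
    PDCEmulator          = 'SDC2003A.example.local'
    RIDMaster            = 'SDC2003A.example.local'
    InfrastructureMaster = 'SDC2003B.example.local'
}
$plan = @(Get-FsmoMovePlan -Holders $holders -TargetServer 'PDC2008R2' -OnlineHosts 'SDC2003A')
$plan | Format-Table Role, Holder, Action -AutoSize
Format-FsmoMoveCommand -Plan $plan -TargetServer 'PDC2008R2'

# On a live domain, a ping is only a first indication that a holder is online:
#   $holders = Get-FsmoHolders
#   $online  = $holders.Values | Sort-Object -Unique | Where-Object { Test-Connection $_ -Count 1 -Quiet }
```

After running the printed commands, “netdom query fsmo” from step 1 remains the verification.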


How to Cleanup Active Directory After Domain Controller Demotion

NOTICE
POTENTIAL DATA LOSS

If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP
version 3 client, and you incorrectly modify the attributes of Active
Directory objects, you can cause invalid configuration, which may
require you to reinstall Microsoft Active Directory Server. Schneider
Electric cannot guarantee that detected problems that occur if you
incorrectly modify Active Directory object attributes can be solved.
Modify these attributes at your own risk.

Failure to follow these instructions can result in data loss.

The Active Directory Installation Wizard (Dcpromo.exe) is used for promoting a server to a
domain controller and for demoting a domain controller to a member server (or to a stand-alone
server in a workgroup if the domain controller is the last in the domain). As part of the demotion
process, the wizard removes the configuration data for the domain controller from Active
Directory.

Windows Server 2003 Service Pack 1 (SP1) or later Enhanced version of Ntdsutil.exe
The version of Ntdsutil.exe that is included with Service Pack 1 or later service packs for Windows
Server 2003 has been enhanced to make the metadata cleanup process complete. The Ntdsutil.exe
version that is included with SP1 or later service packs does this when metadata cleanup
is run:
♦ Removes the NTDSA or NTDS Settings object
♦ Removes inbound AD connection objects that existing destination domain controllers
use to replicate from the source domain controller being deleted
♦ Removes the computer account
♦ Removes FRS member object
♦ Removes FRS subscriber objects
♦ Tries to seize flexible single operations master roles (also known as flexible single master
operations or FSMO) held by the DC that is being removed.


NOTICE
POTENTIAL DATA LOSS

The administrator must also make sure that replication has occurred
since the demotion before manually removing the NTDS Settings
object for any server. Using the Ntdsutil utility incorrectly may result in
partial or complete loss of Active Directory functionality.

Failure to follow these instructions can result in data loss.

Procedure for Windows Server 2003 SP1 or Later


Proceed as follows:
1. Click Start -> Programs -> Accessories, and then click Command Prompt.
2. At the command prompt, type ntdsutil, and then press <Enter>.
3. Type metadata cleanup, and then press <Enter>. Based on the options given, the
administrator can perform the removal, but additional configuration parameters must
be specified before the removal can occur.
4. Type connections and press <Enter>. This menu is used to connect to the specific
server where the changes occur. If the currently-logged-on user does not have administrative
permissions, different credentials can be supplied by specifying the credentials
to use before making the connection. To do this, type
set creds DomainName UserName Password, and then press <Enter>. For a null
password, type null for the password parameter.
5. Type connect to server <servername>, and then press <Enter>. You should
receive confirmation that the connection is successfully established. If a detected error
occurs, verify that the domain controller being used in the connection is available and
the credentials you supplied have administrative permissions on the server.

NOTE
If you try to connect to the same server that you want to delete, when you try to
delete the server that step 15 refers to, you may receive this system message:
Error 2094. The DSA Object cannot be deleted0x2094

6. Type quit, and then press <Enter>. The Metadata Cleanup menu appears.
7. Type select operation target and press <Enter>.
8. Type list domains and press <Enter>. A list of domains in the forest is displayed,
each with an associated number.
9. Type select domain <number> and press <Enter>, where <number> is the number
associated with the domain of the server you are removing. The domain you select is
used to determine whether the server being removed is the last domain controller of
that domain.

Appendix K. Troubleshooting PDC Migration B0700SX – Rev F

10. Type list sites and press <Enter>. A list of sites, each with an associated number,
appears.
11. Type select site <number> and press <Enter>, where <number> is the number
associated with the site of the server you are removing. You should receive a confirmation
listing the site and domain you chose.
12. Type list servers in site and press <Enter>. A list of servers in the site, each
with an associated number, is displayed.
13. Type select server <number>, where <number> is the number associated with the
server you want to remove. You receive a confirmation listing the selected server, its
Domain Name System (DNS) host name, and the location of the server's computer
account you want to remove.
14. Type quit and press <Enter>. The Metadata Cleanup menu appears.
15. Type remove selected server and press <Enter>. You should receive confirmation
that the removal completed successfully. If you instead receive the following message,
the NTDS Settings object may already have been removed from Active Directory, either
because another administrator removed it or because the successful removal of the
object replicated after the DCPROMO utility was run.
Error 8419 (0x20E3)
The DSA object could not be found

NOTE
You may also see this message when you try to bind to the domain controller that
will be removed. Ntdsutil has to bind to a domain controller other than the one that
will be removed with metadata cleanup.

16. Type quit, and then press <Enter> at each menu to quit the Ntdsutil utility. You
should receive confirmation that the connection disconnected successfully.
17. Remove the cname record in the _msdcs.root domain of forest zone in DNS. Assuming
that the domain controller will be reinstalled and re-promoted, a new NTDS Settings
object is created with a new GUID and a matching cname record in DNS. The
existing domain controllers should not use the old cname record.
As best practice, you should delete the host name and other DNS records. If the lease
time that remains on the Dynamic Host Configuration Protocol (DHCP) address
assigned to the offline server is exceeded, another client can obtain the IP address of
the problem domain controller.
18. In the DNS console, use the DNS MMC to delete the A record in DNS. The
A record is also known as the Host record. To delete the A record, right-click the
A record, and then click Delete. Also, delete the cname record in the _msdcs
container. To do this, expand the _msdcs container, right-click cname, and then click
Delete.


NOTE
If this is a DNS server, remove the reference to this domain controller under the
Name Servers tab. To do this, in the DNS console, click the domain name under
Forward Lookup Zones, and then remove this server from the Name Servers tab.

NOTE
If you have reverse lookup zones, also remove the server from these zones.

19. If the deleted computer is the last domain controller in a child domain, and the child
domain was also deleted, use ADSIEdit to delete the trustDomain object for the child.
To do this, follow these steps:
a. Click Start, click Run, type adsiedit.msc, and then click OK.
b. Expand the Domain NC container.
c. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
d. Expand CN=System.
e. Right-click the Trust Domain object, and then click Delete.
20. Use Active Directory Sites and Services to remove the domain controller. To do this,
follow these steps:
a. Start Active Directory Sites and Services.
b. Expand Sites.
c. Expand the server's site. The default site is Default-First-Site-Name.
d. Expand Server.
e. Right-click the domain controller, and then click Delete.
21. When you use DFS Replication in Windows Server 2008 and in later versions, the
current version of Ntdsutil.exe does not clean up the DFS Replication object. In this
case, you can use Adsiedit.msc to correct the DFS Replication objects for Active
Directory Domain Services (AD DS) manually. To do this, follow these steps:
a. Log on to a domain controller as a domain administrator in the affected domain.
b. Start Adsiedit.msc.
c. Connect to the default naming context.
d. Locate the following DFS Replication topology container:
CN=Topology,CN=Domain System Volume,CN=DFSR-Globalsettings,CN=System,DC=Your Domain,DC=Domain Suffix
e. Delete the msDFSR-Member CN object that has the old computer name.


How to Cleanup Domain Controllers That Are Not Decommissioned

NOTE
The procedure mentioned in this section is described at the link:
https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Proceed as follows:
1. Open Active Directory Users and Computers.
On the Start menu, select Administrative Tools, and then click Active Directory
Users and Computers.
2. If you have identified replication partners in preparation for this procedure and if you
are not connected to a replication partner of the removed domain controller whose
metadata you are cleaning up, right-click Active Directory Users and
Computers <DomainControllerName>, and then click Change Domain Controller. Click
the name of the domain controller from which you want to remove the metadata, and
then click OK.
3. Expand the domain of the domain controller that was forcibly removed, and then
click Domain Controllers.
4. In the details pane, right-click the computer object of the domain controller whose
metadata you want to clean up, and then click Delete.

Figure K-11. Active Directory Users and Computers - Delete Computer


5. In the Active Directory Domain Services dialog box, click Yes to confirm the
computer object deletion.
6. In the Deleting Domain Controller dialog box, select This Domain Controller is
permanently offline and can no longer be demoted using the Active
Directory Domain Services Installation Wizard (DCPROMO), and then
click Delete.

Figure K-12. Active Directory Users and Computers - Delete Computer - Part 2

7. If the domain controller is a global catalog server, in the Delete Domain Controller
dialog box, click Yes to continue with the deletion.
8. If the domain controller currently holds one or more operations master roles, click OK
to move the role or roles to the domain controller that is shown.
You cannot change this domain controller. If you want to move the role to a different domain
controller, you must move the role after you complete the server metadata cleanup procedure.

How to Cleanup DNS


You can clean up DNS of any obsolete records belonging to a domain controller that is not
correctly decommissioned or taken offline permanently without decommissioning.
Proceed as follows:
1. Open the DNS application (Control Panel -> Administrative tools -> DNS).
2. Expand DNS -> <servername> -> Forward Lookup Zones.
3. Click every node under the Forward lookup zone node (by expanding each child
node) and from the right pane of the console, delete all entries related to the obsolete
domain controller.


4. Expand DNS -> <servername> -> Reverse Lookup Zones.


5. Delete all child nodes that represent IP addresses of the obsolete domain controllers.
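To confirm that nothing was missed while clicking through the zones, the records can be listed and matched against the removed domain controller. This is an added example, not part of the Foxboro guide: it only reads DNS, it assumes the DnsServer PowerShell module (Windows Server 2012 or later), and the host name oldpdc, the 192.0.2.x addresses and the sample records are constructed.

```powershell
# Added example: read-only search for DNS records that still reference a removed DC.

function Get-FlatDnsRecord {
    # Flattens the records of every primary zone (forward and reverse) on a DNS server
    # into objects with Zone, HostName, RecordType and Data.
    param([string] $ComputerName = $env:COMPUTERNAME)
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
    foreach ($zone in $zones) {
        $records = Get-DnsServerResourceRecord -ComputerName $ComputerName `
            -ZoneName $zone.ZoneName -ErrorAction SilentlyContinue
        foreach ($r in $records) {
            $data = switch ($r.RecordType) {
                'A'     { $r.RecordData.IPv4Address.ToString() }
                'AAAA'  { $r.RecordData.IPv6Address.ToString() }
                'CNAME' { $r.RecordData.HostNameAlias }
                'NS'    { $r.RecordData.NameServer }
                'SRV'   { $r.RecordData.DomainName }
                'PTR'   { $r.RecordData.PtrDomainName }
                default { $null }
            }
            if ($data) {
                [pscustomobject]@{
                    Zone = $zone.ZoneName; HostName = $r.HostName
                    RecordType = $r.RecordType; Data = $data
                }
            }
        }
    }
}

function Find-StaleDcRecord {
    # Returns the records that name the removed DC, hold its address, or are its host record.
    param(
        [Parameter(Mandatory = $true)] [object[]] $Records,
        [Parameter(Mandatory = $true)] [string]   $DcFqdn,
        [string[]] $DcAddress = @()
    )
    $fqdn  = $DcFqdn.TrimEnd('.')
    $short = $fqdn.Split('.')[0]
    foreach ($rec in $Records) {
        $data   = ([string]$rec.Data).TrimEnd('.')
        $reason = $null
        if ($data -eq $fqdn) {
            $reason = 'points at the removed DC by name'
        } elseif ($DcAddress -contains $data) {
            $reason = 'holds the address of the removed DC'
        } elseif ($rec.RecordType -eq 'A' -and $rec.HostName -eq $short) {
            $reason = 'host (A) record named after the removed DC'
        }
        if ($reason) {
            [pscustomobject]@{
                Zone = $rec.Zone; HostName = $rec.HostName
                RecordType = $rec.RecordType; Data = $rec.Data; Reason = $reason
            }
        }
    }
}

# Constructed sample records, so the matching logic can be tried without a DNS server.
$sample = @(
    [pscustomobject]@{ Zone = 'iaseries.local'; HostName = 'OLDPDC'; RecordType = 'A'
                       Data = '192.0.2.10' },
    [pscustomobject]@{ Zone = 'iaseries.local'; HostName = 'NEWPDC'; RecordType = 'A'
                       Data = '192.0.2.11' },
    [pscustomobject]@{ Zone = 'iaseries.local'; HostName = '@'; RecordType = 'NS'
                       Data = 'oldpdc.iaseries.local.' },
    [pscustomobject]@{ Zone = 'iaseries.local'; HostName = '_ldap._tcp'; RecordType = 'SRV'
                       Data = 'newpdc.iaseries.local.' },
    [pscustomobject]@{ Zone = '_msdcs.iaseries.local'
                       HostName = '00000000-0000-0000-0000-000000000000'   # placeholder GUID
                       RecordType = 'CNAME'; Data = 'oldpdc.iaseries.local.' },
    [pscustomobject]@{ Zone = '2.0.192.in-addr.arpa'; HostName = '10'; RecordType = 'PTR'
                       Data = 'oldpdc.iaseries.local.' }
)
Find-StaleDcRecord -Records $sample -DcFqdn 'oldpdc.iaseries.local' -DcAddress '192.0.2.10' |
    Format-Table -AutoSize

# Against a live DNS server, replace $sample with the output of Get-FlatDnsRecord:
# Find-StaleDcRecord -Records (Get-FlatDnsRecord) -DcFqdn '<removed DC FQDN>' -DcAddress '<its IP>'
```

An empty result after the cleanup means no forward, reverse, name server or _msdcs record still refers to the removed domain controller.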

Appendix L. Pre-Migration Settings for PDCs with Pre-Control Core Services v9.3
This appendix provides procedures for configuring the pre-migration settings for a PDC
running pre-Control Core Services v9.3 software.
Proceed as follows:
1. On the existing PDC with Windows Server 2008 and pre-Control Core Services v9.3
software, log in as the IADomainAdmin user, and from the Run field, open
gpmc.msc.

Figure L-1. Opening gpmc.msc

This opens the Group Policy Management Console.


2. Once the console is opened, navigate to the “Invensys IA Computers v1.0” policy as
shown below.

Figure L-2. Invensys IA Computers v1.0 Policy


3. Right-click on “Invensys IA Computers v1.0” and select Edit. This opens the Group
Policy Management Editor.

Figure L-3. Selecting Edit


4. Navigate to Computer Configuration -> Windows Settings -> Security
Settings -> Public Key Policies.

Figure L-4. Navigating to Public Key Policies


5. From the right panel, select Certificate Path Validation Settings.

Figure L-5. Selecting Certificate Path Validation Settings

6. Double-click Certificate Path Validation Settings and the Properties
window will be opened as shown below.

Figure L-6. Invoking the Properties Window


7. Select the Trusted Publishers tab and uncheck “Define these Policy Settings”.
Then click OK.
Now the migration can be started.
8. After the migration is successful, recheck the “Define these Policy Settings” checkbox.

Appendix M. Files to Back Up/Restore
This appendix details the Local Edition Control Core Services files and directories to consider
backing up when migrating from I/A Series software v8.8 or earlier or Control Core Services
v9.0-9.3 to Control Core Services v9.4 on a hard drive of a Windows workstation for
restoration onto the Day 0 drive.
You can back up the user files, and files that support applications.

Saving Files
For workstations running the Windows operating system, files have to be saved to removable
media or some other medium, for example, a recordable CD in order for the files to be restored
after the installation.

Files to Back Up/Restore for Day 0 Migration


Files listed in the following subsections may be backed up from your pre-v8.8 Windows system
for later restoration.

CNI Files
On the CSA server workstation:
♦ C:\ProgramData\Invensys\IASeries\AccessListEditor\cs_devmon_CNI.cfg
♦ C:\ProgramData\Invensys\IASeries\AccessListEditor\NamespaceMap.xml
♦ C:\ProgramData\Invensys\IASeries\AccessListEditor\ConnectionSettings\CNIConfig.xml
On the CNI host workstations:
♦ C:\ProgramData\Invensys\IASeries\AccessListEditor\*.xml {For the entire set of
Access List configuration files}

Application Databases
Consider backing up the following application database files. These files reside on the D: drive of
a Windows workstation.
Files requiring changes need to be recustomized.

NOTE
It is inadvisable to only replace Day 0 files with older files.


AIM*API
For detailed information on saving the AIM*Historian database, refer to AIM*Historian User's
Guide (B0193YL) and AIM*AT Installation Guide (B0193YM).

NOTE
Stop the processes that write to the database (Historian, AIM*Historian, or
FoxAMI™, for example).

Consider backing up the following application database files:


♦ \opt\aim\bin\an_init.tcp (server file)
♦ \opt\aim\bin\aimapi.cfg
♦ \opt\aim\bin\alias.cfg

Control Libraries
♦ \opt\fox\ciocfg\sequenlibrary
♦ \opt\fox\ciocfg\sequeninclude
♦ \opt\fox\ciocfg\plblibrary

Display-Related Files
Back up every customized display file. No display file conversion is necessary when migrating
display files from a pre-V8.x Windows workstation. Display file conversion may be needed if you
have displays from a UNIX-based workstation that you would like to port to a V8.x Windows
system. Refer to the appendix titled, “Display Convert Utility” in FoxDraw™ Software (B0700FD)
for instructions on using the conversion utility.
Customized markers, fonts, faceplates, and so forth, developed using the FoxDraw package, are
stored in the directory /opt/customer/displib.
Consider backing up the following display-related files. These files reside on the D: drive of a
Windows workstation.
♦ \usr\fox\alarms\<logical_name>AAtab [1]
♦ \usr\fox\alarms\<logical_name>AApan [1]
♦ \usr\fox\alarms\commgrp.cfg
♦ \usr\fox\alarms\alarms.fmt
♦ \usr\fox\alarms\<logical_name>.apc (or <logical_name>.apccr) [1]
♦ \usr\fox\alarms\horn.cfg
♦ \usr\fox\wp\data\wp5?_cmds [2]
♦ \usr\fox\wp\data\wp5?_glbls.1 [2]
♦ \usr\fox\wp\data\wp5?_glbls.all [2]
♦ \usr\fox\wp\data\am_cmds [2]

1. Before restoration, make sure file names contain the correct workstation’s logical name.
2. Files requiring changes need to be recustomized. It is inadvisable to simply replace Day 0 files with
older files.


♦ \usr\fox\customer\hi\dmcfg [2]
♦ \usr\fox\customer\alarms\cfg [2]
♦ \usr\fox\customer\config [2]
♦ \opt\menus
♦ \opt\disp
♦ \usr\disp
♦ \opt\customer
♦ \opt\custom\Initial_Disp.* [2]
♦ \opt\fox\env\*.* [2]
♦ Customer Display Files.

System-Related Files
Consider backing up the following system-related files. These files reside on the D: drive of a
Windows workstation.

Application Files
♦ \etc\fox\opsys_usr.cfg [3]

Historian or AIM*Historian Files


♦ \opt\aim\inst
♦ \opt\aim\myfiles.

User Applications and Third-Party Package Files


The databases and configuration files for user applications and third-party packages have to be
backed up. Include Foxboro Industry or Application Group applications found in
/etc/fox/rc.foxapps and /usr/fox/bin/user_apps.dat.
Following Control Core Services installation, these files can be restored and the applications and
third-party packages can be reloaded or installed from user- or vendor-supplied media.

NOTE
Reinstallation of third-party packages mandates that the original or a newer version
of the package media is available. Consult with the vendor to determine
compatibility and rekeying requirements.

3. New (Day 0) versions of these files may need customization using data from your older files. It is
inadvisable to simply replace the Day 0 files with the older files.


Backing Up and Restoring Compound Summary Access (CSA)

NOTE
It is inadvisable to use other methods of backing up and restoring CSA database
files, such as archiving the data files from or to the /opt/fox/csa directory.

NOTE
In the following CSA procedures, keep in mind that the term “50 Series” applies to
workstations running the UNIX operating system, and the term “70 Series” applies
to workstations running the Windows operating system.

To perform the CSA operations below, you need to be in a VT100 session or Command prompt
window on the CSA host station.
♦ On 50 Series stations, use a WYSE terminal or start a VT100 session from the
SftMnt pull-down menu.
♦ On 70 Series stations, start up a Command Prompt window, and type the following
to get into a Shell mode:
D:
ncenv
sh

Backing Up CSA (CSA_Save)


On the CSA host station, perform CSA_Save to back up the CSA database files.

NOTE
The CSA_Save operation might not succeed for individual stations that have
compounds without blocks. When this occurs, remove the empty compound, using the
Integrated Control Configurator, and retry the CSA_Save operation.

1. Back up the CSA database files. Before performing this operation, consider the
following:
♦ An empty directory has to be available for the CSA_Save operation. The
(CSA_Save) operation might not succeed for stations for which a file already
exists.
♦ For drive space requirements, assume that you need 15 KB of space per control
station. Use the df command to check available drive space in the /usr partition.
2. Type the following:
cd /usr/fox/csa
mkdir save
CSA_Save ./save
This saves the CSA files in the /usr/fox/csa/save directory. There is one text file for
each control station.


3. Verify the contents of the save file(s). Type the following:


cd /usr/fox/csa/save
ls -l
Verify that each control station has a text file in this directory.
4. Archive the files onto removable media. Type the following:
tar cvf /dev/fd0 /usr/fox/csa/save (50 Series diskette)
tar cvf a: /usr/fox/csa/save (70 Series diskette)
tar cvf f:\csa_save.tar /usr/fox/csa/save (70 Series USB drive)
The drive letter “f:”, as shown in the above example, may vary depending on the
other peripherals attached.

Relocating CSA
After modifying System Definition to move CSA to a new host, you have to perform these
procedures:
1. Perform a CSA_Save operation on the original host. Refer to “Backing Up CSA
(CSA_Save)” on page 608 for more information.

NOTE
If you perform a Day 1 operation in order to move the Compound Summary Access
(CSA) server package from one workstation with CCS v9.4 to another workstation
with CCS v9.4 and you have performed deployments to CNI stations involving
CNI hosted alarm destinations, the following special action is required.
Move the C:\ProgramData\Invensys\IASeries\AccessListEditor\cs_devmon_CNI.cfg
file from the old CSA workstation to the new CSA workstation prior to initiating any
subsequent deployments to the CNI stations.
Furthermore, copy the following CNI configuration files to the new CSA server
workstation:
C:\ProgramData\Invensys\IASeries\AccessListEditor\NamespaceMap.xml
C:\ProgramData\Invensys\IASeries\AccessListEditor\ConnectionSettings\CNIConfig.xml

2. Remove CSA from the original host.


To remove CSA from a pre-v8.8 workstation, type the following:
♦ cd /usr/fox/bin
♦ Use an editor such as vi or Wordpad to open the file fox_apps.dat.
♦ Delete the record “ACSA”
♦ Save the file and exit the editor
♦ Reboot the workstation
To remove CSA from a workstation with I/A Series software v8.8 or Control Core
Services v9.0 or later:
♦ Perform a Day 1 installation on the workstation using the committed
configuration files from updated System Definition.


3. Install CSA on the new host (as part of a Day 0 or Day 1 installation) using the
committed configuration files from the updated System Definition.
4. Perform a CSA_Merge operation on the new host. Refer to “Restoring CSA
(CSA_Merge)” on page 610 for more information.

NOTE
The CSA Server does not start and CSA_Merge utility does not work on the new
host until CSA has been removed from the original host.

Restoring CSA (CSA_Merge)


On the CSA host station, perform CSA_Merge to restore the CSA database files.
1. Extract the CSA files produced by the CSA backup procedure. Insert the removable
media and type the following:
tar xvf /dev/fd0 (50 Series diskette)
tar xvf a: * (70 Series diskette)
tar xvf f:\csa_save.tar (70 Series USB drive)
The drive letter “f:”, as shown in the above example, may vary depending on the
other peripherals attached.
2. Restore the CSA database. Type the following:
cd /usr/fox/csa
CSA_Merge ./save
3. You can remove the CSA text files at this time to recover drive space. Type:
rm -r /usr/fox/csa/save

Appendix N. Local Administrator Login on Windows 10, Windows Server 2016 Machines
On Windows 10/Windows Server 2016 images supplied by Foxboro, the only administrator is an
account named “Account1”. After these machines join the domain on which Invensys/Schneider
Electric GPOs are applied, only local administrators are allowed for local login. Domain users
(even non-administrators) however are still allowed login.

Renaming Account1 on Windows 10/Windows Server 2016 Machines
In case of any domain connectivity issues, you might need to logon to these machines using a
local account. In this case, you can use Account1. However if you happen to rename this account,
the machine will lose the ability to logon locally using the renamed account. To keep this from
happening, perform the below steps immediately after renaming the account and while the
machine is still connected to the domain.
1. On the Primary Domain Controller, log in as a domain administrator user, such as
IADomainAdmin.
2. Open the Group Policy Management Console (gpmc.msc).
3. Navigate to and expand “Forest:{ForestName} -> Domains -> {DomainName} -> Group
Policy Objects” node.
4. Right click on “Invensys IA Computers v2.0” GPO and select Edit.
5. Navigate to and click on the “Computer Configuration -> Policies -> Windows
Settings -> Security Settings -> Restricted Groups” node.
6. Double-click Administrators on the right side view.
7. Add <name> to “Members of this group” by clicking the Add… button where <name>
is the renamed account.
8. Close Group Policy Management Control.
This step will make certain that the renamed Account1 user account does not lose logon
capability on the Windows 10/Server 2016 station.

Helping to Avoid the Loss of Logon Ability for Account1
During domain controller migration from Windows Server 2008 to Server 2016, the target
Windows Server 2016 station first joins the domain as a regular domain client and then gets
promoted to a domain controller. However, if there are any migrations that did not succeed
after the machine joins the domain but before it gets promoted to domain controller, the
machine will not have the ability to log in using the local “Account1” user account. To keep
this from happening, perform these steps before starting the migration process.
1. On the source Windows Server 2008 Primary Domain Controller, login as a domain
administrator user such as IADomainAdmin.
2. Open the Group Policy Management Console (gpmc.msc).
3. Navigate to and expand “Forest:{ForestName} -> Domains -> {DomainName} ->
Group Policy Objects” node.
4. Right click on the “Invensys IA Computers v1.0” GPO and select Edit.
5. Navigate to and click on the “Computer Configuration -> Policies -> Windows
Settings -> Security Settings -> Restricted Groups” node.
6. Double-click Administrators on the right side view.
7. Add “Account1” to “Members of this group” by clicking the Add… button.
8. Close Group Policy Management Control.

Appendix O. Verifying Group Policy Settings Before Migration
This appendix provides procedures for verifying and importing Group Policy (GPO) settings
before migration.
All the steps described in this Appendix must be performed on the Server 2008 domain controller
using the IADomainAdmin account.
The following GPOs should be checked to verify that they are not empty:
♦ Invensys Base Non-IA v1.0
♦ Invensys Base Policy v1.0
♦ Invensys Domain Controllers Policy v1.0
♦ Invensys Domain Policy v1.0
♦ Invensys Enhanced Interactive Logon Banner ON v1.0
♦ Invensys Enhanced Screen Saver Enabled Filtered v1.0
♦ Invensys FoxView Environments v1.0
♦ Invensys IA Users Filtered v1.0
♦ Invensys Interactive Logon Banner OFF v1.0
♦ Invensys Plant Admins Filtered v1.0
♦ Invensys Plant Engineers Filtered v1.0

Verifying GPO Settings


1. Open group policy management console (Start -> Run -> gpmc.msc).
2. Navigate to the node Forest:<forest name> -> Domains -> <domain name> -> Group
Policy Objects.
3. Select the GPO that you want to verify.
4. On the right pane, select the Settings tab. The tab is not empty for a valid GPO.
Figure O-1 shows a sample GPO that is empty.


Figure O-1. Empty GPO Settings Tab
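The same check can be scripted for all eleven GPOs instead of opening each Settings tab. This is an added example, not part of the Foxboro guide: it assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 or later, or a management station with RSAT), treats a GPO as empty when its XML report has no ExtensionData under Computer or User, and uses two constructed report fragments to show the test.

```powershell
# Added example: flag GPOs whose report contains no Computer or User settings.

# GPO names as listed in this appendix.
$FoxboroGpos = @(
    'Invensys Base Non-IA v1.0',
    'Invensys Base Policy v1.0',
    'Invensys Domain Controllers Policy v1.0',
    'Invensys Domain Policy v1.0',
    'Invensys Enhanced Interactive Logon Banner ON v1.0',
    'Invensys Enhanced Screen Saver Enabled Filtered v1.0',
    'Invensys FoxView Environments v1.0',
    'Invensys IA Users Filtered v1.0',
    'Invensys Interactive Logon Banner OFF v1.0',
    'Invensys Plant Admins Filtered v1.0',
    'Invensys Plant Engineers Filtered v1.0'
)

function Get-GpoSettingCount {
    # Counts the ExtensionData sections per side of a Get-GPOReport XML report.
    # local-name() keeps the XPath independent of the report's default namespace.
    param([Parameter(Mandatory = $true)] [string] $ReportXml)
    $doc   = [xml]$ReportXml
    $count = @{}
    foreach ($side in 'Computer', 'User') {
        $xpath = "/*[local-name()='GPO']/*[local-name()='$side']/*[local-name()='ExtensionData']"
        $count[$side] = $doc.SelectNodes($xpath).Count
    }
    [pscustomobject]@{
        Computer = $count['Computer']
        User     = $count['User']
        IsEmpty  = (($count['Computer'] + $count['User']) -eq 0)
    }
}

function Test-FoxboroGpo {
    # Live check: one row per GPO with OK, EMPTY or NOT FOUND.
    param([string[]] $Name = $FoxboroGpos)
    foreach ($n in $Name) {
        try {
            $xml = Get-GPOReport -Name $n -ReportType Xml -ErrorAction Stop
            $c   = Get-GpoSettingCount -ReportXml $xml
            $status = if ($c.IsEmpty) { 'EMPTY - import settings' } else { 'OK' }
            [pscustomobject]@{ Gpo = $n; Computer = $c.Computer; User = $c.User; Status = $status }
        } catch {
            [pscustomobject]@{ Gpo = $n; Computer = 0; User = 0; Status = 'NOT FOUND' }
        }
    }
}

# Constructed report fragments (not real exports) to exercise the parser offline.
$emptyReport = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Invensys Base Policy v1.0</Name>
  <Computer><Enabled>true</Enabled></Computer>
  <User><Enabled>true</Enabled></User>
</GPO>
'@
$populatedReport = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Invensys Base Policy v1.0</Name>
  <Computer><Enabled>true</Enabled><ExtensionData><Name>Security</Name></ExtensionData></Computer>
  <User><Enabled>true</Enabled></User>
</GPO>
'@
Get-GpoSettingCount -ReportXml $emptyReport
Get-GpoSettingCount -ReportXml $populatedReport

# On the domain controller, as IADomainAdmin:
# Test-FoxboroGpo | Format-Table -AutoSize
```

Any GPO reported as EMPTY is a candidate for the import procedure in the next section; NOT FOUND means the display name does not match a GPO in the domain.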

Importing GPO Settings


If any GPO displays no settings under both Computer Configuration and User Configuration
(Figure O-1), import the settings using these steps:
1. Insert the Control Core Services 9.4 media into the DVD drive.
2. Navigate to <Media Drive>:\Group Policy\GPOs folder
3. Copy all .zip files to a temporary location. For example, d:\tempGPOs.
4. Extract all GPOs in the chosen location. In this location, there should be one folder
per GPO.
5. Navigate to the <Media Drive>:\Group Policy\Migtables folder.
6. Copy the file MasterMigrationTable.migtable to the chosen temp location in
which you copied the .zip files.
7. Edit the MasterMigrationTable.migtable in Notepad.
a. Replace all occurrences of mydomain.local with the actual domain name (for
example, iaseries.local).
b. Save the changes to the file, and close Notepad.
8. Right-click on the GPO that is missing its settings, and select Import Settings….
The Import Settings Wizard appears.
9. Click Next.
10. Click Next to ignore backing up the GPO.


11. In the Backup Folder field, provide the following path to the GPO settings:

d:\tempGPOs\<gponame>\<gponame>

NOTE
The actual path will change based on where you have extracted the GPO zip files.

12. Click Next.


The source GPO dialog box should list the GPO name from which you are import-
ing. This should be the same name as the GPO into which you are importing.
13. Click Next.
14. Click Next.
15. If the GPO you are importing has migtable references, the Migrating References dia-
log will appear. Complete these steps in this dialog box. If this dialog box does not
appear, move to the next step.
a. In this dialog box, select the radio button “Using this migration table to map
them from the destination GPO.”
b. Click Browse and select the file MasterMigrationTable.migtable that you
have edited.
c. Click Next.
16. Click Finish.
17. Click OK to close the Import Wizard. Ignore any system messages shown in the dialog
box.
18. Repeat the process for all GPOs that are missing settings.

Appendix P. Linking Custom GPOs to Any CCS/CS Specific OUs
This appendix provides the guidelines for linking custom GPOs to any of the Foxboro Control
Core Services (CCS) and/or Control Software (CS) specific OUs.
Foxboro supplied GPOs for Control Core Services (CCS) and Control Software (CS) products
are linked to various OUs. The following list shows the OUs to which these GPOs are linked:
♦ \<domain level>
♦ \<Domain>\Domain Controllers
♦ \<Domain>\Invensys
♦ \<Domain>\Invensys\Accounts
♦ \<Domain>\Invensys\IA Computers
♦ \<Domain>\Invensys\IA Computers\Autologon Consoles
♦ \<Domain>\Invensys\IA Computers\Remote Desktop Servers
♦ \<Domain>\Invensys\IA Computers\Remote Desktop Servers\Thin Client Accessible
Servers
♦ \<Domain>\Invensys\Non-IA Servers
♦ \<Domain>\Invensys\Non-IA Workstations

NOTICE
Loss of Data

It is important that CCS/CS products with Foxboro supplied GPOs are linked to their
respective OUs in the correct linking order. Otherwise, the product functionality can be
unpredictable.
Failure to follow these instructions can result in loss of data.

When necessary, you can create custom GPOs and link them to the above mentioned OUs to
meet your own operational needs. If that is the case, it is important to be aware of the following
guidelines for linking these custom GPOs:
♦ Ensure that the custom GPOs do not have settings that conflict with the settings in
the Foxboro supplied GPOs.
♦ If you are absolutely certain that the settings do not conflict, then the custom
GPO can be linked in any order within an OU.
♦ If any of your custom GPO settings must take precedence over the Foxboro
supplied GPO settings, you must link it at the highest level in the OU.


NOTE
When the custom GPO settings conflict with the Foxboro supplied GPO settings,
it is assumed that you are fully aware of the potential consequences to the product
functionality. A GPO with the least linking order takes the highest precedence; that
is, its GPO settings overwrite any of the same GPO settings that were processed
before it.

♦ Regardless of the link order of your custom GPO in an OU, do preserve the relative
linking order of the Foxboro supplied GPOs, which is the sequence of the Foxboro
supplied GPOs linked to a specific OU.
Figure P-1 shows an example of the relative linking order of the Foxboro supplied
GPOs to the IA Computers OU. The GPOs include CCS and CS GPOs.

Figure P-1. Linked Group Policy Objects - Foxboro Supplied GPO Relative Linking Order

In Figure P-1, the Foxboro Evo CNI Computer Policy 1.0 is applied (processed) first
among the other GPOs linked to the IA Computers OU because its linking order
number (Link Order 6) is the highest. This GPO is followed by the other GPOs in
the following relative linking order:
♦ Invensys FoxView Environments v1.0 (Link Order 5)
♦ Invensys IA Computers v2.0 (Link Order 4)
♦ SE Server 2016 Member Server Security Compliance v1.0 (Link Order 3)
♦ SE Win10 Computer Security Compliance v1.0 (Link Order 2)
♦ FCS Computers v2.0 (Link Order 1)

NOTE
To avoid an incorrect relative linking order for the Foxboro supplied GPOs, do not
change the sequence of these GPOs being applied.


Custom GPO Linking Order Examples


The following examples show various scenarios of custom GPO linking order.

Example 1 - Correct (Most Common)


In Figure P-2, the Custom GPO is at Link Order 1, which means it gets applied last.
Since the relative linking order of the Foxboro supplied GPOs (Links 7 thru 2) remains
unchanged, this link order is acceptable.

Figure P-2. Linked Group Policy Objects - CustomGPO - Link Order 1

Example 2 - Correct
In Figure P-3, the custom GPO is at Link Order 7, which means it gets applied first. Since the
relative linking order of the Foxboro supplied GPOs (Links 6 thru 1) remains unchanged, this
link order is acceptable.

Figure P-3. Linked Group Policy Objects - CustomGPO - Link Order 7

Example 3 - Correct
In Figure P-4, the custom GPO is at Link Order 3 which means it gets applied fifth in the order
from first to last (Link 7 to Link 3). Since the relative linking order of the Foxboro supplied GPOs
remains unchanged, this link order is acceptable.


Figure P-4. Linked Group Policy Objects - CustomGPO - Link Order 3

Example 4 - Incorrect
In Figure P-5, the custom GPO is at Link Order 3, which means it is applied fifth in the order
from first to last. This is NOT acceptable because the relative linking order of the Foxboro
supplied GPOs is also changed as shown in Link 1 and 2. Observe that FCS Computers v2.0 is
applied before SE Win10 Computer Security Compliance v1.0, which is incorrect, and this
reverse order will cause issues with CS product behavior.

Foxboro supplied GPOs out-of-order

Figure P-5. Linked Group Policy Objects - CustomGPO - Link Order 3
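The rule behind these examples (custom GPOs may sit anywhere, but the Foxboro supplied GPOs must keep their relative sequence) can be checked from the link list of the OU. This is an added example, not part of the Foxboro guide: the two sample link lists are constructed from the descriptions of Example 1 and Example 4, and the OU distinguished name in the commented live call is an assumed placeholder.

```powershell
# Added example: verify that the Foxboro supplied GPOs keep their relative link order.

# Sequence from applied first (highest link order) to applied last, as listed for
# Figure P-1. The names must match the display names shown in GPMC exactly.
$ExpectedSequence = @(
    'Foxboro Evo CNI Computer Policy 1.0',
    'Invensys FoxView Environments v1.0',
    'Invensys IA Computers v2.0',
    'SE Server 2016 Member Server Security Compliance v1.0',
    'SE Win10 Computer Security Compliance v1.0',
    'FCS Computers v2.0'
)

function Test-RelativeLinkOrder {
    # $Links: objects with DisplayName and Order, for example the GpoLinks property
    # returned by Get-GPInheritance. Custom GPOs in the list are ignored.
    param(
        [Parameter(Mandatory = $true)] [object[]] $Links,
        [Parameter(Mandatory = $true)] [string[]] $Expected
    )
    # Highest link order is processed first, so sort descending.
    $actual = @($Links |
        Where-Object { $Expected -contains $_.DisplayName } |
        Sort-Object -Property Order -Descending |
        ForEach-Object { $_.DisplayName })
    $missing = @($Expected | Where-Object { $actual -notcontains $_ })
    $wanted  = @($Expected | Where-Object { $actual -contains $_ })

    # Compare position by position; any mismatch means the sequence was disturbed.
    $misplaced = @()
    for ($i = 0; $i -lt $wanted.Count; $i++) {
        if ($actual[$i] -ne $wanted[$i]) { $misplaced += $actual[$i] }
    }
    [pscustomobject]@{
        InOrder         = ($misplaced.Count -eq 0)
        Misplaced       = $misplaced
        Missing         = $missing
        AppliedSequence = $actual
    }
}

function New-Link { param($Order, $Name) [pscustomobject]@{ Order = $Order; DisplayName = $Name } }

# Constructed from Example 1: custom GPO at Link Order 1, supplied GPOs at 7 thru 2.
$example1 = @(
    (New-Link 7 'Foxboro Evo CNI Computer Policy 1.0'),
    (New-Link 6 'Invensys FoxView Environments v1.0'),
    (New-Link 5 'Invensys IA Computers v2.0'),
    (New-Link 4 'SE Server 2016 Member Server Security Compliance v1.0'),
    (New-Link 3 'SE Win10 Computer Security Compliance v1.0'),
    (New-Link 2 'FCS Computers v2.0'),
    (New-Link 1 'CustomGPO')
)
# Constructed from Example 4: custom GPO at Link Order 3, Links 1 and 2 swapped.
$example4 = @(
    (New-Link 7 'Foxboro Evo CNI Computer Policy 1.0'),
    (New-Link 6 'Invensys FoxView Environments v1.0'),
    (New-Link 5 'Invensys IA Computers v2.0'),
    (New-Link 4 'SE Server 2016 Member Server Security Compliance v1.0'),
    (New-Link 3 'CustomGPO'),
    (New-Link 2 'FCS Computers v2.0'),
    (New-Link 1 'SE Win10 Computer Security Compliance v1.0')
)
Test-RelativeLinkOrder -Links $example1 -Expected $ExpectedSequence | Format-List
Test-RelativeLinkOrder -Links $example4 -Expected $ExpectedSequence | Format-List

# Live check (GroupPolicy module; the OU path is an assumed placeholder):
# $links = (Get-GPInheritance -Target 'OU=IA Computers,OU=Invensys,DC=iaseries,DC=local').GpoLinks
# Test-RelativeLinkOrder -Links $links -Expected $ExpectedSequence
```

Running the check before and after a CCS installation shows whether the installer or a manual edit has disturbed the supplied sequence.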

Example 5 - Correct (Customer Example with CCS 9.4 Install)


In Figure P-6, custom GPOs are at Link Order 1 thru 6 so they get applied last in the IA
Computers OU. Since the relative linking order of the Foxboro supplied GPOs (Link 7 thru 13)
remains unchanged, this link order is acceptable.


Figure P-6. Linked Group Policy Objects - CustomGPO - Link Order 1 through 6

However, when CCS 9.4 is installed, the GPO ordering is redone/changed as shown in
Figure P-7. Since the customer’s custom GPOs are meant to intentionally change settings set by
the Foxboro supplied GPOs, these custom GPOs must be moved so they can be applied last.

Figure P-7. Linked Group Policy Objects - Foxboro Supplied GPOs - Link Order 1 thru 4, and Link Order 13 and 14

Figure P-8 shows the corrected and final view of the IA Computers OU once the custom GPOs
and Foxboro supplied GPOs have been properly re-ordered. The custom GPOs take precedence
since they are applied last.


Figure P-8. Linked Group Policy Objects - Previous Custom GPO Link Order Re-ordered Properly

Schneider Electric Systems USA, Inc.
38 Neponset Avenue
Foxborough, MA 02035-2037
United States of America
www.schneider-electric.com

Global Customer Support


https://pasupport.schneider-electric.com
