
I/A Series® System

V8.8 Software Installation Guide

B0700SF

Rev E
February 9, 2016
Schneider Electric, Invensys, Foxboro, and I/A Series are trademarks of Schneider Electric SE, its subsidiaries
and affiliates.
All other brand names may be trademarks of their respective owners.

Copyright 2012–2016 Invensys Systems, Inc. All rights reserved.

Invensys Systems, Inc. is now part of Schneider Electric.

SOFTWARE LICENSE AND COPYRIGHT INFORMATION


Before using the Invensys Systems, Inc. supplied software supported by this documentation, you
should read and understand the following information concerning copyrighted software.
1. The license provisions in the software license for your system govern your obligations
and usage rights to the software described in this documentation. If any portion of
those license provisions is violated, Invensys Systems, Inc. will no longer provide you
with support services and assumes no further responsibilities for your system or its
operation.
2. All software issued by Invensys Systems, Inc. and copies of the software that you are
specifically permitted to make, are protected in accordance with Federal copyright
laws. It is illegal to make copies of any software media provided to you by
Invensys Systems, Inc. for any purpose other than those purposes mentioned in the
software license.

Contents
Preface................................................................................................................................. xxv
Purpose .................................................................................................................................. xxv
Revision Information ............................................................................................................. xxv
Reference Documents ............................................................................................................ xxv
Glossary ............................................................................................................................... xxvii

1. Software Installation Overview.......................................................................................... 1


Installation Concepts ................................................................................................................ 1
How to Use this Installation Guide ........................................................................................... 2
Overview of Supported Software Installations ........................................................................... 2
Determining Hardware Requirements ....................................................................................... 3
Pre-Installation System Backup ................................................................................................. 4
System Configuration and Creating Commit Installation Media ............................................... 4
I/A Series Software V8.8 Documentation .................................................................................. 5
Workstation Specific Operating System Media ......................................................................... 5
I/A Series Software v8.8 Media ................................................................................................. 7
Additional Media ...................................................................................................................... 9
Hardware and Software Specific Instruction Documents ......................................................... 11

2. Standard I/A Series Software v8.8 Day 0 Installation ...................................................... 13


Workstation/Server Preparation .............................................................................................. 13
Notes on Installing I/A Series System Software ....................................................................... 14
Changing the Station Name .................................................................................................... 14
Disabling the VirusScan Console ............................................................................................ 15
Preparing Network Interface Cards (NICs) For Installation .................................................... 17
Exiting During Software Installation ....................................................................................... 17
Installation Procedure ............................................................................................................. 18
Installing the I/A Series Software v8.8 Trailer CD-ROM ................................................... 29
Restarting Your System ...................................................................................................... 30
Configuring VirusScan Software ............................................................................................. 30
Installing Optional Software ................................................................................................... 30
System Manager and System Management Display Handler (SMDH)
Installation Notes ............................................................................................................... 31
Installing the Beep Driver (I/A Series Servers with FoxPanels Only) ................................... 32

B0700SF – Rev E Contents

Setting Date and Time ............................................................................................................ 33


Completing Installation .......................................................................................................... 34

3. Installation or Migration Scenarios for Security Enhanced I/A Series Software v8.8........ 35
Scenario 1 ............................................................................................................................... 36
Scenario 2 ............................................................................................................................... 37
Scenario 3 ............................................................................................................................... 37
Scenario 4 ............................................................................................................................... 37
Scenario 5 ............................................................................................................................... 38
Scenario 6 ............................................................................................................................... 39

4. Security Enhanced I/A Series Software v8.8 Installation for Domain Controllers on
The MESH Control Network ............................................................................................. 41
Installing I/A Series SE Software v8.8 on Primary
Domain Controllers on The MESH Control Network ........................................................... 41
Server Preparation .............................................................................................................. 41
Notes on Installing I/A Series System Software ................................................................... 43
Changing the Station Name ............................................................................................... 44
Disabling the VirusScan Console ........................................................................................ 44
Preparing Network Interface Cards (NICs) For Installation ............................................... 45
Canceling and Resuming the Security Enhanced Installation Process ................................. 46
Installation Procedure ......................................................................................................... 47
Installing the I/A Series Software v8.8 Trailer CD-ROM .............................................. 62
Restarting Your System .................................................................................................. 63
Installing Optional Software ............................................................................................... 63
System Manager and System Management Display Handler (SMDH)
Installation Notes .......................................................................................................... 63
Primary Domain Controller Postinstallation Procedures .................................................... 65
Changing Passwords ...................................................................................................... 65
Creating Users in Active Directory ................................................................................ 68
Tombstone Lifetime Attribute in Active Directory ........................................................ 75
Backing Up Active Directory ......................................................................................... 75
Continuing Installation ...................................................................................................... 75
Installing Security Enhanced I/A Series Software v8.8
on Secondary Domain Controllers on The MESH Control Network ..................................... 76
Server Preparation .............................................................................................................. 76
Notes on Installing I/A Series System Software ................................................................... 77
Changing the Station Name ............................................................................................... 78
Disabling the VirusScan Console ........................................................................................ 79
Preparing Network Interface Cards (NICs) For Installation ............................................... 80
Canceling and Resuming the Security Enhanced Installation Process ................................. 81
Installation Procedure ......................................................................................................... 82
Installing the I/A Series Software v8.8 Trailer CD-ROM ............................................ 100
Restarting Your System ................................................................................................ 101
Installing Optional Software ............................................................................................. 101


System Manager and System Management Display Handler (SMDH)
Installation Notes ........................................................................................................ 101
Secondary Domain Controller Post-Installation Procedures ............................................. 103
Changing Passwords .................................................................................................... 103
Backing Up Active Directory ....................................................................................... 104
Continuing Installation .................................................................................................... 104

5. Security Enhanced I/A Series Software v8.8 Installation for
New Off-MESH Domain Controllers ............................................................................... 105
Installing Security Enhanced I/A Series Software v8.8
on Off-MESH Primary Domain Controllers ......................................................................... 105
Server Preparation ............................................................................................................ 105
Notes on Installing I/A Series System Software ................................................................. 107
Changing the Station Name ............................................................................................. 108
Disabling the VirusScan Console ...................................................................................... 109
Canceling and Resuming the Security Enhanced Installation Process ............................... 111
Installation Procedure ....................................................................................................... 113
Restarting Your System ................................................................................................ 127
Installing Optional Software ............................................................................................. 127
Primary Domain Controller Postinstallation Procedures .................................................. 128
Changing Passwords .................................................................................................... 128
Creating Users in Active Directory .............................................................................. 130
Tombstone Lifetime Attribute in Active Directory ...................................................... 138
Backing Up Active Directory ....................................................................................... 138
Continuing Installation .................................................................................................... 138
Installing Security Enhanced I/A Series Software v8.8
on Off-MESH Secondary Domain Controllers ..................................................................... 139
Server Preparation ............................................................................................................ 139
Notes on Installing I/A Series System Software ................................................................. 140
Changing the Station Name ............................................................................................. 141
Disabling the VirusScan Console ...................................................................................... 141
Canceling and Resuming the Security Enhanced Installation Process ............................... 144
Installation Procedure ....................................................................................................... 146
Installing the I/A Series Software v8.8 Trailer CD-ROM ............................................ 160
Restarting Your System ................................................................................................ 161
Installing Optional Software ............................................................................................. 161
System Manager and System Management Display Handler (SMDH)
Installation Notes ........................................................................................................ 161
Secondary Domain Controller Post-Installation Procedures ............................................. 163
Changing Passwords .................................................................................................... 163
Backing Up Active Directory ....................................................................................... 164
Adding I/A Series Stations to Active Directory Post-Installation .................................. 164
Continuing Installation .................................................................................................... 167

6. Security Enhanced I/A Series Software v8.8 Installation
for Existing Off-MESH Primary Domain Controllers....................................................... 169
Overview ............................................................................................................................... 169


Notes on Installing I/A Series System Software ................................................................. 169


Disabling the VirusScan Console .......................................................................................... 170
Canceling and Resuming the Security Enhanced Installation Process .................................... 173
Installation Procedure ........................................................................................................... 175
Restarting Your System .................................................................................................... 183
Primary Domain Controller Post-Installation Procedures ...................................................... 184
Creating Users in Active Directory ................................................................................... 184
Adding I/A Series Stations to Active Directory Post-Installation .................................. 191
Tombstone Lifetime Attribute in Active Directory ........................................................... 193
Backing Up Active Directory ............................................................................................ 193
Continuing Installation ......................................................................................................... 193

7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary
Domain Controller on The MESH Control Network ....................................................... 195
Preparing the Source Primary Domain Controller
(Existing On-MESH PDC with I/A Series Software v8.5/8.6/8.7) for Migration .................. 196
Preparation and Installation for New Target Primary Domain Controller ............................. 204
Preparing Network Interface Cards (NICs) For Installation ............................................. 204
Installation on New Target Primary Domain Controller .................................................. 204
Configuring for Existing Domain Clients with I/A Series Software v8.5/8.6/8.7 ................... 225
Continuing Installation ......................................................................................................... 228

8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-MESH
Primary Domain Controller .............................................................................................. 231
Preparing the Source Primary Domain Controller (Existing PDC with I/A Series Software
v8.5/8.6/8.7) for Migration ................................................................................................... 231
Preparation and Installation for New Target Primary Domain Controller ............................. 254
Adding I/A Series Stations to Active Directory Post-Installation ....................................... 274
Continuing Installation ......................................................................................................... 277

9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-MESH Primary
Domain Controller............................................................................................................ 279
Group Policy Settings Migration From Domains with I/A Series Software v8.7 or Earlier .... 280
Preparation for Installation .................................................................................................... 280
Disabling the VirusScan Console on Target Primary Domain Controller ......................... 282
Preparing the Source Primary Domain Controllers
for Transferring Active Directory Settings ............................................................................. 284
Preparing the Target Primary Domain Controllers ................................................................ 294
Installing Microsoft SQL Server 2008 SP3 Express Edition v10.00.5500.00 .................... 306
Installing Active Directory Migration Tool v3.2 ............................................................... 322
Migrating Passwords and Group Policy Objects
(GPOs) from Source Primary Domain Controller ................................................................. 328


Installing Password Export Server v3.1 ............................................................................. 334


Migrating Active Directory Settings to the Target Primary Domain Controller .................... 339
Adding I/A Series Stations to Active Directory Post-Installation ....................................... 340
Migrating Domain Clients with I/A Series Software
v8.5/8.6/8.7 to the New Off-MESH Domain ....................................................................... 343
Continuing Installation ......................................................................................................... 353

10. Security Enhanced I/A Series Software v8.8 Installation
for Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7
Domain Clients to Existing Off-MESH Networks ............................................................ 355
Workstation/Server Preparation ............................................................................................ 355
Notes for Installing I/A Series System Software ..................................................................... 356
Preparing Network Interface Cards (NICs) For Installation ............................................. 357
Migrating Domain Client from Domain in I/A Series System v8.7
Or Earlier to a Domain in I/A Series System v8.8 ............................................................ 358
Changing the Station Name .................................................................................................. 360
Disabling the VirusScan Console .......................................................................................... 360
Canceling and Resuming the Security Enhanced Installation Process .................................... 363
Installation Procedures .......................................................................................................... 364
Installation Procedure (On The MESH Control Network) .............................................. 365
Installation Procedure for Clients of New Off-MESH Domain Controllers ..................... 379
Installation Procedure for Pre-Existing Domain Clients
(I/A Series Software v8.5-v8.7) to Existing Off-MESH Domain Controllers .................... 397
Completing the Domain Client Installation ..................................................................... 402
Installing the I/A Series Software v8.8 Trailer CD-ROM ............................................ 402
Restarting Your System ................................................................................................ 402
Non-MESH Network Cables ...................................................................................... 403
Configuring VirusScan Software ........................................................................................... 403
Installing Optional Software ................................................................................................. 403
System Manager and System Management Display Handler (SMDH) Installation Notes ............ 404
Setting Date and Time .......................................................................................................... 406
Domain Client Postinstallation Procedures ........................................................................... 406
Changing Passwords ......................................................................................................... 406
Re-Enabling the McAfee VirusScan Console ......................................................................... 408

11. Performing a Day 1 Installation .................................................................................. 411


Day 1 Operations (Secure or Standard I/A Series Software) .................................................. 411
Installing the I/A Series Software v8.8 Trailer CD-ROM ...................................................... 417
Performing a “Post-Commit for Pre-8.0” .............................................................................. 418
Instructions for Windows Workstations ...................................................................... 418
Instructions for Solaris Workstations ........................................................................... 419


Appendix A. Startup Options ............................................................................................ 421

Appendix B. Changing the Station Name.......................................................................... 423

Appendix C. Excluding Files, Folders, and Drives ............................................................. 429

Appendix D. Secondary Domain Controllers in an I/A Series System ............................... 435


Active Directory Operations Master Roles ............................................................................. 435
Transferring the Operations Master Roles ............................................................................. 436
Seizing Active Directory Operations Master Roles ................................................................. 454
Restoring a PDC Server Station ............................................................................................ 459
Verifying Domain Controller Backup Functionality ............................................................. 484
Removing Domain Controller Functionality from a Workstation ......................................... 487
Forcefully Removing a Domain Controller from Active Directory ........................................ 492
Restoring Connections on a Single Domain Controller System ............................................. 497
Adjusting NIC Settings after Adding an SDC ....................................................................... 505
Backing Up Active Directory on Domain Controllers ........................................................... 507
Changing the Tombstone Lifetime Attribute in Active Directory .......................................... 508

Appendix E. Guidelines for Using
BESR for Backing Up and Restoring Domain Controllers ................................................ 515
Making Backup Images of Domain Controllers .................................................................... 515
Restoring Only One Domain Controller ............................................................................... 516
Restoring Multiple Domain Controllers from Backup Images ............................................... 516
Checking the Health of Active Directory .............................................................................. 517

Appendix F. I/A Series MESH Configurator ..................................................................... 519


Silent Installation .................................................................................................................. 519
Manual NIC Selection .......................................................................................................... 520
Post Day 0 Operations .......................................................................................................... 523
Identifying Cable A and Cable B ........................................................................................... 523

Appendix G. IASeries_NIC_Data.msi Installation (Pre-I/A Series Installation) ................ 525


Creating K0174KU-B CD-ROM with IASeries_NIC_Data.msi .......................................... 525
Installing K0174KU-B CD-ROM (Pre-I/A Series Installation) ............................................. 525


Appendix H. SNMP Community String Configuration .................................................... 527

Appendix I. Telnet Installation.......................................................................................... 531


Installing Telnet on Workstations with Windows 7 Operating System ................................. 531
Installing Telnet on Servers with Windows Server 2008 R2 Standard Operating System ...... 532

Appendix J. Printer Sharing............................................................................................... 535


Turning on the Windows Firewall Service ............................................................................. 535
Sharing a Printer ................................................................................................................... 536
Connecting to a Shared Printer on Another I/A Series Station .............................................. 538

Appendix K. Troubleshooting ........................................................................................... 539


Setting Time Correctly After Failure to Continue
Software Installation After Reboot (SDC or Domain Client) ................................................ 539

Figures
2-1. Disable Virus Scan Access Protection .......................................................................... 15
2-2. On-Access Scan Properties Dialog Box ........................................................................ 16
2-3. Confirming Cancellation of Software Installation ....................................................... 17
2-4. InstallShield Wizard Completed - Interrupted ............................................................ 18
2-5. AutoPlay Dialog Box ................................................................................................... 19
2-6. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box ..... 20
2-7. Selecting to Install a Domain Controller ..................................................................... 21
2-8. Load Committed Configuration Install Files ............................................................... 22
2-9. Installation Media Folder Browser ............................................................................... 23
2-10. Load Committed Configuration Install Files - Binding ............................................... 24
2-11. I/A Series Network Installation (For Certain NIC Cards) ........................................... 25
2-12. I/A Series Installshield Wizard - Next .......................................................................... 25
2-13. I/A Series Installshield Wizard - Install ........................................................................ 26
2-14. Installation Media Dialog Box ..................................................................................... 27
2-15. Media Folder Browser ................................................................................................. 27
2-16. Installation Media Dialog Box - For Diskettes ............................................................. 28
2-17. Complete Installation .................................................................................................. 28
2-18. Example of Installation Log ......................................................................................... 29
2-19. Installing System Manager Server ................................................................................ 32
4-1. Disable Virus Scan Access Protection .......................................................................... 44
4-2. On-Access Scan Properties Dialog Box ........................................................................ 45
4-3. Confirming Cancellation of Software Installation ....................................................... 46
4-4. Confirming Installation Interruption .......................................................................... 47
4-5. InstallShield Wizard Completed - Interrupted ............................................................ 47
4-6. AutoPlay Dialog Box ................................................................................................... 48
4-7. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box ..... 49
4-8. Selecting to Install a Domain Controller ..................................................................... 50
4-9. Load Committed Configuration Install Files ............................................................... 51
4-10. Installation Media Folder Browser ............................................................................... 52
4-11. I/A Series Network Installation (For Certain NIC Cards) ........................................... 53
4-12. Server Platform Setup Dialog Box ............................................................................... 53
4-13. Active Directory Warning ........................................................................................... 54
4-14. Active Directory Installation via DOS Window .......................................................... 54
4-15. Promoting to Primary Domain Controller via DOS Window ..................................... 55
4-16. Setting up the Platform for a Secure I/A Series Installation ......................................... 56
4-17. Active Directory Domain Settings Applied .................................................................. 57
4-18. I/A Series Secure User Accounts Dialog Box ............................................................... 57
4-19. Invensys IASeries Install: Workstation Reboot Request Dialog Box ............................ 58
4-20. You Are About To Be Logged Off Dialog Box ............................................................ 58
4-21. Installation Media Dialog Box ..................................................................................... 59
4-22. Media Folder Browser ................................................................................................. 60
4-23. Installation Media Dialog Box - For Diskettes ............................................................. 61
4-24. Example of Installation Log ......................................................................................... 62
4-25. Installing System Manager Server ................................................................................ 64
4-26. Resetting Passwords via Active Directory Users and Computers .................................. 66
4-27. Resetting a Password ................................................................................................... 66
4-28. Setting the Restore Mode Password via ntdsutil.exe .................................................... 67
4-29. Using and Exiting ntdsutil.exe .................................................................................... 67
4-30. Creating Users via Active Directory Users and Computers .......................................... 68
4-31. New Object - User ...................................................................................................... 69
4-32. New Object - User - Password Updates ....................................................................... 70
4-33. New Object - User - Finish ......................................................................................... 70
4-34. Opening the New User Properties Dialog Box ............................................................ 71
4-35. New User Properties Dialog Box ................................................................................. 72
4-36. Select Groups .............................................................................................................. 73
4-37. Multiple Names Found Dialog Box ............................................................................ 73
4-38. Closing Select Groups Dialog Box .............................................................................. 74
4-39. Closing Properties Dialog Box .................................................................................... 74
4-40. Disable Virus Scan Access Protection .......................................................................... 79
4-41. On-Access Scan Properties Dialog Box ........................................................................ 80
4-42. Confirming Cancellation of Software Installation ....................................................... 81
4-43. Confirming Installation Interruption .......................................................................... 82
4-44. InstallShield Wizard Completed - Interrupted ............................................................ 82
4-45. AutoPlay Dialog Box ................................................................................................... 83
4-46. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box ..... 84
4-47. Selecting to Install a Domain Controller ..................................................................... 85
4-48. Load Committed Configuration Install Files ............................................................... 86
4-49. Installation Media Folder Browser ............................................................................... 87
4-50. I/A Series Network Installation (For Certain NIC Cards) ........................................... 88
4-51. Server Platform Setup Dialog Box (SDC) .................................................................... 89
4-52. Resetting UTC Date ................................................................................................... 90
4-53. Unable to Determine Local Time on the PDC ............................................................ 90
4-54. Server Platform Setup Dialog Box (Second SDC) ....................................................... 91
4-55. Invensys IASeries Install: Workstation Reboot Request Dialog Box ............................ 92
4-56. Server Platform Setup Dialog Box (PDC Account Information) ................................. 93
4-57. Server Platform Setup Dialog Box (Verify Domain Name and Site Name Fields) ....... 94
4-58. Active Directory Installation via DOS Window .......................................................... 95
4-59. Assigning Role of Secondary Domain Controller via DOS Window ........................... 95
4-60. Setting Up the Platform for a Secure I/A Series Installation ......................................... 96
4-61. InstallShield Wizard for I/A Series Software ................................................................ 97
4-62. Installation Media Dialog Box ..................................................................................... 97
4-63. Media Folder Browser ................................................................................................. 98
4-64. Installation Media Dialog Box - For Diskettes ............................................................. 99
4-65. Example of Installation Log ....................................................................................... 100
4-66. Installing System Manager Server .............................................................................. 102
4-67. Setting the Restore Mode Password via ntdsutil.exe .................................................. 103
4-68. Using and Exiting ntdsutil.exe .................................................................................. 104
5-1. Disable Virus Scan Access Protection ........................................................................ 109
5-2. On-Access Scan Properties Dialog Box ...................................................................... 110
5-3. Confirming Cancellation of Software Installation ..................................................... 111
5-4. Confirming Installation Interruption ........................................................................ 111
5-5. InstallShield Wizard Completed - Interrupted .......................................................... 112
5-6. Internet Protocol Version 4 (TCP/IPv4) Properties ................................................... 113
5-7. Set-ExecutionPolicy AllSigned .................................................................................. 114
5-8. AutoPlay Dialog Box ................................................................................................. 114
5-9. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box ... 115
5-10. Selecting to Install a Domain Controller on an Off-MESH Domain ........................ 116
5-11. Load Committed Configuration Install Files ............................................................. 117
5-12. Installation Media Folder Browser ............................................................................. 118
5-13. Server Platform Setup ................................................................................................ 119
5-14. Collecting SDC Machine Info .................................................................................. 120
5-15. I/A Series Installation Warning ................................................................................. 120
5-16. Pick Type .................................................................................................................. 121
5-17. Active Directory Domain Name Warning ................................................................. 122
5-18. Active Directory Installation via DOS Window ........................................................ 122
5-19. Promoting to Primary Domain Controller via DOS Window ................................... 123
5-20. Setting up the Platform for a Secure I/A Series Installation ....................................... 124
5-21. Active Directory Domain Settings Applied ................................................................ 125
5-22. I/A Series Secure User Accounts Dialog Box ............................................................. 125
5-23. Adding New Computer Account ............................................................................... 126
5-24. Example of Installation Log ....................................................................................... 127
5-25. Resetting Passwords via Active Directory Users and Computers ................................ 128
5-26. Resetting a Password ................................................................................................. 129
5-27. Setting the Restore Mode Password via ntdsutil.exe .................................................. 129
5-28. Using and Exiting ntdsutil.exe .................................................................................. 130
5-29. Creating Users via Active Directory Users and Computers ........................................ 131
5-30. New Object - User .................................................................................................... 132
5-31. New Object - User - Password Updates ..................................................................... 133
5-32. New Object - User - Finish ....................................................................................... 133
5-33. Opening the New User Properties Dialog Box .......................................................... 134
5-34. New User Properties Dialog Box ............................................................................... 135
5-35. Select Groups ............................................................................................................ 136
5-36. Multiple Names Found Dialog Box .......................................................................... 136
5-37. Closing Select Groups Dialog Box ............................................................................ 137
5-38. Closing Properties Dialog Box .................................................................................. 137
5-39. Disable Virus Scan Access Protection ........................................................................ 142
5-40. On-Access Scan Properties Dialog Box ...................................................................... 143
5-41. Confirming Cancellation of Software Installation ..................................................... 144
5-42. Confirming Installation Interruption ........................................................................ 144
5-43. InstallShield Wizard Completed - Interrupted .......................................................... 145
5-44. Internet Protocol Version 4 (TCP/IPv4) Properties ................................................... 146
5-45. AutoPlay Dialog Box ................................................................................................. 147
5-46. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box ... 148
5-47. Selecting to Install a Domain Controller ................................................................... 149
5-48. Load Committed Configuration Install Files ............................................................. 150
5-49. Installation Media Folder Browser ............................................................................. 151
5-50. Server Platform Setup ................................................................................................ 152
5-51. Resetting UTC Date ................................................................................................. 153
5-52. Unable to Determine Local Time on the PDC .......................................................... 153
5-53. Server Platform Setup (Select Add Off-MESH) ......................................................... 154
5-54. Collecting SDC Machine Info .................................................................................. 154
5-55. I/A Series Installation Warning ................................................................................. 155
5-56. Invensys IASeries Install: Workstation Reboot Request Dialog Box .......................... 155
5-57. Server Platform Setup (Authorize) ............................................................................. 156
5-58. Server Platform Setup (Prepare) ................................................................................ 157
5-59. Active Directory Domain Name Warning ................................................................. 157
5-60. Active Directory Installation via DOS Window ........................................................ 158
5-61. Assigning Role of Secondary Domain Controller via DOS Window ......................... 158
5-62. Setting Up the Platform for a Secure I/A Series Installation ....................................... 159
5-63. Example of Installation Log ....................................................................................... 160
5-64. Installing System Manager Server .............................................................................. 162
5-65. Setting the Restore Mode Password via ntdsutil.exe .................................................. 163
5-66. Using and Exiting ntdsutil.exe .................................................................................. 164
5-67. Selecting IA Computers -> New -> Computer .......................................................... 165
5-68. New Object - Computer ........................................................................................... 166
5-69. Selecting Pre-8.8 IA Computers -> New -> Computer .............................................. 166
6-1. Disable Virus Scan Access Protection ........................................................................ 171
6-2. On-Access Scan Properties Dialog Box ...................................................................... 172
6-3. Confirming Cancellation of Software Installation ..................................................... 173
6-4. Confirming Installation Interruption ........................................................................ 173
6-5. InstallShield Wizard Completed - Interrupted .......................................................... 174
6-6. AutoPlay Dialog Box ................................................................................................. 175
6-7. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box ... 176
6-8. Selecting to Install a Domain Controller on an Off-MESH Domain ........................ 177
6-9. Load Committed Configuration Install Files ............................................................. 178
6-10. Installation Media Folder Browser ............................................................................. 179
6-11. Server Platform Setup ................................................................................................ 180
6-12. Active Directory Domain Settings Applied ................................................................ 181
6-13. I/A Series Secure User Accounts Dialog Box ............................................................. 181
6-14. Finish Installation ..................................................................................................... 182
6-15. Example of Installation Log ....................................................................................... 183
6-16. Creating Users via Active Directory Users and Computers ........................................ 184
6-17. New Object - User .................................................................................................... 185
6-18. New Object - User - Password Updates ..................................................................... 186
6-19. New Object - User - Finish ....................................................................................... 186
6-20. Opening the New User Properties Dialog Box .......................................................... 187
6-21. New User Properties Dialog Box ............................................................................... 188
6-22. Select Groups ............................................................................................................ 189
6-23. Multiple Names Found Dialog Box .......................................................................... 189
6-24. Closing Select Groups Dialog Box ............................................................................ 190
6-25. Closing Properties Dialog Box .................................................................................. 190
6-26. Selecting IA Computers -> New -> Computer .......................................................... 191
6-27. New Object - Computer ........................................................................................... 192
6-28. Selecting Pre-8.8 IA Computers -> New -> Computer .............................................. 192
7-1. Active Directory Users and Computers Console (Administrator Account) ................ 197
7-2. [User] Properties Dialog Box ..................................................................................... 198
7-3. Adding User to Groups ............................................................................................. 199
7-4. Active Directory Users and Computers Console (Administrator Account) ................ 200
7-5. Installation Disc Is Not Compatible With This Windows Version Warning ............. 201
7-6. Invoking adprep32 /forestprep .................................................................................. 201
7-7. Invoking adprep32 /domainprep /gpprep .................................................................. 202
7-8. Invoking adprep32 /rodcprep .................................................................................... 202
7-9. AutoPlay Dialog Box ................................................................................................. 205
7-10. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box ... 206
7-11. Selecting to Install a Domain Controller On-MESH ................................................ 207
7-12. I/A Series Installation Warning ................................................................................. 207
7-13. Load Committed Configuration Install Files ............................................................. 208
7-14. Installation Media Folder Browser ............................................................................. 209
7-15. I/A Series Network Installation (For Certain NIC Cards) ......................................... 210
7-16. Server Platform Setup Dialog Box ............................................................................. 211
7-17. I/A Series Installation Date Warning ......................................................................... 212
7-18. Unable to Determine Local Time on the PDC .......................................................... 212
7-19. Server Platform Setup (For Second SDC) ................................................................. 213
7-20. Invensys IASeries Install: Workstation Reboot Request Dialog Box .......................... 214
7-21. Server Platform Setup (On-MESH) Continued ........................................................ 215
7-22. Server Platform Setup (On-MESH) Continued Part 2 .............................................. 216
7-23. Active Directory Warning ......................................................................................... 217
7-24. Active Directory Installation via a Command Prompt ............................................... 217
7-25. Assigning Role of Secondary Domain Controller via Command Prompt .................. 218
7-26. Verifying the Health of the Existing Active Directory System ................................... 219
7-27. I/A Series Installation Warning for DC Health Log File ............................................ 220
7-28. Verifying the Health of the Existing Active Directory System (Errors Found) ........... 221
7-29. I/A Series Installation Errors in DC Health Log File ................................................. 222
7-30. Setting Up the Platform For a Secure I/A Series Installation ...................................... 223
7-31. Installation Media Dialog Boxes ................................................................................ 224
7-32. Media Folder Browser ............................................................................................... 224
7-33. Installation Media Dialog Box - For Diskettes ........................................................... 225
7-34. Selecting FoxInt NDIS Intermediate Miniport Driver .............................................. 226
7-35. Adapter Properties Dialog Box .................................................................................. 226
7-36. Internet Protocol (TCP/IP) Properties Dialog Box .................................................... 227
7-37. Internet Protocol (TCP/IP) Properties Dialog Box .................................................... 228
8-1. Active Directory Users and Computers Console (Administrator Account) ................ 232
8-2. [User] Properties Dialog Box ..................................................................................... 233
8-3. Adding User to Groups ............................................................................................. 234
8-4. Active Directory Users and Computers Console (Administrator Account) ................ 235
8-5. Installation Disc Is Not Compatible With This Windows Version Warning ............. 236
8-6. Invoking adprep32 /forestprep .................................................................................. 236
8-7. Invoking adprep32 /domainprep /gpprep .................................................................. 237
8-8. Invoking adprep32 /rodcprep .................................................................................... 237
8-9. Internet Protocol (TCP/IP) Properties Dialog Box .................................................... 238
8-10. Advanced TCP/IP Settings Dialog Box (IP Settings) ................................................. 239
8-11. Advanced TCP/IP Settings Dialog Box (DNS) ......................................................... 240
8-12. Internet Protocol (TCP/IP) Properties Dialog Box .................................................... 241
8-13. DNS Manager Dialog Box (Server Properties) .......................................................... 242
8-14. Server Properties Dialog Box ..................................................................................... 243
8-15. DNS Manager Dialog Box (Removing Existing Stations) .......................................... 244
8-16. DNS Manager Dialog Box (Reverse Lookup Zone) .................................................. 245
8-17. New Zone Wizard (Zone Type) ................................................................................ 246
8-18. New Zone Wizard (Active Directory Zone Replication Scope) ................................. 247
8-19. New Zone Wizard (Reverse Lookup Zone Name) ..................................................... 248
8-20. New Zone Wizard (Dynamic Update) ...................................................................... 249
8-21. DNS Manager Dialog Box (New Pointer) ................................................................. 250
8-22. New Resource Record Dialog Box ............................................................................. 251
8-23. Restart DNS Service .................................................................................................. 252
8-24. nslookup Service ....................................................................................................... 252
8-25. Local Area Connection 3 Properties .......................................................................... 254
8-26. Internet Protocol Version 4 (TCP/IPv4) Properties ................................................... 255
8-27. Set-ExecutionPolicy AllSigned .................................................................................. 256
8-28. AutoPlay Dialog Box ................................................................................................. 256
8-29. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box ... 257
8-30. Selecting to Install a Domain Controller Off-MESH ................................................ 258
8-31. I/A Series Installation Warning ................................................................................. 258
8-32. Load Committed Configuration Install Files ............................................................. 259
8-33. Installation Media Folder Browser ............................................................................. 260
8-34. Server Platform Setup (Off-MESH) .......................................................................... 261
8-35. I/A Series Installation Date Warning ......................................................................... 262
8-36. Unable to Determine Local Time on the PDC .......................................................... 262
8-37. Server Platform Setup (For Second SDC) ................................................................. 263
8-38. Invensys IASeries Install: Workstation Reboot Request Dialog Box .......................... 264
8-39. Server Platform Setup (Off-MESH) Continued ........................................................ 265
8-40. Active Directory Warning ......................................................................................... 265
8-41. Active Directory Installation via Command Prompt ................................................. 266
8-42. Assigning Role of Secondary Domain Controller via Command Prompt .................. 266
8-43. Verifying the Health of the Existing Active Directory System ................................... 267
8-44. I/A Series Installation Warning for DC Health Log File ............................................ 268
8-45. Verifying the Health of the Existing Active Directory System (Errors Found) ........... 269
8-46. I/A Series Installation Errors in DC Health Log File ................................................. 270
8-47. Setting Up the Platform For a Secure I/A Series Installation ...................................... 271
8-48. Configure DNS Setting Dialog Box .......................................................................... 272
8-49. Internet Protocol (TCP/IP) Properties - Removing On-MESH DNS Entries ........... 273
8-50. Internet Protocol (TCP/IP) Properties - Setting for Off-MESH Network Interface Card ............................................................................................ 274
8-51. Selecting IA Computers -> New -> Computer .......................................................... 275
8-52. New Object - Computer ........................................................................................... 276
8-53. Selecting Pre-8.8 IA Computers -> New -> Computer .............................................. 276
9-1. InterForestMigration Folder ...................................................................................... 281
9-2. Disable Virus Scan Access Protection ........................................................................ 282
9-3. On-Access Scan Properties Dialog Box ...................................................................... 283
9-4. Selecting Reset Password ........................................................................................... 284
9-5. Reset Password Dialog Box ....................................................................................... 285
9-6. Set-ExecutionPolicy Unrestricted .............................................................................. 285
9-7. Internet Protocol (TCP/IP) Properties Dialog Box - Off-MESH NIC Card ............. 286
9-8. Internet Protocol (TCP/IP) Properties Dialog Box - FoxInt NDIS Intermediate Miniport Driver ........................................................................................................ 287

9-9. Ping Target PDC from Command Prompt ............................................................... 288
9-10. Execute PrepSourceDomainForMigration.ps1 Script ................................................ 289
9-11. Inter-Forest Migration Dialog Box ............................................................................ 290
9-12. Moving IA Computers and IA Users OUs into Migration OU ................................. 291
9-13. Moving Additional Users and Groups into the Migration OU .................................. 292
9-14. Migration OU - Populated ........................................................................................ 293
9-15. AutoPlay Dialog Box ................................................................................................. 294
9-16. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box ... 295
9-17. Selecting to Perform an Inter-Forest Migration ......................................................... 296
9-18. Load Committed Configuration Install Files ............................................................. 297
9-19. Installation Media Folder Browser ............................................................................. 298
9-20. InstallShield Wizard Completed ................................................................................ 298
9-21. Internet Protocol (TCP/IP) Properties Dialog Box - Target PDC’s Off-MESH NIC Card ............................................................................................... 299
9-22. Ping Source PDC from Command Prompt ............................................................... 300
9-23. Executing PrepTargetDomainForMigration.ps1 ....................................................... 301
9-24. Inter-Forest Migration Dialog Box ............................................................................ 302
9-25. Active Directory Migration Tool Window ................................................................ 303
9-26. Creating the Password Migration Export File ............................................................ 304
9-27. Administrators Properties Dialog Box ....................................................................... 304
9-28. Select Users, Contacts, Computers, Service Accounts or Groups Dialog Box ............ 305
9-29. SQL Server Installation Center - Start Installation .................................................... 306
9-30. SQL Server Installation Center - Setup Support Rules .............................................. 307
9-31. SQL Server Installation Center - License Key ............................................................ 308
9-32. SQL Server Installation Center - Accept License ....................................................... 309
9-33. SQL Server Installation Center - Install Setup Support Files ..................................... 310
9-34. SQL Server Installation Center - Setup Support Files Installed .................................. 311
9-35. SQL Server Installation Center - Feature Selection .................................................... 312
9-36. SQL Server Installation Center - Instance Configuration .......................................... 313
9-37. SQL Server Installation Center - Disk Space Requirements ....................................... 314
9-38. SQL Server Installation Center - Server Configuration .............................................. 315
9-39. SQL Server Installation Center - Database Engine Configuration ............................. 316
9-40. SQL Server Installation Center - Error and Usage Reporting .................................... 317
9-41. SQL Server Installation Center - Installation Rules ................................................... 318
9-42. SQL Server Installation Center - Ready to Install ...................................................... 319
9-43. SQL Server Installation Center - Installation Progress ............................................... 320
9-44. SQL Server Installation Center - Installation Complete ............................................ 321
9-45. Installing Active Directory Migration Tool v3.2 - Welcome ...................................... 322
9-46. Installing Active Directory Migration Tool v3.2 - License Agreement ....................... 323
9-47. Installing Active Directory Migration Tool v3.2 - Customer Experience Improvement ............ 324
9-48. Installing Active Directory Migration Tool v3.2 - Database Selection ....................... 325
9-49. Installing Active Directory Migration Tool v3.2 - Database Import .......................... 326
9-50. Installing Active Directory Migration Tool v3.2 - Complete ..................................... 327
9-51. Installing pwdmig.msi ............................................................................................... 328
9-52. Select No .................................................................................................................. 328
9-53. Password Export Server Service ................................................................................. 329
9-54. Password Export Server Service Properties Dialog Box .............................................. 330
9-55. Group Policy Management Console (GPMC) .......................................................... 331
9-56. Group Policy Object Editor - Restricted Groups ....................................................... 332
9-57. Administrators Properties Dialog Box ....................................................................... 333
9-58. Add Member Dialog Box .......................................................................................... 333
9-59. ADMT Password Migration DLL Setup Welcome ................................................... 334
9-60. ADMT Password Migration DLL Setup - License Agreement ................................... 335
9-61. ADMT Password Migration DLL Setup - Encryption File ........................................ 336
9-62. Password for the Encryption Key .............................................................................. 336
9-63. ADMT Password Migration DLL Setup - Start Installation ...................................... 337
9-64. ADMT Password Migration DLL - Specifying User Account ................................... 337
9-65. ADMT Password Migration DLL - Account Granted Log On As a Service Right ..... 338
9-66. ADMT Password Migration DLL Setup - Finishing Installation ............................... 338
9-67. Restarting Your System ............................................................................................. 339
9-68. Executing .\ADInterForestMigration.ps1 .................................................................. 340
9-69. Inter-Forest Migration Dialog Box ............................................................................ 340
9-70. Selecting IA Computers -> New -> Computer .......................................................... 341
9-71. New Object - Computer ........................................................................................... 342
9-72. Selecting Pre-8.8 IA Computers -> New -> Computer .............................................. 342
9-73. Adapter Properties Dialog Box .................................................................................. 343
9-74. Internet Protocol (TCP/IP) Properties Dialog Box - FoxInt NDIS Intermediate Miniport Driver ............ 344
9-75. Internet Protocol (TCP/IP) Properties Dialog Box - Off-MESH NIC ...................... 345
9-76. Computer Name Changes - Name Temporary Workgroup ...................................... 346
9-77. Computer Name Changes - Enter Credentials .......................................................... 346
9-78. Computer Name Changes - Welcome to the Temporary Workgroup ....................... 347
9-79. Computer Name Changes - Note that Domain Client Must Be Restarted ................ 347
9-80. System Properties - Computer Name - Change ......................................................... 347
9-81. Computer Name Changes - Adding Off-MESH Domain ......................................... 348
9-82. Computer Name Changes - Enter Account Credentials ............................................ 348
9-83. Computer Name Changes - Welcome to the Off-MESH Domain ............................ 349
9-84. Computer Name Changes - Note that Domain Client Must Be Restarted ................ 349
9-85. System Properties Dialog Box - Closing .................................................................... 349
9-86. System Settings Change Dialog Box - Click No ........................................................ 350
9-87. Services Windows - FoxNTGUIAppServices ............................................................. 350
9-88. FoxNTGUIAppServices Properties Dialog Box ......................................................... 351
9-89. Services Dialog Box ................................................................................................... 351
9-90. Services Dialog Box ................................................................................................... 352
9-91. Executing SetIAStartupAcct ...................................................................................... 352
10-1. Adding Pre-Existing Domain Client to the Pre-8.8 IA Computers OU ..................... 359
10-2. Adding Pre-Existing Domain Client to the IA Computers OU ................................. 360
10-3. Disable Virus Scan Access Protection ........................................................................ 361
10-4. On-Access Scan Properties Dialog Box ...................................................................... 362
10-5. Confirming Cancellation of Software Installation ..................................................... 363
10-6. Confirming Installation Interruption ........................................................................ 363
10-7. InstallShield Wizard Completed - Interrupted .......................................................... 364
10-8. AutoPlay Dialog Box ................................................................................................. 365
10-9. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box ... 366
10-10. Selecting to Install a Secure Domain Client ............................................................... 367
10-11. Load Committed Configuration Install Files ............................................................. 368
10-12. Installation Media Folder Browser ............................................................................. 369
10-13. I/A Series Network Installation (For Certain NIC Cards) ......................................... 370
10-14. Network Connections - Local Area Connection vs. NIC Adapter Device Number ... 371
10-15. Ready to Connect This Workstation to the I/A Series Domain ................................. 372
10-16. Resetting UTC Date ................................................................................................. 373
10-17. Unable to Determine Local Time .............................................................................. 373
10-18. Invensys IASeries Install: Workstation Reboot Request Dialog Box .......................... 374
10-19. You Are About To Be Logged Off Dialog Box .......................................................... 374
10-20. InstallShield Wizard for I/A Series Software .............................................................. 375
10-21. Installation Media Dialog Box ................................................................................... 376
10-22. Media Folder Browser ............................................................................................... 376
10-23. Installation Media Dialog Box - For Diskettes ........................................................... 377
10-24. Example of Installation Log ....................................................................................... 378
10-25. AutoPlay Dialog Box ................................................................................................. 379
10-26. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box ... 380
10-27. Selecting to Install a Client in a Security Enhanced System ....................................... 381
10-28. Load Committed Configuration Install Files Dialog Box .......................................... 382
10-29. Installation Media Folder Browser ............................................................................. 383
10-30. Load Committed Configuration Install Files Dialog Box - Bind ............................... 384
10-31. I/A Series Network Installation (For Certain NIC Cards) ......................................... 385
10-32. Network Connections - Local Area Connection vs. NIC Adapter Device Number ... 386
10-33. I/A Series Network Installation (For Certain NIC Cards) ......................................... 386
10-34. Ready to Connect This Workstation to the I/A Series Domain Dialog Box .............. 387
10-35. Resetting UTC Date ................................................................................................. 388
10-36. Unable to Determine Local Time .............................................................................. 388
10-37. Collecting SDC Machine Info .................................................................................. 389
10-38. Select a Host Domain for this workstation and click Connect Area ........................... 389
10-39. Workstation Reboot Request .................................................................................... 390
10-40. You Are About To Be Logged Off Dialog Box .......................................................... 390
10-41. Welcome to the InstallShield Wizard for I/A Series ................................................... 391
10-42. Ready to Install the Program ..................................................................................... 391
10-43. Installation Media Dialog Box ................................................................................... 392
10-44. Media Folder Browser ............................................................................................... 393
10-45. Installation Media Dialog Box - For Diskettes ........................................................... 394
10-46. Setting Internet Protocol Version 4 (TCP/IPv4) Properties ....................................... 395
10-47. Example of Installation Log ....................................................................................... 396
10-48. Internet Protocol (TCP/IP) Properties Dialog Box - Off-MESH NIC Card ............. 398
10-49. Adding Pre-Existing Domain Client (I/A Series Software v8.5) to Active Directory .. 399
10-50. Domain Client Installation – Ready to Connect ....................................................... 400
10-51. Connecting to the I/A Series Domain ....................................................................... 401
10-52. Unable To Determine Local Time ............................................................................ 401
10-53. Installing System Manager Server .............................................................................. 405
10-54. Resetting Passwords via Computer Management ....................................................... 407
10-55. Resetting Password for IAManager ............................................................................ 407
10-56. Confirming Password for IAManager ........................................................................ 408
10-57. On-Access Scan Properties Dialog Box ...................................................................... 409
11-1. I/A Series Reconcile Media Utility ............................................................................ 412
11-2. Get SE Stations ......................................................................................................... 413
11-3. Select the Location Where You Want Your Reconcile Files Saved ............................. 414
11-4. Try Another Diskette Warning ................................................................................. 414
11-5. Disable I/A Series Drivers and Services ...................................................................... 415
11-6. Perform a Day 1 Operation on the I/A Series Workstation ....................................... 416
11-7. Example of Installation Log ....................................................................................... 417
B-1. System Window ........................................................................................................ 424
B-2. Computer Name Tab in the System Properties Dialog Box ....................................... 425
B-3. Computer Name Changes Dialog Box ...................................................................... 426
B-4. Restarting Your Computer To Apply Changes .......................................................... 427
C-1. On-Access Scan Statistics Dialog Box ........................................................................ 430
C-2. On-Access Scan Properties Dialog Box - Selecting All Processes ................................ 431
C-3. On-Access Scan Properties Dialog Box - Exclusions Tab ........................................... 432
C-4. On Access Scan Properties Dialog Box - Exclusions Tab ........................................... 433
C-5. Add Exclusion Item ................................................................................................... 433
C-6. Set Exclusions ........................................................................................................... 434
D-1. Transferring FSMO Roles ......................................................................................... 436
D-2. Active Directory Users and Computers - IADomainAdmin ...................................... 437
D-3. IADomainAdmin Properties Dialog Box ................................................................... 438
D-4. Select groups Dialog Box ........................................................................................... 439
D-5. Active Directory Users and Computers - Connect to Domain Controller ................. 439
D-6. Connect to Domain Controller Dialog Box .............................................................. 440
D-7. Active Directory Users and Computers - Set Operations Masters .............................. 441
D-8. Operations Master Dialog Box .................................................................................. 442
D-9. Operations Master - Confirm Transfer ...................................................................... 442
D-10. Operations Master - Confirm Change ....................................................................... 443
D-11. Active Directory Domains and Trusts - Connect to Domain Controller ................... 443
D-12. Active Directory Domains and Trusts - Selecting Domain Controller to Become The New PDC ............ 444
D-13. Active Directory Domains and Trusts - Set Operations Masters ................................ 445
D-14. Change Operations Master ........................................................................................ 445
D-15. Active Directory Domains and Trusts - Confirm Yes ................................................ 446
D-16. Active Directory Domains and Trusts - Confirm OK ............................................... 446
D-17. Command Prompt - regsvr32 schmmgmt.dll ............................................................ 447
D-18. Confirm Operation ................................................................................................... 447
D-19. Confirm Operation ................................................................................................... 447
D-20. Microsoft Management Console - Selecting Add/Remove Snap-In ........................... 448
D-21. Add or Remove Snap-Ins Dialog Box ........................................................................ 449
D-22. Add or Remove Snap-Ins Dialog Box ........................................................................ 450
D-23. Microsoft Management Console - Selecting Change Domain Controller .................. 451
D-24. Change Domain Controller ...................................................................................... 451
D-25. Microsoft Management Console - Selecting Operations Master ................................ 452
D-26. Change Domain Controller ...................................................................................... 452
D-27. Change Schema Master Dialog Box .......................................................................... 453
D-28. Active Directory Domains and Trusts - Confirm Yes ................................................ 453
D-29. Active Directory Domains and Trusts - Confirm OK ............................................... 453
D-30. Seizing FSMO Roles ................................................................................................. 454
D-31. Role Seizure Confirmation Dialog Box ..................................................................... 455
D-32. Role Seizure Confirmation Dialog Box ..................................................................... 455
D-33. Restoring FSMO Roles to a Primary Domain Controller That Had Its Roles Seized ............ 460
D-34. Invoking dcpromo /forceremoval .............................................................................. 461
D-35. Acknowledging Warnings - Part 1 ............................................................................. 461
D-36. Acknowledging Warnings - Part 2 ............................................................................. 462
D-37. Acknowledging Warnings - Part 3 ............................................................................. 463
D-38. Active Directory Installation Wizard - Welcome ....................................................... 464
D-39. Active Directory Installation Wizard - Force Removal ............................................... 465
D-40. Active Directory Installation Wizard - Acknowledge .................................................. 465
D-41. Active Directory Installation Wizard - Administrator Password ................................. 466
D-42. Active Directory Installation Wizard - Summary ....................................................... 467
D-43. Active Directory Installation Wizard - Reading Domain Policy ................................. 468
D-44. Active Directory Installation Wizard - Completed .................................................... 468
D-45. Active Directory Installation Wizard - Restarting the Computer ............................... 469
D-46. Windows Security - Logging in IADomainAdmin .................................................... 469
D-47. Windows Security - Logging in IADomainAdmin .................................................... 470
D-48. Windows Security - Logging in IADomainAdmin .................................................... 470
D-49. Windows Security - Logging in IADomainAdmin .................................................... 470
D-50. Invoking dcpromo .................................................................................................... 471
D-51. Active Directory Installation Wizard - Welcome ....................................................... 471
D-52. Active Directory Installation Wizard - Operating System Compatibility ................... 472
D-53. Active Directory Installation Wizard - Domain Controller Type ............................... 473
D-54. Active Directory Installation Wizard - Additional Domain Controller ...................... 474
D-55. Active Directory Installation Wizard - Forest Root Domain ...................................... 475
D-56. Active Directory Installation Wizard - Site for New Domain Controller ................... 476
D-57. Active Directory Installation Wizard - Additional Domain Controller Options ........ 477
D-58. Static IP Assignment ................................................................................................. 478
D-59. Active Directory Installation Wizard - Continue ....................................................... 478
D-60. Active Directory Installation Wizard - Database and Log Folders .............................. 479
D-61. Active Directory Installation Wizard - Restore Mode Administrator Password .......... 480
D-62. Active Directory Installation Wizard - Summary ....................................................... 481
D-63. Active Directory Installation Wizard - Configuring ................................................... 482
D-64. Active Directory Installation Wizard - Complete ....................................................... 482
D-65. Restarting the Computer ........................................................................................... 483
D-66. DNS Management - Selecting Lookup Zone Properties ............................................ 483
D-67. Zone Properties Dialog Box ...................................................................................... 484
D-68. nslookup for Client Stations (NESRV5.iaseries.local) ................................................ 485
D-69. nslookup for Client Stations (NESRV4.iaseries.local) ................................................ 486
D-70. Typical NIC Settings for a Client Workstation on a System with a Primary and One Secondary DNS Server ............ 487
D-71. Starting the Active Directory Installation Wizard ...................................................... 488
D-72. Active Directory Installation Wizard - Welcome ....................................................... 488
D-73. Active Directory Installation Wizard - Global Catalog Provider Warning ................. 489
D-74. Active Directory Installation Wizard - Remove Active Directory ............................... 489
D-75. Active Directory Installation Wizard - Administrator Password ................................. 490
D-76. Active Directory Installation Wizard - Summary ....................................................... 491
D-77. Active Directory Installation Wizard - Configuring ................................................... 492
D-78. Active Directory Installation Wizard - Restarting the Computer ............................... 492
D-79. Active Directory Users and Computers - Delete a Domain Controller Connection ... 493
D-80. Active Directory Users and Computers - Delete Confirmation .................................. 493
D-81. Active Directory Users and Computers - Delete a Domain Controller Settings ......... 494
D-82. Active Directory Users and Computers - Delete Confirmation .................................. 494
D-83. Active Directory Users and Computers - Deleting a Domain Controller ................... 495
D-84. Active Directory Users and Computers - Delete a Server ........................................... 495
D-85. Active Directory Users and Computers - Delete Confirmation .................................. 496
D-86. Active Directory Users and Computers - Creating New Computer Account ............. 496
D-87. New Object - Computer Dialog Box ......................................................................... 497
D-88. Workstation System Properties .................................................................................. 498
D-89. Computer Name Changes Dialog Box - Workgroup ................................................. 499
D-90. Computer Name Change - Remember Local Admin Password ................................. 499
D-91. Log in IADomainAdmin ........................................................................................... 500
D-92. Computer Name Change - Welcome to the [YourName] Workgroup ...................... 500
D-93. Computer Name Change - Restart Computer ........................................................... 500
D-94. Closing System Properties Dialog Box ...................................................................... 501
D-95. Computer Name Changes Dialog Box - Domain ...................................................... 502
D-96. Windows Security Dialog Box ................................................................................... 502
D-97. Computer Name Changes Dialog Box - Welcome to the [YourName] Domain ....... 503
D-98. Computer Name Changes Dialog Box - Need to Restart To Apply Changes ............ 503
D-99. Close System Properties Dialog Box .......................................................................... 504
D-100. Computer Name Changes Dialog Box - Need to Restart To Apply Changes ............ 504
D-101. Local Area Connection Properties Dialog Box ........................................................... 505
D-102. Internet Protocol Version 4 (TCP/IP4) Properties Dialog Box .................................. 506
D-103. Advanced TCP/IP Settings Dialog Box .................................................................... 507
D-104. Opening ADSI Edit Directory Services ..................................................................... 509
D-105. ADSI Edit Directory Services - Connect To .............................................................. 509
D-106. ADSI Edit Directory Services - Configuration ........................................................... 510
D-107. ADSI Edit Directory Services - Properties Selection .................................................. 511
D-108. Attribute Editor - Attribute Selection ........................................................................ 512
D-109. Attribute Value -- Tombstone Lifetime Period .......................................................... 512
F-1. MESH Configurator NIC Selection .......................................................................... 519
F-2. NIC Selection on Unknown Platform/BIOS ............................................................. 520
F-3. Network Connections ............................................................................................... 521
F-4. Network Connections Showing Device Names ......................................................... 521
F-5. Off-MESH NIC Selection ........................................................................................ 522
F-6. NICs on The MESH Control Network Selection ..................................................... 522
H-1. SNMP Service Properties Dialog Box ........................................................................ 528
I-1. Windows Features Dialog Box .................................................................................. 531
I-2. Server Manager ......................................................................................................... 532
I-3. Add Features Wizard ................................................................................................. 533
I-4. Confirm Installation Selections ................................................................................. 534
J-1. Windows Firewall Settings ........................................................................................ 536
J-2. Printer Properties Dialog Box .................................................................................... 537
K-1. Run rsop.msc ............................................................................................................ 539
K-2. Resultant Set of Policy Window ................................................................................ 540
K-3. Computer Configuration Properties Dialog Box ....................................................... 541

Tables
1-1. I/A Series Software v8.8 Platform Specific Media Kits ................................................... 6
1-2. I/A Series Software v8.8 Day 0 Media Kit (K0201GA) ................................................. 8
1-3. Additional Packages for I/A Series Software V8.8 .......................................................... 9
3-1. Domain Controller Installation/Migration Scenarios for I/A Series Software v8.8 ....... 36
C-1. McAfee VirusScan Enterprise + AntiSpyware Enterprise Exclusion List .................... 429

Preface

Purpose
The purpose of this document is to describe I/A Series software installation on Windows
workstations and servers. I/A Series software v8.8 is not supported on Solaris stations.
I/A Series software v8.8 delivers optional enhanced security features for the I/A Series system that
facilitate meeting client and government specifications, for example, North American Electric
Reliability Corporation (NERC) standards.
During a Day 0 software installation, you have the option of installing either the Security
Enhanced (SE) I/A Series software v8.8, which requires Microsoft Active Directory® network
services, or standard I/A Series software v8.8 without the security enhancements. Depending on
your environment, you may not be able to take advantage of security enhanced I/A Series software
v8.8, for example, if you need to allow an older third-party application to run that has not been
rewritten to work in the secure environment.

Revision Information
For this release of this document (B0700SF, Rev. E), the following changes were made:
Chapter 10 “Security Enhanced I/A Series Software v8.8 Installation for Domain Clients or
Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Clients to Existing
Off-MESH Networks”
• Added a note to Step 20 of “Installation Procedure for Clients of New Off-MESH
Domain Controllers” on page 379.

Reference Documents
You should be familiar with the following I/A Series® documents:
• System Management Displays (B0193JC)
• System Definition: A Step-By-Step Procedure (B0193WQ)
• System Definition Release Notes for Windows 7 and Windows Server 2008 (B0700SH)
• Time Synchronization User’s Guide (B0700AQ)
• The Foxboro Evo Control Network Architecture Guide (B0700AZ)
• Address Translation Station User’s Guide (B0700BP)
• Control Processor 270 (CP270) On-Line Image Update (B0700BY)
• Security Enhancements User's Guide for I/A Series Workstations with Windows 7 or Windows Server 2008 Operating Systems (B0700ET)
• Symantec System Recovery 2011 Workstation Edition and Server Edition Guide for I/A Series Workstations (B0700ES)
• McAfee VirusScan® and AntiSpyware Enterprise 8.8i Installation (B0700EQ)
 Optional McAfee® Security Products Installation and Configuration Guide (B0700EX)
 FoxView™ and FoxDraw™ Software V10.3 Release Notes (B0700SA)
 I/A Series System V8.8 Release Notes (B0700SG)
 System Manager (B0750AP)
 System Manager V2.3 Release Notes (B0750RS)
 Foxboro Control Software Installation Guide (B0750RA)
 FERRET v5.4 and Later User's Guide (B0860AZ)
 FERRET v5.4 and Later Release Notes (B0860RH)
 Virtualization User’s Guide (B0700VM)
Hardware and Software Specific Documentation for Windows 7 Operating System
 Hardware and Software Specific Instructions for the Model H92 Workstation (HP Z400) (Windows XP Pro Operating System) (B0700EM)
 Hardware and Software Specific Instructions for Model H92 with Windows 7 Operating
System (Z400) (B0700FF)
 Hardware and Software Specific Instructions for Model P92 Workstation (T3500 Gen II)
with Windows 7 Operating System (B0700FM)
 Hardware and Software Specific Instructions for Model P92 Workstation (T3500) with
Windows 7 Operating System (B0700FJ)
 Hardware and Software Specific Instructions for the Model H92 Workstation (HP Z420
Windows 7 Operating System) (B0700FS)
Hardware and Software Specific Documentation for Server 2008 R2 Standard Operating System
 Hardware and Software Specific Instructions for Model P91 (T710 Gen II) with Windows Server® 2008 Operating System (B0700FP)
 Hardware and Software Specific Instructions for Model P90 (R710 Gen II) with Windows
Server® 2008 Operating System (B0700FN)
 Hardware and Software Specific Instructions for Model P91 (T610) with Windows
Server® 2008 Operating System (B0700FL)
 Hardware and Software Specific Instructions for Model P90 (R710) with Windows
Server® 2008 Operating System (B0700FK)
 Hardware and Software Specific Instructions for Model H91 (HP ML350) (Windows
Server 2008 Operating System) (B0700FH)
 Hardware and Software Specific Instructions for Model H90 (DL380) (Windows Server
2008 Operating System) (B0700FG)
Hardware and Software Specific Documentation for Windows Server 2008 R2 Enterprise Operating System
 Hardware and Software Specific Instructions for I/A Series Model V90 Server Virtualization Host (DL380) (Windows Server 2008 R2 Enterprise Operating System) (B0700VA)
Most of these documents are available on the I/A Series Electronic Documentation media
(K0173WT). The latest revisions of each document are also available through our Invensys
Global Customer Support at https://support.ips.invensys.com.

Glossary

| Term | Definition |
|---|---|
| Active Directory | A network services application created by Microsoft Corporation. |
| FCS Configuration Tools | Foxboro® Control Software suite of configuration tools (formerly known as the InFusion™ Engineering Environment) |
| H90 or P90 | A rack-mounted server class computer utilized as an I/A Series system terminal server or a high availability workstation |
| H91 or P91 | A tower server class computer utilized as an I/A Series system terminal server or a high availability workstation |
| H92 or P92 | A desktop workstation class computer utilized as an I/A Series system workstation |
| Off-Mesh | A descriptor applied to stations which are not located on The Mesh control network and are instead connected via a separate customer-supplied network. The procedures for configuring these stations for a system with the security enhanced I/A Series software differ significantly from the procedures for configuring stations on The Mesh control network. |
| On-Mesh | A descriptor applied to stations which are located on The Mesh control network. |
| PDC | Primary Domain Controller |
| SDC | Secondary Domain Controller |
| SE | Security Enhanced I/A Series software |
| Security Enhanced (SE) I/A Series software V8.8 | I/A Series software containing the optional security enhancements. |
| SMDH | System Management Display Handler |
| SP | Service Pack |
| Standard I/A Series software v8.8 | I/A Series software without security enhancements installed. |
| SysDef | I/A Series System Definition software |

1. Software Installation Overview
This chapter provides an overview of the concepts and installation processes described in this document.
This document describes installation of the standard and security enhanced I/A Series software
v8.8 on stations running the following operating systems:
 Windows 7
 Windows Server 2008 R2 Standard
The following information is provided in this chapter:
 How to use this installation guide
 Overview of the types of software installations supported by this release
 System configuration and creating the Commit installation media
 Pre-installation system backup
 How to acquire documentation for the I/A Series system v8.8
 Media upgrade kits for supported hardware
 Installation media for I/A Series software v8.8

NOTE
In this document, the term “workstation” can refer to both desktop workstations
and servers in an I/A Series system.

Installation Concepts
Starting with I/A Series software v8.8, the concept of installation has changed from a granular model to a more comprehensive model. (Note that this section refers to installation on a new workstation/server, rather than an upgrade to an existing Foxboro Evo or I/A Series software installation.)
I/A Series software v8.7 and earlier had the concept of “selected package installation”, which allowed each software package that was part of the I/A Series software to be installed separately. For example, each package might be on a separate diskette, and only the diskettes you wanted installed on a workstation/server could be provided during the installation.
In I/A Series software v8.8 and later, the installation process is more automated, providing more flexibility to allow the appropriate system configuration application to determine which packages are required for a workstation/server. Typically, the process works as follows:
1. The Foxboro system configuration application creates Commit media which specifies which packages are to be installed on each workstation/server.
2. All packages, with the exception of the OS1FDB package, are provided on the installation DVD. The OS1FDB has several variations, and so the appropriate variation must be selected.
3. When run, the installation application installs the appropriate packages. If there are
any Device Integrator modules configured, then the OS1FDB media will be requested
individually per letterbug. A different set of OS1FDB media can be chosen for each
letterbug or this can be skipped per letterbug.
After the installation is complete, you can perform these installation tasks on the existing Foxboro Evo or I/A Series software:
 Perform a Day 1 operation, which adds packages or updates the software configuration based on changes from the system configuration application. If you skipped the installation of the OS1FDB package, you can add it with this operation.
 Perform a Repair operation to verify that all files are present and not corrupted, and to apply updates and fixes as needed.
The method of upgrading to a new version of Foxboro Evo or I/A Series software differs significantly depending on which version you are upgrading from and which version you are upgrading to. For example, the upgrade from I/A Series software v8.5 to I/A Series software v8.7 is a Release Update, which updates existing software packages but does not add any new packages.
Also, be aware that serial alarm printers are no longer supported in I/A Series software v8.8.

How to Use this Installation Guide
 Refer to the following sections in this chapter to determine the appropriate workstation hardware, software and documentation that is required for your installation:
     “System Configuration and Creating Commit Installation Media” on page 4
     “Pre-Installation System Backup” on page 4
     “I/A Series Software V8.8 Documentation” on page 5
     “Workstation Specific Operating System Media” on page 5 - describes the media needed to install the OS for each workstation type
     “I/A Series Software v8.8 Media” on page 7
     “Additional Media” on page 9
     “Determining Hardware Requirements” on page 3
     “Hardware and Software Specific Instruction Documents” on page 11.
 To perform an installation for a system with standard I/A Series software v8.8, proceed to Chapter 2 “Standard I/A Series Software v8.8 Day 0 Installation” and perform the procedures in that chapter.
 To perform an installation for a system with Security Enhanced (SE) I/A Series software v8.8, proceed to Chapter 3 “Installation or Migration Scenarios for Security Enhanced I/A Series Software v8.8”, which directs you to the appropriate chapter of this document for the installation procedures for your specific system configuration.

Overview of Supported Software Installations
The I/A Series software v8.8 release supports seven different types of software installations. Understanding and selecting the appropriate installation is very important and is required before you begin installing I/A Series software v8.8 on your stations.
 Standard I/A Series software installation - The standard I/A Series software is for systems that do not require Microsoft® Active Directory Domain Controllers. The same standard installation is applied to all I/A workstations. For I/A Series software v8.8, there is only one procedure for installing this software on a workstation or server. Unlike the I/A Series software v8.6 and v8.7, I/A Series software v8.8 is not an “upgrade” on top of I/A Series software v8.5. I/A Series software v8.8 must be installed as a new image on a station which supports Windows 7 or Windows Server 2008 R2 Standard.
 Security-Enhanced (SE) I/A Series software installation - Security-Enhanced (SE) I/A Series software is used on systems that require Microsoft® Active Directory Domain Controllers. In these systems, all the workstation clients of these domain controllers are members of a secure domain (domain clients). There are two separate categories of security enhanced (SE) installations:
    a. New security enhanced I/A Series software installations - There are three different installation scenarios for these new installations.
    b. Installation on existing stations with security enhanced I/A Series software v8.5, v8.6, or v8.7 - There are three different scenarios for existing stations with security enhanced software. These are referred to as migrations.
    Refer to Chapter 3 “Installation or Migration Scenarios for Security Enhanced I/A Series Software v8.8” for a detailed explanation of these scenarios.

Determining Hardware Requirements
I/A Series software v8.8 can be installed on the following workstation platforms, and any later versions of these platforms which are released:
 Servers:
     H90 (HP DL380)
     H91 (HP ML350)
 Workstation: H92 (HP Z400 or HP Z420)
 Servers:
     P90 (R710 and R710 Gen II)
     P91 (T710 Gen II)
     P91 (T610)
 Workstation: P92*K, P92*L and P92*M (T3500 and T3500 Gen II)
 Virtual machines:
     Virtual machines running on Model V90 server virtualization host, as described in Virtualization User’s Guide (B0700VM)
Some workstations and servers which were shipped with versions of I/A Series software earlier than v8.8 can be upgraded to run I/A Series software v8.8, provided their hardware is upgraded to be comparable to that of the workstations and servers listed above. For example, a legacy T3500 with 3 GB of RAM could be upgraded to run I/A Series software v8.8 as long as an additional GB of RAM is installed.
For a list of the minimum hardware requirements, refer to the Hardware and Software Specific Documentation listed in “Reference Documents” on page xxv and the following PSSes:
 Model H92 and Model P92 Workstations Windows® 7 Professional Operating System (PSS 21H-4D13 B4)
 Model H91 and Model P91 Workstation Servers for the Windows Server® 2008 R2 Operating System (PSS 21H-4U6 B4)
 Model H90 and Model P90 Workstation Servers for the Windows Server® 2008 R2 Operating System (PSS 21H-4U12 B4)

Pre-Installation System Backup
Before installing a system with I/A Series software v8.8, be sure to back up your I/A Series workstations and servers. Refer to Symantec System Recovery 2011 Workstation Edition and Server Edition Guide for I/A Series Workstations (B0700ES) for instructions on backing up and restoring your workstations.

NOTE
The PDC and SDC domain controller pair cannot be successfully backed up, as such a backup procedure is not supported by Microsoft.

Next, you physically install the software on each target workstation. This procedure includes installing a new operating system image on the station and performing a Day 0 installation, which is a fresh I/A Series software installation that wipes out any I/A Series software installed on it previously.
If you are installing Security Enhanced (SE) I/A Series software v8.8, you MUST install the Primary Domain Controller (PDC) first.
After Day 0 installations, controllers require an image update, so careful planning will be required. The On-Line Image Update (or On-Line Upgrade) procedure is not available for Day 0 installations because the control database files (workfiles) are lost during the Day 0 software installation. To restore the control database after a Day 0 installation, you must perform an Initialize and LoadAll. The on-line image update procedure is available for future upgrades that do not involve a Day 0 installation on the host workstation. Refer to Control Processor 270 (CP270) On-Line Image Update (B0700BY).

System Configuration and Creating Commit Installation Media
The first phase of installing a system is the system configuration process, which includes creating, importing, and/or editing a system configuration, and creating Commit installation media (on a network drive, USB drive, diskette, etc). I/A Series software v8.8 system configuration can be accomplished using the following software:
 System Definition 3.0 or later - For instructions on installing System Definition software, refer to System Definition Release Notes for Windows 7 and Windows Server 2008 (B0700SH). To create the Commit installation media, follow the procedures in System Definition: A Step-By-Step Procedure (B0193WQ).
 I/A Series Configurator Component (IACC) v2.5 or later - Refer to I/A Series System Configuration Component (IACC) User's Guide (B0700FE).
 Foxboro Control Software (FCS) v4.0 or later - For instructions on installing FCS, refer to Foxboro Control Software Installation Guide (B0750RA). To create the Commit installation media, follow the procedures in Hardware Configuration User’s Guide (B0750BB).
After creating or editing the system configuration, you must create Commit installation media for use during software installation.

NOTE
Be sure to label Commit installation media with the I/A Series versions on which it
can be used, for example, V8.8 or V8.2/V8.3/V8.4/V8.4.x/V8.5/V8.6/V8.7/V8.8.

NOTE
You should have only a single System Configuration (set of Commit media) for your I/A Series software. From a single configuration database, you can produce media for multiple versions of I/A Series software by providing a Package Distribution Disk (10091). Starting with I/A Series software v8.8, there is no package distribution disk, so this request can be ignored in System Definition. For earlier versions, this was used to produce specific information on the Commit disk that was used by the I/A Series installation application to allow systems with I/A Series software v8.7 or earlier to co-exist with systems with I/A Series software v8.8.
See the documentation listed below for information on how to import existing configurations using System Definition v3.1, IACC v2.6, or FCS v5.0.

NOTE
If importing an older configuration from an earlier version of System Definition
(pre-v3.0), any stations intended for use in an I/A Series system v8.8 must be
migrated to either the new WSTA70 (for Windows 7) or WSVR70 (for Windows
Server 2008 R2 Standard) station type. After migrating these stations, new Commit
media must be created.

I/A Series Software V8.8 Documentation
Verify that you have all the necessary documentation required for your installation. Refer to “Reference Documents” on page xxv for a list of all documentation related to the I/A Series software V8.8 release. Most documents are located on the I/A Series software v8.8 Electronic Documentation media, and you can find the latest revisions of the documents on the Global CSC webpage https://support.ips.invensys.com.

Workstation Specific Operating System Media
You will also need to install operating system images for each workstation on which you will install the standard or security enhanced I/A Series software v8.8.
The following kits can be ordered from BuyAutomation. When ordering these Operating System upgrade kits for use in servers, be aware of the intended use as a Primary or Secondary Domain Controller, Terminal Server, or Highly Available Workstation. The use of a server as a Highly Available workstation (with no domain controlling or Terminal Services (for Windows 7 stations) or Remote Desktop Services (for Windows Server 2008 R2 Standard servers)) has a different product licensing scheme for deliverables that are part of these upgrade kit part numbers. The K0174xx media disk part numbers that are used to load the systems are not listed in BuyAutomation.
Use Table 1-1 below to verify that you have the necessary media kit(s).

Table 1-1. I/A Series Software v8.8 Platform Specific Media Kits

| Media Upgrade Kit Part Number | Kit Description |
|---|---|
| K0201FJ | Windows 7 Professional SP1 Operating System Upgrade Kit for I/A Series Workstation Dell T3500 P92 Style K Rev. A, B and Style L Rev. A, B |
| K0201FM | Windows 7 Professional SP1 Operating System Upgrade Kit for I/A Series Workstation Dell T3500 Gen II P92 Style M Rev. A, B |
| K0201FQ | Windows 7 Professional SP1 Operating System Upgrade Kit for I/A Series Workstation HP Z400 H92 Style A Rev. A, B |
| K0201FK | Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for I/A Series Workstation Server Dell R710 Gen I Rack Mount P90 Style D Rev. A, B Configured as Highly Available Workstation |
| K0201GL | Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for I/A Series Workstation Server Dell T610 Tower P91 Style G Rev. A, B, C Configured as Highly Available Workstation |
| K0201FL | Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for I/A Series Server Dell R710 Gen I Rack Mount P90 Style D Rev. A, B Configured as Server (Remote Desktop, Domain Controller, McAfee ePO, etc.) |
| K0201GM | Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for I/A Series Server Dell T610 Tower P91 Style G Rev. A, B, C Configured as Server (Remote Desktop, Domain Controller, McAfee ePO, etc.) |
| K0201FX | Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for I/A Series Workstation Server Dell R710 Gen II Rack mount P90 Style E Rev. A, B Configured as Highly Available Workstations |
| K0201GN | Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for I/A Series Workstation Server Dell T710 Gen II Tower P91 Style H Rev. A, B Configured as Highly Available Workstations |
| K0201FY | Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for I/A Series Workstation Server Dell R710 Gen II Rack mount P90 Style E Rev. A, B Configured as Server (Remote Desktop, Domain Controller, McAfee ePO, etc.) |
| K0201GP | Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for I/A Series Workstation Server Dell T710 Gen II Tower P91 Style H Rev. A, B Configured as Server (Remote Desktop, Domain Controller, McAfee ePO, etc.) |
| K0201FN | Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for I/A Series Workstation Server Dell R710 Gen II Rack mount P90 Style F Rev. A, B Configured as Highly Available Workstations |
| K0201GQ | Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for I/A Series Workstation Server Dell T710 Gen II Tower P91 Style J Rev. A, B Configured as Highly Available Workstations |
| K0201FP | Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for I/A Series Workstation Server Dell R710 Gen II Rack mount P90 Style F Rev. A, B Configured as Server (Remote Desktop, Domain Controller, McAfee ePO, etc.) |
| K0201GR | Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for I/A Series Workstation Server Dell T710 Gen II Tower P91 Style J Rev. A, B Configured as Server (Remote Desktop, Domain Controller, McAfee ePO, etc.) |
| K0201FT | Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for I/A Series Workstation Server HP DL380 Rack server H90 Style A Rev. A Configured as Highly Available Workstations |
| K0201FU | Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for I/A Series Workstation Server HP DL380 Rack server H90 Style A Rev. A Configured as Server (Remote Desktop, Domain Controller, McAfee ePO, etc.) |
| K0201FR | Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for I/A Series Workstation Server HP ML350 Tower Server H91 Style A Rev. A Configured as Highly Available Workstations |
| K0201FS | Windows Server 2008 R2 Standard SP1 Operating System Upgrade Kit for I/A Series Workstation Server HP ML350 Tower Server H91 Style A Rev. A Configured as Server (Remote Desktop, Domain Controller, McAfee ePO, etc.) |

NOTE
For the I/A Series workstation HP Z420, H92 Style C, use the media part number
K0174KC shipped with the workstation. If you wish to purchase backups of this
CD-ROM, be aware that it is not available through BuyAutomation; request it from
Global Customer Support at https://support.ips.invensys.com.

I/A Series Software v8.8 Media
Refer to the Hardware and Software Specific Instructions included with your station for the part number of the restore DVD for your station.
Use the checklist below to verify that you have all the Day 0 media to install I/A Series software v8.8:

Table 1-2. I/A Series Software v8.8 Day 0 Media Kit (K0201GA)

| Media Kit or DVD/CD Part Number | Description |
|---|---|
| K0174KE-A | I/A Series software v8.8 Windows 7/Server 2008 R2 Day 0 DVD |
| K0174KT-A | I/A Series software v8.8 Trailer Media |
| K0200RL-N | SysDef v3.0 Media Kit, includes: System Definition V3.0 CD-ROM (K0200MG-V); SysDef Step-by-Step (B0193WQ-J); System Definition V3.0 Release Notes (B0193XW-M) |
| K0201CT-D | I/A Series System Manager V2.3 Kit, includes: System Manager Software CD-ROM (K0174GG-D); System Manager Release Notes (B0750RS-D); System Manager User Guide (B0750AP-G) |
| K0201CE-D | I/A Series FERRET v5.4 for Windows CD-ROM includes: FERRET v5.4 and Later User's Guide (B0860AZ-A); FERRET v5.4 and Later Release Notes (B0860RH-A) |
| K0174KF-A | AIM*AT V3.4 CD ROM |
| K0174KK-A | FRS for ADMC Interoperability CD-ROM between I/A Series software v8.8 and earlier versions of I/A Series software |
| K0173WT | V8.x Electronic Documentation DVD-ROM, Includes: V8.8 Software Installation Guide (B0700SF); V8.8 Release Notes (B0700SG) |

Additional Media
Depending on your software configuration, you may also need additional software packages. These packages are installed from their respective CDs or DVDs via standard installation procedures, and are not included on the I/A Series software media.

Table 1-3. Additional Packages for I/A Series Software V8.8

| Part Number | Description |
|---|---|
| N/A | System Commit installation media. Commit installation media is created during system configuration. |
| N/A | Microsoft Windows 7 or Windows Server 2008 R2 Standard Service Pack 1 CD set. These CD sets are shipped with new workstations and servers and are also available for older server platforms as server upgrade kits in BuyAutomation. Be sure that you use the CDs associated with the 64-bit version of the operating system. |
| K0201FW-A | I/A Series software v8.7 HART and FOUNDATION fieldbus Update Media Kit - Includes CD-ROM (K0174FD-A) |
| K0201GD-A | FoxView/FoxDraw V10.3+ Media Kit for Windows 7/Server 2008 R2 - Includes: FoxView/FoxDraw V10.3 Software CD-ROM (K0174KH-A); FoxView Software v10.3 (B0700FC); FoxDraw Software v10.3 (B0700FD); FoxView/FoxDraw v10.3 Release Notes (B0700SA) |
| K0201GE-A | FoxDraw V10.3+ Media Kit for Windows 7/Server 2008 R2 - Includes: FoxDraw Standalone V10.3 Software CD-ROM (K0174KJ-A); FoxDraw Software v10.3 (B0700FD); FoxView/FoxDraw v10.3 Release Notes (B0700SA) |
| - | EFS v2.4 Media Kits - order individually: PACTWARE - FDT Frame Application CD-ROM (K0201AV-C); HART (CodeWrights) Device Type Manager (DTM) Library CD-ROM (K0201AW-D); FDT Device Manager Components (EFS) CD-ROM (K0201AX-E); Extended Frame Services 2.4 and I/A Series Communication DTMs (B0400EF-G); EFS 2.4 Release Notes (B0400EH-F) |
| K0201GW-A | Intelligent Field Device Configurator (IFDC) for Windows 7/Server 2008 R2 Media Kit, includes: IFDC Software CD-ROM (K0174KV); Intelligent Field Device Configurator (IFDC) V3.2 Release Notes (Windows 7 and Windows Server 2008 Platforms) (B0700SK-A); Intelligent Field Device Configurator IFDC for use with I/A Series Systems (B0700EU) |
| K0173WJ-D | Transient Data Recording and Analysis v1.5, includes: Transient Data Recorder and Analyzer User's Guide (B0700AL-E); Transient Data Recorder and Analyzer (TDR/TDA) V1.5 Release Notes (B0700RL-C) |
| K0173WH-D | Sequence of Events (SOE), includes: Sequence of Events (SOE) User's Guide (B0700AK-G); Sequence of Events (SOE) V1.5 Release Notes (B0700RM-C) |
| K0201GC-A | I/A Series Systems Configuration Component (IACC) v2.5 for Windows Media Kit - Includes: IACC V2.5 CD-ROM (K0174KG-A); I/A Series Systems Configuration Component (IACC) User's Guide (B0700FE); I/A Series Systems Intelligent Design Studio (IDS) Library for IACC (B0400BQ-C); I/A Series Systems Learning to Use IACC (B0400BT-C); I/A Series Systems High Level Language (HLBL) User's Guide (B0400DF-G); I/A Series Configuration Component (IACC) V2.5 Release Notes (B0700SM-A) |
| K0201AX-E | I/A Series Systems FDT Device Manager Components v2.4 for HART® and FoxCom™ Devices |
| K0173XC-F | MODBUS Driver for FDSI Modules v2.3 Ethernet (TCP/IP) and Serial Media Kit |
| K0173XD-F | OPC Client Driver for FDSI Modules v1.5 for DA V2.05 Media Kit - Includes: OPC Client Driver for FDSI Modules CD-ROM (K0173WX-F); OPC Interface Downloadable Driver for FDSI CD-ROM (K0173WG-C); FDSI Configurator V1.4 CD-ROM (K0173WZ-E) |
| K0201GX-A | Sequential Function Chart Editor (FoxSFC) for Windows 7/Server 2008 R2 Media Kit - Includes CD-ROM (K0174KW-A). The online help for this release of FoxSFC is displayed as “B0193UZ”. However, Sequential Function Chart/Structured Text Configurator and Display Manager for Sequence Blocks (B0193UZ) has been superseded by Sequential Function Chart/Structured Text Configurator and Display Manager for Sequence Blocks (B0700FV), which is available on the V8.x Electronic Documentation DVD-ROM (K0173WT) and the Global CSC webpage https://support.ips.invensys.com. |
| K0201BM-B | FDSI Ethernet/IP Driver V2.3 Media Kit - Includes: Field Device Systems Integrator Ethernet/IP Driver CD-ROM (K0174CP-C); FDSI Configurator V1.4 CD-ROM (K0173WZ-E); FDSI Driver - Allen-Bradley Ethernet/IP Driver (B0700BU-E); Allen Bradley Integrator 30 to FDSI Migration (DI700BS-A) |
| Q0301FZ-C | AIM*AT I/A Series Information Suite - Includes: AIM*AT V3.4 CD ROM (K0174KF-A); I/A Series Report Package for Windows 7/Server 2008 R2 V5.2 CD-ROM (K0174KX-A) |
| K0201BJ-D | Field Device Systems Integrator Triconex TSAA Driver V2.4 - Includes: Field Device Systems Integrator Triconex TSAA Driver CD-ROM (K0174DT-E); FDSI Configurator V1.4 CD-ROM (K0173WZ-E) |
| K0201FV-A | I/A Series® System McAfee® Products Media Kit: ePolicy Orchestrator 4.6 P1, Host Intrusion Prevention 8.0 P1, Device Control 9.2, Integrity Control 6.0 and Installation and Configuration Guide for I/A Series Systems with install media and documentation - Includes: Installation CD-ROM (K0174JZ); Optional McAfee® Security Products License Keys (J0201FL); Optional McAfee® Security Products Installation and Configuration Guide (B0700EX-A) |

Hardware and Software Specific Instruction Documents
The Hardware and Software Specific Instructions documents for your stations will be used for setting up your stations and installing hardware upgrades.
These documents have instructions for restoring the operating system (Quick Restore) and installing I/A Series software. The procedures found in the Hardware and Software Specific Instructions documents are superseded by the I/A Series software v8.8 procedures found in this document.

2. Standard I/A Series Software v8.8 Day 0 Installation
This chapter describes procedures to perform an initial installation of I/A Series software v8.8 without security enhancements. An initial installation, or an installation which removes all instances of existing I/A Series software, is referred to as a “Day 0” operation.

Workstation/Server Preparation
This section applies to both Windows 7 and Windows Server 2008 R2 Standard stations on which I/A Series software is being installed without security enhancements for the first time, or is overwriting existing I/A Series software. (This is referred to as a Day 0 installation, as opposed to a Day 1 installation, which is performed on a workstation/server on which the I/A Series software has already been installed, with the intention of retaining existing control databases and such.)
Perform the following steps to set up the hardware and restore the operating system onto your workstation.

NOTE
If this is a new station shipped from the Invensys factory with the V8.8 Restore
image identified by the media kits in Table 1-1 and verified in your workstation’s
H-code (or P-code), proceed to “Notes on Installing I/A Series System Software” on
page 14. If not, continue following the steps in this section.

1. Install hardware, restore the Windows operating system, and update drivers for your
workstation. Perform the following:
a. Refer to I/A Series System V8.8 Release Notes (B0700SG) for hardware require-
ments specific to the V8.8 release. For instructions on installing memory
upgrades, PCI cards, and so forth, refer to the “Installing Hardware Upgrades”
chapter of the hardware and software specific instruction document shipped with
your workstation.
b. Using the V8.8 Restore Media, restore the Windows operating system on your
workstation. Follow the instructions of Appendix A “Startup Options”.

! WARNING
Only use the media kits listed in Table 1-1 to restore the operating system of a
V8.8 station.

Do not follow the instructions for installing I/A Series software from your hardware
specific instruction manual. Follow the software installation procedure below.

c. Set the time and date. Perform the following:

• Open the Windows Date and Time applet by clicking the Date and Time
icon in the Control Panel.
• Click the Change Date and Time button.
• Adjust the date and time.
• Click OK.
• Click the Change time zone button.
Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
• Click OK.
d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the hardware and software specific instruction document
shipped with the server.
2. Perform the procedures in Appendix G “IASeries_NIC_Data.msi Installation (Pre-I/A Series
Installation)” on page 525.

Notes on Installing I/A Series System Software


Before you install I/A Series software, make sure that the workstation is physically connected to
the network and, if required, that any network interface card drivers are updated. Refer to the
notes below.
Also, make sure the workstation is disconnected from any secondary (non-I/A Series) networks,
but do not disable the adapters for these network cards.

! CAUTION
GPS PCI time cards are installed only in primary and backup Master TimeKeeper
workstations or servers as configured for MTK. The MTK workstations or servers
with I/A Series software v8.8 and later must install the GPS PCI time card, driver,
and control utility before installing I/A Series software. Refer to the Time Synchronization
User’s Guide (B0700AQ) to perform this installation.

! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

Changing the Station Name


The Windows workstation or server name must match the workstation or server letterbug name
as it was configured in SysDef and saved onto your Commit installation media before you install
the I/A Series software. For instructions on modifying the computer name of your workstation or
server, refer to Appendix B “Changing the Station Name”.


Disabling the VirusScan Console


Proceed as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. If Access Protection is “Enabled”, right-click on Access Protection and select
Disable, as shown in Figure 2-1.

Figure 2-1. Disable Virus Scan Access Protection

4. Right-click on On-Access Scanner and select Disable.


5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 2-2.


Figure 2-2. On-Access Scan Properties Dialog Box

6. Clear the check-box labeled Enable on-access scanning at system startup
and click Apply. Click OK.

NOTE
The check box should be re-enabled at the end of the installation.


Preparing Network Interface Cards (NICs) For Installation
Before installing I/A Series software, for each installed NIC, you must set the NIC’s properties
“Flow Control” and “Speed & Duplex” manually as described below for the NICs on this station.

NOTE
Refer to the Hardware and Software Specific Instructions document included with
your station to determine the NIC cards it supports.

Proceed as follows:
1. Right-click the My Computer icon, and click Manage. Double-click Device Manager.
In the Device Manager window, expand the Network adapters list.
2. Right-click the desired card and click Properties. In the Properties dialog box that
appears, select the Advanced tab.
3. In the Property field, click Flow Control. In the Value field, select Disable from
the drop-down menu list.
4. In the Property field, click Speed & Duplex. In the Value field, in the drop-down
menu list:
• For a station on The Mesh control network, select 100 Mb Full.
• For a station on a network other than The Mesh control network (off-Mesh),
select Auto.
5. Click OK.
6. For each additional NIC, repeat Steps 2 through 5.
7. Shut down and restart the system for the driver changes to take effect. Click the Start
button and click Shut Down; select Restart from the pull-down menu and click OK.
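
The following read-only check for the NIC settings above is an added example, not part of the guide or of the I/A Series software. It assumes the NIC drivers expose the standardized NDIS keywords *FlowControl and *SpeedDuplex in the registry; the function names and the -MeshConnection parameter are hypothetical.

```powershell
# Added example, not part of the I/A Series guide. Read-only: it changes nothing.
# Assumption: the NIC drivers expose the standardized NDIS keywords *FlowControl
# and *SpeedDuplex in the network adapter class key. Drivers that use
# vendor-specific keyword names are reported as "not found" and need a manual check.
# Written for Windows PowerShell 2.0 (Windows 7 / Windows Server 2008 R2).

$NetClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

# Display names for the standardized enumeration values.
$FlowControlNames = @{
    '0' = 'Disabled'; '1' = 'Tx Enabled'; '2' = 'Rx Enabled'
    '3' = 'Rx & Tx Enabled'; '4' = 'Auto Negotiation'
}
$SpeedDuplexNames = @{
    '0' = 'Auto'; '1' = '10 Mb Half'; '2' = '10 Mb Full'
    '3' = '100 Mb Half'; '4' = '100 Mb Full'; '6' = '1.0 Gb Full'
}

function Get-SettingName($Map, $Value) {
    if ($Value -eq $null)           { return 'not found' }
    if ($Map.ContainsKey("$Value")) { return $Map["$Value"] }
    return "unknown ($Value)"
}

function Test-IaNicSetting {
    param(
        # Connection names, as listed in Network Connections, of the NICs on The Mesh.
        [string[]]$MeshConnection = @()
    )

    # Index physical adapters by interface GUID so registry subkeys can be matched.
    $adapters = @{}
    Get-WmiObject Win32_NetworkAdapter -Filter 'PhysicalAdapter = TRUE' |
        Where-Object { $_.GUID } |
        ForEach-Object { $adapters[$_.GUID.ToUpper()] = $_ }

    # Each installed adapter has a four-digit subkey (0000, 0001, ...).
    Get-ChildItem $NetClassKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            # Read all values, then index by name: passing '*FlowControl' to
            # -Name would be treated as a wildcard pattern.
            $p = Get-ItemProperty -Path $_.PSPath
            if (-not $p.NetCfgInstanceId) { return }
            $nic = $adapters[$p.NetCfgInstanceId.ToUpper()]
            if (-not $nic) { return }

            $flow   = $p.'*FlowControl'
            $speed  = $p.'*SpeedDuplex'
            $onMesh = $MeshConnection -contains $nic.NetConnectionID
            # The guide's values: Flow Control = Disable on every NIC;
            # Speed & Duplex = 100 Mb Full on The Mesh, Auto off-Mesh.
            $wantSpeed = if ($onMesh) { '4' } else { '0' }

            New-Object PSObject -Property @{
                Connection  = $nic.NetConnectionID
                Adapter     = $p.DriverDesc
                OnMesh      = $onMesh
                FlowControl = Get-SettingName $FlowControlNames $flow
                SpeedDuplex = Get-SettingName $SpeedDuplexNames $speed
                Compliant   = ("$flow" -eq '0') -and ("$speed" -eq $wantSpeed)
            } | Select-Object Connection, Adapter, OnMesh, FlowControl, SpeedDuplex, Compliant
        }
}

# Example call; the connection names below are placeholders for this station's Mesh NICs.
# Test-IaNicSetting -MeshConnection 'Local Area Connection', 'Local Area Connection 2' |
#     Format-Table -AutoSize
```

Run it after the restart in Step 7; any row with Compliant set to False, or a setting shown as "not found", should be checked by hand in Device Manager.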

Exiting During Software Installation


If you click the Cancel button during the installation, the following dialog box appears:

Figure 2-3. Confirming Cancellation of Software Installation

Click Yes to cancel, or No to resume the installation process. If you click Yes, you are returned to
the installation dialog box as shown in Figure 2-4. If you want to see the installation log, check
Show the Windows Installer log. Click Finish.


Figure 2-4. InstallShield Wizard Completed - Interrupted

! CAUTION
Exiting during the software installation process causes an incomplete installation
and may cause the workstation to become unstable. This requires that you reload
the operating system.

To restart the installation process after clicking Cancel, re-insert the DVD labeled “I/A Series
v8.8 Day 0 DVD-ROM” (K0174KE-A). A dialog box appears asking if you want to continue
with the installation.
If you click Yes, the installation will return to the dialog box that was canceled. If you click No,
installation will restart from the beginning.

Installation Procedure
1. Ensure that the workstation is attached to The Mesh network.
2. Unplug any non-Mesh network cables.
3. Insert the DVD labeled “I/A Series v8.8 Day 0 DVD-ROM” (K0174KE-A), if it is
not already in the station.
4. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 2-5. Click
Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.


Figure 2-5. AutoPlay Dialog Box

! CAUTION
If you are prompted with a dialog box indicating that you need to restart for the
configuration changes made to the Security Enhanced Installer to take effect, you
may have restored a pre-V8.8 image. If you are sure you used the proper V8.8
restore image, then reboot the server. Otherwise, restore the workstation using the
proper V8.8 restore media. (See page 5.)

If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the workstation using the proper V8.8 Restore
media. (See page 5.)

5. Click Yes to accept the User Account Control (UAC) prompt.


6. A pre-requisite installation dialog box appears as shown in Figure 2-6. Click Install
to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the server.


Figure 2-6. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box


7. Select the radio button setting for Install I/A Series software without
security enhancements. Click Next to continue.

Figure 2-7. Selecting to Install a Domain Controller

8. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 2-8. Click Load to load the committed configuration files.


Figure 2-8. Load Committed Configuration Install Files

9. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 2-9. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a floppy diskette, put
the diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 2-8 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.


Figure 2-9. Installation Media Folder Browser


10. Once the installation files have been loaded, click Bind as shown in Figure 2-10 to
launch I/A Series Network Installation.

Figure 2-10. Load Committed Configuration Install Files - Binding

11. The dialog box shown in Figure 2-11 is displayed if the network configuration from
System Definition does not match the available NIC hardware. Select the two net-
work cards and click Next.

! CAUTION
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation.

If this dialog box is not displayed, the NIC cards have been automatically configured.
Proceed to the next step.


Figure 2-11. I/A Series Network Installation (For Certain NIC Cards)

12. The MSI installer opens for I/A Series Day 0 software. Click Next.

Figure 2-12. I/A Series Installshield Wizard - Next


13. Click Install to run the installation.

Figure 2-13. I/A Series Installshield Wizard - Install

14. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 2-14 is displayed for each OS1FDB station configured to be hosted by the
workstation being installed.

NOTE
This will occur one time for each OS1FDB station configured.

Click one of the following:
• Click Load to install this package.
• Click Skip to bypass the installation of this package. If Skip is selected, the
installation will continue, but this dialog box will be displayed again for each of
the OS1FDB stations configured on this I/A Series workstation.


Figure 2-14. Installation Media Dialog Box

15. If you selected Load, the media folder browser opens.

Figure 2-15. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button.
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette must be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.


16. If you selected Use Diskette in the previous step, the dialog box in Figure 2-16
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
must be inserted in drive A:\.

Figure 2-16. Installation Media Dialog Box - For Diskettes

17. Click Finish when the installation process is complete.

Figure 2-17. Complete Installation

At the end of the installation, the installation log is displayed. You can view this log
later by clicking the Start button and selecting All Programs -> Invensys ->
IASeries -> Utilities -> Log Viewer.


Figure 2-18. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.

Installing the I/A Series Software v8.8 Trailer CD-ROM


To complete the installation of I/A Series software v8.8, you must install the V8.8 trailer CD-ROM
(K0174KT). The trailer CD-ROM must be installed for stations running Windows 7 or
Windows Server 2008 R2 Standard operating systems:
1. Launch the trailer installation application (setup.exe):
• If you have the CD-ROM labeled “I/A Series 8.8 Trailer CD-ROM” (K0174KT),
insert this CD-ROM into the station. The installation launches automatically.
• If you acquired the trailer application setup.exe via another method, such as copying
it from a shared network drive or downloading it from the GSC website, double-click
setup.exe to launch the installation.
2. Click Next and then click Install to start the installation process.
3. If the user currently logged in is not an administrator, a User Account Control (UAC)
prompt may appear. Click Yes to accept the UAC prompt.


NOTE
During the trailer installation, if the following message appears, “The Setup must
update files or services that cannot be updated while the system is running. If we
choose to continue, reboot will be required to continue the setup,” click OK. The
installation continues as normal. Do not reboot the station if you see this message.
This message is shown in the event that you are installing the trailer after booting
into the I/A Series software (which you should not have done if you are performing
this procedure as written in this section).

4. When the installation is complete, click Finish.


5. If you are installing the trailer via a CD-ROM, remove the trailer CD-ROM.
6. Restart your station as described in the following section.
A log file for the trailer installation is saved to: D:\usr\fox\sp\SetupLog.IAv88Trailer.txt
If a Day 1 operation is performed after the trailer has been applied, the trailer can be repaired to
add any versions of files (updated by the trailer) which are part of the newly added I/A Series
packages.

Restarting Your System


FoxView software may be installed prior to rebooting the workstation to eliminate one reboot.
Install FoxView™ and FoxDraw™ software from the FoxView/FoxDraw CD-ROM. Refer to
FoxView™ and FoxDraw™ Software V10.3 Release Notes (B0700SA) for installation instructions.
Reboot the workstation at this time. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.

Configuring VirusScan Software


McAfee VirusScan V8.8i software is installed on your station. Refer to Appendix C “Excluding
Files, Folders, and Drives” to exclude the recommended set of I/A Series files from scanning.

Installing Optional Software


After restarting the station following the I/A Series software installation, you may need to perform
one or more of the following tasks:
1. If not already installed, install FoxView™ and FoxDraw™ software from the
FoxView/FoxDraw CD-ROM. Refer to FoxView™ and FoxDraw™ Software V10.3
Release Notes (B0700SA) for installation instructions.
2. Install AIM*Historian® software according to the instructions provided with the
AIM*Historian media.
3. It is highly recommended that you install Ferret software after installing I/A Series
software v8.8. Refer to FERRET v5.4 and Later User's Guide (B0860AZ) for installation
instructions and FERRET v5.4 and Later Release Notes (B0860RH) for information
on using the Ferret software. These documents are available in PDF format on
the Ferret CD-ROM.
4. Install any other software media for selected optional packages.

System Manager and System Management Display Handler (SMDH) Installation Notes
I/A Series system management is carried out by the operator primarily via the:
• System Manager, discussed in System Manager (B0750AP), or
• System Management Display Handler (SMDH), discussed in System Management
Displays (B0193JC).
Be aware of the following notes regarding the installation of these software packages.
• On servers/workstations configured with the SMDH package (ASMDW7), the System
Manager will be installed. Uninstalling the System Manager through the
Programs and Features dialog box (accessed via the Control Panel) results in the
server/workstation defaulting to SMDH as the system management application.
• SMDH can only be invoked through FoxView. From the I/A Series initial display,
access the SMDH displays from the System button on the FoxView main window.
System Manager displays can be invoked directly, without the need for a separate
application.
Be aware that FoxView is not typically loaded on a domain controller. Invensys recommends
the IAMESH only configuration on domain controllers, in which SMDH
or System Manager is not installed.
• On servers/workstations where System Manager is installed by the Day 0 installation
of I/A Series software, only the System Manager client is installed.

NOTE
The System Manager Server should be installed only if the IASVCS package is
assigned to the station.

To install the System Manager Server, proceed as follows:
a. Insert the DVD labeled “I/A Series v8.8 Day 0 DVD-ROM” (K0174KE-A), if it
is not already in the drive and open the folder “\3rd_party\SystemManager”.
b. Double-click on setup.exe.
c. Click Next.
d. Keep the “Modify” choice selected (default) and click Next.

e. Under “System Manager Server”, select “This feature will be installed
on local hard drive”, as shown in Figure 2-19.

Figure 2-19. Installing System Manager Server

f. Click Next and then Install to install the System Manager Server.
• If the SMDH package was not configured and the System Manager client is not
installed, System Manager may be added by running the complete System Manager
installation process from the System Manager CD-ROM (K0174GG).

NOTE
The System Manager client is installed only if the IASVCS package is assigned to
the station.

Installing the Beep Driver (I/A Series Servers with FoxPanels Only)
On I/A Series servers with Windows Server 2008 R2 Standard, FoxPanels requires that the Beep
Driver component be running to operate. This driver is disabled by default, and must be enabled
on these servers to enable redirection of the Beep Driver through the audio redirection mechanism.
To enable the Beep Driver on servers with Windows Server 2008 R2 Standard, proceed as follows:
1. Install the Desktop Experience server feature.
a. Open the Server Manager as follows: click the Start button and click Control
Panel -> Administrative Tools, and double-click Server Manager.


Alternately, you can open a command prompt - click the Start button and click
Programs -> Accessories -> Command Prompt. Then, type
servermanager.msc and press <Enter>.
b. In the Features Summary section, click Add features.
c. Select the Desktop Experience check box, and then click Next.
d. Complete the wizard by clicking Install.
2. Configure the Windows Audio service to start automatically.
a. Open a command prompt, type Services.msc and press <Enter>.
b. Scroll down in the Services (Local) window, right-click Windows Audio and
select Properties.
c. In the General tab, select Automatic in the Startup Type drop-down menu.
d. Click OK.
e. Close the Services dialog box.
3. Open a command prompt.
a. Type the following: sc config beep start= auto
b. Press <Enter>. This configures the Beep Driver to start automatically.
4. Enable the SystemSoundsService task to run on user logon, as follows:
a. Open the Task Scheduler: click the Start button and click Control Panel ->
Administrative Tools and double-click Task Scheduler.
Alternately, you can open a command prompt, type Taskschd.msc and press
<Enter>.
b. Open the Task Library.
c. Navigate to the Microsoft/Windows/Multimedia section.
d. Right-click the SystemSoundsService task and click Enable.
e. Click OK.
f. Close the Task Scheduler.
The Beep Driver is enabled.
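
The four steps above can be confirmed with the following read-only check, which is an added example and not part of the guide. It assumes English-language schtasks output and the built-in Windows names Desktop-Experience (feature), Audiosrv (Windows Audio service) and Beep (driver); the function names are hypothetical.

```powershell
# Added example, not part of the I/A Series guide. Read-only check of the four
# Beep Driver steps on Windows Server 2008 R2 (Windows PowerShell 2.0).
# Assumptions: English-language schtasks output, and the built-in names
# "Desktop-Experience" (feature), "Audiosrv" (Windows Audio) and "Beep" (driver).

function New-CheckResult($Step, $Item, $Found, $Expected) {
    New-Object PSObject -Property @{
        Step = $Step; Item = $Item; Found = $Found; Expected = $Expected
        Pass = ($Found -eq $Expected)
    } | Select-Object Step, Item, Found, Expected, Pass
}

function Test-BeepDriverSetup {
    # Step 1: Desktop Experience server feature.
    Import-Module ServerManager -ErrorAction Stop
    $feature = Get-WindowsFeature -Name Desktop-Experience
    New-CheckResult 1 'Desktop Experience feature installed' ([bool]$feature.Installed) $true

    # Step 2: Windows Audio service set to start automatically.
    $audio = Get-WmiObject Win32_Service -Filter "Name='Audiosrv'"
    $audioMode = if ($audio) { $audio.StartMode } else { 'not found' }
    New-CheckResult 2 'Windows Audio service start mode' $audioMode 'Auto'

    # Step 3: result of "sc config beep start= auto". The Beep Driver is a
    # kernel driver, so it is listed under Win32_SystemDriver, not Win32_Service.
    $beep = Get-WmiObject Win32_SystemDriver -Filter "Name='Beep'"
    $beepMode = if ($beep) { $beep.StartMode } else { 'not found' }
    New-CheckResult 3 'Beep driver start mode' $beepMode 'Auto'

    # Step 4: SystemSoundsService scheduled task enabled. Windows Server 2008 R2
    # has no Get-ScheduledTask cmdlet, so the verbose CSV output of schtasks.exe
    # is parsed instead. The column name is language-dependent.
    $taskPath = '\Microsoft\Windows\Multimedia\SystemSoundsService'
    $rows = @(schtasks.exe /Query /TN $taskPath /V /FO CSV 2>$null | ConvertFrom-Csv)
    $state = if ($rows.Count -gt 0) { $rows[0].'Scheduled Task State' } else { 'not found' }
    New-CheckResult 4 'SystemSoundsService task state' $state 'Enabled'
}

# Example call from an elevated PowerShell prompt:
# Test-BeepDriverSetup | Format-Table -AutoSize
```

A row with Pass set to False identifies the step of the procedure to repeat.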

Setting Date and Time


For an internally sourced Master TimeKeeper (MTK), set the local date and time with either
System Manager (default) or SMDH.
For instructions on how to set the date and time with the System Manager, refer to the section
“Date and Time Tools” in System Manager (B0750AP).
For instructions on how to set the date and time with the System Management Display Handler
(SMDH), proceed as follows:
1. From the I/A Series initial display, access System Management displays from the
System button on the FoxView main window.


2. From the System Monitor display, select the Time button to access the Set Date and
Time screen. Set the current date and time by clicking the appropriate arrows on the
screen. Click RETURN - SET.
For an active externally sourced MTK, the Set Date and Time display is unavailable. The date and
time are automatically established and synchronized by an external GPS satellite.
Refer to Time Synchronization User’s Guide (B0700AQ) for a complete description of the time
synchronization subsystem.

Completing Installation
To complete the installation, re-enable the Enable on-access scanning at system
startup feature in the McAfee VirusScan Console as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. Right-click on Access Protection and select Enable, as shown in Figure 2-1 on
page 15.
4. Right-click on On-Access Scanner and click Enable.
5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 2-2 on page 16.
6. Check the check-box labeled Enable on-access scanning at system startup
and click Apply.
7. Click OK to close this dialog box.

3. Installation or Migration Scenarios for Security Enhanced I/A Series Software v8.8
If you are performing an installation or migration for a system with Security Enhanced
I/A Series software v8.8, this chapter assists you in determining the various tasks needed for
your specific system configuration.
For installations that require additional security over that provided by the standard I/A Series software
v8.8, a system with the security enhanced I/A Series software v8.8 is available. This security
implementation involves having servers that provide the role of Microsoft® Active Directory
Domain Controllers. A domain controller is a server on a Microsoft Windows network that is
responsible for allowing host access to Windows domain resources. It stores user account information,
authenticates users and enforces security policy for a Windows domain.
There has to be at least one domain controller present to act as the “primary” domain controller,
but the recommendation is to have a second server acting as a “secondary” domain controller to
provide redundancy. All the workstation clients of these domain controllers are members of a
secure domain (domain clients).
Determine the installation scenario for your I/A Series system as follows:
1. There are two separate types of installations for systems with security enhanced
I/A Series software v8.8. Determine which are applicable for the stations in your
I/A Series system:
• New Installation - Installation of this security enhanced software on workstations/servers
on which I/A Series software has never been installed. For this installation,
the domain controllers and all client domain workstations are newly
installed with I/A Series software v8.8.
Workstations with standard I/A Series software can also be installed on the same
Mesh network but will not be members of the secure domain.
• Migration - Installation of this software on existing workstations/servers on which
security enhanced I/A Series software v8.5, v8.6, or v8.7 has been installed previously.
One or more of the existing domain client workstations must remain in
place and co-exist on the same domain as the new domain clients with I/A Series
software v8.8 while the migration is occurring, but then that domain client can be
migrated to I/A Series software v8.8, and the old Active Directory GPOs and OUs
that support the older I/A Series version could be removed from Active Directory
eventually.
2. Next, the domain controller target destination must be determined. This is based on
where the domain controllers will be located after the installation:
• On-Mesh - On The Mesh control network.
• Off-Mesh - On a separate network.

3. Once you have determined the installation type (New Installation or Migration) and
the domain controller target destination (On-Mesh or Off-Mesh), use this information
to select your installation scenario from Table 3-1. Then proceed to the appropriate
section in this document to install the software, as directed.
Table 3-1 provides the details concerning each different installation scenario.

Table 3-1. Domain Controller Installation/Migration Scenarios for I/A Series Software v8.8

| Installation Type | Scenario | Domain Controller Target Destination: On-Mesh | Domain Controller Target Destination: Off-Mesh | Refer to Chapter |
|---|---|---|---|---|
| New Installation | 1 (page 36) | New On-Mesh PDC with I/A Series software v8.8 | - | Chapter 4 on page 41 |
| New Installation | 2 (page 37) | - | New Off-Mesh PDC with I/A Series software v8.8 | Chapter 5 on page 105 |
| New Installation | 3 (page 37) | - | Install I/A Series software v8.8 on Existing Off-Mesh PDC with Windows Server 2008 R2 Standard | Chapter 6 on page 169 |
| Migration | 4 (page 37) | PDC with I/A Series software v8.7 -> New On-Mesh PDC with I/A Series software v8.8 | - | Chapter 7 on page 195 |
| Migration | 5 (page 38) | PDC with I/A Series software v8.7 -> | New Off-Mesh PDC with I/A Series software v8.8 | Chapter 8 on page 231 |
| Migration | 6 (page 39) | PDC with I/A Series software v8.7 -> | Existing Off-Mesh PDC | Chapter 9 on page 279 |

These scenarios are explained below.

Scenario 1
In this scenario:
• New domain controllers (PDC and SDC) are located on The Mesh control network
(On-Mesh). All stations (new domain controllers and new domain client workstations)
are loaded with I/A Series software v8.8.
• There are no stations with security enhanced I/A Series software v8.7 or earlier on the
domain.
• Stations with standard (non-SE) I/A Series software v8.8 or earlier are supported on
the same Mesh network but not on the secure domain.
Refer to Chapter 4 “Security Enhanced I/A Series Software v8.8 Installation for Domain Controllers
on The MESH Control Network” for the installation instructions for this scenario.

Scenario 2
In this scenario:
• New domain controllers (PDC and SDC) are located on a separate, customer-supplied
network (Off-Mesh). All stations (new domain controllers and new domain
client workstations) are loaded with I/A Series software v8.8.
• There are no stations with security enhanced I/A Series software v8.7 or earlier on the
domain.
• Stations with standard (non-SE) I/A Series software v8.8 or earlier are supported on
the same Mesh network but not on the secure domain.
Refer to Chapter 5 “Security Enhanced I/A Series Software v8.8 Installation for New Off-MESH
Domain Controllers” for the installation instructions for this scenario.

Scenario 3
This scenario is designed for systems in which you already have a PDC with Windows Server
2008 R2 Standard on which you want to install the I/A Series components for Active Directory.
In this scenario:
• I/A Series software v8.8 is installed to an existing PDC with Windows Server 2008 R2
Standard installed on an Off-Mesh network. The existing PDC is running Windows
Server 2008 R2 Standard with no I/A Series software. The existing PDC installed on a
separate network (Off-Mesh) is a customer-supplied station that has customer-specific
Active Directory components with no I/A Series software.
• This installation is not completely automated by the I/A Series software v8.8 installation
program and requires some manual steps as indicated in Chapter 6 “Security
Enhanced I/A Series Software v8.8 Installation for Existing Off-MESH Primary
Domain Controllers”.
• All domain clients are installed as new workstations with I/A Series software v8.8.
• There are no stations with security enhanced I/A Series software v8.7 or earlier on the
domain.
• Stations with standard (non-SE) I/A Series software v8.8 or earlier are supported on
the same Mesh network but not on the secure domain.
Refer to Chapter 6 “Security Enhanced I/A Series Software v8.8 Installation for Existing Off-MESH
Primary Domain Controllers” for the installation instructions for this scenario.

Scenario 4
In this scenario:
• This is a migration of an existing PDC on The Mesh control network with Windows
Server 2003 and I/A Series software v8.5, v8.6 or v8.7 to a new PDC on The Mesh
control network with Windows Server 2008 R2 Standard and I/A Series software
v8.8.
• The new PDC with Windows Server 2008 R2 Standard can either be a new server or
an existing SDC that is capable of running Windows Server 2008 R2 Standard.
• The installation is not completely automated by the I/A Series software v8.8 installation
program and requires some manual steps as indicated in Chapter 7 “Migrating
I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The
MESH Control Network”.
• The station name for the new PDC must be the name of a new station with I/A Series
software v8.8 that is configured to have only the IAMESH package. The name of this
station must be included on the Commit installation media.
• The existing PDC will switch roles and become an SDC on The Mesh control network
with Windows Server 2003. This station will keep its same name.
• SDCs are configured as follows:
  - All existing SDCs with I/A Series software v8.7 or earlier must be taken off-line
  (removing them from Active Directory, described in Appendix D “Secondary
  Domain Controllers in an I/A Series System” - demoting is required for domain
  controllers).
  - These off-line stations must have Windows Server 2008 R2 Standard installed on
  them (if their hardware supports this operating system).
  - Each off-line station must have the appropriate software installed on them to
  make them an SDC according to the instructions in this document.
  This requires that either a new letterbug (station name) is provided which is designated
  as a station with I/A Series software v8.8 in the Commit installation media
  or that the existing station name is converted in System Definition to be a station
  with I/A Series software v8.8.
Refer to Chapter 7 “Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller
on The MESH Control Network” for the installation instructions for this scenario.

Scenario 5
In this scenario:
• This is a migration of an existing PDC on The Mesh control network with Windows
Server 2003 and I/A Series software v8.5, v8.6 or v8.7 to a new PDC installed on a
separate network (Off-Mesh) with Windows Server 2008 R2 Standard and I/A Series
software v8.8.
• The new PDC with Windows Server 2008 R2 Standard can either be a new server or
an existing SDC that is capable of running Windows Server 2008 R2 Standard.
• The installation is not completely automated by the I/A Series software v8.8 installation
program and requires some manual steps as indicated in Chapter 8 “Migrating
I/A Series Software v8.5/8.6/8.7 to a New Off-MESH Primary Domain Controller”.
• The station name for the new PDC does not have to be included on the Commit
installation media. This new name is configured in the Active Directory according to
the instructions.
• The original PDC (with I/A Series software v8.5, v8.6 or v8.7) is no longer used after
the installation and can be removed.
• The old SDC must be removed. This involves demoting the domain controller and
removing it from Active Directory. Any other SDC station on the I/A Series system v8.7
or earlier on The Mesh control network must also be removed and reloaded as stations
with I/A Series software v8.8 (Off-Mesh) if desired:
  - All existing SDCs with I/A Series software v8.7 or earlier must be taken off-line
  (removing them from Active Directory, described in Appendix D “Secondary
  Domain Controllers in an I/A Series System” - demoting is required for domain
  controllers).
  - These off-line stations must have Windows Server 2008 R2 Standard installed on
  them (if their hardware supports this operating system).
  - Each off-line station must be installed as an Off-Mesh SDC according to the
  instructions in this document.
Refer to Chapter 8 “Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-MESH Primary
Domain Controller” for the installation instructions for this scenario.

Scenario 6
In this scenario:
• This is a migration of an existing PDC on The Mesh control network with Windows
  Server 2003 and I/A Series software v8.5, v8.6 or v8.7 to an existing PDC on a
  separate network (Off-Mesh) with Windows Server 2008 R2 Standard. The existing PDC
  is a customer station that has customer-specific Active Directory components with no
  I/A Series software.
• The installation is not completely automated by the I/A Series software v8.8
  installation program and requires some manual steps as indicated in Chapter 9 “Migrating
  I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-MESH Primary Domain
  Controller”.
• The station name for the new PDC does not have to be included on the Commit
  installation media. This new name is configured in the Active Directory according to
  the instructions.
• The original PDC and all original SDC stations (with I/A Series software v8.5, v8.6
  or v8.7) will no longer function as domain controllers on the I/A Series network.
• It is possible to do one of the following with the original PDC and any original SDC
  stations:
    • Reload these stations with I/A Series software v8.5/8.6/8.7 and connect them to
      the new migrated domain. This involves reloading the Windows Server 2003 R2
      operating system on these stations and re-installing I/A Series software as described
      in I/A Series 8.5 Software Installation Guide (B0700SB).
    • Remove Active Directory from these stations and then connect them directly to
      the new domain without reloading I/A Series software (staying at v8.5/8.6/8.7).
      This involves performing the procedures for demoting a domain controller,
      starting with each SDC station and ending with the PDC station (all on the old
      domain). Then, the stations must be connected physically to the new Off-Mesh
      domain and then joined to the new Active Directory domain.
    • Reload these stations with I/A Series software v8.8 (if the hardware supports the
      Windows Server 2008 R2 Standard operating system). This involves backing up
      anything relevant on the station, reloading the operating system, and installing
      I/A Series software v8.8. In this case, these stations either need to be assigned a
      new workstation name (change the Commit installation media to add a new
      station with I/A Series software v8.8) or migrate the existing letterbug to become a
      station with I/A Series v8.8 in System Definition, as described in System
      Definition: A Step-By-Step Procedure (B0193WQ).

NOTE
The procedure to add an SDC station to this domain after the migration is
completed is out of the scope of this document. The domain is an existing setup and
already has its domain controllers configured.

Refer to Chapter 9 “Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-MESH
Primary Domain Controller” for the installation instructions for this scenario.

4. Security Enhanced I/A Series Software v8.8 Installation for Domain Controllers on The MESH Control Network
This chapter describes procedures to install security enhanced I/A Series software v8.8 on
primary and secondary domain controller servers on The Mesh control network.
Proceed to the appropriate section:
• For Primary Domain Controllers on The Mesh control network, proceed to the next
  section.
• For Secondary Domain Controllers on The Mesh control network, proceed to
  “Installing Security Enhanced I/A Series Software v8.8 on Secondary Domain
  Controllers on The MESH Control Network” on page 76.

NOTE
After the IAInstaller account has been created during the PDC software installation,
use this account for all subsequent installation tasks, such as installing additional
software. However, due to the permissions assigned to IAInstaller, do not use it for
any other role, such as operation of the station.

Installing I/A Series SE Software v8.8 on Primary Domain Controllers on The MESH Control Network
This section describes how to install security enhanced I/A Series software v8.8 on primary
domain controller servers on The Mesh control network.

Server Preparation
The primary domain controller (PDC) must be a server-class station installed with the Windows
Server 2008 R2 Standard operating system, and must be the first station in the I/A Series system
installed with the security enhanced I/A Series software. For this procedure, it is assumed that the
PDC is installed on The Mesh control network (which is a dedicated I/A Series maintained
network).
Perform the following steps to set up the hardware and restore the operating system onto your
primary domain controller server:

NOTE
If this is a new station shipped from the Invensys factory with the V8.8 Restore
image identified by the media kits in Table 1-1 and verified in your workstation’s
H-code (or P-code), proceed to “Notes on Installing I/A Series System Software” on
page 43. If not, continue following the steps in this section.

1. Install hardware, restore the Windows Server 2008 R2 Standard operating system, and
update drivers for your server. Perform the following:
a. Refer to I/A Series System V8.8 Release Notes (B0700SG) to be sure that your
hardware meets all hardware requirements specific to the I/A Series software V8.8
release. For instructions on installing memory upgrades, PCI cards, and so forth,
refer to the “Installing Hardware Upgrades” chapter of the Hardware and Software
Specific Instructions document shipped with your server.
b. Using the V8.8 Restore Media, restore the Windows Server 2008 R2 Standard
operating system on your server. Follow the instructions of Appendix A “Startup
Options”.

! WARNING
Only use the media kits listed in Table 1-1 to restore the operating system of a
V8.8 station.

Do not follow the instructions for installing I/A Series software from your hardware
specific instruction manual. Follow the software installation procedure below.

c. Set the time and date. Perform the following:
• Open the Windows Date and Time applet by clicking the Date and Time
  icon in the Control Panel.
• Click the Change Date and Time button.
• Adjust the date and time.
• Click OK.
• Click the Change time zone button.
• Select the correct time zone from the drop-down list and select the checkbox
  (if not already selected) to automatically adjust the clock for daylight saving
  time (DST) changes, if desired.
• Click OK.
d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the Hardware and Software Specific Instructions
document shipped with the server.
2. Perform the procedures in Appendix G “IASeries_NIC_Data.msi Installation
(Pre-I/A Series Installation)” on page 525.

Notes on Installing I/A Series System Software
Before you install I/A Series software, make sure that the server is physically connected to
The Mesh network and, if required, that any network interface card drivers are updated. Refer to the
notes below.
Also, make sure the server is disconnected from any secondary (non-I/A Series) networks, but do
not disable the adapters for these network cards.

! WARNING
The server must be connected to The Mesh network before installing I/A Series
software.

! CAUTION
Disconnect non-I/A Series network connections but do not disable the adapters for
these network cards.

! CAUTION
The network interface drivers used for connection to The Mesh may require
updating before installing I/A Series Version 8.8 software. Failure to do this may lead to
communication errors. See Appendix A “Startup Options”.

! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

NOTE
It is not possible to log onto either type of domain controller (primary or
secondary) with any of the standard I/A Series user accounts (such as users that are
members of the IA Plant Operators, IA Plant Admins, or IA Plant Engineers groups). It
is possible to log onto a domain controller with the “IAManager”, “IAInstaller”, and
“IADomainAdmin” accounts. However, all of the I/A Series software functionality
is not available through these user accounts. The recommended configuration for
the domain controllers is IAMESH only.

NOTE
On servers with the Windows Server 2008 R2 Standard operating system, it is
recommended that no roles be added to the system which are not necessary for the
operation of the server. Adding unnecessary roles (for example, adding the Remote
Desktop Services role when the server is not to be used as a remote session host) can
create security weaknesses in the overall system.

Changing the Station Name
The Windows server name must match the server letterbug name as it was configured in SysDef
and saved onto your Commit installation media before you install the I/A Series software. For
instructions on modifying the computer name of your server, refer to Appendix B “Changing the
Station Name”.

Disabling the VirusScan Console
Proceed as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. If Access Protection is “Enabled”, right-click on Access Protection and select
Disable, as shown in Figure 4-1.

Figure 4-1. Disable Virus Scan Access Protection

4. Right-click on On-Access Scanner and select Disable.
5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 4-2.

Figure 4-2. On-Access Scan Properties Dialog Box

6. Clear the check-box labeled Enable on-access scanning at system startup
and click Apply. Click OK.

NOTE
The check box should be re-enabled at the end of the installation.

Preparing Network Interface Cards (NICs) For Installation
Before installing I/A Series software, for each installed NIC, you must set the NIC’s properties
“Flow Control” and “Speed & Duplex” manually as described below for the NICs on this station.

NOTE
Refer to the Hardware and Software Specific Instructions document included with
your station to determine the NIC cards it supports.

Proceed as follows:
1. Right-click the My Computer icon, and click Manage. Double-click Device Manager.
In the Device Manager window, expand the Network adapters list.
2. Right-click the desired card and click Properties. In the Properties dialog box that
appears, select the Advanced tab.
3. In the Property field, click Flow Control. In the Value field, select Disable from
the drop-down menu list.
4. In the Property field, click Speed & Duplex. In the Value field, in the drop-down
menu list:
• For a station on The Mesh control network, select 100 Mb Full.
• For a station on a network other than The Mesh control network (off-Mesh),
  select Auto.
5. Click OK.
6. For each additional NIC, repeat Steps 2 through 5.
7. Shut down and restart the system for the driver changes to take effect. Click the Start
button and click Shut Down; select Restart from the pull-down menu and click OK.

Canceling and Resuming the Security Enhanced Installation Process
If you click the Cancel button during the security-enhanced installation, the following dialog
box appears:

Figure 4-3. Confirming Cancellation of Software Installation

Click Yes to cancel, or No to resume the installation process. If you click Yes, the following dialog
box appears. Click OK:

Figure 4-4. Confirming Installation Interruption

You are returned to the installation dialog box as shown in Figure 4-5. If you want to see the
installation log, check Show the Windows Installer log. Click Finish.

Figure 4-5. InstallShield Wizard Completed - Interrupted

To restart the installation process after clicking Cancel, re-insert the DVD labeled “I/A Series
v8.8 Day 0 DVD-ROM” (K0174KE-A). A dialog box appears asking if you want to continue
with the installation.
If you click Yes, the installation will return to the dialog box that was canceled. If you click No,
installation will restart from the beginning.

Installation Procedure
Proceed as follows:
1. Ensure that the server is attached to The Mesh network.
2. Unplug any non-Mesh network cables.
3. Insert the DVD labeled “I/A Series v8.8 Day 0 DVD-ROM” (K0174KE-A).
4. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 4-6. Click
Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 4-6. AutoPlay Dialog Box

! CAUTION
If you are prompted with a dialog box indicating that you need to restart for the
configuration changes made to the Security Enhanced Installer to take effect, you
may have restored a non-secure image intended for I/A Series software v8.5-8.7 on
Windows XP or Windows Server 2003 R2. If you are sure you used the proper V8.8
restore image, then reboot the server. Otherwise, restore the server using the proper
V8.8 restore media. (See page 5.)

5. Click Yes to accept the User Account Control (UAC) prompt.
6. A pre-requisite installation dialog box appears as shown in Figure 4-7. Click Install
to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the server.

Figure 4-7. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box

7. A dialog box appears that allows you to select whether you are installing I/A Series
software without security enhancements or for a security-enhanced system. Select
Install I/A Series software for a security enhanced system and
Install this workstation as a domain controller (secondary or primary):

Figure 4-8. Selecting to Install a Domain Controller

8. If you are migrating from a previous version of I/A Series software (pre-v8.8), check
the “Migrate from Pre-8.8 I/A Series (PDC Only)” box. Otherwise, do not
check this box.
Security enhanced I/A Series software v8.8 should only be installed on the Windows 7
or Windows Server 2008 R2 Standard operating systems as provided by Invensys.
9. Click Next.
10. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 4-9. Click Load to load the committed configuration files.

Figure 4-9. Load Committed Configuration Install Files

11. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 4-10. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a floppy diskette, put
the diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 4-9 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.

Figure 4-10. Installation Media Folder Browser

12. Once the installation files have been loaded, click Bind as shown in Figure 4-9 on
page 51 to launch the I/A Series Network Installation.
13. The dialog box shown in Figure 4-11 is displayed if the network configuration from
System Definition does not match the available NIC hardware. If this dialog box is
displayed, select the two network cards and click Next.

! CAUTION
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation.

If this dialog box is not displayed, the NIC cards have been automatically configured.
Proceed to the next step.

Figure 4-11. I/A Series Network Installation (For Certain NIC Cards)

14. Click Next. The Server platform setup dialog appears as shown in Figure 4-12. Leave
the “Install as a Primary Domain Controller (PDC)” choice selected.

Figure 4-12. Server Platform Setup Dialog Box

15. If Secondary Domain Controller (SDC) stations are planned for this I/A Series
system, select the SDC stations from the “Select the Secondary Domain Controller
Stations” drop-down list and click Set. If no SDC stations are planned, click Skip.
16. In the “Enter domain information for Active Directory setup and Prepare” area, enter
the name of your domain (iaseries.local is the default), the site name
(IASERIES is the default), and the password for the logged on user account (normally
the password for the Fox account). When done, click Prepare.
17. A warning dialog appears as shown in Figure 4-13. Ensure that the name you have
chosen for your Active Directory domain is correct and will not conflict with another
domain on the same network. Click OK to continue.

Figure 4-13. Active Directory Warning

18. Click Install to load the Active Directory Domain Services onto this server and to
promote the server to the role of Primary Domain Controller.
A DOS window is displayed while Active Directory is being installed, as shown in
Figure 4-14.

Figure 4-14. Active Directory Installation via DOS Window

The DOS window shows progress while the system is promoted to Primary Domain
Controller status and DNS is installed, as shown in Figure 4-15.

Figure 4-15. Promoting to Primary Domain Controller via DOS Window

19. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “Administrator” account with the password
“Password1”.
20. Restart the installation by launching Setup.exe from the DVD drive, as described in
Steps 3-4 above. The dialog box shown in Figure 4-16 is displayed. Click Apply.

Figure 4-16. Setting up the Platform for a Secure I/A Series Installation

A DOS window is displayed while the Active Directory domain settings are applied,
as shown in Figure 4-17.

Figure 4-17. Active Directory Domain Settings Applied

21. The I/A Series Secure User Accounts dialog box opens as shown in Figure 4-18. Enter
in the user names and passwords for the standard I/A Series domain accounts and
click Create.

Figure 4-18. I/A Series Secure User Accounts Dialog Box

NOTE
The names of these accounts may be changed, but the default values are
recommended. Passwords must meet password complexity requirements. Password
complexity requirements include: an 8-character minimum password length; at least one
lowercase character; at least one uppercase character; and at least one numeric
character.

22. When the Invensys IASeries Install: Workstation Reboot Request dialog box appears,
as shown in Figure 4-19, click Reboot.

Figure 4-19. Invensys IASeries Install: Workstation Reboot Request Dialog Box

The following dialog box indicates that the server will be rebooted.

Figure 4-20. You Are About To Be Logged Off Dialog Box

23. After the server reboots, log on with the “IA Installer” account with the password
chosen in the previous steps.
24. The installation continues automatically. Click Next and then Install to run the
installation.
25. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 4-21 is displayed.
To install this package, insert the first OS1FDB package diskette and click Load. After
the first disk has been loaded, insert the second OS1FDB package diskette and click
Load.

To bypass the installation of this package, click Skip. The installation continues, but
this dialog box is displayed again for each of the OS1FDB stations configured on this
station.

NOTE
This will occur one time for each OS1FDB station configured.

Figure 4-21. Installation Media Dialog Box

26. If you selected Load, the media folder browser opens.

Figure 4-22. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button.
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette must be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.

27. If you selected Use Diskette in the previous step, the dialog box in Figure 4-23
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
must be inserted in drive A:\.

Figure 4-23. Installation Media Dialog Box - For Diskettes

28. Click Finish when the installation process is complete.
At the end of the installation, the installation log is displayed. You can view the
installation log at any time by clicking the Start button and selecting All Programs ->
Invensys -> IASeries -> Utilities -> Log Viewer.

Figure 4-24. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.

Installing the I/A Series Software v8.8 Trailer CD-ROM
To complete the installation of I/A Series software v8.8, you must install the V8.8 trailer
CD-ROM (K0174KT). The trailer CD-ROM must be installed for stations running Windows 7 or
Windows Server 2008 R2 Standard operating systems:
1. Launch the trailer installation application (setup.exe):
• If you have the CD-ROM labeled “I/A Series 8.8 Trailer CD-ROM” (K0174KT),
  insert this CD-ROM into the station. The installation launches automatically.
• If you acquired the trailer application setup.exe via another method, such as
  copying it from a shared network drive or downloading it from the GSC website,
  double-click setup.exe to launch the installation.
2. Click Next and then click Install to start the installation process.
3. If the user currently logged in is not an administrator, a User Account Control (UAC)
prompt may appear. Click Yes to accept the UAC prompt.

NOTE
During the trailer installation, if the following message appears, “The Setup must
update files or services that cannot be updated while the system is running. If we
choose to continue, reboot will be required to continue the setup,” click OK. The
installation continues as normal. Do not reboot the station if you see this message.
This message is shown in the event that you are installing the trailer after booting
into the I/A Series software (which you should not have done if you are performing
this procedure as written in this section).

4. When the installation is complete, click Finish.
5. If you are installing the trailer via a CD-ROM, remove the trailer CD-ROM.
6. Restart your station as described in the following section.
A log file for the trailer installation is saved to: D:\usr\fox\sp\SetupLog.IAv88Trailer.txt
If a Day 1 operation is performed after the trailer has been applied, the trailer can be repaired to
add any versions of files (updated by the trailer) which are part of the newly added I/A Series
packages.

Restarting Your System
Reboot the server at this time. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.

Installing Optional Software
After restarting the station following the I/A Series software installation, you can install ePolicy
Orchestrator on your PDC. This software should only be installed on one domain controller in
the system. Install this software according to Optional McAfee® Security Products Installation and
Configuration Guide (B0700EX).

System Manager and System Management Display Handler (SMDH) Installation Notes
I/A Series system management is carried out by the operator primarily via the:
• System Manager, discussed in System Manager (B0750AP), or
• System Management Display Handler (SMDH), discussed in System Management
  Displays (B0193JC).
Be aware of the following notes regarding the installation of these software packages.
• On servers/workstations configured with the SMDH package (ASMDW7), the
  System Manager will be installed. Uninstalling the System Manager through the
  Programs and Features dialog box (accessed via the Control Panel) results in the
  server/workstation defaulting to SMDH as the system management application.
• SMDH can only be invoked through FoxView. From the I/A Series initial display,
  access the SMDH displays from the System button on the FoxView main window.
  System Manager displays can be invoked directly, without the need for a separate
  application.
  Be aware that FoxView is not typically loaded on a domain controller. Invensys
  recommends the IAMESH only configuration on domain controllers, in which SMDH
  or System Manager is not installed.
• On servers/workstations where System Manager is installed by the Day 0 installation
  of I/A Series software, only the System Manager client is installed. To install the
  System Manager Server, proceed as follows:
a. Insert the DVD labeled “I/A Series v8.8 Day 0 DVD-ROM” (K0174KE-A), if it
is not already in the drive and open the folder “\3rd_party\SystemManager”.
b. Double-click on setup.exe.
c. Click Next.
d. Keep the “Modify” choice selected (default) and click Next.
e. Under “System Manager Server”, select “This feature will be installed
on local hard drive”, as shown in Figure 4-25.

Figure 4-25. Installing System Manager Server

f. Click Next and then Install to install the System Manager Server.
• If the SMDH package was not configured and the System Manager client is not
  installed, System Manager may be added by running the complete System Manager
  installation process from the System Manager CD-ROM (K0174GG).

NOTE
The System Manager client is installed only if the IASVCS package is assigned to
the station.

• In order to run the Foxboro Control Panel applet, navigate to the folder
  D:\usr\fox\system32. Right-click on Foxboro.cpl, select Run as Administrator,
  and click OK to close the dialog box. Click Yes to accept the User Account
  Control (UAC) prompt.

NOTE
On I/A Series servers with Windows Server 2008 R2 Standard, FoxPanels requires
that the Beep Driver component be running to operate. If you have FoxPanels on
this domain controller, refer to “Installing the Beep Driver (I/A Series Servers with
FoxPanels Only)” on page 32 for installation instructions.

Primary Domain Controller Postinstallation Procedures

Changing Passwords
After completing the installation of the PDC, the password for the administrator account on the
domain should be changed. Initially, this password is set to “Password1” for the Invensys supplied
server images. When setting this password, it must meet the password complexity requirements
which are enforced on the I/A Series system domain.
Perform the following steps:
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. Right-click on the Administrator
account under the Accounts\Users\Administrators OU which was renamed to
IAManager during the I/A Series installation. Select Reset Password:

Figure 4-26. Resetting Passwords via Active Directory Users and Computers

2. Enter the new password and confirm it in the Reset Password dialog box:

Figure 4-27. Resetting a Password

3. Click OK.
The restore mode password for Active Directory on this server should be configured at this time.
Perform the following steps:

1. Select Run from the Start menu and enter ntdsutil.exe:

Figure 4-28. Setting the Restore Mode Password via ntdsutil.exe

2. Click OK.
3. Type the following text in the command prompt window:
    set dsrm password
    reset password on server <SERVERNAME>
    <password>
    <password>
    quit
    quit
<SERVERNAME> is the actual name of your PDC server. <password> is the newly
chosen Active Directory Restore Mode password.

NOTE
Be sure to document this password and save it in a secure place for future retrieval.
Without this password you will not be able to recover Active Directory.

Figure 4-29. Using and Exiting ntdsutil.exe

In addition, set the passwords for all of the domain client workstations. Initially the local
IAManager account (the original Administrator account on all of the domain clients) has its
password set to Password1. On each domain client, the password should be changed.
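
The factory default “Password1” satisfies every complexity requirement listed for the I/A Series domain (8-character minimum, one lowercase, one uppercase, one numeric character), so complexity enforcement alone does not reveal an unchanged default. The following PowerShell function is an added example, not part of the Invensys documentation or software; the function name Test-IAPasswordCandidate, the extra default-password rule, and the sample candidates are assumptions of the example.

```powershell
# Added example, not part of B0700SF. Pre-checks a candidate password against
# the complexity rules quoted in this chapter and, as this example's own extra
# rule, rejects anything built on the factory default named in the guide.

# Factory default stated in the guide for the Administrator account and the
# local IAManager account on Invensys-supplied images.
$FactoryDefaults = @('Password1')

function Test-IAPasswordCandidate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Candidate
    )

    $failures = @()

    # Rules as stated in the guide. -cnotmatch is the case-sensitive operator;
    # plain -notmatch would treat [a-z] and [A-Z] as the same character class.
    if ($Candidate.Length -lt 8)       { $failures += 'fewer than 8 characters' }
    if ($Candidate -cnotmatch '[a-z]') { $failures += 'no lowercase character' }
    if ($Candidate -cnotmatch '[A-Z]') { $failures += 'no uppercase character' }
    if ($Candidate -cnotmatch '[0-9]') { $failures += 'no numeric character' }

    # Extra rule (assumption of this example): the complexity rules alone accept
    # the factory default, so look for it explicitly, ignoring case, anywhere
    # in the candidate.
    foreach ($default in $FactoryDefaults) {
        $hit = $Candidate.IndexOf($default, [System.StringComparison]::OrdinalIgnoreCase)
        if ($hit -ge 0) { $failures += 'contains the factory default password' }
    }

    # New-Object PSObject keeps the function usable on the PowerShell 2.0
    # that ships with Windows Server 2008 R2.
    New-Object PSObject -Property @{
        Candidate = $Candidate
        Accepted  = ($failures.Count -eq 0)
        Reasons   = ($failures -join '; ')
    }
}

# Constructed sample candidates, for illustration only.
$samples = @('Password1', 'password1', 'Password1!', 'Mesh8pdc', 'short1A', 'Plant-Eng1neer')

$samples |
    ForEach-Object { Test-IAPasswordCandidate -Candidate $_ } |
    Select-Object Candidate, Accepted, Reasons |
    Format-Table -AutoSize
```

Of the constructed samples, only “Mesh8pdc” and “Plant-Eng1neer” are accepted; “Password1” fails solely on the added default-password rule.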

Creating Users in Active Directory


The following steps can be used to create an Operator account in the Active Directory domain.
This is a default group. Similar steps can be taken to create other customized accounts, such as
Maintenance and Engineer accounts. Refer to Security Enhancements User's Guide for I/A Series
Workstations with Windows 7 or Windows Server 2008 Operating Systems (B0700ET) for
information on creating customized accounts.
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. You may need to scroll down to see
this menu selection.
2. Under the Invensys\Accounts\Users\Standard OU, right-click Standard, and select
New -> User:

Figure 4-30. Creating Users via Active Directory Users and Computers

All users are created under the Accounts\Users\Standard OU, including IA Plant
Engineers, IA Plant Operators, and IA Plant Admins.
The dialog box shown in Figure 4-31 opens.


Figure 4-31. New Object - User

3. Enter the First name, Full name, and User logon name as the same value (for
example, Operator1).
4. Click Next.
5. In the dialog box shown in Figure 4-32, clear the User must change password at
next logon check box. Select the Password never expires check box.
6. Enter the password and confirm the password.
7. Click Next.


Figure 4-32. New Object - User - Password Updates

8. Click Finish as shown in Figure 4-33.

Figure 4-33. New Object - User - Finish


9. Double-click on the new user name in the Active Directory Users and Computers
dialog box to open the Properties dialog box, as shown in Figure 4-34.

Figure 4-34. Opening the New User Properties Dialog Box


10. Select the Member Of tab, as shown in Figure 4-35.

Figure 4-35. New User Properties Dialog Box

11. Click the Add button.


12. Type in the text “IA Plant” and click the Check Names button as shown in
Figure 4-36.


Figure 4-36. Select Groups

13. Select the desired I/A Series standard user group (for example, IA Plant Engineers)
and click OK.

Figure 4-37. Multiple Names Found Dialog Box


14. Click OK to close the Select Groups dialog box shown in Figure 4-38.

Figure 4-38. Closing Select Groups Dialog Box

15. Click OK to close the Properties dialog box shown in Figure 4-39.

Figure 4-39. Closing Properties Dialog Box


16. Repeat the above steps for as many users as desired. The different standard user groups
provide different policy settings and system access.
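
The accounts created by the steps above can be read back from PowerShell to confirm the password options from step 5 and the group membership from steps 10 through 15. This read-only audit is an added example, not part of the Invensys documentation; it assumes the Active Directory module for Windows PowerShell is available on the domain controller and that the domain is iaseries.local (which gives the distinguished name shown for the Standard OU), and the function name is hypothetical.

```powershell
# Added example (not from the I/A Series guide): read-only audit of the
# accounts under the Invensys\Accounts\Users\Standard OU.
# Assumptions: domain name iaseries.local, hence the OU distinguished name
# below; the ActiveDirectory module is installed on this domain controller.
Import-Module ActiveDirectory

$StandardOU  = 'OU=Standard,OU=Users,OU=Accounts,OU=Invensys,DC=iaseries,DC=local'  # assumed DN
$PlantGroups = 'IA Plant Operators', 'IA Plant Engineers', 'IA Plant Admins'        # group names from the guide

function Get-IAStandardUserAudit {   # hypothetical helper name
    param(
        [string]   $SearchBase = $StandardOU,
        [string[]] $Groups     = $PlantGroups
    )

    # Resolve the group names to distinguished names once, so that each
    # user's MemberOf list (which holds DNs) can be compared directly.
    $groupDNs = @{}
    foreach ($name in $Groups) {
        foreach ($g in @(Get-ADGroup -Filter "Name -eq '$name'")) {
            if ($g) { $groupDNs[$g.DistinguishedName] = $g.Name }
        }
    }

    Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree `
               -Properties PasswordNeverExpires, PasswordLastSet, MemberOf |
        ForEach-Object {
            $user  = $_
            $plant = @($user.MemberOf |
                       Where-Object { $_ -and $groupDNs.ContainsKey($_) } |
                       ForEach-Object { $groupDNs[$_] })

            $findings = @()
            if (-not $user.Enabled)              { $findings += 'account disabled' }
            if ($plant.Count -eq 0)              { $findings += 'no IA Plant group' }
            if (-not $user.PasswordNeverExpires) { $findings += 'Password never expires not set' }
            if ($user.PasswordLastSet -eq $null) { $findings += 'change password at next logon still set' }

            New-Object PSObject -Property @{
                SamAccountName       = $user.SamAccountName
                Enabled              = $user.Enabled
                PasswordNeverExpires = $user.PasswordNeverExpires
                PasswordLastSet      = $user.PasswordLastSet
                PlantGroups          = ($plant -join '; ')
                Findings             = ($findings -join '; ')
            }
        } |
        Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet, PlantGroups, Findings
}

Get-IAStandardUserAudit | Sort-Object SamAccountName | Format-Table -AutoSize
```

Because these accounts are created with Password never expires selected, the PasswordLastSet column is the only indication of how old each password is.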

Tombstone Lifetime Attribute in Active Directory


By default the Active Directory tombstone lifetime is sixty days. Having a longer tombstone
lifetime decreases the chance that a deleted object remains in the local directory of a disconnected
Domain Controller beyond the time when the object is permanently deleted from online DCs.
It is highly recommended that you review information regarding the tombstone lifetime attribute
in “Backing Up Active Directory on Domain Controllers” on page 507. If you want to alter the
default value, use the procedure “Changing the Tombstone Lifetime Attribute in Active
Directory” on page 508.

Backing Up Active Directory


You should back up Active Directory at regular intervals on I/A Series domain controller stations.
Backing up Active Directory ensures a smooth restoration of I/A Series system operations after an
unexpected hardware or software failure. See “Backing Up Active Directory on Domain
Controllers” on page 507 for additional information.

Continuing Installation
Re-enable the Enable on-access scanning at system startup feature in the McAfee
VirusScan Console as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 4-2 on page 45.
4. Check the check-box labeled Enable on-access scanning at system startup
and click Apply.
5. Click OK to close this dialog box.
If you have a secondary domain controller on The Mesh control network, proceed to “Installing
Security Enhanced I/A Series Software v8.8 on Secondary Domain Controllers on The MESH
Control Network” on page 76.
If you do not have an SDC, proceed to Chapter 10 “Security Enhanced I/A Series Software v8.8
Installation for Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7
Domain Clients to Existing Off-MESH Networks” for the installation procedure for the domain
clients.

Installing Security Enhanced I/A Series Software v8.8 on Secondary Domain Controllers on The MESH Control Network
This section describes how to install security enhanced I/A Series software v8.8 on secondary
domain controller servers on The Mesh control network.

Server Preparation
The secondary domain controller (SDC) must be a server-class station installed with the
Windows Server 2008 R2 Standard operating system. For this procedure, it is assumed that the SDC
is installed on The Mesh control network (which is a dedicated I/A Series maintained network).
Perform the following steps to set up the hardware and restore the operating system onto your
secondary domain controller server:

NOTE
If this is a new station shipped from the Invensys factory with the V8.8 Restore
image identified by the media kits in Table 1-1 and verified in your workstation’s
H-code (or P-code), proceed to “Notes on Installing I/A Series System Software” on
page 77. If not, continue following the steps in this section.

1. Install hardware, install the Windows Server 2008 R2 Standard operating system, and
update drivers for your server. Perform the following:
a. Refer to I/A Series System V8.8 Release Notes (B0700SG) to be sure that your
hardware meets all hardware requirements specific to the I/A Series software V8.8
release. For instructions on installing memory upgrades, PCI cards, and so forth,
refer to the “Installing Hardware Upgrades” chapter of the Hardware and Software
Specific Instructions document shipped with your server.
b. Using the V8.8 Restore Media, restore the Windows Server 2008 R2 Standard
operating system on your server. Follow the instructions of Appendix A “Startup
Options”.

! WARNING
Only use the media kits listed in Table 1-1 to restore the operating system of an
V8.8 station.

Do not follow the instructions for installing I/A Series software from your hardware
specific instruction manual. Follow the software installation procedure below.

c. Set the time and date to match the date and time on the PDC. Perform the following:
• Open the Windows Date and Time applet by clicking the Date and Time
icon in the Control Panel.
• Click the Change Date and Time button.
• Adjust the date and time.
• Click OK.
• Click the Change time zone button.
• Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
• Click OK.

NOTE
While installing an SDC, it is important to ensure that the UTC system time
matches the UTC system time on the domain (as viewed on the PDC). The date
and time must match, though the time which Windows displays may differ if the
time zones are not the same on the two stations.
Be careful when changing the time zone prior to adjusting the system time as this
can cause the AM/PM setting to change.
Also, be aware that the checkbox included for some time zones which defines
whether or not the time will be automatically adjusted for Daylight Saving Time
can cause the system time to differ by an hour.

d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the Hardware and Software Specific Instructions
document shipped with the server.
2. Perform the procedures in Appendix G “IASeries_NIC_Data.msi Installation
(Pre-I/A Series Installation)” on page 525.
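
Step 1.c and its NOTE require the UTC time on the SDC to match the PDC regardless of the displayed time zone. The following check is an added example, not part of the Invensys documentation; it assumes the PDC answers Windows Time (NTP) queries from this station, and the function name, the server name PDC01 and the 60-second tolerance are placeholders chosen for illustration.

```powershell
# Added example (not from the I/A Series guide): compare this server's clock
# with the PDC in UTC terms, independent of the configured time zone.
# Assumptions: the PDC answers Windows Time (NTP) queries from this station;
# 'PDC01' and the 60-second tolerance are placeholders.
function Get-PdcClockOffset {        # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [string] $PdcName,
        [double] $MaxSkewSeconds = 60
    )

    # With /dataonly, w32tm prints one "hh:mm:ss, +00.0123456s" line per sample.
    # The offset is a UTC-to-UTC difference, so time zone and DST settings do
    # not influence it.
    $lines  = & w32tm.exe /stripchart "/computer:$PdcName" /samples:1 /dataonly 2>&1
    $offset = $null
    foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') {
            $offset = [double]::Parse($Matches[1],
                        [Globalization.CultureInfo]::InvariantCulture)
        }
    }

    if ($offset -eq $null) {
        $status = 'no offset returned; check connectivity to the PDC'
    } elseif ([Math]::Abs($offset) -le $MaxSkewSeconds) {
        $status = 'within tolerance'
    } else {
        $status = 'adjust the local clock before continuing'
    }

    # Report the local view as well, so an AM/PM or DST mistake is visible.
    $tz  = [TimeZoneInfo]::Local
    $now = [DateTime]::Now
    New-Object PSObject -Property @{
        LocalUtc      = $now.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
        LocalDisplay  = $now.ToString('yyyy-MM-dd hh:mm:ss tt')
        TimeZone      = $tz.DisplayName
        DstInEffect   = $tz.IsDaylightSavingTime($now)
        OffsetSeconds = $offset
        Status        = $status
    } | Select-Object LocalUtc, LocalDisplay, TimeZone, DstInEffect, OffsetSeconds, Status
}

Get-PdcClockOffset -PdcName 'PDC01' | Format-List
```

An offset close to 3600 seconds points to the Daylight Saving Time checkbox, and one close to 43200 seconds to the AM/PM setting, the two causes the NOTE above describes.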

Notes on Installing I/A Series System Software


Before you install I/A Series software, make sure that the server is physically connected to the
network and that the PDC is on-line and attached to The Mesh.
Also, make sure the server is disconnected from any secondary (non-I/A Series) networks, but do
not disable the adapters for these network cards.

! WARNING
The server must be connected to The Mesh network before installing I/A Series
software.

! CAUTION
Disconnect non-I/A Series network connections but do not disable the adapters for
these network cards.


! CAUTION
The network interface drivers used for connection to The Mesh may require updating
before installing I/A Series Version 8.8 software. Failure to do this may lead to
communication errors. See “Installing/Updating the Network Interface Card Drivers”
section in your Hardware and Software Specific Instructions document.

! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

NOTE
It is not possible to log onto either type of domain controller (primary or secondary)
with any of the standard I/A Series user accounts (such as users that are members
of the IA Plant Operators, IA Plant Admins, or IA Plant Engineers groups). It
is possible to log onto a domain controller with the “IAManager”, “IAInstaller”, and
“IADomainAdmin” accounts. However, all of the I/A Series software functionality
is not available through these user accounts. The recommended configuration for
the domain controllers is IAMESH only.

NOTE
On servers with the Windows Server 2008 R2 Standard operating system, it is
recommended that no roles be added to the system which are not necessary for the
operation of the server. Adding unnecessary roles (for example, adding the Remote
Desktop Services role when the server is not to be used as a remote session host) can
create security weaknesses in the overall system.

Changing the Station Name


The Windows server name must match the server letterbug name as it was configured in SysDef
and saved onto your Commit installation media before you install the I/A Series software. For
instructions on modifying the computer name of your server, refer to Appendix B “Changing the
Station Name”.


Disabling the VirusScan Console


Proceed as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. If Access Protection is “Enabled”, right-click on Access Protection and select
Disable, as shown in Figure 4-40.

Figure 4-40. Disable Virus Scan Access Protection

4. Right-click on On-Access Scanner and select Disable.


5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 4-41.


Figure 4-41. On-Access Scan Properties Dialog Box

6. Clear the check-box labeled Enable on-access scanning at system startup
and click Apply. Click OK.

NOTE
The check box should be re-enabled at the end of the installation.

Preparing Network Interface Cards (NICs) For Installation


Before installing I/A Series software, for each installed NIC, you must set the NIC’s properties
“Flow Control” and “Speed & Duplex” manually as described below for the NICs on this station.


NOTE
Refer to the Hardware and Software Specific Instructions document included with
your station to determine the NIC cards it supports.

Proceed as follows:
1. Right-click the My Computer icon, and click Manage. Double-click Device Manager.
In the Device Manager window, expand the Network adapters list.
2. Right-click the desired card and click Properties. In the Properties dialog box that
appears, select the Advanced tab.
3. In the Property field, click Flow Control. In the Value field, select Disable from
the drop-down menu list.
4. In the Property field, click Speed & Duplex. In the Value field, in the drop-down
menu list:
• For a station on The Mesh control network, select 100 Mb Full.
• For a station on another network other than The Mesh control network (off-Mesh),
select Auto.
5. Click OK.
6. For each additional NIC, repeat Steps 2 through 5.
7. Shut down and restart the system for the driver changes to take effect. Click the Start
button and click Shut Down; select Restart from the pull-down menu and click OK.
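
After the restart in step 7, the two properties can be read back for every physical NIC rather than re-opening each Properties dialog box. This is an added example, not part of the Invensys documentation; it assumes the NIC driver stores the settings under the NDIS standardized registry keywords *FlowControl and *SpeedDuplex (drivers that use vendor-specific value names are reported as not exposed), and the function name is hypothetical.

```powershell
# Added example (not from the I/A Series guide): read back Flow Control and
# Speed & Duplex for each physical NIC.
# Assumption: the driver uses the NDIS standardized keywords *FlowControl and
# *SpeedDuplex; otherwise the setting must be checked in Device Manager.
$NetClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

$FlowControlNames = @{ '0' = 'Disabled'; '1' = 'Tx Enabled'; '2' = 'Rx Enabled'
                       '3' = 'Rx & Tx Enabled'; '4' = 'Auto Negotiation' }
$SpeedDuplexNames = @{ '0' = 'Auto Negotiation'; '1' = '10 Mbps Half Duplex'
                       '2' = '10 Mbps Full Duplex'; '3' = '100 Mbps Half Duplex'
                       '4' = '100 Mbps Full Duplex'; '6' = '1.0 Gbps Full Duplex' }

function Get-NicLinkSettings {       # hypothetical helper name
    param([switch] $OffMesh)         # off-Mesh stations expect Auto instead of 100 Mb Full

    $expectedSpeed = '4'             # 100 Mbps Full Duplex on The Mesh
    if ($OffMesh) { $expectedSpeed = '0' }   # Auto Negotiation off-Mesh

    Get-ChildItem -Path $NetClass -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            # Characteristics bit 0x4 (NCF_PHYSICAL) marks physical adapters;
            # skip WAN miniports and other software devices.
            if (-not ($p.Characteristics -band 4)) { return }

            $flow  = $p.'*FlowControl'
            $speed = $p.'*SpeedDuplex'

            $flowText  = 'not exposed'
            $speedText = 'not exposed'
            if ($flow  -ne $null) { $flowText  = $FlowControlNames["$flow"] }
            if ($speed -ne $null) { $speedText = $SpeedDuplexNames["$speed"] }

            New-Object PSObject -Property @{
                Adapter     = $p.DriverDesc
                FlowControl = $flowText
                SpeedDuplex = $speedText
                MatchesStep = (("$flow" -eq '0') -and ("$speed" -eq $expectedSpeed))
            }
        } |
        Select-Object Adapter, FlowControl, SpeedDuplex, MatchesStep
}

Get-NicLinkSettings | Format-Table -AutoSize
```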

Canceling and Resuming the Security Enhanced Installation Process
If you click the Cancel button during the security-enhanced installation, the following dialog
box appears:

Figure 4-42. Confirming Cancellation of Software Installation

Click Yes to cancel, or No to resume the installation process. If you click Yes, the following dialog
box appears. Click OK:


Figure 4-43. Confirming Installation Interruption

You are returned to the installation dialog box as shown in Figure 4-44. If you want to see the
installation log, check Show the Windows Installer log. Click Finish.

Figure 4-44. InstallShield Wizard Completed - Interrupted

To restart the installation process after clicking Cancel, re-insert the DVD labeled “I/A Series
v8.8 Day 0 DVD-ROM” (K0174KE-A). A dialog box appears asking if you want to continue
with the installation.
If you click Yes, the installation will return to the dialog box that was canceled. If you click No,
installation will restart from the beginning.

Installation Procedure
Proceed as follows:


1. Ensure that the Primary Domain Controller has been installed and is attached to The
Mesh network.
2. Ensure that the Secondary Domain Controller server is attached to The Mesh
network.
3. Unplug any non-Mesh network cables.
4. Insert the DVD labeled “I/A Series v8.8 Day 0 DVD-ROM” (K0174KE-A).
5. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 4-45.
Click Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 4-45. AutoPlay Dialog Box

! CAUTION
If you are prompted with a dialog box indicating that you need to restart for the
configuration changes made to the Security Enhanced Installer to take effect, you
may have restored a non-secure image intended for I/A Series software v8.5-8.7 on
Windows XP or Windows Server 2003 R2. If you are sure you used the proper V8.8
restore image, then reboot the server. Otherwise, restore the server using the proper
V8.8 restore media. (See page 5.)

If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the server using the proper V8.8 Restore
media. (See page 5.)

6. Click Yes to accept the User Account Control (UAC) prompt.


7. A pre-requisite installation dialog box appears as shown in Figure 4-46. Click
Install to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the
server.

Figure 4-46. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box


8. A dialog box appears that allows you to select whether you are installing I/A Series
software without security enhancements or for a security-enhanced system. Select
Install I/A Series software for a security enhanced system and
Install this workstation as a domain controller (secondary or primary):

Figure 4-47. Selecting to Install a Domain Controller

9. Click Next.
10. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 4-48. Click Load to load the install files.


Figure 4-48. Load Committed Configuration Install Files

11. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 4-49. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a floppy diskette, put
the diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 4-9 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.


Figure 4-49. Installation Media Folder Browser

12. Once the Commit files have been loaded, click Bind as shown in Figure 4-9 on
page 51 to launch the I/A Series Network Installation utility.
13. The dialog box shown in Figure 4-50 is displayed if the network configuration from
System Definition does not match the available NIC hardware. Select the two
network cards and click Next.

! CAUTION
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation.

If this dialog box is not displayed, the NIC cards have been automatically configured.
Proceed to the next step.


Figure 4-50. I/A Series Network Installation (For Certain NIC Cards)

14. Click Next. The Server platform setup dialog appears as shown in Figure 4-51. Select
the “Install as a Secondary Domain Controller (SDC)” radio button.


Figure 4-51. Server Platform Setup Dialog Box (SDC)

15. In the “Provide information for the domain administrator account and click Authorize”
area (see Figure 4-51), enter the name of the primary domain controller
(PDC) station. Verify the account name with authority to add workstations to the
domain (i.e. iaseries.local\IAInstaller). Enter the password for this account and click
Authorize.
16. If the local system time does not match the PDC system time, the dialog box shown
in Figure 4-52 appears. Click OK. Fix the local system time to match the PDC time
(see “Server Preparation” on page 76) and re-click Authorize.


Figure 4-52. Resetting UTC Date

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 4-53 is displayed. It is important to ensure that the
local and remote system times match (including date, time, AM/PM) before continuing.
Note that the checkbox displayed for some time zones which allows the system to
automatically adjust for Daylight Saving Time can affect the time displayed by the
system by one hour.

Figure 4-53. Unable to Determine Local Time on the PDC

17. If there is another Secondary Domain Controller on the network, choose that SDC’s
name from the “Select the Secondary Domain Controller Stations” drop-down list
and click Set, as shown in Figure 4-54. Otherwise, click Skip.


Figure 4-54. Server Platform Setup Dialog Box (Second SDC)

18. Verify the name of the domain and click Connect.


19. A message appears to indicate that the connection to the domain has succeeded. If
unsuccessful, a reason for the failure is displayed.
Click OK.

NOTE
If, after connecting the domain client to an SDC, the software installation does
not continue after the reboot, the system time may not have been set correctly. Refer
to “Setting Time Correctly After Failure to Continue Software Installation After
Reboot (SDC or Domain Client)” on page 539 to correct this.


20. When the Invensys IASeries Install: Workstation Reboot Request dialog box appears,
as shown in Figure 4-55, click Reboot.

Figure 4-55. Invensys IASeries Install: Workstation Reboot Request Dialog Box

21. After the server reboots, log onto the server with the “IA Installer” account using the
password as it was set during the PDC server’s installation.
22. The installation restarts automatically. The Server platform setup dialog box appears
as shown in Figure 4-56. Re-enter the PDC’s server name, domain “admin” account
name, and domain “admin” account password. Click Authorize.


Figure 4-56. Server Platform Setup Dialog Box (PDC Account Information)

23. Verify the Domain Name and Site Name fields, shown in Figure 4-57. If satisfied,
click Prepare.


Figure 4-57. Server Platform Setup Dialog Box (Verify Domain Name and Site Name Fields)

24. A warning dialog appears. Ensure that the name you have chosen for your Active
Directory domain is correct and will not conflict with another domain on the same
network.
25. Click Install to load the Active Directory Domain Services onto this server and to
assign the server to the role of Secondary Domain Controller.
A DOS window is displayed while Active Directory is being installed, as shown in
Figure 4-58.


Figure 4-58. Active Directory Installation via DOS Window

The DOS window shows progress while the system is assigned to its Secondary
Domain Controller status and DNS is installed, as shown in Figure 4-59.

Figure 4-59. Assigning Role of Secondary Domain Controller via DOS Window

26. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “IA Installer” account with the password as set in
the Server platform setup dialog box above (Figure 4-57).
27. The installation process restarts automatically. The dialog box shown in Figure 4-60 is
displayed. Click Apply.


Figure 4-60. Setting Up the Platform for a Secure I/A Series Installation

A DOS window is displayed while the Active Directory domain settings are applied.


28. Click Next and then Install to run the installation.

Figure 4-61. InstallShield Wizard for I/A Series Software

29. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 4-62 is displayed.
To install this package, insert the first OS1FDB package diskette and click Load. After
the first disk has been loaded, insert the second OS1FDB package diskette and click
Load.
To bypass the installation of this package, click Skip. The installation continues, but
this dialog box is displayed again for each of the OS1FDB stations configured on this
SDC.

Figure 4-62. Installation Media Dialog Box


30. If you selected Load, the media folder browser opens.

Figure 4-63. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button.
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette must be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.


31. If you selected Use Diskette in the previous step, the dialog box in Figure 4-23
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
must be inserted in drive A:\.

Figure 4-64. Installation Media Dialog Box - For Diskettes

32. Click Finish when the installation process is complete.


At the end of the installation, the installation log is displayed. You can view the installation
log at any time by clicking the Start button and selecting All Programs ->
Invensys -> IASeries -> Utilities -> Log Viewer.


Figure 4-65. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.

Installing the I/A Series Software v8.8 Trailer CD-ROM


To complete the installation of I/A Series software v8.8, you must install the V8.8 trailer
CD-ROM (K0174KT). The trailer CD-ROM must be installed for stations running Windows 7 or
Windows Server 2008 R2 Standard operating systems:
1. Launch the trailer installation application (setup.exe):
• If you have the CD-ROM labeled “I/A Series 8.8 Trailer CD-ROM” (K0174KT),
insert this CD-ROM into the station. The installation launches automatically.
• If you acquired the trailer application setup.exe via another method, such as copying
it from a shared network drive or downloading it from the GSC website,
double-click setup.exe to launch the installation.
2. Click Next and then click Install to start the installation process.
3. If the user currently logged in is not an administrator, a User Account Control (UAC)
prompt may appear. Click Yes to accept the UAC prompt.


NOTE
During the trailer installation, if the following message appears, “The Setup must
update files or services that cannot be updated while the system is running. If we
choose to continue, reboot will be required to continue the setup,” click OK. The
installation continues as normal. Do not reboot the station if you see this message.
This message is shown in the event that you are installing the trailer after booting
into the I/A Series software (which you should not have done if you are performing
this procedure as written in this section).

4. When the installation is complete, click Finish.


5. If you are installing the trailer via a CD-ROM, remove the trailer CD-ROM.
6. Restart your station as described in the following section.
A log file for the trailer installation is saved to: D:\usr\fox\sp\SetupLog.IAv88Trailer.txt
If a Day 1 operation is performed after the trailer has been applied, the trailer can be repaired to
add any versions of files (updated by the trailer) which are part of the newly added I/A Series
packages.

Restarting Your System


Reboot the server at this time. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.

Installing Optional Software


After restarting the station following the I/A Series software installation, you can install ePolicy
Orchestrator on your SDC. This software should only be installed on one domain controller in
the system. Install this software according to Optional McAfee® Security Products Installation and
Configuration Guide (B0700EX).

System Manager and System Management Display Handler (SMDH) Installation Notes
I/A Series system management is carried out by the operator primarily via the:
• System Manager, discussed in System Manager (B0750AP), or
• System Management Display Handler (SMDH), discussed in System Management
Displays (B0193JC).
Be aware of the following notes regarding the installation of these software packages.
• On servers/workstations configured with the SMDH package (ASMDW7), the System
Manager will be installed. Uninstalling the System Manager through the
Programs and Features dialog box (accessed via the Control Panel) results in the
server/workstation defaulting to SMDH as the system management application.
• SMDH can only be invoked through FoxView. From the I/A Series initial display,
access the SMDH displays from the System button on the FoxView main window.
System Manager displays can be invoked directly, without the need for a separate
application.
Be aware that FoxView is not typically loaded on a domain controller. Invensys
recommends the IAMESH only configuration on domain controllers, in which SMDH
or System Manager is not installed.
• On servers/workstations where System Manager is installed by the Day 0 installation
of I/A Series software, only the System Manager client is installed. To install the
System Manager Server, proceed as follows:
a. Insert the DVD labeled “I/A Series v8.8 Day 0 DVD-ROM” (K0174KE-A), if it
is not already in the drive and open the folder “\3rd_party\SystemManager”.
b. Double-click on setup.exe.
c. Click Next.
d. Keep the “Modify” choice selected (default) and click Next.
e. Under “System Manager Server”, select “This feature will be installed
on local hard drive”, as shown in Figure 4-66.

Figure 4-66. Installing System Manager Server

f. Click Next and then Install to install the System Manager Server.
• If the SMDH package was not configured and the System Manager client is not
installed, the System Manager may be added by running the complete System Manager
installation process from the System Manager CD-ROM (K0174GG).

NOTE
The System Manager client is installed only if the IASVCS package is assigned to
the station.

• In order to run the Foxboro Control Panel applet, navigate to the folder
D:\usr\fox\system32. Right-click on Foxboro.cpl, select Run as Administrator,
and click OK to close the dialog box. Click Yes to accept the User Account
Control (UAC) prompt.

Secondary Domain Controller Post-Installation Procedures


Changing Passwords
After completing the installation of a secondary domain controller, you should set the restore
mode password for Active Directory on this server. Perform the following steps:
1. Select Run from the Start menu and enter ntdsutil.exe:

Figure 4-67. Setting the Restore Mode Password via ntdsutil.exe

2. Click OK.
3. Type the following text in the command prompt window:
set dsrm password
reset password on server <SERVERNAME>
<password>
<password>
quit
quit
<SERVERNAME> is the actual name of your SDC server. <password> is the newly
chosen Active Directory Restore Mode password.


NOTE
Be sure to document this password and save it in a secure place for future retrieval.
Without this password you will not be able to recover Active Directory.

Figure 4-68. Using and Exiting ntdsutil.exe

Backing Up Active Directory


You should back up Active Directory at regular intervals on I/A Series domain controller stations.
Backing up Active Directory ensures a smooth restoration of I/A Series system operations after an
unexpected hardware or software failure. See “Backing Up Active Directory on Domain
Controllers” on page 507 for additional information.

Continuing Installation
Re-enable the Enable on-access scanning at system startup feature in the McAfee
VirusScan Console as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 4-41 on page 80.
4. Check the check-box labeled Enable on-access scanning at system startup
and click Apply.
5. Click OK to close this dialog box.
Proceed to Chapter 10 “Security Enhanced I/A Series Software v8.8 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Clients to Existing
Off-MESH Networks” for the installation procedure for the domain clients.

5. Security Enhanced I/A Series Software v8.8 Installation for New Off-MESH Domain Controllers
This chapter describes procedures to install security enhanced I/A Series software v8.8 on new
primary and secondary domain controller servers on a separate network from The Mesh control
network.
Proceed to the appropriate section:
• For Off-Mesh Primary Domain Controllers, proceed to the next section.
• For Off-Mesh Secondary Domain Controllers, proceed to “Installing Security
Enhanced I/A Series Software v8.8 on Off-MESH Secondary Domain Controllers”
on page 139.

NOTE
Use the “IA Installer” account for all installation tasks. However, due to the
permissions assigned to “IA Installer”, do not use it for any other role, such as
operation of the station.

Installing Security Enhanced I/A Series Software v8.8 on Off-MESH Primary Domain Controllers
This section describes how to install security enhanced I/A Series software v8.8 on new primary
domain controller servers on a separate network from The Mesh control network.

Server Preparation
The primary domain controller (PDC) must be a server-class station installed with the Windows
Server 2008 R2 Standard operating system, and must be the first station in the I/A Series system
installed with the security enhanced I/A Series software. For this procedure, it is assumed that the
PDC is installed on a separate network (which is called an “Off-Mesh” network), not connected
to The Mesh control network.
Perform the following steps to set up the hardware and restore the operating system onto your
primary domain controller server:


NOTE
If this is a new station shipped from the Invensys factory with the V8.8 Restore
image identified by the media kits in Table 1-1 and verified in your workstation’s
H-code (or P-code), proceed to “Notes on Installing I/A Series System Software” on
page 107. If not, continue following the steps in this section.

1. Install hardware, restore the Windows Server 2008 R2 Standard operating system, and
update drivers for your server. Perform the following:
a. Refer to I/A Series System V8.8 Release Notes (B0700SG) to be sure that your
hardware meets all hardware requirements specific to the I/A Series software V8.8
release. For instructions on installing memory upgrades, PCI cards, and so forth,
refer to the “Installing Hardware Upgrades” chapter of the Hardware and Software
Specific Instructions document shipped with your server.
b. Using the V8.8 Restore Media, restore the Windows Server 2008 R2 Standard
operating system on your server. Follow the instructions of Appendix A “Startup
Options”.

! WARNING
Only use the media kits listed in Table 1-1 to restore the operating system of a
V8.8 station.

Do not follow the instructions for installing I/A Series software from your hardware
specific instruction manual. Follow the software installation procedure below.

c. Set the time and date. Perform the following:
• Open the Windows Date and Time applet by clicking the Date and Time
icon in the Control Panel.
• Click the Change Date and Time button.
• Adjust the date and time.
• Click OK.
• Click the Change time zone button.
• Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
• Click OK.
d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the Hardware and Software Specific Instructions
document shipped with the server.
2. Perform the procedures in Appendix G “IASeries_NIC_Data.msi Installation
(Pre-I/A Series Installation)” on page 525.


Notes on Installing I/A Series System Software


Before you install I/A Series software, make sure that the server is physically connected to the
Off-Mesh network and, if required, that any network interface card drivers are updated. Refer to
the notes below.
Also, make sure the server is disconnected from any secondary (non-I/A Series) networks, but do
not disable the adapters for these network cards.

! WARNING
The server must be connected to the Off-Mesh network before installing I/A Series
software.

! CAUTION
Disconnect non-I/A Series network connections but do not disable the adapters for
these network cards.

! CAUTION
The network interface drivers used for connection to The Mesh may require updating
before installing I/A Series software v8.8. Failure to do this may lead to
communication errors. See Appendix A “Startup Options”.

! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

NOTE
It is not possible to log onto either type of domain controller (primary or secondary)
with any of the standard I/A Series user accounts (such as users that are members
of the IA Plant Operators, IA Plant Admins, or IA Plant Engineers groups).

NOTE
On servers with the Windows Server 2008 R2 Standard operating system, it is
recommended that no roles be added to the system which are not necessary for the
operation of the server. Adding unnecessary roles (for example, adding the Remote
Desktop Services role when the server is not to be used as a remote session host) can
create security weaknesses in the overall system.


Changing the Station Name


The Windows server name must match the server letterbug name as it was configured in SysDef
and saved onto your Commit installation media before you install the I/A Series software. For
instructions on modifying the computer name of your server, refer to Appendix B “Changing the
Station Name”.


Disabling the VirusScan Console


Proceed as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. If Access Protection is “Enabled”, right-click on Access Protection and select
Disable, as shown in Figure 5-1.

Figure 5-1. Disable Virus Scan Access Protection

4. Right-click on On-Access Scanner and select Disable.


5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 5-2.


Figure 5-2. On-Access Scan Properties Dialog Box

6. Clear the check-box labeled Enable on-access scanning at system startup
and click Apply. Click OK.

NOTE
The check box should be re-enabled at the end of the installation.


Canceling and Resuming the Security Enhanced Installation Process
If you click the Cancel button during the security-enhanced installation, the following dialog
box appears:

Figure 5-3. Confirming Cancellation of Software Installation

Click Yes to cancel, or No to resume the installation process. If you click Yes, the following dialog
box appears. Click OK:

Figure 5-4. Confirming Installation Interruption


You are returned to the installation dialog box as shown in Figure 5-5. If you want to see the
installation log, check Show the Windows Installer log. Click Finish.

Figure 5-5. InstallShield Wizard Completed - Interrupted

To restart the installation process after clicking Cancel, re-insert the DVD labeled “I/A Series
v8.8 Day 0 DVD-ROM” (K0174KE-A). A dialog box appears asking if you want to continue
with the installation.
If you click Yes, the installation will return to the dialog box that was canceled. If you click No,
installation will restart from the beginning.


Installation Procedure
NOTE
If you unplugged any non-Mesh network cables prior to performing the Day 0
installation, plug in the non-Mesh network cables at this time.

Proceed as follows:
1. Click the Start button and then click Control Panel -> Network and Sharing
Center. In the Tasks pane, click Change adapter settings.
2. Right-click the connection that you want to change, and then click Properties. If
you are prompted for an administrator password or confirmation, type the password
or provide confirmation.
3. Click the Networking tab. Under “This connection uses the following items”, click
Internet Protocol Version 4 (TCP/IPv4), and then click Properties. The
Internet Protocol Version 4 (TCP/IPv4) Properties dialog box opens as shown in
Figure 5-6.
4. Set the server to have exactly one statically configured NIC adapter for use by Active
Directory, as shown in Figure 5-6. Click OK when done.

Note: The IP address does not need to match the IP address shown in this figure.

Figure 5-6. Internet Protocol Version 4 (TCP/IPv4) Properties


5. Set the PowerShell execution policy on the server by executing the following
command from within Windows PowerShell:
Set-ExecutionPolicy AllSigned

Figure 5-7. Set-ExecutionPolicy AllSigned

6. Insert the DVD labeled “I/A Series v8.8 Day 0 DVD-ROM” (K0174KE-A).
7. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 5-8. Click
Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 5-8. AutoPlay Dialog Box


! CAUTION
If you are prompted with a dialog box indicating that you need to restart for the
configuration changes made to the Security Enhanced Installer to take effect, you
may have restored a non-secure image intended for I/A Series software v8.5-8.7 on
Windows XP or Windows Server 2003 R2. If you are sure you used the proper V8.8
restore image, then reboot the server. Otherwise, restore the server using the proper
V8.8 restore media. (See page 5.)

If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the server using the proper V8.8 Restore
media. (See page 5.)

8. Click Yes to accept the User Account Control (UAC) prompt.


9. A pre-requisite installation dialog box appears as shown in Figure 5-9. Click Install
to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the server.

Figure 5-9. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box


10. Select the Install I/A Series software for a security enhanced system
option, then select the Install the workstation as an OFF-MESH domain controller
(secondary or primary) option, as shown in Figure 5-10.
Click Next to continue.

Figure 5-10. Selecting to Install a Domain Controller on an Off-MESH Domain


11. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 5-11. Click Load to load the committed configuration files.

Figure 5-11. Load Committed Configuration Install Files

12. The browser for the folder which contains the committed configuration install files
opens, as shown in Figure 5-12. If the installation media with your Commit files is on
the server’s hard drive or a network, browse to the location of the media and click
Select Folder. If the installation media with your Commit files is on a floppy
diskette, put the diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 5-11 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.


Figure 5-12. Installation Media Folder Browser


13. Click Next. The Server platform setup dialog box appears as shown in Figure 5-13.
Leave the Install as a Primary Domain Controller (PDC) choice selected.

Figure 5-13. Server Platform Setup


14. If a Secondary Domain Controller (SDC) server is planned for this I/A Series system,
add the SDC servers from the drop-down list by selecting the Add Off-Mesh check-
box shown in Figure 5-13. The dialog box shown in Figure 5-14 opens to indicate
where the IP addresses for SDC stations can be set. Enter each of the known SDC IP
addresses and click Done.

Figure 5-14. Collecting SDC Machine Info

15. In Figure 5-15, click Set to choose the SDC stations in your list or Skip to choose no
SDC station IP addresses. If this server does not have exactly one statically set NIC
adapter, the message shown in Figure 5-15 is displayed. Once the NIC settings are
corrected, you can click Set or Skip again to continue.

Figure 5-15. I/A Series Installation Warning


16. Enter the name of your domain (offmesh.local is the default), the site name
(OFFMESH is the default), and the password for the logged on user account (normally
the password for the Fox account).

Figure 5-16. Pick Type

17. Click Prepare.


18. The warning dialog box shown in Figure 5-17 appears. Make sure at this time that the
name you have chosen for your Active Directory domain is correct and will not
conflict with another domain on the same network. Click OK to continue.

Figure 5-17. Active Directory Domain Name Warning

19. Click Install to load the Active Directory Domain Services onto this server and to
promote the server to the role of Primary Domain Controller.
A DOS window is displayed while Active Directory is being installed, as shown in
Figure 5-18.

Figure 5-18. Active Directory Installation via DOS Window

The DOS window shows progress while the system is promoted to Primary Domain
Controller status and DNS is installed, as shown in Figure 5-19.


Figure 5-19. Promoting to Primary Domain Controller via DOS Window

20. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “Administrator” account with the password
“Password1” or the actual password if the password was changed prior to installing
I/A Series software.


21. Restart the installation by launching Setup.exe from the DVD drive, as described in
Step 3 above. The dialog box shown in Figure 5-20 is displayed. Click Apply.

Figure 5-20. Setting up the Platform for a Secure I/A Series Installation


A DOS window is displayed while the Active Directory domain settings are applied,
as shown in Figure 5-21.

Figure 5-21. Active Directory Domain Settings Applied

22. The I/A Series Secure User Accounts dialog box opens as shown in Figure 5-22. Enter
the user names and passwords for the standard I/A Series domain accounts and
click Create.

Figure 5-22. I/A Series Secure User Accounts Dialog Box


NOTE
The names of these accounts may be changed, but the default values are
recommended. Passwords must meet password complexity requirements. Password
complexity requirements include: an 8-character minimum password length; at least one
lowercase character; at least one uppercase character; and at least one numeric
character.

23. Add a new Computer account for any SDC stations that will be added to the domain.
Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers.
24. In the console tree, right-click Computers (under Active Directory Users and
Computers\domain node\Computers).
25. Point to New, and then click Computer. In the New Object dialog box that appears
(see Figure 5-23), add the new computer name in both “Computer name” fields.

Figure 5-23. Adding New Computer Account

26. Click OK.


Figure 5-24. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These logs can also
be printed.
Restart your server as described in the following section.
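
Steps 4 and 5 of the procedure above set two preconditions that the installer depends on: exactly one statically configured NIC and an AllSigned execution policy. The following PowerShell check is an added example, not part of the I/A Series installer; it assumes that a TCP/IP-enabled adapter with DHCP turned off is what counts as statically configured, and its function names are hypothetical.

```powershell
# Added example; not part of the I/A Series installer or its documentation.
# Written for PowerShell 2.0 (Windows Server 2008 R2). Paste it into an elevated
# interactive session: with AllSigned in effect an unsigned .ps1 file is refused.

function Get-AdapterAddressingReport {
    # One row per adapter on which TCP/IP is bound and enabled.
    # ASSUMPTION: "statically configured" means DHCP is turned off for the adapter.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter   = $_.Description
                Static    = (-not $_.DHCPEnabled)
                IPAddress = ($_.IPAddress -join ', ')
            }
        }
}

function Get-WinningExecutionPolicy {
    # Get-ExecutionPolicy -List returns the scopes in precedence order
    # (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine).
    # The first scope that is not Undefined decides the effective policy.
    Get-ExecutionPolicy -List |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1
}

function Test-Day0Precondition {
    $findings = @()

    # Step 4: exactly one statically configured adapter.
    $static = @(Get-AdapterAddressingReport | Where-Object { $_.Static })
    if ($static.Count -ne 1) {
        $findings += "Step 4: expected exactly 1 statically configured adapter, found $($static.Count)."
    }

    # Step 5: Set-ExecutionPolicy AllSigned writes the LocalMachine scope. A Group
    # Policy, Process or CurrentUser setting outranks it, so test the effective value.
    $effective = Get-ExecutionPolicy
    if ($effective -ne 'AllSigned') {
        $winner = Get-WinningExecutionPolicy
        if ($winner) {
            $findings += "Step 5: effective policy is $effective, decided by scope $($winner.Scope)."
        } else {
            $findings += "Step 5: no scope sets a policy; effective policy is $effective."
        }
    }

    $findings
}

# Show what was evaluated, then the verdict.
Get-AdapterAddressingReport | Format-Table Adapter, Static, IPAddress -AutoSize
$findings = @(Test-Day0Precondition)
if ($findings.Count -eq 0) {
    'Preconditions from steps 4 and 5 are met.'
} else {
    $findings
}
```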

Restarting Your System


Reboot the server at this time. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.

Installing Optional Software


After restarting the station following the I/A Series software installation, you can install ePolicy
Orchestrator on your PDC. This software should only be installed on one domain controller in
the system. Install this software according to Optional McAfee® Security Products Installation and
Configuration Guide (B0700EX).

NOTE
On I/A Series servers with Windows Server 2008 R2 Standard, FoxPanels requires
that the Beep Driver component be running to operate. If you have FoxPanels on
this domain controller, refer to “Installing the Beep Driver (I/A Series Servers with
FoxPanels Only)” on page 32 for installation instructions.


Primary Domain Controller Postinstallation Procedures


Changing Passwords
After completing the installation of the PDC, the password for the administrator account on the
domain should be changed. Initially, this password is set to “Password1” for the Invensys supplied
server images. When setting this password, it must meet the password complexity requirements
which are enforced on the I/A Series system domain.
Perform the following steps:
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. Right-click on the Administrator
account under the Accounts\Users\Administrators OU which was renamed to
IAManager during the I/A Series installation. Select Reset Password:

Figure 5-25. Resetting Passwords via Active Directory Users and Computers


2. Enter the new password and confirm it in the Reset Password dialog box:

Figure 5-26. Resetting a Password

3. Click OK.
The restore mode password for Active Directory on this server should be configured at this time.
Perform the following steps:
1. Select Run from the Start menu and enter ntdsutil.exe:

Figure 5-27. Setting the Restore Mode Password via ntdsutil.exe

2. Click OK.
3. Type the following text in the command prompt window:
set dsrm password
reset password on server <SERVERNAME>
<password>
<password>
quit
quit
<SERVERNAME> is the actual name of your PDC server. <password> is the newly
chosen Active Directory Restore Mode password.


NOTE
Be sure to document this password and save it in a secure place for future retrieval.
Without this password you will not be able to recover Active Directory.

Figure 5-28. Using and Exiting ntdsutil.exe

Creating Users in Active Directory


The following steps can be used to create an Operator account in the Active Directory domain.
This is a default group. Similar steps can be taken to create other customized accounts, such as
Maintenance and Engineer accounts. Refer to Security Enhancements User's Guide for I/A Series
Workstations with Windows 7 or Windows Server 2008 Operating Systems (B0700ET) for
information on creating customized accounts.
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. You may need to scroll down to see
this menu selection.


2. Under the Accounts\Users\Standard OU, right-click Standard, and select New ->
User:

Figure 5-29. Creating Users via Active Directory Users and Computers

All users are created under the Accounts\Users\Standard OU, including IA Plant
Engineers, IA Plant Operators, and IA Plant Admins.
The dialog box shown in Figure 5-30 opens.


Figure 5-30. New Object - User

3. Enter the First name, Full name, and User logon name as the same value (for
example, Operator1).
4. Click Next.
5. In the dialog box shown in Figure 5-31, clear the User must change password at
next logon check box. Select the Password never expires check box.
6. Enter the password and confirm the password.
7. Click Next.


Figure 5-31. New Object - User - Password Updates

8. Click Finish as shown in Figure 5-32.

Figure 5-32. New Object - User - Finish


9. Double-click on the new user name in the Active Directory Users and Computers
dialog box to open the Properties dialog box, as shown in Figure 5-33.

Figure 5-33. Opening the New User Properties Dialog Box


10. Select the Member Of tab, as shown in Figure 5-34.

Figure 5-34. New User Properties Dialog Box

11. Click the Add button.


12. Type in the text “IA Plant” and click the Check Names button as shown in
Figure 5-35.


Figure 5-35. Select Groups

13. Select the desired I/A Series standard user group (for example, IA Plant Engineers)
and click OK.

Figure 5-36. Multiple Names Found Dialog Box


14. Click OK to close the Select Groups dialog box shown in Figure 5-37.

Figure 5-37. Closing Select Groups Dialog Box

15. Click OK to close the Properties dialog box shown in Figure 5-38.

Figure 5-38. Closing Properties Dialog Box


16. Repeat the above steps for as many users as desired. The different standard user groups
provide different policy settings and system access.
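
The procedure above creates accounts whose passwords never expire, and the password steps earlier in this chapter rely on the domain enforcing the stated complexity rules. The following PowerShell audit is an added example, not code from this guide or the I/A Series software; the OU distinguished name is an assumption built from the default domain name offmesh.local and the Accounts\Users\Standard OU, and the function names are hypothetical.

```powershell
# Added example; not part of the I/A Series software or its documentation.
# PowerShell 2.0 with the ActiveDirectory module (Windows Server 2008 R2 domain
# controller). Paste into an elevated interactive session on the PDC.
Import-Module ActiveDirectory

# ASSUMPTION: DN built from the default domain (offmesh.local) and the
# Accounts\Users\Standard OU named in the guide. Adjust to your domain.
$StandardOu  = 'OU=Standard,OU=Users,OU=Accounts,DC=offmesh,DC=local'
$PlantGroups = 'IA Plant Operators', 'IA Plant Engineers', 'IA Plant Admins'

function Get-PasswordPolicyGap {
    # Compare the enforced default domain policy with the guide's stated rules.
    $policy = Get-ADDefaultDomainPasswordPolicy
    $gaps = @()
    if ($policy.MinPasswordLength -lt 8) {
        $gaps += "Minimum length is $($policy.MinPasswordLength); the guide states 8."
    }
    if (-not $policy.ComplexityEnabled) {
        $gaps += 'Password complexity is not enforced by the domain policy.'
    }
    $gaps
}

function Get-StandardUserReport {
    # One row per account in the Standard OU, with its I/A Series plant groups.
    param([string]$SearchBase = $StandardOu)
    Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties PasswordNeverExpires, PasswordLastSet, MemberOf |
        ForEach-Object {
            $plant = @()
            foreach ($dn in @($_.MemberOf)) {
                if (-not $dn) { continue }
                $name = (Get-ADGroup -Identity $dn).Name
                if ($PlantGroups -contains $name) { $plant += $name }
            }
            New-Object PSObject -Property @{
                SamAccountName       = $_.SamAccountName
                Enabled              = $_.Enabled
                PasswordNeverExpires = $_.PasswordNeverExpires
                PasswordLastSet      = $_.PasswordLastSet
                PlantGroups          = ($plant -join ', ')
            }
        }
}

function Get-BuiltinAdminPasswordState {
    # The built-in Administrator is located by its well-known RID (500), so the
    # check does not depend on what the account was renamed to.
    $domain  = Get-ADDomain
    $admin   = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties PasswordLastSet
    $created = (Get-ADObject -Identity $domain.DistinguishedName -Properties whenCreated).whenCreated
    New-Object PSObject -Property @{
        SamAccountName  = $admin.SamAccountName
        PasswordLastSet = $admin.PasswordLastSet
        DomainCreated   = $created
        # True means the password has not been reset since the domain was
        # created, so it is still the one the server had before promotion.
        NotResetSinceDomainCreated = ($admin.PasswordLastSet -le $created)
    }
}

# 1. Does the domain enforce what the guide says it enforces?
Get-PasswordPolicyGap

# 2. Accounts that never expire, or that were created without a plant group.
Get-StandardUserReport |
    Where-Object { $_.PasswordNeverExpires -or -not $_.PlantGroups } |
    Format-Table SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet, PlantGroups -AutoSize

# 3. Was the administrator password changed after installation?
Get-BuiltinAdminPasswordState | Format-List
```

Because non-expiring passwords are never rotated by policy, the PasswordLastSet column is the only indication of how old each operator credential is.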

Tombstone Lifetime Attribute in Active Directory


By default, the Active Directory tombstone lifetime is sixty days. Having a longer tombstone
lifetime decreases the chance that a deleted object remains in the local directory of a disconnected
Domain Controller beyond the time when the object is permanently deleted from online DCs.
It is highly recommended that you review information regarding the tombstone lifetime attribute
in “Backing Up Active Directory on Domain Controllers” on page 507. If you want to alter the
default value, use the procedure “Changing the Tombstone Lifetime Attribute in Active
Directory” on page 508.

Backing Up Active Directory


You should back up Active Directory at regular intervals on I/A Series domain controller stations.
Backing up Active Directory ensures a smooth restoration of I/A Series system operations after an
unexpected hardware or software failure. See “Backing Up Active Directory on Domain
Controllers” on page 507 for additional information.

Continuing Installation
Re-enable the Enable on-access scanning at system startup feature in the McAfee
VirusScan Console as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 5-2 on page 110.
4. Check the check-box labeled Enable on-access scanning at system startup
and click Apply.
5. Click OK to close this dialog box.
If you have a secondary domain controller on the same separate network, proceed to “Installing
Security Enhanced I/A Series Software v8.8 on Off-MESH Secondary Domain Controllers” on
page 139.
If you do not have an SDC, proceed to Chapter 10 “Security Enhanced I/A Series Software v8.8
Installation for Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7
Domain Clients to Existing Off-MESH Networks” for the installation procedure for the domain
clients.


Installing Security Enhanced I/A Series Software v8.8 on Off-MESH Secondary Domain Controllers
This section describes how to install security enhanced I/A Series software v8.8 on secondary
domain controller servers on a separate network from The Mesh control network.

Server Preparation
The secondary domain controller (SDC) must be a server-class station installed with the
Windows Server 2008 R2 Standard operating system. For this procedure, it is assumed that the SDC
is installed on a separate network (which is called an “Off-Mesh” network), not connected to The
Mesh control network.
Perform the following steps to set up the hardware and restore the operating system onto your
secondary domain controller server:

NOTE
If this is a new station shipped from the Invensys factory with the V8.8 Restore
image identified by the media kits in Table 1-1 and verified in your workstation’s
H-code (or P-code), proceed to “Notes on Installing I/A Series System Software” on
page 140. If not, continue following the steps in this section.

1. Install hardware, install the Windows Server 2008 R2 Standard operating system, and
update drivers for your server. Perform the following:
a. Refer to I/A Series System V8.8 Release Notes (B0700SG) to be sure that your
hardware meets all hardware requirements specific to the I/A Series software V8.8
release. For instructions on installing memory upgrades, PCI cards, and so forth,
refer to the “Installing Hardware Upgrades” chapter of the Hardware and Software
Specific Instructions document shipped with your server.
b. Using the V8.8 Restore Media, restore the Windows Server 2008 R2 Standard
operating system on your server. Follow the instructions of Appendix A “Startup
Options”.

! WARNING
Only use the media kits listed in Table 1-1 on page 6 to restore the operating system
of a V8.8 station.

Do not follow the instructions for installing I/A Series software from your hardware
specific instruction manual. Follow the software installation procedure below.

c. Set the time and date to match the date and time on the PDC. Perform the
following:
• Open the Windows Date and Time applet by clicking the Date and Time
icon in the Control Panel.
• Click the Change Date and Time button.
• Adjust the date and time.
• Click OK.
• Click the Change time zone button.
• Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
• Click OK.

NOTE
While installing an SDC, it is important to ensure that the UTC system time
matches the UTC system time on the domain (as viewed on the PDC). The date
and time must match, though the time which Windows displays may differ if the
time zones are not the same on the two stations.
Be careful when changing the time zone prior to adjusting the system time as this
can cause the AM/PM setting to change.
Also, be aware that the checkbox included for some time zones which defines
whether or not the time will be automatically adjusted for Daylight Saving Time
can cause the system time to differ by an hour.

d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the Hardware and Software Specific Instructions
document shipped with the server.
2. Perform the procedures in Appendix G “IASeries_NIC_Data.msi Installation
(Pre-I/A Series Installation)” on page 525.

Notes on Installing I/A Series System Software


Before you install I/A Series software, make sure that the server is physically connected to the
network and that the PDC is on-line and attached to the same Off-Mesh network.
Also, make sure the server is disconnected from any secondary (non-I/A Series) networks, but do
not disable the adapters for these network cards.

! WARNING
The server must be connected to the Off-Mesh network before installing I/A Series
software.

! CAUTION
Disconnect non-I/A Series network connections but do not disable the adapters for
these network cards.


! CAUTION
The network interface drivers may require updating before installing I/A Series
software v8.8. Failure to do this may lead to communication errors. See the
“Installing/Updating the Network Interface Card Drivers” section in your Hardware and
Software Specific Instructions document.

! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

NOTE
It is not possible to log onto either type of domain controller (primary or
secondary) with any of the standard I/A Series user accounts (such as users that are
members of the IA Plant Operators, IA Plant Admins, or IA Plant Engineers groups). It
is possible to log onto a domain controller with the “IAManager”, “IAInstaller”, and
“IADomainAdmin” accounts. However, all of the I/A Series software functionality
is not available through these user accounts. The recommended configuration for
the domain controllers is IAMESH only.

NOTE
On servers with the Windows Server 2008 R2 Standard operating system, it is
recommended that no roles be added to the system which are not necessary for the
operation of the server. Adding unnecessary roles (for example, adding the Remote
Desktop Services role when the server is not to be used as a remote session host) can
create security weaknesses in the overall system.

Changing the Station Name


The Windows server name must match the server letterbug name as it was configured in SysDef
and saved onto your Commit installation media before you install the I/A Series software. For
instructions on modifying the computer name of your server, refer to Appendix B “Changing the
Station Name”.

Disabling the VirusScan Console


Proceed as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. If Access Protection is “Enabled”, right-click on Access Protection and select
Disable, as shown in Figure 5-39.

Figure 5-39. Disable Virus Scan Access Protection

4. Right-click on On-Access Scanner and select Disable.


5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 5-40.

Figure 5-40. On-Access Scan Properties Dialog Box

6. Clear the check-box labeled Enable on-access scanning at system startup
and click Apply. Click OK.

NOTE
The check box should be re-enabled at the end of the installation.

Canceling and Resuming the Security Enhanced Installation Process

If you click the Cancel button during the security-enhanced installation, the following dialog
box appears:

Figure 5-41. Confirming Cancellation of Software Installation

Click Yes to cancel, or No to resume the installation process. If you click Yes, the following dialog
box appears. Click OK:

Figure 5-42. Confirming Installation Interruption

You are returned to the installation dialog box as shown in Figure 5-43. If you want to see the
installation log, check Show the Windows Installer log. Click Finish.

Figure 5-43. InstallShield Wizard Completed - Interrupted

To restart the installation process after clicking Cancel, re-insert the DVD labeled “I/A Series
v8.8 Day 0 DVD-ROM” (K0174KE-A). A dialog box appears asking if you want to continue
with the installation.
If you click Yes, the installation will return to the dialog box that was canceled. If you click No,
installation will restart from the beginning.

Installation Procedure
NOTE
If you unplugged any non-Mesh network cables prior to performing the Day 0
installation, plug in the non-Mesh network cables at this time.

Proceed as follows:
1. Click the Start button and then click Control Panel -> Network and Sharing
Center. In the Tasks pane, click Change adapter settings.
2. Right-click the connection that you want to change, and then click Properties. If
you are prompted for an administrator password or confirmation, type the password
or provide confirmation.
3. Click the Networking tab. Under “This connection uses the following items”, click
Internet Protocol Version 4 (TCP/IPv4), and then click Properties. The
Internet Protocol Version 4 (TCP/IPv4) Properties dialog box opens as shown in
Figure 5-44.
4. Set the server to have exactly one statically configured NIC adapter for use by Active
Directory, as shown in Figure 5-44. Click OK when done.

Note: The IP address does not need to match the IP address shown in this figure.
Figure 5-44. Internet Protocol Version 4 (TCP/IPv4) Properties

5. Insert the DVD labeled “I/A Series v8.8 Day 0 DVD-ROM” (K0174KE-A).
6. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 5-45.
Click Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 5-45. AutoPlay Dialog Box

! CAUTION
If you are prompted with a dialog box indicating that you need to restart for the
configuration changes made to the Security Enhanced Installer to take effect, you
may have restored a non-secure image intended for I/A Series software v8.5-8.7 on
Windows XP or Windows Server 2003 R2. If you are sure you used the proper V8.8
restore image, then reboot the server. Otherwise, restore the server using the proper
V8.8 restore media. (See page 5.)

If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the server using the proper V8.8 Restore
media. (See page 5.)

7. Click Yes to accept the User Account Control (UAC) prompt.

8. A pre-requisite installation dialog box appears as shown in Figure 5-46. Click
Install to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the
server.

Figure 5-46. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box

9. A dialog box appears that allows you to select whether you are installing I/A Series
software without security enhancements or for a security-enhanced system. Select
Install I/A Series software for a security enhanced system and
Install this workstation as an OFF-MESH domain controller (secondary
or primary):

Figure 5-47. Selecting to Install a Domain Controller

10. Click Next.

11. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 5-48. Click Load to load the committed configuration files.

Figure 5-48. Load Committed Configuration Install Files

12. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 5-49. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a floppy diskette, put
the diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 5-48 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.

Figure 5-49. Installation Media Folder Browser

13. Click Next. The Server platform setup dialog box appears as shown in Figure 5-50.
Select the Install as an off-mesh Secondary Domain Controller (SDC)
radio button.

Figure 5-50. Server Platform Setup

14. In the Domain Controller IP Address field, enter the IP address of the Off-Mesh PDC
server and the password of the account authorized to add stations to the domain
(default value is offmesh.local\IAInstaller). Click Authorize.
15. If the local system time does not match the PDC system time, the dialog box shown
in Figure 5-51 appears. Click OK. Fix the local system time to match the PDC time
(see “Server Preparation” on page 139) and re-click Authorize.

Figure 5-51. Resetting UTC Date

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 5-52 is displayed. It is important to ensure that the
local and remote system times match (including date, time, AM/PM) before
continuing. Note that the checkbox displayed for some time zones which allows the system to
automatically adjust for Daylight Saving Time can affect the time displayed by the
system by one hour.

Figure 5-52. Unable to Determine Local Time on the PDC

16. If Secondary Domain Controller (SDC) servers are planned for this I/A Series system,
add the SDC servers from the drop-down list by selecting the Add Off-Mesh
checkbox shown in Figure 5-53.

Figure 5-53. Server Platform Setup (Select Add Off-MESH)

17. The dialog box shown in Figure 5-54 opens to indicate where the IP addresses for
SDC stations can be set. Enter each of the known SDC IP addresses and click Done.

Figure 5-54. Collecting SDC Machine Info

18. In Figure 5-53, click Set to choose the SDC stations in your list or Skip to choose no
SDC station IP addresses. If this server does not have exactly one statically set NIC
adapter, the message shown in Figure 5-55 is displayed. Once the NIC settings are
corrected, you can click Set or Skip again to continue.

Figure 5-55. I/A Series Installation Warning

19. Verify the name of the domain and click Connect. If successful, a message is displayed
to indicate that the connection to the domain has succeeded. If unsuccessful, a reason
for the failure is displayed.
20. When the Invensys IASeries Install: Workstation Reboot Request dialog box appears,
as shown in Figure 5-56, click Reboot.

Figure 5-56. Invensys IASeries Install: Workstation Reboot Request Dialog Box

21. After the server reboots, log on with the “IAInstaller” account with the password
chosen during the PDC station installation.
22. The installation process restarts automatically. The Server platform setup dialog
appears as shown in Figure 5-57. Re-enter the Domain Controller IP Address, domain
admin account name (Authorized Account), and domain admin account password
(Authorized Password). Click Authorize.

Figure 5-57. Server Platform Setup (Authorize)

23. Verify the Domain Name and Site Name fields and click the Prepare button.

Figure 5-58. Server Platform Setup (Prepare)

24. The warning dialog box shown in Figure 5-59 appears. Make sure at this time that the
name you have chosen for your Active Directory domain is correct. Click OK to
continue.

Figure 5-59. Active Directory Domain Name Warning

25. Click Install to load the Active Directory Domain Services onto this server and to
assign the server to the role of Secondary Domain Controller.
A DOS window is displayed while Active Directory is being installed, as shown in
Figure 5-60.

Figure 5-60. Active Directory Installation via DOS Window

The DOS window shows progress while the system is assigned to its Secondary
Domain Controller status and DNS is installed, as shown in Figure 5-61.

Figure 5-61. Assigning Role of Secondary Domain Controller via DOS Window

26. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “IAInstaller” account with the password as set in
the Server platform setup dialog box above.
27. The installation process restarts automatically. The dialog box shown in Figure 5-62 is
displayed. Click Apply.

Figure 5-62. Setting Up the Platform for a Secure I/A Series Installation

A DOS window is displayed while the Active Directory domain settings are applied.
The installation of the Off-Mesh SDC server is complete. DNS is installed automatically with
Active Directory.

Figure 5-63. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These logs can also
be printed.
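
Two conditions that this procedure enforces through dialog boxes (the UTC time must match the PDC, and the server must have exactly one statically configured NIC) can be checked before running setup.exe. The PowerShell 2.0 script below is an added example, not part of the Invensys documentation or installer; the PDC address, the 5-second tolerance, and the WMI-based NIC test (an approximation of the installer's own check, which this guide does not describe) are assumptions.

```powershell
# Added example (not Invensys code): checks to run on the SDC before setup.exe.
# Assumptions: the PDC address is a placeholder, the 5-second tolerance is
# illustrative, and the NIC test approximates the installer's undocumented check.
param(
    [string]$PdcAddress     = '192.0.2.10',  # placeholder; use your Off-Mesh PDC address
    [double]$MaxSkewSeconds = 5,
    [switch]$UseSampleData                   # run against the constructed data below
)

# Parse "hh:mm:ss, +00.0123456s" sample lines from `w32tm /stripchart /dataonly`.
# The offset is a UTC difference, so time zone display settings do not affect it.
function Get-ClockOffsetSeconds {
    param([string[]]$StripchartOutput)
    $offsets = @()
    foreach ($line in $StripchartOutput) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            $offsets += [double]::Parse($Matches[1],
                [Globalization.CultureInfo]::InvariantCulture)
        }
    }
    if ($offsets.Count -eq 0) { return $null }   # PDC time could not be determined
    return ($offsets | Measure-Object -Average).Average
}

# Adapters with TCP/IP enabled and a fixed (non-DHCP) address.
function Get-StaticNic {
    param($AdapterConfigs)
    $AdapterConfigs | Where-Object { $_.IPEnabled -and -not $_.DHCPEnabled }
}

if ($UseSampleData) {
    # Constructed sample data, not captured from a real system: a one-hour
    # clock error (the DST checkbox case) and two statically configured NICs.
    $stripchart = @(
        'Tracking 192.0.2.10 [192.0.2.10:123].',
        'Collecting 3 samples.',
        'The current time is 2/9/2016 10:15:02 AM.',
        '10:15:02, +3600.0412345s',
        '10:15:04, +3600.0409871s',
        '10:15:06, +3600.0415530s'
    )
    $adapters = @(
        (New-Object PSObject -Property @{
            Description = 'Sample NIC A'; IPEnabled = $true; DHCPEnabled = $false }),
        (New-Object PSObject -Property @{
            Description = 'Sample NIC B'; IPEnabled = $true; DHCPEnabled = $false })
    )
} else {
    $stripchart = & w32tm.exe /stripchart "/computer:$PdcAddress" /samples:3 /dataonly 2>&1 |
        ForEach-Object { "$_" }
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration
}

$problems = @()

$offset = Get-ClockOffsetSeconds $stripchart
if ($offset -eq $null) {
    $problems += "Could not read the PDC time from $PdcAddress; compare UTC date and time manually."
} elseif ([math]::Abs($offset) -gt $MaxSkewSeconds) {
    $problems += ('UTC clock differs from the PDC by {0:N1} s (limit {1} s).' -f
        $offset, $MaxSkewSeconds)
}

$static = @(Get-StaticNic $adapters)
if ($static.Count -ne 1) {
    $names = ($static | ForEach-Object { $_.Description }) -join ', '
    $problems += "Expected exactly one statically configured NIC, found $($static.Count): $names"
}

if ($problems.Count -eq 0) {
    'Pre-install checks passed.'
} else {
    $problems | ForEach-Object { "FAIL: $_" }
    exit 1
}
```

Run the script with -UseSampleData to see both failure reports on the constructed data before pointing it at a real PDC.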

Installing the I/A Series Software v8.8 Trailer CD-ROM


To complete the installation of I/A Series software v8.8, you must install the V8.8 trailer
CD-ROM (K0174KT). The trailer CD-ROM must be installed for stations running Windows 7 or
Windows Server 2008 R2 Standard operating systems:
1. Launch the trailer installation application (setup.exe):
• If you have the CD-ROM labeled “I/A Series 8.8 Trailer CD-ROM” (K0174KT),
insert this CD-ROM into the station. The installation launches automatically.
• If you acquired the trailer application setup.exe via another method, such as
copying it from a shared network drive or downloading it from the GSC website,
double-click setup.exe to launch the installation.
2. Click Next and then click Install to start the installation process.
3. If the user currently logged in is not an administrator, a User Account Control (UAC)
prompt may appear. Click Yes to accept the UAC prompt.

NOTE
During the trailer installation, if the following message appears, “The Setup must
update files or services that cannot be updated while the system is running. If we
choose to continue, reboot will be required to continue the setup,” click OK. The
installation continues as normal. Do not reboot the station if you see this message.
This message is shown in the event that you are installing the trailer after booting
into the I/A Series software (which you should not have done if you are performing
this procedure as written in this section).

4. When the installation is complete, click Finish.
5. If you are installing the trailer via a CD-ROM, remove the trailer CD-ROM.
6. Restart your station as described in the following section.
A log file for the trailer installation is saved to: D:\usr\fox\sp\SetupLog.IAv88Trailer.txt
If a Day 1 operation is performed after the trailer has been applied, the trailer can be repaired to
add any versions of files (updated by the trailer) which are part of the newly added I/A Series
packages.

Restarting Your System


Reboot the server at this time. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.

Installing Optional Software


After restarting the station following the I/A Series software installation, you can install ePolicy
Orchestrator on your SDC. This software should only be installed on one domain controller in
the system. Install this software according to Optional McAfee® Security Products Installation and
Configuration Guide (B0700EX).

System Manager and System Management Display Handler (SMDH) Installation Notes

I/A Series system management is carried out by the operator primarily via the:
• System Manager, discussed in System Manager (B0750AP), or
• System Management Display Handler (SMDH), discussed in System Management
Displays (B0193JC).
Be aware of the following notes regarding the installation of these software packages.
• On servers/workstations configured with the SMDH package (ASMDW7), the
System Manager will be installed. Uninstalling the System Manager through the
Programs and Features dialog box (accessed via the Control Panel) results in the
server/workstation defaulting to SMDH as the system management application.
• SMDH can only be invoked through FoxView. From the I/A Series initial display,
access the SMDH displays from the System button on the FoxView main window.
System Manager displays can be invoked directly, without the need for a separate
application.
Be aware that FoxView is not typically loaded on a domain controller. Invensys
recommends the IAMESH only configuration on domain controllers, in which SMDH
or System Manager is not installed.
• On servers/workstations where System Manager is installed by the Day 0 installation
of I/A Series software, only the System Manager client is installed. To install the
System Manager Server, proceed as follows:
a. Insert the DVD labeled “I/A Series v8.8 Day 0 DVD-ROM” (K0174KE-A), if it
is not already in the drive and open the folder “\3rd_party\SystemManager”.
b. Double-click on setup.exe.
c. Click Next.
d. Keep the “Modify” choice selected (default) and click Next.
e. Under “System Manager Server”, select “This feature will be installed
on local hard drive”, as shown in Figure 5-64.

Figure 5-64. Installing System Manager Server

f. Click Next and then Install to install the System Manager Server.
• If the SMDH package was not configured and the System Manager client is not
installed, the System Manager may be added by running the complete System
Manager installation process from the System Manager CD-ROM (K0174GG).

NOTE
The System Manager client is installed only if the IASVCS package is assigned to
the station.

• In order to run the Foxboro Control Panel applet, navigate to the folder
D:\usr\fox\system32. Right-click on Foxboro.cpl, select Run as
Administrator, and click OK to close the dialog box. Click Yes to accept the User Account
Control (UAC) prompt.

Secondary Domain Controller Post-Installation Procedures


Changing Passwords
After completing the installation of a secondary domain controller, you should set the restore
mode password for Active Directory on this server. Perform the following steps:
1. Select Run from the Start menu and enter ntdsutil.exe:

Figure 5-65. Setting the Restore Mode Password via ntdsutil.exe

2. Click OK.
3. Type the following text in the command prompt window:
set dsrm password
reset password on server <SERVERNAME>
<password>
<password>
quit
quit
<SERVERNAME> is the actual name of your SDC server. <password> is the newly
chosen Active Directory Restore Mode password.

NOTE
Be sure to document this password and save it in a secure place for future retrieval.
Without this password you will not be able to recover Active Directory.

Figure 5-66. Using and Exiting ntdsutil.exe

Backing Up Active Directory


You should back up Active Directory at regular intervals on I/A Series domain controller stations.
Backing up Active Directory ensures a smooth restoration of I/A Series system operations after an
unexpected hardware or software failure. See “Backing Up Active Directory on Domain
Controllers” on page 507 for additional information.

Adding I/A Series Stations to Active Directory Post-Installation


When first installed, the Off-Mesh PDC contains objects in Active Directory for all I/A Series
stations in the system. If stations are added to the I/A Series system at a later time, new objects must
be created manually in this PDC’s Active Directory.
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. You may need to scroll down to see
this menu selection.
2. From Active Directory Users and Computers, right-click on the “IA Computers”
OU and select New -> Computer as shown in Figure 5-67.

Figure 5-67. Selecting IA Computers -> New -> Computer

3. Enter the name of the new workstation in the Computer name field and click OK as
shown in Figure 5-68. The OU for “Pre-8.8 workstations” on migrated systems will
be named “Pre-8.8 IA Computers” as shown in Figure 5-69.

Figure 5-68. New Object - Computer

Figure 5-69. Selecting Pre-8.8 IA Computers -> New -> Computer

Continuing Installation
Re-enable the Enable on-access scanning at system startup feature in the McAfee
VirusScan Console as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 5-40 on page 143.
4. Check the check-box labeled Enable on-access scanning at system startup
and click Apply.
5. Click OK to close this dialog box.
Proceed to Chapter 10 “Security Enhanced I/A Series Software v8.8 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Clients to Existing
Off-MESH Networks” for the installation procedure for the domain clients.

6. Security Enhanced I/A Series Software v8.8 Installation for Existing Off-MESH Primary Domain Controllers
This chapter describes procedures to install security enhanced I/A Series software v8.8 on an
existing primary domain controller server with Windows Server 2008 R2 Standard on a
separate network (not on The Mesh control network).

Overview
If you already have a PDC with Windows Server 2008 R2 Standard on which you want to install
the I/A Series components for Active Directory, follow the instructions in this chapter to perform
this installation.
Be aware that this scenario does not include installation of an SDC. If you have an SDC, the
Active Directory should be replicated to that SDC after the I/A Series installation to the PDC.
If you do not have an SDC and want to add one now, you can purchase an Invensys-supplied
SDC and install I/A Series software v8.8 on it as described in “Installing Security Enhanced
I/A Series Software v8.8 on Off-MESH Secondary Domain Controllers” on page 139.
Alternately, you can use a non-Invensys server as your SDC and install only the appropriate
Microsoft Active Directory software.

Notes on Installing I/A Series System Software


Before you install I/A Series software, make sure that the server is physically connected to the
Off-Mesh network and, if required, that any network interface card drivers are updated. Refer to the
notes below.
Next, make sure the server is disconnected from any secondary (non-I/A Series) networks, but do
not disable the adapters for these network cards.

NOTE
It is not possible to log onto either type of domain controller (primary or
secondary) with any of the standard I/A Series user accounts (such as users that are
members of the IA Plant Operators, IA Plant Admins, or IA Plant Engineers groups). It
is possible to log onto a domain controller with the “IAManager”, “IAInstaller”, and
“IADomainAdmin” accounts.

! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

NOTE
On servers with the Windows Server 2008 R2 Standard operating system, it is
recommended that no roles be added to the system which are not necessary for the
operation of the server. Adding unnecessary roles (for example, adding the Remote
Desktop Services role when the server is not to be used as a remote session host) can
create security weaknesses in the overall system.

NOTE
Use the IAInstaller account for all installation tasks. However, due to the
permissions assigned to IAInstaller, do not use it for any other role, such as
operation of the station.

Also before continuing, perform the procedures in Appendix G “IASeries_NIC_Data.msi
Installation (Pre-I/A Series Installation)” on page 525.

Disabling the VirusScan Console


Proceed as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. If Access Protection is “Enabled”, right-click on Access Protection and select
Disable, as shown in Figure 6-1.

Figure 6-1. Disable Virus Scan Access Protection

4. Right-click on On-Access Scanner and select Disable.


5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 6-2.

Figure 6-2. On-Access Scan Properties Dialog Box

6. Clear the check-box labeled Enable on-access scanning at system startup
and click Apply. Click OK.

NOTE
The check box should be re-enabled at the end of the installation.

Canceling and Resuming the Security Enhanced Installation Process

If you click the Cancel button during the security-enhanced installation, the following dialog
box appears:

Figure 6-3. Confirming Cancellation of Software Installation

Click Yes to cancel, or No to resume the installation process. If you click Yes, the following dialog
box appears. Click OK:

Figure 6-4. Confirming Installation Interruption

You are returned to the installation dialog box as shown in Figure 6-5. If you want to see the
installation log, check Show the Windows Installer log. Click Finish.

Figure 6-5. InstallShield Wizard Completed - Interrupted

To restart the installation process after clicking Cancel, re-insert the DVD labeled “I/A Series
v8.8 Day 0 DVD-ROM” (K0174KE-A). A dialog box appears asking if you want to continue
with the installation.
If you click Yes, the installation will return to the dialog box that was canceled. If you click No,
installation will restart from the beginning.

Installation Procedure
NOTE
If you unplugged any non-Mesh network cables prior to performing the Day 0
installation, plug in the non-Mesh network cables at this time.

Proceed as follows:
1. Insert the DVD labeled “I/A Series v8.8 Day 0 DVD-ROM” (K0174KE-A).
2. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 6-6. Click
Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 6-6. AutoPlay Dialog Box

! CAUTION
If you are prompted with a dialog box indicating that you need to restart for the
configuration changes made to the Security Enhanced Installer to take effect, you
may have restored a non-secure image intended for I/A Series software v8.5-8.7 on
Windows XP or Windows Server 2003 R2. If you are sure you used the proper V8.8
restore image, then reboot the server. Otherwise, restore the server using the proper
V8.8 restore media. (See page 5.)

If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the server using the proper V8.8 Restore
media. (See page 5.)

3. Click Yes to accept the User Account Control (UAC) prompt.


4. A pre-requisite installation dialog box appears as shown in Figure 6-7. Click Install
to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the server.

Figure 6-7. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box

5. Select the Install I/A Series software for a security enhanced system
and Install to an existing OFF-MESH PDC station (PDC only) bullets as
shown in Figure 6-8.
Click Next to continue.

Figure 6-8. Selecting to Install a Domain Controller on an Off-MESH Domain

6. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 6-9. Click Load to set the installation target drive to D:\ and load
the committed configuration files.

Figure 6-9. Load Committed Configuration Install Files

7. The browser for the folder which contains the committed configuration install files
opens, as shown in Figure 6-10. If the installation media with your Commit files is on
the server’s hard drive or a network, browse to the location of the media and click
Select Folder. If the installation media with your Commit files is on a floppy
diskette, put the diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 6-9 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.

Figure 6-10. Installation Media Folder Browser

8. Click Next. The dialog box appears as shown in Figure 6-11. Click Apply.

Figure 6-11. Server Platform Setup

9. A command prompt is displayed while the Active Directory domain settings are
applied. When asked Do you want to run software from this trusted
publisher, press A (for Always run) and press <Enter>. This allows the signed scripts to
configure your system.

Figure 6-12. Active Directory Domain Settings Applied

10. The I/A Series Secure User Accounts dialog box opens as shown in Figure 6-13. Enter
the user name and password for the standard I/A Series domain account and click
Create.

Figure 6-13. I/A Series Secure User Accounts Dialog Box


NOTE
The names of these accounts may be changed, but the default values are recommended.
Passwords must meet password complexity requirements. Password complexity
requirements include: an 8-character minimum password length; at least one
lowercase character; at least one uppercase character; and at least one numeric
character.

11. Click Finish.

Figure 6-14. Finish Installation

At the end of the installation, the installation log is displayed. You can view the installation log at
any time by clicking the Start button and selecting All Programs -> Invensys -> IASeries ->
Utilities -> Log Viewer.


Figure 6-15. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These logs can also
be printed.

Restarting Your System


Reboot the server at this time. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.


Primary Domain Controller Post-Installation Procedures
Creating Users in Active Directory
The following steps can be used to create an Operator account in the Active Directory domain.
This is a default group. Similar steps can be taken to create other customized accounts, such as
Maintenance and Engineer accounts. Refer to Security Enhancements User's Guide for I/A Series
Workstations with Windows 7 or Windows Server 2008 Operating Systems (B0700ET) for
information on creating customized accounts.
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. You may need to scroll down to see
this menu selection.
2. Under the Accounts\Users\Standard OU, right-click Standard, and select New ->
User:

Figure 6-16. Creating Users via Active Directory Users and Computers


All users are created under the Accounts\Users\Standard OU, including IA Plant
Engineers, IA Plant Operators, and IA Plant Admins.
The dialog box shown in Figure 6-17 opens.

Figure 6-17. New Object - User

3. Enter the First name, Full name, and User logon name as the same value (for
example, Operator1).
4. Click Next.
5. In the dialog box shown in Figure 6-18, clear the User must change password at
next logon check box. Select the Password never expires check box.
6. Enter the password and confirm the password.
7. Click Next.


Figure 6-18. New Object - User - Password Updates

8. Click Finish as shown in Figure 6-19.

Figure 6-19. New Object - User - Finish


9. Double-click on the new user name in the Active Directory Users and Computers
dialog box to open the Properties dialog box, as shown in Figure 6-20.

Figure 6-20. Opening the New User Properties Dialog Box


10. Select the Member Of tab, as shown in Figure 6-21.

Figure 6-21. New User Properties Dialog Box

11. Click the Add button.


12. Type in the text “IA Plant” and click the Check Names button as shown in
Figure 6-22.


Figure 6-22. Select Groups

13. Select the desired I/A Series standard user group (for example, IA Plant Engineers)
and click OK.

Figure 6-23. Multiple Names Found Dialog Box


14. Click OK to close the Select Groups dialog box shown in Figure 6-24.

Figure 6-24. Closing Select Groups Dialog Box

15. Click OK to close the Properties dialog box shown in Figure 6-25.

Figure 6-25. Closing Properties Dialog Box


16. Repeat the above steps for as many users as desired. The different standard user groups
provide different policy settings and system access.

Adding I/A Series Stations to Active Directory Post-Installation


When first installed, the Off-Mesh PDC contains objects in Active Directory for all I/A Series
stations in the system. If stations are added to the I/A Series system at a later time, new objects
must be created manually in this PDC’s Active Directory.
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. You may need to scroll down to see
this menu selection.
2. From Active Directory Users and Computers, right-click on the “IA Computers”
OU and select New -> Computer as shown in Figure 6-26.

Figure 6-26. Selecting IA Computers -> New -> Computer

3. Enter the name of the new workstation in the Computer name field and click OK as
shown in Figure 6-27. The OU for “Pre-8.8 workstations” on migrated systems will
be named “Pre-8.8 IA Computers” as shown in Figure 6-28.


Figure 6-27. New Object - Computer

Figure 6-28. Selecting Pre-8.8 IA Computers -> New -> Computer


Tombstone Lifetime Attribute in Active Directory


By default, the Active Directory tombstone lifetime is sixty days. Having a longer tombstone
lifetime decreases the chance that a deleted object remains in the local directory of a disconnected
Domain Controller beyond the time when the object is permanently deleted from online DCs.
It is highly recommended that you review information regarding the tombstone lifetime attribute
in “Backing Up Active Directory on Domain Controllers” on page 507. If you want to alter the
default value, use the procedure “Changing the Tombstone Lifetime Attribute in Active
Directory” on page 508.

Backing Up Active Directory


You should back up Active Directory at regular intervals on I/A Series domain controller stations.
Backing up Active Directory ensures a smooth restoration of I/A Series system operations after an
unexpected hardware or software failure. See “Backing Up Active Directory on Domain
Controllers” on page 507 for additional information.

Continuing Installation
Re-enable the Enable on-access scanning at system startup feature in the McAfee
VirusScan Console as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 6-2 on page 172.
4. Check the check-box labeled Enable on-access scanning at system startup
and click Apply.
5. Click OK to close this dialog box.
Proceed to Chapter 10 “Security Enhanced I/A Series Software v8.8 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Clients to Existing
Off-MESH Networks” for the installation procedure for the domain clients.

7. Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain Controller on The MESH Control Network
This chapter describes how to migrate an existing On-Mesh Primary Domain Controller
(PDC) with I/A Series software v8.5/8.6/8.7 to a new PDC with Windows Server 2008 R2
Standard, located on The Mesh control network.
The source station for this migration can either be:
• A new I/A Series server, shipped with an I/A Series software v8.8 (or later) image
installed.
• An existing SDC with I/A Series software v8.5/8.6/8.7 installed, which will be
converted to a PDC with an I/A Series software v8.8 (or later) image installed.
The target station (the station onto which the new software will be installed) for this migration is
the new PDC with Windows Server 2008 R2 Standard.
After the migration, both the domain clients which existed pre-I/A Series software v8.8 and the
new I/A Series domain clients (post-I/A Series software v8.8) will be connected to the same
domain. Existing group policies will be maintained while new I/A Series software v8.8 group
policies will be enacted. The steps in this section only need to be followed once for the domain
migration in order to establish the new PDC station.
Perform the procedures provided below.

! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.


Preparing the Source Primary Domain Controller (Existing On-MESH PDC with I/A Series Software v8.5/8.6/8.7) for Migration
NOTE
Once complete, all existing SDC stations with I/A Series software v8.5/8.6/8.7
must be reloaded as SDC stations with I/A Series software v8.8 running on the
Microsoft Windows Server 2008 R2 Standard operating system. Once this has been
done, the domain and forest functional levels can be raised to “Server 2008.”

NOTE
Do not reload an existing SDC with I/A Series software v8.5-8.7 with the Windows
Server 2008 R2 Standard operating system if this SDC will be used as the new
PDC.

For the source On-Mesh Primary Domain Controller (PDC) with I/A Series software
v8.5/8.6/8.7 for this migration, proceed as follows:
1. Log into the existing (pre-I/A Series software v8.8) On-Mesh PDC using a domain
administrator account (such as IADomainAdmin).
2. Open the Active Directory Users and Computers console - click the Start button and
select Control Panel -> Administrative Tools -> Active Directory Users
and Computers.
3. Under the Users organizational unit (OU), find the domain administrator account
which is being used for this installation, as shown in Figure 7-1.


Figure 7-1. Active Directory Users and Computers Console (Administrator Account)


4. Right-click on the user name and click Properties. The user Properties dialog box
opens as shown in Figure 7-2.

Figure 7-2. [User] Properties Dialog Box

5. Verify that the domain administrator account is a member of both the Schema
Admins and Enterprise Admins groups by selecting the Member Of tab as shown in
Figure 7-2. If this user account is not, the user must be added to both these groups, as
follows:
a. From the Member Of tab, select the Add button.
b. Type in the name of the group which needs to be added (such as Schema Admins
or Enterprise Admins) and click OK, as shown in Figure 7-3. Repeat this for
each group.


Figure 7-3. Adding User to Groups

6. Click OK to close the user Properties dialog box.


7. Click on the IA Computers folder and verify that the new PDC server name is
present. If not, you must add it as follows.
a. Right-click on IA Computers and select New -> Computer, as shown in
Figure 7-4.
b. Enter the name of the new computer and click OK.


Figure 7-4. Active Directory Users and Computers Console (Administrator Account)

8. If the current domain administrator account was added to either the “Schema
Admins” or “Enterprise Admins” in the steps above, log off from this account and log
back on to the station using the same account.


9. Insert the Microsoft® Windows Server® 2008 R2 Standard DVD. Acknowledge the
warning shown in Figure 7-5.

Figure 7-5. Installation Disc Is Not Compatible With This Windows Version Warning

10. Open a command prompt. Click the Start button, click Programs -> Accessories ->
Command Prompt.
11. In the command prompt, navigate to the “E:\Support\ADPrep” folder. As shown in
Figure 7-6, enter the following command: adprep32 /forestprep

Figure 7-6. Invoking adprep32 /forestprep

12. Enter “c” at the prompt to continue.


13. As shown in Figure 7-7, enter the following command:


adprep32 /domainprep /gpprep

Figure 7-7. Invoking adprep32 /domainprep /gpprep

14. As shown in Figure 7-8, enter the following command:


adprep32 /rodcprep

Figure 7-8. Invoking adprep32 /rodcprep

15. Review the adprep logs in C:\Windows\Debug\adprep\logs\.


Preparation for the migration of this source PDC is complete.


16. If you are upgrading an existing Secondary Domain Controller with I/A Series
software v8.5/8.6/8.7 to become the new target PDC, you must remove the Active
Directory from this SDC as described in the following substeps. If you do not have an SDC
and are installing a new station as the target PDC, proceed to “Preparation and
Installation for New Target Primary Domain Controller” on page 204.
To remove the Active Directory from the SDC, perform one of the two following
procedures:
a. Use dcpromo on the existing SDC to remove Active Directory as described in
“Removing Domain Controller Functionality from a Workstation” on page 487.
b. In Active Directory Sites and Services on the source PDC, click Actions ->
Refresh. The NTDS settings that were shown under the SDC name are
removed. If they are not, the removal operation of the Active Directory from the
SDC was unsuccessful and you cannot continue. Contact Global Customer
Support for assistance.
-OR-
a. Use Symantec System Recovery (SSR) to load the new I/A Series software v8.8
platform image on the existing SDC station to be upgraded. Refer to Symantec
System Recovery 2011 Workstation Edition and Server Edition Guide for I/A Series
Workstations (B0700ES) for instructions.
b. On the source PDC, click the Start button and select Control Panel ->
Administrative Tools -> Active Directory Sites and Services. Navigate to
Sites -> [Domain Name] -> Servers -> [Name of SDC]. Remove the SDC
station from the list along with every entry underneath.
17. Proceed to the next section.


Preparation and Installation for New Target Primary Domain Controller
Proceed as follows on the server to become the new PDC.

NOTE
Use the IAInstaller account for all installation tasks. However, due to the
permissions assigned to IAInstaller, do not use it for any other role, such as
operation of the station.

Preparing Network Interface Cards (NICs) For Installation


Before installing I/A Series software, for each installed NIC, you must set the NIC’s properties
“Flow Control” and “Speed & Duplex” manually as described below for the NICs on this station.

NOTE
Refer to the Hardware and Software Specific Instructions document included with
your station to determine the NIC cards it supports.

Proceed as follows:
1. Right-click the My Computer icon, and click Manage. Double-click Device Manager.
In the Device Manager window, expand the Network adapters list.
2. Right-click the desired card and click Properties. In the Properties dialog box that
appears, select the Advanced tab.
3. In the Property field, click Flow Control. In the Value field, select Disable from
the drop-down menu list.
4. In the Property field, click Speed & Duplex. In the Value field, in the drop-down
menu list:
• For a station on The Mesh control network, select 100 Mb Full.
• For a station on a network other than The Mesh control network (off-Mesh),
select Auto.
5. Click OK.
6. For each additional NIC, repeat Steps 2 through 5.
7. Shut down and restart the system for the driver changes to take effect. Click the Start
button and click Shut Down; select Restart from the pull-down menu and click OK.

Installation on New Target Primary Domain Controller


Proceed as follows:
1. Perform the procedures in Appendix G “IASeries_NIC_Data.msi Installation
(Pre-I/A Series Installation)” on page 525.
2. Insert the DVD labeled “I/A Series v8.8 Day 0 DVD-ROM” (K0174KE-A).


3. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 7-9. Click
Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 7-9. AutoPlay Dialog Box

! CAUTION
If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the server using the proper v8.8 (or later)
Restore media.

4. Click Yes to accept the User Account Control (UAC) prompt.


5. A pre-requisite installation dialog box appears as shown in Figure 7-10. Click
Install to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the
server.


Figure 7-10. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box

6. A dialog box appears that allows you to select whether you are installing I/A Series
software without security enhancements or for a security-enhanced system. Select
Install I/A Series software for a security enhanced system and
Install the workstation as a domain controller (secondary or primary),
as shown in Figure 7-11.
Also select the check box labeled Migrate from Pre-8.8 I/A Series (PDC
Only) under the selection you checked, as shown in Figure 7-11.


Figure 7-11. Selecting to Install a Domain Controller On-MESH

7. Click Next.
8. Acknowledge the warning shown in Figure 7-12.

Figure 7-12. I/A Series Installation Warning


9. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 7-13. Click Load to load the committed configuration files.

Figure 7-13. Load Committed Configuration Install Files

10. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 7-14. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a diskette, put the
diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 7-13 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.


Figure 7-14. Installation Media Folder Browser

11. Once the Commit files have been loaded, click Bind as shown in Figure 7-13 on
page 208 to launch the I/A Series Network Installation utility.
12. The dialog box shown in Figure 7-15 is displayed for some servers (Dell T3500 and
R710 servers) if the network configuration from System Definition does not match
the available NIC hardware. Select the two network cards and click Next.

! CAUTION
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation.

If this dialog box is not displayed, the NIC cards have been automatically configured.
Proceed to the next step.


Figure 7-15. I/A Series Network Installation (For Certain NIC Cards)


13. Click Next. The Server platform setup dialog appears as shown in Figure 7-16. The
Install as a Secondary Domain Controller (SDC) bullet is selected by
default. Initially, this station is installed as an SDC station and will be promoted to be
the PDC station before the installation completes.

Figure 7-16. Server Platform Setup Dialog Box

14. Enter the name of the existing PDC (from which you are migrating), as shown in
Figure 7-16.
In the Authorized Account field, verify that the domain joining account name
displayed has the authority to add workstations to the domain
(i.e. iaseries.local\IAInstaller).
In the Authorized Password field, enter the password for this account.
When finished, click Authorize.


15. If the local system time does not match the system time on the existing PDC (from
which you are migrating), a message is displayed as shown in Figure 7-17. Click OK.
Fix the local system time to match the existing PDC’s time and re-click Authorize.

Figure 7-17. I/A Series Installation Date Warning

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 7-18 is displayed. It is important to ensure that the
local and remote system times match (including date, time, AM/PM) before
continuing. Note that the checkbox displayed for some time zones which allows the system to
automatically adjust for Daylight Saving Time can affect the time displayed by the
system by one hour.

Figure 7-18. Unable to Determine Local Time on the PDC


16. If there is another SDC station on the network, choose that SDC’s name from the
drop-down list and click Set, as shown in Figure 7-19. Otherwise, click Skip.

Figure 7-19. Server Platform Setup (For Second SDC)


17. In the “Select a Host Domain for this workstation and click Connect” field, verify the
name of the domain and click Connect. The message shown in Figure 7-20 is
displayed to indicate that the connection to the domain has succeeded.
If unsuccessful, a reason for the failure is displayed.

Figure 7-20. Invensys IASeries Install: Workstation Reboot Request Dialog Box

18. After the server reboots, log on with the “IAInstaller” account with the password as it
was set during the PDC’s installation.
19. The installation continues automatically. The Server platform setup dialog box
appears.
Re-enter the name of the existing PDC (from which you are migrating), as shown
in Figure 7-21.
In the Authorized Account field, verify that the domain joining account name
displayed has the authority to add workstations to the domain
(i.e. iaseries.local\IAInstaller).
In the Authorized Password field, enter the password for this account.
When finished, click Authorize.


Figure 7-21. Server Platform Setup (On-MESH) Continued


20. Under the “Enter domain information for Active Directory setup and click Prepare”
area, verify the Domain Name and Site Name fields and click the Prepare button.

Figure 7-22. Server Platform Setup (On-MESH) Continued Part 2


21. A warning dialog appears as shown in Figure 7-23. Ensure that the name you have
chosen for your Active Directory domain is correct and will not conflict with another
domain on the same network.

Figure 7-23. Active Directory Warning

22. Click Install to load the Active Directory Domain Services onto this server and to
assign the server to the role of Secondary Domain Controller.
A command prompt is displayed while Active Directory is being installed, as shown in
Figure 7-24.

Figure 7-24. Active Directory Installation via a Command Prompt

The command prompt shows progress while the system is assigned to its Secondary
Domain Controller status and DNS is installed, as shown in Figure 7-25.


Figure 7-25. Assigning Role of Secondary Domain Controller via Command Prompt

23. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “IADomainAdmin” account with the password as
set during the PDC’s installation.


24. The installation restarts automatically and the I/A Series Software Installation dialog
box appears as shown in Figure 7-26. Click Verify to check the health of the Active
Directory domain. This takes several minutes. It may be necessary to wait as much as
an hour before proceeding past this dialog box, depending on how long it takes for
Active Directory to replicate to this new SDC.

Figure 7-26. Verifying the Health of the Existing Active Directory System


25. When complete, the warning dialog box shown in Figure 7-27 is displayed if errors
are found. One or more conditions could be detected including diagnostic failures,
event log errors, and replication failures.

Figure 7-27. I/A Series Installation Warning for DC Health Log File


26. To view the log, click View in Figure 7-28. After viewing the errors, it may be
necessary to correct the issues in the Active Directory domain. Click the Verify button as
many times as necessary after you take each corrective action to ensure that no further
issues exist. After clicking Verify, clicking View opens the updated diagnostic results.

Figure 7-28. Verifying the Health of the Existing Active Directory System (Errors Found)

NOTE
The following error messages are expected during a migration and can be safely
ignored:
Warning 1:
Warning: SVRINF is not advertising as a time server.
......................... SVRINF failed test Advertising
Invalid service type: RpcSs on SVRINF, current value
WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS
w32time Service is stopped on [SVRINF]
......................... SVRINF failed test Services


Warning 2:
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed,
error 1355
A Good Time Server could not be located.
......................... iaseries.local failed test LocatorCheck

NOTE
It can take several hours for event log messages which were generated during the
migration to clear from this log. System log failures (such as the following) should
be investigated if they persist long after the migration has completed.
......................... NESRV4 failed test SystemLog

27. If it is determined that it is safe to ignore the errors in the log, click Ignore to
continue, as shown in Figure 7-29. Acknowledge the following warning.

Figure 7-29. I/A Series Installation Errors in DC Health Log File


28. Click Next. The dialog shown in Figure 7-30 is displayed. Click Apply.

Figure 7-30. Setting Up the Platform For a Secure I/A Series Installation

A command prompt is displayed while the Active Directory settings are applied.
29. Click Next and then Install to run the installation.
30. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 7-31 is displayed.
To install this package, insert the first OS1FDB package diskette and click Load. After
the first disk has been loaded, insert the second OS1FDB package diskette and click
Load.
To bypass the installation of this package, click Skip. If Skip is selected, the
installation will continue, but this dialog will be displayed again for each of the OS1FDB
stations configured on this I/A Series station.

NOTE
This will occur one time for each OS1FDB station configured.


Figure 7-31. Installation Media Dialog Boxes

31. If you selected Load, the media folder browser opens.

Figure 7-32. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button.
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette must be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.


32. If you selected Use Diskette in the previous step, the dialog box in Figure 7-33
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
must be inserted in drive A:\.

Figure 7-33. Installation Media Dialog Box - For Diskettes

33. Click Finish when the installation process is complete.


34. Reboot the server. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.
The installation procedure for the domain controller is complete.

NOTE
After migration is complete, install Windows Server 2008 R2 Standard with
I/A Series software v8.8 on all of your SDCs.
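The following added example (not part of the original guide or the I/A Series software) shows one way to triage a saved copy of the DC health log from steps 25 through 27: a failed test is treated as expected only when both its name and every detail message match what the NOTE above lists. The sample log is constructed from the lines quoted in that NOTE; the `Starting test:` lines, the passed Connectivity test, and the NESRV4 Services failure are assumptions added for illustration.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "target test category details")

# Result lines as quoted in the NOTE: "......... <target> failed test <TestName>"
RESULT_RE = re.compile(r"^\s*\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$")

# Failures the guide lists as expected during a migration, with the detail
# messages it quotes for each one.
EXPECTED = {
    "Advertising": [r"is not advertising as a time server"],
    "Services": [
        r"Invalid service type: RpcSs on \S+, current value "
        r"WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS",
        r"w32time Service is stopped on",
    ],
    "LocatorCheck": [
        r"DcGetDcName\((?:GOOD_)?TIME_SERVER(?:_PREFERRED)?\) call failed, error 1355",
        r"A (?:Good )?Time Server could not be located",
        r"The server holding the PDC role is down",
    ],
}
EXPECTED = {t: [re.compile(p) for p in pats] for t, pats in EXPECTED.items()}

# The guide says event-log failures can take hours to clear after a migration
# and should be investigated only if they persist.
RECHECK_LATER = {"SystemLog"}


def classify(test, details):
    """Return 'expected', 'recheck' or 'investigate' for one failed test."""
    if test in RECHECK_LATER:
        return "recheck"
    patterns = EXPECTED.get(test)
    # Expected only if there are detail lines and every one is a known message.
    if patterns and details and all(
        any(p.search(d) for p in patterns) for d in details
    ):
        return "expected"
    return "investigate"


def triage(log_text):
    """Parse the health log and return a Finding for every failed test."""
    findings, details = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Starting test:"):
            details = []  # a new test begins; drop any unrelated lines
            continue
        m = RESULT_RE.match(raw)
        if not m:
            details.append(line)  # detail message belonging to the current test
            continue
        target, outcome, test = m.groups()
        if outcome == "failed":
            findings.append(
                Finding(target, test, classify(test, details), tuple(details))
            )
        details = []
    return findings


def summarize(findings):
    """Group findings by category as 'target/test' strings."""
    out = {"expected": [], "recheck": [], "investigate": []}
    for f in findings:
        out[f.category].append(f"{f.target}/{f.test}")
    return out


# Constructed sample: detail messages from the guide's NOTE, plus assumed lines.
SAMPLE_LOG = """\
      Starting test: Connectivity
         ......................... SVRINF passed test Connectivity
      Starting test: Advertising
         Warning: SVRINF is not advertising as a time server.
         ......................... SVRINF failed test Advertising
      Starting test: Services
         Invalid service type: RpcSs on SVRINF, current value WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS
         w32time Service is stopped on [SVRINF]
         ......................... SVRINF failed test Services
      Starting test: Services
         NTDS Service is stopped on [NESRV4]
         ......................... NESRV4 failed test Services
      Starting test: SystemLog
         An error event occurred (constructed detail line).
         ......................... NESRV4 failed test SystemLog
      Starting test: LocatorCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         ......................... iaseries.local failed test LocatorCheck
"""

if __name__ == "__main__":
    for category, items in summarize(triage(SAMPLE_LOG)).items():
        print(f"{category:12s} {', '.join(items) or '-'}")
```

Only entries in the `investigate` group need corrective action before clicking Ignore; entries in `recheck` should be looked at again some hours after the migration completes.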

Configuring for Existing Domain Clients with I/A Series Software v8.5/8.6/8.7
For all existing domain clients with I/A Series software v8.5/8.6/8.7, proceed as follows:
1. Open the Internet Protocol (TCP/IP) Properties dialog box for the FoxInt NDIS
Intermediate Miniport Driver (I/A Series network card).
a. On the desktop, right-click My Network Places, and click Properties.
b. In the Network and Connections dialog box, right-click the FoxInt NDIS
Intermediate Miniport Driver, and click Properties.


Figure 7-34. Selecting FoxInt NDIS Intermediate Miniport Driver

2. In the adapter’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Properties.
The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 7-36.

Figure 7-35. Adapter Properties Dialog Box


3. The first two DNS entries are displayed in the DNS server addresses section. Click
Advanced.

Figure 7-36. Internet Protocol (TCP/IP) Properties Dialog Box

NOTE
The installation will attempt to set the DNS entries on the existing stations with
I/A Series software v8.7 or earlier. However, this can fail for multiple reasons. You
may see the following message in the AD Setup log (D:\usr\fox\sp\ADSetup.log):
Failed to configure the DNS setting for AW0001 station. Access is
denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
The instructions for setting up DNS entries on existing stations with I/A Series
software v8.7 or earlier should be followed for all stations with I/A Series software
v8.7 or earlier even though it is possible that some entries have been set already. It is
critical to system interoperability that these settings are made.


4. Set the first DNS entry in the list to match the IP address of the new PDC with
I/A Series software v8.8. Add additional entries for any SDC stations (with Windows
Server 2003 or Server 2008 R2 Standard). Click OK to save the DNS settings.

Figure 7-37. Internet Protocol (TCP/IP) Properties Dialog Box

NOTE
For all domain clients migrated from a domain with I/A Series software
v8.5/8.6/8.7 to a domain with I/A Series software v8.8, it may be necessary to move
the migrated domain client’s object in Active Directory before beginning the client’s
installation procedure. Refer to “Migrating Domain Client from Domain in
I/A Series System v8.7 Or Earlier to a Domain in I/A Series System v8.8” on
page 358.

Continuing Installation
Refer to “Installing Optional Software” on page 63 to install any additional packages on your new
PDC.
Be sure to re-enable McAfee VirusScan on all the PDCs, SDCs and domain clients on which you
disabled it. Refer to “Re-Enabling the McAfee VirusScan Console” on page 408.


Proceed to Chapter 10 “Security Enhanced I/A Series Software v8.8 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Clients to Existing
Off-MESH Networks” for the installation procedure for all new domain clients.

8. Migrating I/A Series Software v8.5/8.6/8.7 to a New Off-MESH Primary Domain Controller
This chapter describes how to migrate an existing On-Mesh Primary Domain Controller
(PDC) with I/A Series software v8.5/8.6/8.7 to a new PDC with Windows Server 2008 R2
Standard which is on a separate network, not located on The Mesh control network (Off-Mesh).
The source station for this migration can either be:
• A new I/A Series server, shipped with an I/A Series software v8.8 (or later) image
installed.
• An existing SDC with I/A Series software v8.5/8.6/8.7 installed, which will be converted
to a PDC with an I/A Series software v8.8 (or later) image installed.
The target station (the station onto which the new software will be installed) for this migration
will become the new PDC with Windows Server 2008 R2 Standard.
After the migration, both the domain clients which existed pre-I/A Series software v8.8 and the
new I/A Series domain clients (with I/A Series software v8.8) will be connected to the same
domain. Existing group policies will be maintained while new I/A Series software v8.8 group
policies will be enacted. The steps in this section only need to be followed once for the domain
migration in order to establish the new PDC station.
Perform the procedures provided below.

Preparing the Source Primary Domain Controller (Existing PDC with I/A Series Software v8.5/8.6/8.7) for Migration
NOTE
Once complete, all existing SDC stations with I/A Series software v8.5/8.6/8.7
must be reloaded as Off-Mesh SDC stations with I/A Series software v8.8 running
on the Microsoft Windows Server 2008 R2 Standard operating system. Once this
has been done, the domain and forest functional levels can be raised to “Server
2008.”

For the source On-Mesh Primary Domain Controller (PDC) with I/A Series software
v8.5/8.6/8.7 for this migration, proceed as follows:
1. Log into the existing On-Mesh PDC using a domain administrator account (such as
IADomainAdmin).


2. Open the Active Directory Users and Computers console - click the Start button and
select Programs -> Administrative Tools -> Active Directory Users and
Computers.
3. Under the Users organizational unit (OU), find the domain administrator account
which is being used for this installation, as shown in Figure 8-1.

Figure 8-1. Active Directory Users and Computers Console (Administrator Account)


4. Right-click on the user name and click Properties. The user Properties dialog box
opens as shown in Figure 8-2.

Figure 8-2. [User] Properties Dialog Box

5. Verify that the domain administrator account is a member of both the “Schema
Admins” and “Enterprise Admins” groups by selecting the Member Of tab as shown
in Figure 8-2. If this user account is not, the user must be added to both these groups,
as follows:
a. From the Member Of tab, select the Add button.
b. Type in the name of the group which needs to be added (Schema Admins or
Enterprise Admins) and click OK, as shown in Figure 8-3. Repeat this for each
group.


Figure 8-3. Adding User to Groups

6. Click OK to close the user Properties dialog box.


7. Click on the IA Computers folder and verify that the new PDC server name is present.
If not, you must add it as follows.
a. Right-click on IA Computers and select New -> Computer, as shown in
Figure 8-4.
b. Enter the name of the new computer and click OK.


Figure 8-4. Active Directory Users and Computers Console (Administrator Account)

8. If the current domain administrator account was added to either the Schema Admins
or Enterprise Admins in the steps above, then log off from this account and log back
on to the station using the same account.


9. Insert the Microsoft® Windows Server® 2008 R2 Standard DVD that was delivered
with your server. Acknowledge the warning shown in Figure 8-5.

Figure 8-5. Installation Disc Is Not Compatible With This Windows Version Warning

10. Open a command prompt. Click the Start button, and click Programs -> Accessories ->
Command Prompt.
11. In the command prompt, change the directory to the “E:\Support\ADPrep” folder. As
shown in Figure 8-6, enter the following command: adprep32 /forestprep

Figure 8-6. Invoking adprep32 /forestprep

12. Enter “c” at the prompt to continue.


13. As shown in Figure 8-7, enter the following command:


adprep32 /domainprep /gpprep

Figure 8-7. Invoking adprep32 /domainprep /gpprep

14. As shown in Figure 8-8, enter the following command:


adprep32 /rodcprep

Figure 8-8. Invoking adprep32 /rodcprep

15. Review the adprep logs in C:\Windows\Debug\adprep\logs\.


16. Open the Internet Protocol (TCP/IP) Properties dialog box for the FoxInt NDIS
Intermediate Miniport Driver (I/A Series network card).


a. On the desktop, right-click My Network Places, and click Properties.

! CAUTION
In Network Connections, which lists the available NICs, do not change the name of
any “Local Area Connection x” network connection. This can result in software
installation issues or system instability.

b. In the Network and Connections dialog box, right-click the FoxInt NDIS Intermediate
Miniport Driver, and click Properties.
c. In the adapter’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Properties.
The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 8-9.

Figure 8-9. Internet Protocol (TCP/IP) Properties Dialog Box


17. Remove all default gateway settings for this network interface by clicking Advanced.
In the Advanced TCP/IP Settings dialog box shown in Figure 8-10, click the IP
Settings tab. Under Default gateways, remove all the entries.

Figure 8-10. Advanced TCP/IP Settings Dialog Box (IP Settings) [callout: Remove all entries]

18. Click the DNS tab, as shown in Figure 8-11. In the DNS server addresses, in order of
use field, remove all the entries. When done, click OK to close this dialog box and
apply the changes.


Figure 8-11. Advanced TCP/IP Settings Dialog Box (DNS) [callout: Remove all entries]

19. Open the Internet Protocol (TCP/IP) Properties dialog box for the network adapter
for the new Off-Mesh I/A Series network.
a. On the desktop, right-click My Network Places, and click Properties.
b. In the Network and Sharing Center dialog box, right-click the network adapter
that the Off-Mesh domain controller will use, and click Properties.
c. In the adapter’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click
Properties. The Internet Protocol (TCP/IP) Properties dialog box appears as
shown in Figure 8-12.
d. Set the IP address and preferred DNS server IP address to the same value (shown
as “181.182.81.1” as an example in Figure 8-12) and click OK.


Figure 8-12. Internet Protocol (TCP/IP) Properties Dialog Box

After clicking on Close, the status of the Local Area Connection is “connected”.


20. Open the DNS Manager. Click the Start button and select Programs -> Administrative
Tools -> DNS. Right-click on the DNS server (workstation name, shown as
“SVRINF” in Figure 8-13) and click Properties.

Figure 8-13. DNS Manager Dialog Box (Server Properties)

21. In the server Properties dialog box, click the Interfaces tab as shown in
Figure 8-14. Select all IP addresses in the list, except one, and click Remove.
For the last IP address, change it to be the IP address of the Off-Mesh network card
configured in the previous step.
Click Add then select the remaining IP address and click Remove.
Click OK in Properties dialog box.


Figure 8-14. Server Properties Dialog Box [callout: Remove all entries and add one for the new Off-MESH network card.]


22. In the DNS Manager, select the I/A Series forward lookup zone (i.e. iaseries.local).
Remove the entries for the existing I/A Series stations which are on the existing
I/A Series Mesh control network, as shown in Figure 8-15.

Figure 8-15. DNS Manager Dialog Box (Removing Existing Stations)

23. In the DNS Manager, remove the reverse lookup zone for the existing On-Mesh
I/A Series network (i.e. 151.128.152.x Subnet).
24. Add a new reverse lookup zone for the new Off-Mesh I/A Series network as follows.


a. Right-click on Reverse Lookup Zones and select New Zone as shown in
Figure 8-16.

Figure 8-16. DNS Manager Dialog Box (Reverse Lookup Zone)


b. Click Next. Select Primary Zone and click Next as shown in Figure 8-17.

Figure 8-17. New Zone Wizard (Zone Type)


c. Click the “To all DNS servers in the Active Directory domain
iaseries.local” bullet (“iaseries.local” may vary depending on the actual
name of the I/A Series domain) as shown in Figure 8-18. Click Next.

Figure 8-18. New Zone Wizard (Active Directory Zone Replication Scope)


d. In the Network ID field, enter the first three octets of the Off-Mesh I/A Series
network card’s IP address as shown in Figure 8-19. Click Next.

Figure 8-19. New Zone Wizard (Reverse Lookup Zone Name)


e. Click the Allow only secure dynamic updates bullet and click Next as
shown in Figure 8-20. Click Finish to close the New Zone Wizard.

Figure 8-20. New Zone Wizard (Dynamic Update)


f. Right-click on the new zone and select New Pointer as shown in Figure 8-21.

Figure 8-21. DNS Manager Dialog Box (New Pointer)


g. In the New Resource Record dialog box, set the pointer value to the last octet in
the Off-Mesh I/A Series network card’s IP address as shown in Figure 8-22.
In the Host name field, enter the full name of your server (“svrinf.iaseries.local” is
the example shown in Figure 8-22) and click OK.

Figure 8-22. New Resource Record Dialog Box

h. Close the DNS Manager.


i. Click the Start button and select Control Panel -> Administrative Tools ->
Services.


j. In the Services dialog box, right-click the DNS Server, and then click Restart as
shown in Figure 8-23.

Figure 8-23. Restart DNS Service

25. Click the Start button, and click Programs -> Accessories -> Command Prompt to
open a command prompt. Type nslookup and press <Enter>. If DNS is functioning
properly, it should show that it found the local DNS server with the IP address set in
the previous steps (shown as 181.182.81.1 in Figure 8-23).

! CAUTION
Until DNS is working properly, the migration procedure cannot continue.

Figure 8-24. nslookup Service

26. Type Ctrl+C and press <Enter> to terminate nslookup.


Preparation for the migration of this source PDC is complete.


27. If you are upgrading an existing Secondary Domain Controller with I/A Series Software
v8.5/8.6/8.7 to become the new target PDC, you must remove the Active Directory
from this SDC as described in the following substeps. If you do not have an SDC
and are installing a new station as the target PDC, proceed to “Preparation and
Installation for New Target Primary Domain Controller” on page 254.
To remove the Active Directory from the SDC, perform one of the two following
procedures:
a. Use dcpromo on the existing SDC to remove Active Directory as described in
“Removing Domain Controller Functionality from a Workstation” on page 487.
b. In Active Directory Sites and Services on the source PDC, click Actions ->
Refresh. The NTDS settings that were shown under the SDC name are
removed. If they are not, the removal operation of the Active Directory from the
SDC was unsuccessful and you cannot continue. Contact Global Customer Support
for assistance.
-OR-
a. Use Symantec System Recovery (SSR) to load the new I/A Series software v8.8
platform image on the existing SDC station to be upgraded. Refer to Symantec
System Recovery 2011 Workstation Edition and Server Edition Guide for I/A Series
Workstations (B0700ES) for instructions.
b. On the source PDC, click the Start button and select Control Panel ->
Administrative Tools -> Active Directory Sites and Services. Navigate to
Sites -> [Domain Name] -> Servers -> [Name of SDC] and expand this last
node. Note that it contains the NTDS settings. Leave this displayed on the source
PDC for now.
28. Proceed to the next section.


Preparation and Installation for New Target Primary Domain Controller
Proceed as follows on the server to become the new PDC:

NOTE
Use the IAInstaller account for all installation tasks. However, due to the
permissions assigned to IAInstaller, do not use it for any other role, such as
operation of the station.

1. Perform the procedures in Appendix G “IASeries_NIC_Data.msi Installation (Pre-I/A Series
Installation)” on page 525.
2. On the station which is to become the new Off-Mesh I/A Series PDC, find the network
adapter for the new Off-Mesh I/A Series network.
Click the Start button and then click Control Panel -> Network and Sharing
Center. In the Tasks pane, click Change adapter settings. Right-click on the
adapter and click Properties.

Figure 8-25. Local Area Connection 3 Properties


c. In this same dialog box, select Internet Protocol Version 4 (TCP/IPv4)
and click Properties. In the Internet Protocol Version 4 (TCP/IPv4) Properties
dialog box, as shown in Figure 8-26, set the IP address and subnet mask for the
Off-Mesh NIC so that it can communicate with the Off-Mesh network card in
the existing On-Mesh PDC with I/A Series software v8.5/8.6/8.7. At this point, it
should be possible to ping the existing On-Mesh PDC from the new PDC.

Figure 8-26. Internet Protocol Version 4 (TCP/IPv4) Properties

3. Set the PowerShell execution policy on the target PDC by executing the following
command from within Windows PowerShell:
Set-ExecutionPolicy AllSigned


Figure 8-27. Set-ExecutionPolicy AllSigned

4. Insert the DVD labeled “I/A Series v8.8 Day 0 DVD-ROM” (K0174KE-A).
5. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 8-28.
Click Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 8-28. AutoPlay Dialog Box


! CAUTION
If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the server using the proper I/A Series software
v8.8 (or later) Restore media.

6. Click Yes to accept the User Account Control (UAC) prompt.


7. A pre-requisite installation dialog box appears as shown in Figure 8-29. Click
Install to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the
server.

Figure 8-29. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box

8. A dialog box appears that allows you to select whether you are installing I/A Series
software without security enhancements or for a security-enhanced system. Select
Install I/A Series software for a security enhanced system and
Install the workstation as an OFF-MESH domain controller (secondary
or primary), as shown in Figure 8-30.
Also select the check box labeled Migrate from Pre-8.8 I/A Series (PDC
Only) under the selection you checked, as shown in Figure 8-30.


Figure 8-30. Selecting to Install a Domain Controller Off-MESH

9. Click Next.
10. Acknowledge the warning shown in Figure 8-31.

Figure 8-31. I/A Series Installation Warning


11. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 8-32. Click Load to set the installation target drive to D:\ and
load the committed configuration files.

Figure 8-32. Load Committed Configuration Install Files

12. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 8-33. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a diskette, put the
diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 8-33 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.


Figure 8-33. Installation Media Folder Browser

13. Click Next. The I/A Series Software Installation dialog box appears as shown in
Figure 8-34, in which the “Install as a Secondary Domain Controller (SDC)” choice
is selected by default. Initially, this server will be installed as an SDC and will be
promoted to the role of the PDC before the installation completes.


Figure 8-34. Server Platform Setup (Off-MESH)

14. Enter the IP address of the existing PDC (from which you are migrating), as shown
in Figure 8-34.
In the Authorized Account field, verify that the domain joining account name displayed
has the authority to add workstations to the domain
(i.e. iaseries.local\IAInstaller).
In the Authorized Password field, enter the password for this account.
When finished, click Authorize.


15. If the local system time does not match the system time on the existing PDC (from
which you are migrating), a message is displayed as shown in Figure 8-35. Click OK.
Fix the local system time to match the existing PDC’s time and re-click Authorize.

Figure 8-35. I/A Series Installation Date Warning

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 8-36 is displayed. It is important to ensure that the
local and remote system times match (including date, time, AM/PM) before continuing.
Note that the checkbox displayed for some time zones which allows the system to
automatically adjust for Daylight Saving Time can affect the time displayed by the
system by one hour.

Figure 8-36. Unable to Determine Local Time on the PDC


16. If there is another SDC station on the network, choose that SDC’s name from the
drop-down list and click Set, as shown in Figure 8-37. Otherwise, click Skip.

Figure 8-37. Server Platform Setup (For Second SDC)


17. In the “Select a Host Domain for this workstation and click Connect” field, verify the
name of the domain and click Connect. The message shown in Figure 8-38 is displayed
to indicate that the connection to the domain has succeeded.
If unsuccessful, a reason for the failure is displayed.

Figure 8-38. Invensys IASeries Install: Workstation Reboot Request Dialog Box

18. After the server reboots, log on with the “IAInstaller” account with the password as it
was set during the PDC’s installation.
19. The installation continues automatically. The Server platform setup dialog box
appears.
Re-enter the IP address of the existing PDC (from which you are migrating), as
shown in Figure 8-39.
In the Authorized Account field, verify that the domain joining account name displayed
has the authority to add workstations to the domain (i.e. iaseries.local\IAInstaller).
In the Authorized Password field, enter the password for this account.
When finished, click Authorize.


Figure 8-39. Server Platform Setup (Off-MESH) Continued

20. Under the “Enter domain information for Active Directory setup and click Prepare”
area, verify the Domain Name and Site Name fields and click the Prepare button.
21. A warning dialog appears as shown in Figure 8-40. Ensure that the name you have
chosen for your Active Directory domain is correct and will not conflict with another
domain on the same network.

Figure 8-40. Active Directory Warning


22. Click Install to load the Active Directory Domain Services onto this server and to
assign the server to the role of Secondary Domain Controller.
A command prompt is displayed while Active Directory is being installed, as shown in
Figure 8-41.

Figure 8-41. Active Directory Installation via Command Prompt

The command prompt shows progress while the system is assigned to its Secondary
Domain Controller status and DNS is installed, as shown in Figure 8-42.

Figure 8-42. Assigning Role of Secondary Domain Controller via Command Prompt


23. The server reboots automatically after Active Directory has been installed.
After the server reboots, log into the “IADomainAdmin” account with the password as
set during the PDC’s installation.
24. The installation restarts automatically and the I/A Series Software Installation dialog
box appears as shown in Figure 8-43. Click Verify to check the health of the Active
Directory domain. This takes several minutes. It may be necessary to wait as much as
an hour before proceeding past this dialog box, depending on how long it takes for
Active Directory to replicate to this new station.

Figure 8-43. Verifying the Health of the Existing Active Directory System


25. When complete, the warning dialog box shown in Figure 8-43 is displayed if errors
are found. One or more conditions could be detected including diagnostic failures,
event log errors, and replication failures.

Figure 8-44. I/A Series Installation Warning for DC Health Log File


26. To view the log, click View in Figure 8-44. After viewing the errors, it may be necessary
to correct the issues in the Active Directory domain. Click the Verify button as
many times as necessary after you take each corrective action to ensure that no further
issues exist. After clicking Verify, clicking View opens the updated diagnostic results.

Figure 8-45. Verifying the Health of the Existing Active Directory System (Errors Found)

NOTE
The following error messages are expected during a migration and can be safely
ignored:
Warning 1:
Warning: SVRINF is not advertising as a time server.
......................... SVRINF failed test Advertising
Invalid service type: RpcSs on SVRINF, current value
WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS
w32time Service is stopped on [SVRINF]
......................... SVRINF failed test Services


Warning 2:
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed,
error 1355
A Good Time Server could not be located.
......................... iaseries.local failed test LocatorCheck

NOTE
It can take several hours for event log messages which were generated during the
migration to clear from this log. System log failures (such as the following) should
be investigated if they persist long after the migration has completed.
......................... NESRV4 failed test SystemLog

27. If it is determined that it is safe to ignore the errors in the log, click Ignore to continue,
as shown in Figure 8-43. Acknowledge the following warning.

Figure 8-46. I/A Series Installation Errors in DC Health Log File


28. Click Next. The dialog shown in Figure 8-47 is displayed. Click Apply.

Figure 8-47. Setting Up the Platform For a Secure I/A Series Installation

A command prompt is displayed while the Active Directory settings are applied.
29. Click Finish.


30. When prompted, enter the required information for the Active Directory settings.
Enter the administrator account name on the I/A Series v8.5/8.6/8.7 domain (default
is iaseries.local\IAManager). Enter the password for the administrator account on the
I/A Series v8.5/8.6/8.7 domain. Click OK.

Figure 8-48. Configure DNS Setting Dialog Box

31. Review the Active Directory setup log
(%ALLUSERSPROFILE%\Invensys\IASeries\Installer\TarOutput_NNNNNNNNNNNNNNN\ADSetup.log) for errors.
32. Click Finish.
33. For each I/A Series domain client workstation, remove the On-Mesh DNS entry from
the I/A Series network interface card as follows. On the desktop, right-click Network,
and click Properties.
In the Network and Sharing Center dialog box, click Manage network connections.

NOTE
The installation will attempt to set the DNS entries on the existing stations with
I/A Series software v8.7 or earlier. However, this can fail for multiple reasons. You
may see the following message in the AD Setup log (D:\usr\fox\sp\ADSetup.log):
Failed to configure the DNS setting for AW0001 station. Access is
denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
The instructions for setting up DNS entries on existing stations with I/A Series
software v8.7 or earlier should be followed for all stations with I/A Series software
v8.7 or earlier even though it is possible that some entries have been set already. It is
critical to system interoperability that these settings are made.


34. Right-click the I/A Series network interface card, and click Properties.
In the adapter’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Properties.
The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 8-49.
Remove the IP addresses from the Preferred DNS server and Alternate DNS server
fields.

Figure 8-49. Internet Protocol (TCP/IP) Properties - Removing On-MESH DNS Entries [callout: Clear these fields.]


35. Next, set the IP Address and DNS settings for the Off-Mesh network interface card
according to the IP setting of the new Off-Mesh domain, as demonstrated in
Figure 8-50. Then click OK to apply the changes.

Figure 8-50. Internet Protocol (TCP/IP) Properties - Setting for Off-MESH Network Interface Card

36. Reboot the server. Click the Start button and click Shut Down; select Restart from
the pull-down menu and click OK.
The installation procedure for the domain controller is complete.

NOTE
After migration is complete, install Windows Server 2008 R2 Standard with
I/A Series software v8.8 on all of your SDCs.

Adding I/A Series Stations to Active Directory Post-Installation


When first installed, the Off-Mesh PDC contains objects in Active Directory for all I/A Series
stations in the system. If stations are added to the I/A Series system at a later time, new objects
must be created manually in this PDC’s Active Directory.


1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. You may need to scroll down to see
this menu selection.
2. From Active Directory Users and Computers, right-click on the “IA Computers” OU
and select New -> Computer as shown in Figure 8-51.

Figure 8-51. Selecting IA Computers -> New -> Computer

3. Enter the name of the new workstation in the Computer name field and click OK as
shown in Figure 8-52. The OU for “Pre-8.8 workstations” on migrated systems will
be named “Pre-8.8 IA Computers” as shown in Figure 8-53.


Figure 8-52. New Object - Computer

Figure 8-53. Selecting Pre-8.8 IA Computers -> New -> Computer


Continuing Installation
NOTE
For all domain clients migrated from a domain with I/A Series software
v8.5/8.6/8.7 to a domain with I/A Series software v8.8, it may be necessary to move
the migrated domain client’s object in Active Directory before beginning the client’s
installation procedure. Refer to “Migrating Domain Client from Domain in
I/A Series System v8.7 Or Earlier to a Domain in I/A Series System v8.8” on
page 358.

Refer to “Installing Optional Software” on page 63 to install any additional packages on your new
PDC.
Be sure to re-enable McAfee VirusScan on all the PDCs, SDCs and domain clients on which you
disabled it. Refer to “Re-Enabling the McAfee VirusScan Console” on page 408.
Proceed to Chapter 10 “Security Enhanced I/A Series Software v8.8 Installation for Domain
Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Clients to Existing
Off-MESH Networks” for the installation procedure for the domain clients.

9. Migrating I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-MESH Primary Domain Controller
This chapter describes how to migrate an existing (source) On-Mesh Primary Domain
Controller with I/A Series software v8.5/8.6/8.7 and Windows Server 2003 to a pre-existing
(target) Off-Mesh Primary Domain Controller (PDC) with I/A Series software v8.8 or later
and Windows Server 2008 R2 Standard.
This procedure involves:
• Copying the inter-forest migration scripts to a portable drive, and downloading the
required third-party software
• Transferring the Active Directory Settings from the source On-Mesh PDC to the
target Off-Mesh PDC
• Installing required third-party software to the target Off-Mesh PDC
• Migrating passwords and group policy objects (GPOs) from the source On-Mesh
PDC (with the Password Export Server) to the target Off-Mesh PDC
• Migrating the domain clients with I/A Series software v8.5/8.6/8.7 to the new
Off-Mesh domain.
You must transfer all user accounts, groups and computers manually to the migration
organizational unit (OU) on the source On-Mesh PDC.
The inter-forest migration scripts on the I/A Series v8.8 Day 0 DVD-ROM will:
• Migrate all the user accounts, groups, group memberships, passwords and security
identifiers (SIDs) from the On-Mesh PDC’s migration OU to the pre-existing
Off-Mesh PDC’s migration OU.
• Install the new I/A Series Security Phase 2 Active Directory components on the target
Off-Mesh PDC automatically using other scripts.
After migrating the user accounts, groups and computers, each client workstation must be
removed from the source On-Mesh PDC and added to the target Off-Mesh PDC (the station
onto which the new software will be installed).
In these procedures, the:
• Existing On-Mesh Primary Domain Controller with I/A Series software v8.5/8.6/8.7
and Windows Server 2003 is referred to as the source PDC.
• Existing Off-Mesh Primary Domain Controller (PDC) with Windows Server 2008
R2 Standard and the I/A Series software v8.8 Active Directory group policies or Phase
2 Active Directory security components installed on it is referred to as the target
PDC.


Group Policy Settings Migration From Domains with I/A Series Software v8.7 or Earlier
When migrating from an On-Mesh domain with I/A Series software v8.7 or earlier to an existing
Off-Mesh domain with I/A Series software v8.8 or later, there are group policy settings in the
domain with I/A Series software v8.7 or earlier that will not automatically be in effect after
performing the migration. This is to prevent the introduction of changes to your existing domain at
such a base level that could adversely affect other nodes that are already working in that existing
domain.
This is particularly true of settings that were in the Default Domain Controllers Policy group
policy objects (GPOs) for domains with I/A Series software v8.7 or earlier. These group policy
settings will not be applied to your existing domain controller GPO.
For convenience, the installation application for I/A Series software v8.8 copies the Default
Domain Controllers Policy for a domain with I/A Series software v8.7 or earlier to the new
domain as the “Pre-8.8 Default Domain Controllers Policy” but it will not be linked to any OU.
It is there for reference to capture the domain controller policies that were in effect in the domain
with I/A Series software v8.7 or earlier.
It is your responsibility and at your discretion whether or not to manually add any settings that
were in the Default Domain Controllers Policy for a domain with I/A Series software v8.7 or
earlier to your own existing domain controllers group policy.
One such policy is the Password Complexity setting. Invensys supplies an enhanced Password
Complexity policy that you can turn on optionally if you want to require that all passwords
contain four types of characters (upper, lower, numbers, and symbols). This policy setting is described
in Security Enhancements User's Guide for I/A Series Workstations with Windows 7 or Windows
Server 2008 Operating Systems (B0700ET). If the Invensys-supplied enhanced Password
Complexity policy had been enabled in the domain controller policy for a domain with I/A Series software
v8.7 or earlier, it will need to be added to the domain controllers policy on the existing Off-Mesh
domain manually.

Preparation for Installation


To prepare for the installation of the target Off-Mesh PDC (with I/A Series v8.8 or later), proceed
as follows:
1. Perform the procedures in Appendix G “IASeries_NIC_Data.msi Installation
(Pre-I/A Series Installation)” on page 525.
2. Copy the inter-forest migration scripts from the DVD labeled “I/A Series v8.8 Day 0
DVD-ROM” (K0174KE-A) onto a portable drive that can be used for the setup of
the Off-Mesh PDC. The scripts are located in the \InterForestMigration folder as
shown in Figure 9-1.


Figure 9-1. InterForestMigration Folder

3. Download the following third-party installation packages from Microsoft:


• Microsoft SQL Server 2008 SP3 Express Edition v10.00.5500.00 (32-bit installer
for installation on 64-bit workstations) - SQLEXPR_x86_ENU.exe (dated
10/6/2011), available here:
https://www.microsoft.com/en-us/download/details.aspx?id=27597

NOTE
SQL Server 2008 R2 Express Edition is not supported.

• Active Directory Migration Tool v3.2 - admtsetup32.exe (dated 6/18/2010),
available here:
https://www.microsoft.com/en-us/download/details.aspx?id=8377
• Password Export Server version 3.1 (x86) - pwdmig.msi (dated 7/9/2008),
available here:
https://www.microsoft.com/en-us/download/details.aspx?id=10370

NOTE
This is NOT the pwdmig.msi file found in the support files provided with the
Windows Server 2003 R2 operating system.
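
Because these three installers are downloaded separately and carried to a domain controller on a portable drive, their Authenticode signatures can be checked before they are run. The following PowerShell is an added example, not part of the original guide: the folder E:\ThirdParty is a hypothetical location, and the expectation that all three files are signed by Microsoft Corporation is an assumption based on their being Microsoft downloads.

```powershell
# Added example (not from the guide). The file names are the ones listed in
# step 3; the folder and the expected signer string are assumptions.
$PackageFolder  = 'E:\ThirdParty'             # hypothetical portable-drive folder
$ExpectedSigner = 'O=Microsoft Corporation'   # assumed publisher of all three files
$Packages       = 'SQLEXPR_x86_ENU.exe', 'admtsetup32.exe', 'pwdmig.msi'

function Test-InstallerSignature {
    param(
        [string]$Path,
        [string]$Signer
    )

    # Start from the worst case so a missing file can never be reported as OK.
    $result = New-Object PSObject -Property @{
        File    = Split-Path $Path -Leaf
        Verdict = 'MISSING'
        Subject = ''
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return $result
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.SignerCertificate) {
        $result.Subject = $sig.SignerCertificate.Subject
    }

    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        $result.Verdict = "REJECT ($($sig.Status))"
    }
    elseif ($result.Subject -notlike "*$Signer*") {
        # Correctly signed, but not by the publisher we expect.
        $result.Verdict = 'REJECT (unexpected signer)'
    }
    else {
        $result.Verdict = 'OK'
    }
    return $result
}

$report = foreach ($name in $Packages) {
    Test-InstallerSignature -Path (Join-Path $PackageFolder $name) -Signer $ExpectedSigner
}
$report | Format-Table File, Verdict, Subject -AutoSize

if ($report | Where-Object { $_.Verdict -ne 'OK' }) {
    Write-Warning 'At least one installer is missing or failed the signature check. Do not install it.'
}
```

A status other than Valid also covers the case where the machine cannot build a trusted certificate chain, so run the check on the workstation used for the download before copying the files to the portable drive.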


CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

Disabling the VirusScan Console on Target Primary Domain Controller
Proceed as follows to disable the McAfee VirusScan Console on the target PDC:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. If Access Protection is “Enabled”, right-click on Access Protection and select
Disable, as shown in Figure 9-2.

Figure 9-2. Disable Virus Scan Access Protection

4. Right-click on On-Access Scanner and select Disable.


5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 9-3.


Figure 9-3. On-Access Scan Properties Dialog Box

6. Clear the check-box labeled Enable on-access scanning at system startup
and click Apply. Click OK.

NOTE
The check box should be re-enabled at the end of the installation.


Preparing the Source Primary Domain Controllers for Transferring Active Directory Settings
To prepare the source PDC (with I/A Series software v8.5/8.6/8.7) to have its Active Directory
settings transferred to the target PDC (with I/A Series v8.8 or later), proceed as follows:
1. On the source PDC, change the password of the IAManager account to match the
password of the Administrator account on the target PDC. Click the Start button and
select Control Panel -> Administrative Tools -> Active Directory Users
and Computers. In Active Directory Users and Computers, right click on the user
account and select Reset Password.

Figure 9-4. Selecting Reset Password


2. Enter the password in the two fields as shown in Figure 9-5 and click OK.

Figure 9-5. Reset Password Dialog Box

3. Log off from the source PDC and log back into the source PDC using the newly-set
password.
4. Set the PowerShell execution policy on the source PDC by executing the following
command from within Windows PowerShell:
Set-ExecutionPolicy Unrestricted

Figure 9-6. Set-ExecutionPolicy Unrestricted

5. Open the Internet Protocol (TCP/IP) Properties dialog box for the Off-Mesh NIC
card as follows:
a. On the desktop, right-click My Network Places, and click Properties.
b. In the Network and Connections dialog box, right-click the Off-Mesh NIC card,
and click Properties.


c. In the card’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Properties.
The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 9-7.
d. In the Internet Protocol (TCP/IP) Properties dialog box, set the TCP/IP address
and DNS server address to match the network settings of the target PDC. The
DNS server address should be the IP address of the target PDC.

Figure 9-7. Internet Protocol (TCP/IP) Properties Dialog Box - Off-MESH NIC Card

NOTE
The installation will attempt to set the DNS entries on the existing stations with
I/A Series software v8.7 or earlier. However, this can fail for multiple reasons. You
may see the following message in the AD Setup log (D:\usr\fox\sp\ADSetup.log):
Failed to configure the DNS setting for AW0001 station. Access is
denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
The instructions for setting up DNS entries on existing stations with I/A Series
software v8.7 or earlier should be followed for all stations with I/A Series software
v8.7 or earlier even though it is possible that some entries have been set already. It is
critical to system interoperability that these settings are made.


6. Open the Properties dialog box for the FoxInt NDIS Intermediate Miniport Driver
(I/A Series network card).
a. On the desktop, right-click My Network Places, and click Properties.
b. In the Network and Connections dialog box, right-click the FoxInt NDIS
Intermediate Miniport Driver, and click Properties.
c. Disable the TCP/IP protocol on the FoxInt NDIS Intermediate Miniport Driver
by un-checking the Internet Protocol (TCP/IP) check box in the list of supported
protocols as shown in Figure 9-8.

Figure 9-8. Internet Protocol (TCP/IP) Properties Dialog Box - FoxInt NDIS Intermediate Miniport Driver


7. Click the Start button, and click Programs -> Accessories -> Command Prompt to
open a command prompt. Verify the basic TCP/IP connectivity by pinging the target
PDC from the command prompt.

Figure 9-9. Ping Target PDC from Command Prompt


8. Open Windows PowerShell and navigate to the folder containing the inter-forest
migration scripts (.\InterForestMigration\PrepSourceDomain), to which you copied
them in “Preparation for Installation” on page 280. In the Windows PowerShell
command prompt, execute the command .\PrepSourceDomainForMigration.ps1 to
prepare the source PDC for migration.

NOTE
If Windows PowerShell was already open before this step to set an execution policy,
the PowerShell command prompt must be closed and then reopened before
performing this step.

Figure 9-10. Execute PrepSourceDomainForMigration.ps1 Script


9. In the Inter-Forest Migration dialog box, shown in Figure 9-11, provide the
information requested for your source and target PDCs. In this example, the target
PDC is named existing.local with an IP address of 181.182.81.1 and an
administrator account name of Administrator. The source PDC IP address is 181.182.81.2 in
this example.

Note: Values shown are examples only.


Figure 9-11. Inter-Forest Migration Dialog Box

10. Review the Active Directory setup log (D:\usr\fox\sp\ADSetup.log) for errors.


11. From within Active Directory Users and Computers, drag the “IA Computers” and
“IA Users” Organizational Units (OUs) to the Migration OU as shown in
Figure 9-12.

Figure 9-12. Moving IA Computers and IA Users OUs into Migration OU


12. Select the Exceed_Users group, the IA Installer group, the IA Services group, the
IA Services user (named IAServices in Figure 9-13), and the IA Installer user (named
IAInstaller in Figure 9-13) from within the Users OU. Drag these users and groups to
the Migration OU as shown in Figure 9-13.

Figure 9-13. Moving Additional Users and Groups into the Migration OU


13. After the previous steps have been performed, the Migration OU appears as shown in
Figure 9-14.

Figure 9-14. Migration OU - Populated

Any additional users and groups may also be dragged into the Migration OU if they
are to be migrated. However, the migration process does not support migrating
custom OUs. All objects must be located directly under the Migration OU.

NOTE
Any non-standard accounts or groups (such as those which were not created by
default during the installation of I/A Series software v8.5) will be migrated if they
are placed directly inside the Migration OU. However, any links which had been
made to group policy objects (GPOs) before the migration will be lost. After the
migration is complete, it will be necessary to recreate the OUs which had contained
these Active Directory objects and manually move the objects into their respective
OUs. It will also be necessary to re-establish any links to the GPOs in order for
these user groups and accounts to work as they had on the pre-migrated system.
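
For the log review in step 10, the DNS failure message quoted in the note above can be searched for directly. The following PowerShell is an added example, not part of the original guide: only the failure sentence comes from the guide, while the function name Get-FailedDnsStation, the station WP0002 and the assumption that the log is plain text in which a message may wrap onto the next line are introduced here.

```powershell
# Added example (not from the guide): list the stations for which the installer
# reported a DNS configuration failure in ADSetup.log.
# Only the failure sentence is taken from the guide; the rest of the log layout
# (plain text, a message may wrap onto the next line) is an assumption.

function Get-FailedDnsStation {
    param([string[]]$LogLine)

    # Join the lines so a message wrapped across two lines still matches.
    $text = ($LogLine -join ' ') -replace '\s+', ' '
    $pattern = 'Failed to configure the DNS setting for (\S+) station\.' +
               '\s*([^()]*?)\s*\(Exception from HRESULT: (0x[0-9A-Fa-f]{8})'

    $seen = @{}
    foreach ($m in [regex]::Matches($text, $pattern)) {
        $station = $m.Groups[1].Value
        if ($seen.ContainsKey($station)) { continue }   # report each station once
        $seen[$station] = $true

        # Decode the HRESULT: bits 16-26 are the facility, the low 16 bits the code.
        # Facility 7 means the code is an ordinary Win32 error number.
        $value    = [Convert]::ToUInt32($m.Groups[3].Value, 16)
        $code     = [int]($value % 65536)
        $facility = [int]([math]::Floor($value / 65536) % 2048)
        $meaning  = ''
        if ($facility -eq 7) {
            $meaning = (New-Object ComponentModel.Win32Exception $code).Message
        }

        New-Object PSObject -Property @{
            Station = $station
            Reason  = $m.Groups[2].Value
            HResult = $m.Groups[3].Value
            Win32   = $meaning
        }
    }
}

# Constructed sample lines. The AW0001 message is the one quoted in the guide;
# the WP0002 entry and the informational lines are made up for this example.
$sample = @'
AD setup started.
Failed to configure the DNS setting for AW0001 station. Access is
denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
Failed to configure the DNS setting for WP0002 station. Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
Failed to configure the DNS setting for AW0001 station. Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
AD setup finished.
'@ -split "`r?`n"

$failed = @(Get-FailedDnsStation -LogLine $sample)
$failed | Format-Table Station, HResult, Win32, Reason -AutoSize
"{0} station(s) reported a DNS configuration failure." -f $failed.Count

# Against the real log on the PDC:
#   Get-FailedDnsStation -LogLine (Get-Content 'D:\usr\fox\sp\ADSetup.log')
```

The list only shows where the installer is known to have failed; the guide still requires the manual DNS procedure on every station with I/A Series software v8.7 or earlier.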


Preparing the Target Primary Domain Controllers


Proceed as follows to transfer the source PDC’s (with I/A Series software v8.5/8.6/8.7) Active
Directory settings to the target PDC (with I/A Series v8.8 or later):
1. Ensure you are logged in as Administrator. In the target PDC (with I/A Series v8.8 or
later), insert the DVD labeled “I/A Series v8.8 Day 0 DVD-ROM” (K0174KE-A).
2. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 9-15.
Click Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 9-15. AutoPlay Dialog Box

3. Click Yes to accept the User Account Control (UAC) prompt.


4. A pre-requisite installation dialog box appears as shown in Figure 9-16. Click
Install to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the
server.


Figure 9-16. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box


5. A dialog box appears that allows you to select whether you are installing I/A Series
software without security enhancements or for a security-enhanced system. Select
Install I/A Series software for a security enhanced system and
Perform an inter-forest migration, Pre-8.8 to existing OFF-MESH
(load commit files only)

Figure 9-17. Selecting to Perform an Inter-Forest Migration

6. Click Next.


7. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 9-18. Click Load to set the installation target drive to D:\ and
load the committed configuration files.

Figure 9-18. Load Committed Configuration Install Files

8. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 9-19. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a diskette, put the
diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 9-19 indicates
the number of the requested Commit diskette to the right of the Load button (101
for the first diskette, 102 for the second, and so forth). Insert each diskette in the set
and click Load.


Figure 9-19. Installation Media Folder Browser

9. Click Next.
10. Once the committed configuration installation files have been loaded, click Finish.

Figure 9-20. InstallShield Wizard Completed


11. Verify that the TCP/IP settings for the target PDC are compatible with the settings
made on the source PDC. Open the Internet Protocol (TCP/IP) Properties dialog box
for the target PDC’s Off-Mesh NIC card as follows:
a. On the desktop of the target PDC, right-click My Network Places, and click
Properties.
b. In the Network and Connections dialog box, right-click the Off-Mesh NIC card,
and click Properties.
c. In the card’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Properties.
The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 9-21.
d. In the Internet Protocol (TCP/IP) Properties dialog box, ensure the IP address is
compatible with the settings made for the source domain controller. When
finished, click OK twice to close these dialog boxes.

Figure 9-21. Internet Protocol (TCP/IP) Properties Dialog Box - Target PDC’s Off-MESH NIC Card


12. Click the Start button, and click Programs -> Accessories -> Command Prompt to
open a command prompt. Verify the basic TCP/IP connectivity by pinging the target
PDC from the command prompt.

Figure 9-22. Ping Source PDC from Command Prompt

13. Install the Microsoft SQL Server 2008 SP3 Express Edition software v10.00.5500.00
downloaded in “Preparation for Installation” on page 280, using the directions
described in “Installing Microsoft SQL Server 2008 SP3 Express Edition
v10.00.5500.00” on page 306.
Note that SQL Server 2008 R2 Express Edition is not supported.


14. Open Windows PowerShell and navigate to the folder containing the inter-forest
migration scripts (.\InterForestMigration\PrepTargetDomain), to which you copied
them in “Preparation for Installation” on page 280. In the Windows PowerShell
command prompt, execute the command .\PrepTargetDomainForMigration.ps1 to
prepare the target PDC for migration.

Figure 9-23. Executing PrepTargetDomainForMigration.ps1


15. In the Inter-Forest Migration dialog box, shown in Figure 9-24, provide the
information requested for your source PDC. In this example, the source PDC is
named iaseries.local with an IP address of 181.182.81.2 and an administrator
account name of IAManager.

Note: Values shown are examples only.

Figure 9-24. Inter-Forest Migration Dialog Box

16. Review the Active Directory setup log
(%ALLUSERSPROFILE%\Invensys\IASeries\Installer\TarOutput_NNNNNNNNNNNNNNNNNN\ADSetup.log)
for errors once the scripts executed in the previous steps have completed.
17. Install Active Directory Migration Tool v3.2 (admtsetup32.exe) downloaded in
“Preparation for Installation” on page 280, using the directions in “Installing Active
Directory Migration Tool v3.2” on page 322.
Be sure to use “.\SQLEXPRESS” as your SQL Server instance name unless a different
instance name was selected during the SQL Server installation.
18. Open Active Directory Migration Tool under Administrative Tools and verify
that there are no errors reported in the ADMT window, shown in Figure 9-25. If
errors were reported, the migration cannot continue until they are resolved. Make
sure that ADMT v3.2 was installed under the correct user account and that SQL
Server 2008 Express is also correctly installed. It may be necessary to uninstall and
reinstall ADMT 3.2 (as described in “Installing Active Directory Migration Tool
v3.2” on page 322) to resolve issues before continuing.


Figure 9-25. Active Directory Migration Tool Window

19. Click the Start button, and click Programs -> Accessories -> Command Prompt to
open a command prompt. Create the password migration export file by executing the
following command from the command prompt:
C:\Windows\admt\admt.exe key /opt:create /sd:"[SOURCE_PDC]" /kf:"[PASSWORD_EXPORT_FILE]" /KeyPassword:"[PASSWORD]"
Where:
[SOURCE_PDC] is the name of the source PDC.
[PASSWORD_EXPORT_FILE] is the location and name for the new password
export file.
[PASSWORD] is the key password.
For example (as shown in Figure 9-26), if the name of the source PDC is
“iaseries.local” and the name of the password export file is “D:\source.pes”, the
command would be:
C:\Windows\admt\admt.exe key /opt:create /sd:"iaseries.local" /kf:"D:\source.pes" /KeyPassword:"Password1"


Figure 9-26. Creating the Password Migration Export File

20. From Active Directory Users and Computers, right-click on the Built-in
Administrators group and select Properties. In the Administrators Properties dialog
box, select the Members tab and click the Add button as shown in Figure 9-27.

Figure 9-27. Administrators Properties Dialog Box


21. In the Select Users, Contacts, Computers, Service Accounts or Groups dialog box,
enter the full name of the source PDC’s administrator account (in this example,
IASERIES\IAManager) and click OK.

Note: Values shown are examples only.

Figure 9-28. Select Users, Contacts, Computers, Service Accounts or Groups Dialog Box

22. Click OK to close the Administrators Properties dialog box.


23. Reboot the target PDC. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.


Installing Microsoft SQL Server 2008 SP3 Express Edition v10.00.5500.00
Install Microsoft SQL Server 2008 Express Edition SP3 as follows.
1. Run the SQLEXPR_x86_ENU.exe file you downloaded in “Preparation for
Installation” on page 280.
2. Select Installation on the left-hand side of the SQL Server Installation Center
dialog box. Click the link for New SQL Server stand-alone installation or add
features to an existing installation.

Figure 9-29. SQL Server Installation Center - Start Installation


3. Click OK.

Figure 9-30. SQL Server Installation Center - Setup Support Rules


4. Click Next.

Figure 9-31. SQL Server Installation Center - License Key


5. Check the I accept the license terms check box and click Next.

Figure 9-32. SQL Server Installation Center - Accept License


6. Click Install to install the setup support files.

Figure 9-33. SQL Server Installation Center - Install Setup Support Files


7. Click Next.

Figure 9-34. SQL Server Installation Center - Setup Support Files Installed


8. Check the Database Engine Services check box and click Next.

Figure 9-35. SQL Server Installation Center - Feature Selection


9. Confirm the instance name of SQLExpress and click Next.

Figure 9-36. SQL Server Installation Center - Instance Configuration


10. Click Next.

Figure 9-37. SQL Server Installation Center - Disk Space Requirements


11. Select the “NT AUTHORITY\SYSTEM” account for the SQL Server Database
Engine. Then, click Next.

Figure 9-38. SQL Server Installation Center - Server Configuration


12. Add the Administrator account as a SQL Server Administrator
(EXISTING\Administrator). Then, click Next.

Figure 9-39. SQL Server Installation Center - Database Engine Configuration


13. Click Next.

Figure 9-40. SQL Server Installation Center - Error and Usage Reporting


14. Click Next.

Figure 9-41. SQL Server Installation Center - Installation Rules


15. Click Install to install SQL Server 2008 Express, SP3.

Figure 9-42. SQL Server Installation Center - Ready to Install


16. Click Next.

Figure 9-43. SQL Server Installation Center - Installation Progress


17. Click Close when the installation is complete.

Figure 9-44. SQL Server Installation Center - Installation Complete


Installing Active Directory Migration Tool v3.2


To install the Active Directory Migration Tool (ADMT) v3.2, proceed as follows:
1. In Windows Explorer, double-click the Active Directory Migration Tool installer
(admtsetup32.exe) which you downloaded in “Preparation for Installation” on
page 280.
2. As shown in Figure 9-45, click Next.

Figure 9-45. Installing Active Directory Migration Tool v3.2 - Welcome


3. As shown in Figure 9-46, select the I Agree radio button and click Next.

Figure 9-46. Installing Active Directory Migration Tool v3.2 - License Agreement


4. As shown in Figure 9-47, leave the default setting and click Next.

Figure 9-47. Installing Active Directory Migration Tool v3.2 - Customer Experience Improvement


5. Enter the instance name (chosen during the SQL Server 2008 Express SP3
installation). The default is .\SQLEXPRESS as shown in Figure 9-48. Then click Next.

Figure 9-48. Installing Active Directory Migration Tool v3.2 - Database Selection


6. Click Next.

Figure 9-49. Installing Active Directory Migration Tool v3.2 - Database Import


7. When prompted as shown in Figure 9-50, click Finish to complete the Active Directory
Migration Tool installation.

Figure 9-50. Installing Active Directory Migration Tool v3.2 - Complete


Migrating Passwords and Group Policy Objects (GPOs) from Source Primary Domain Controller
To migrate the passwords and the group policy objects (GPO) from the source PDC, proceed as
follows:
1. Install Password Export Server v3.1 (x86) (pwdmig.msi), downloaded in “Preparation
for Installation” on page 280, with the procedure described in “Installing Password
Export Server v3.1” on page 334.

Figure 9-51. Installing pwdmig.msi

2. At the end of the Password Migration service installation, when asked if you want to
restart the computer (see Figure 9-52), select No.

Figure 9-52. Select No


3. Click Start -> Run. In the Run dialog box, type services.msc and click OK. The
Services dialog appears. Right-click on the Password Export Server Service
entry and select Properties.

Figure 9-53. Password Export Server Service


4. In the Service Properties dialog box, select a startup type of Automatic and click OK.

Figure 9-54. Password Export Server Service Properties Dialog Box

5. Close the Services window.


6. Open the Group Policy Management Console (GPMC) - click the Start button and
select Control Panel -> Administrative Tools -> Group Policy Management.


7. In the GPMC console tree, locate the Default Domain Controllers GPO as shown in
Figure 9-55, right-click it and select Edit.

Figure 9-55. Group Policy Management Console (GPMC)


8. Navigate to Computer Configuration -> Windows Settings -> Security
Settings -> Restricted Groups as shown in Figure 9-56. Right-click on
Administrators and select Properties.

Figure 9-56. Group Policy Object Editor - Restricted Groups


9. Click Add adjacent to the “Members of this group” area.

Figure 9-57. Administrators Properties Dialog Box

10. Enter the name of the Administrator account on the target domain and click OK.

Figure 9-58. Add Member Dialog Box

11. Click OK to exit the Administrators Properties dialog box.


12. Reboot the source PDC. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.
13. After the source PDC finishes rebooting, log into the PDC with the IAManager
account. You must be logged in with this account for the Password Export Server
Service to run.


Installing Password Export Server v3.1


Proceed as follows on the source PDC:
1. In Windows Explorer, double-click the Password Export Server v3.1 installer
(pwdmig.msi) which was downloaded in “Preparation for Installation” on page 280.
2. When the Welcome screen shown in Figure 9-59 appears, click Next.

Figure 9-59. ADMT Password Migration DLL Setup Welcome


3. As shown in Figure 9-60, select the I Accept the License Agreement radio
button and click Next.

Figure 9-60. ADMT Password Migration DLL Setup - License Agreement


4. Click Browse as shown in Figure 9-61. Browse to the location in which you created
the source.pes file in “Preparing the Target Primary Domain Controllers” on
page 294. (For example, in Figure 9-61, the location is D:\.) Click OK to close the
Browse dialog box. Then click Next.

Figure 9-61. ADMT Password Migration DLL Setup - Encryption File

5. When the dialog box shown in Figure 9-62 appears, type the password you provided
for this file in “Preparing the Target Primary Domain Controllers” on page 294
(“Password1”) in the Password and Confirm fields. Then click Next.

Figure 9-62. Password for the Encryption Key


6. As shown in Figure 9-63, click Next.

Figure 9-63. ADMT Password Migration DLL Setup - Start Installation

7. When the dialog box shown in Figure 9-64 appears, enter the source PDC Administrator
account credentials (IASERIES\IAManager) to configure the Password Export
Server and click OK.

Figure 9-64. ADMT Password Migration DLL - Specifying User Account


8. Click OK.

Figure 9-65. ADMT Password Migration DLL - Account Granted Log On As a Service Right

9. Click Finish to complete the Password Export Server Service installation.

Figure 9-66. ADMT Password Migration DLL Setup - Finishing Installation


10. Do not restart the source PDC. When prompted as shown in Figure 9-67, click No.

Figure 9-67. Restarting Your System

Migrating Active Directory Settings to the Target Primary Domain Controller
To migrate the Active Directory settings to the target PDC, proceed as follows:
1. Log into the target PDC using the Administrator account to be used for the
migration.
2. To turn off the Windows PowerShell signing restriction, open a Windows PowerShell
(x86) command prompt - 32-bit version only - and execute the following command:
Set-ExecutionPolicy Unrestricted

NOTE
1) You cannot use the 64-bit Windows PowerShell to execute these scripts.
2) The source PDC must be available and must be logged into with the account
under which the Password Export Server Service is set up to run.

3. Re-open a Windows PowerShell (x86) command prompt - 32-bit version only.


4. Navigate to the folder containing the migration scripts (.\InterForestMigration\Migrate)
to which you moved them in “Preparation for Installation” on
page 280.
In the command prompt, execute the following command as shown in Figure 9-68:
.\ADInterForestMigration.ps1


Figure 9-68. Executing .\ADInterForestMigration.ps1

5. When prompted, provide the name of the source PDC (iaseries.local in the example
shown in Figure 9-69).

Note: Value shown is an example only.

Figure 9-69. Inter-Forest Migration Dialog Box

The migration takes several minutes to complete.


6. Review the Active Directory setup log
(%ALLUSERSPROFILE%\Invensys\IASeries\Installer\TarOutput_NNNNNNNNNNNNNNNNNN\ADSetup.log)
for errors.
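
One way to carry out the log review in step 6 and to put back the execution policy changed in step 2 once the migration has finished. This is an added example, not part of the Invensys migration scripts; the function names, the state-file path and the keyword pattern are assumptions (the guide does not describe the ADSetup.log message format), and the syntax is limited to what Windows PowerShell 2.0 accepts.

```powershell
# Added example (not part of the Invensys migration scripts).
# Run everything in the elevated 32-bit Windows PowerShell (x86) prompt the guide
# requires: the x86 and x64 hosts keep separate LocalMachine execution-policy settings.

# Hypothetical location for the saved policy value.
$StateFile = Join-Path $env:TEMP 'execpolicy-before-migration.txt'

function Test-Is32BitHost {
    # A 32-bit process has 4-byte pointers.
    return ([IntPtr]::Size -eq 4)
}

function Save-ExecutionPolicy {
    # Call BEFORE step 2 (Set-ExecutionPolicy Unrestricted).
    if (-not (Test-Is32BitHost)) { throw 'Run this from Windows PowerShell (x86).' }
    $current = Get-ExecutionPolicy -Scope LocalMachine
    Set-Content -Path $StateFile -Value $current.ToString()
    return $current
}

function Restore-ExecutionPolicy {
    # Call AFTER the migration and the log review are done.
    if (-not (Test-Is32BitHost)) { throw 'Run this from Windows PowerShell (x86).' }
    if (-not (Test-Path $StateFile)) { throw "No saved policy at $StateFile" }
    $saved = (Get-Content -Path $StateFile | Select-Object -First 1).Trim()
    Set-ExecutionPolicy -ExecutionPolicy $saved -Scope LocalMachine -Force
    return (Get-ExecutionPolicy -Scope LocalMachine)
}

function Find-ADSetupLogIssues {
    param(
        [string]$InstallerRoot = (Join-Path $env:ALLUSERSPROFILE 'Invensys\IASeries\Installer'),
        # Assumed keywords; the guide does not describe the log's message format.
        [string]$Pattern = 'error|fail|exception|denied|cannot'
    )
    # The TarOutput_NNN... folder name differs per run, so resolve it with a
    # wildcard and scan only the most recently written ADSetup.log.
    $logPath = Join-Path $InstallerRoot 'TarOutput_*\ADSetup.log'
    $logs = @(Get-Item -Path $logPath -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending)
    if ($logs.Count -eq 0) { throw "No ADSetup.log found under $InstallerRoot" }
    $newest = $logs[0]
    Write-Host "Scanning $($newest.FullName) (written $($newest.LastWriteTime))"
    # Select-String matches case-insensitively by default; -Context keeps one
    # line before and after each hit so the failing operation is visible.
    return @(Select-String -Path $newest.FullName -Pattern $Pattern -Context 1,1)
}

# Usage once the migration in step 5 has completed:
#   $hits = Find-ADSetupLogIssues
#   $hits | ForEach-Object { $_.ToString() }
#   Restore-ExecutionPolicy
```

An empty result from Find-ADSetupLogIssues only means none of the assumed keywords appeared; it does not replace reading the log.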

Adding I/A Series Stations to Active Directory Post-Installation


When first installed, the Off-Mesh PDC contains objects in Active Directory for all I/A Series
stations in the system. If stations are added to the I/A Series system at a later time, new objects must
be created manually in this PDC’s Active Directory.
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers. You may need to scroll down to see
this menu selection.
2. From Active Directory Users and Computers, right-click on the “IA Computers”
OU and select New -> Computer as shown in Figure 9-70.


Figure 9-70. Selecting IA Computers -> New -> Computer

3. Enter the name of the new workstation in the Computer name field and click OK as
shown in Figure 9-71. The OU for “Pre-8.8 workstations” on migrated systems will
be named “Pre-8.8 IA Computers” as shown in Figure 9-72.


Figure 9-71. New Object - Computer

Figure 9-72. Selecting Pre-8.8 IA Computers -> New -> Computer


Migrating Domain Clients with I/A Series Software v8.5/8.6/8.7 to the New Off-MESH Domain
To migrate the existing domain clients (with I/A Series software v8.5/8.6/8.7) to the new
Off-Mesh domain, proceed as follows:
1. Open the Internet Protocol (TCP/IP) Properties dialog box for the FoxInt NDIS
Intermediate Miniport Driver (I/A Series network card).
a. On the desktop, right-click My Network Places, and click Properties.
b. In the Network and Connections dialog box, right-click the FoxInt NDIS Intermediate
Miniport Driver, and click Properties.
c. In the adapter’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Properties.

Figure 9-73. Adapter Properties Dialog Box


d. The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 9-74. Remove all DNS server entries.

Figure 9-74. Internet Protocol (TCP/IP) Properties Dialog Box - FoxInt NDIS Intermediate
Miniport Driver

2. Open the Internet Protocol (TCP/IP) Properties dialog box for the Off-Mesh NIC.
a. In the Network and Connections dialog box, right-click the Off-Mesh NIC, and
click Properties.
b. In the NIC’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Properties.


c. The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 9-75. Set up the TCP/IP entries for IP address and DNS servers which are
compatible with the new Off-Mesh domain network. The primary DNS setting
should be the IP address of the target PDC.


Figure 9-75. Internet Protocol (TCP/IP) Properties Dialog Box - Off-MESH NIC


3. On the desktop, right-click My Computer and select Properties. In the System
Properties dialog box, select the Computer Name tab. Click the Change button.
Select the Workgroup radio button and enter a name for a temporary workgroup.
When finished, click OK.

Figure 9-76. Computer Name Changes - Name Temporary Workgroup

4. When asked, enter the IAManager account credentials and click OK.

Figure 9-77. Computer Name Changes - Enter Credentials


5. Click OK.

Figure 9-78. Computer Name Changes - Welcome to the Temporary Workgroup

6. Click OK.

Figure 9-79. Computer Name Changes - Note that Domain Client Must Be Restarted

7. In the System Properties dialog box, in the Computer Name tab, click the Change
button again.

Figure 9-80. System Properties - Computer Name - Change


8. Select the Domain radio button and enter the name of the Off-Mesh domain.
Click OK.

Figure 9-81. Computer Name Changes - Adding Off-MESH Domain

9. Enter the credentials for an account with permission to add stations to the Off-Mesh
domain and click OK.

Figure 9-82. Computer Name Changes - Enter Account Credentials


10. Click OK.

Figure 9-83. Computer Name Changes - Welcome to the Off-MESH Domain

11. Click OK.

Figure 9-84. Computer Name Changes - Note that Domain Client Must Be Restarted

12. Click OK as shown in Figure 9-85. Do not reboot the computer when prompted.

Figure 9-85. System Properties Dialog Box - Closing


13. Click No, as shown in Figure 9-86.

Figure 9-86. System Settings Change Dialog Box - Click No

14. Click Start -> Run. In the Run dialog box, type services.msc and click OK. The
Services dialog appears. Right-click on FoxNTGUIAppServices and select
Properties.

Figure 9-87. Services Windows - FoxNTGUIAppServices


15. Select the Log On tab as shown in Figure 9-88. In the “This account:” field, enter the
name of the IAServices account on the new Off-Mesh domain. After the migration, it
should only be necessary to change the domain name. Enter and confirm the password
for this account. When finished, click OK.

Figure 9-88. FoxNTGUIAppServices Properties Dialog Box

16. The dialog box shown in Figure 9-89 appears if the account information was entered
correctly. Click OK.

Figure 9-89. Services Dialog Box


17. Click OK.

Figure 9-90. Services Dialog Box

18. Click the Start button, and click Programs -> Accessories -> Command Prompt to
open a command prompt. Type the following command and then press <Enter>:
SetIAStartupAcct

Figure 9-91. Executing SetIAStartupAcct

19. Reboot the domain client. Click the Start button and click Shut Down; select
Restart from the pull-down menu and click OK.
The migration process is complete.

NOTE
After migration is complete, install Windows Server 2008 R2 Standard with
I/A Series software v8.8 on all of your SDCs.


Continuing Installation
NOTE
For all domain clients migrated from a domain with I/A Series software
v8.5/8.6/8.7 to a domain with I/A Series software v8.8, it may be necessary to move
the migrated domain client’s object in Active Directory before beginning the client’s
installation procedure. Refer to “Migrating Domain Client from Domain in
I/A Series System v8.7 Or Earlier to a Domain in I/A Series System v8.8” on
page 358.

Refer to “Installing Optional Software” on page 63 to install any additional packages on the PDC.
Be sure to re-enable McAfee VirusScan on all the PDCs, SDCs and domain clients on which you
disabled it. Refer to “Re-Enabling the McAfee VirusScan Console” on page 408.
Proceed to Chapter 10 “Security Enhanced I/A Series Software v8.8 Installation for Domain Clients
or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Clients to Existing
Off-MESH Networks” for the installation procedure for the domain clients.

10. Security Enhanced I/A Series Software v8.8 Installation for Domain Clients or Connecting Security Enhanced I/A Series Software v8.5-8.7 Domain Clients to Existing Off-MESH Networks

This chapter describes procedures to install security enhanced I/A Series software v8.8 on your
domain clients and connect them to the appropriate On-Mesh or Off-Mesh domain controller.
It also describes how to connect an existing domain client with I/A Series software v8.5-v8.7 to
an existing Off-Mesh domain controller.

Workstation/Server Preparation
This section applies to the Windows 7 and Windows Server 2008 R2 Standard stations that are
being installed as domain clients. The domain client may be connected to a domain controller either
on The Mesh control network (which is a dedicated I/A Series maintained network) or on
another network (which is called an “Off-Mesh” network).
Dialog boxes on these two types of platforms may differ slightly, but will be functionally identical,
with minor exceptions as documented below.
Perform the following steps to set up the hardware and restore the operating system onto your
workstation:

NOTE
If this is a new station shipped from the Invensys factory with the V8.8 Restore
image identified by the media kits in Table 1-1 and verified in your workstation’s
H-code (or P-code), proceed to “Notes for Installing I/A Series System Software” on
page 356. If not, continue following the steps in this section.

1. Install hardware, restore the Windows operating system, and update drivers for your
workstation or server. Perform the following:
a. Refer to I/A Series System V8.8 Release Notes (B0700SG) to be sure that your hardware
meets all hardware requirements specific to the V8.8 release. For instructions
on installing memory upgrades, PCI cards, and so forth, refer to the “Installing
Hardware Upgrades” chapter of the hardware and software specific instruction
document shipped with your workstation or server.
b. Using the V8.8 Restore Media, restore the Windows operating system on your
workstation or server. Follow the instructions of Appendix A “Startup Options”.


! WARNING
Only use the media kits listed in Table 1-1 to restore the operating system of a
V8.8 station.

Do not follow the instructions for installing I/A Series software from your hardware
specific instruction manual. Follow the software installation procedure below.

c. Set the time and date. Perform the following:
• Open the Windows Date and Time applet by clicking the Date and Time
icon in the Control Panel.
• Click the Change Date and Time button.
• Adjust the date and time.
• Click OK.
• Click the Change time zone button.
• Select the correct time zone from the drop-down list and select the checkbox
(if not already selected) to automatically adjust the clock for daylight saving
time (DST) changes, if desired.
• Click OK.

NOTE
While installing a secure domain client, it is important to ensure that the UTC system
time matches the UTC system time on the domain (as viewed on the PDC).
The date and time must match, though the time which Windows displays may differ
if the time zones are not the same on the two stations.
Be careful when changing the time zone prior to adjusting the system time as this
can cause the AM/PM setting to change.
Also, be aware that the checkbox included for some time zones which defines
whether or not the time will be automatically adjusted for Daylight Saving Time
can cause the system time to differ by an hour.

d. For any procedures not found in Step 1.b above, refer to the “Installing and
Updating Drivers” chapter of the hardware and software specific instruction document
shipped with the station.
2. Perform the procedures in Appendix G “IASeries_NIC_Data.msi Installation
(Pre-I/A Series Installation)” on page 525.
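
A quick way to compare this station's UTC clock with the PDC before authorizing the domain join, as the NOTE under step 1.c requires. This is an added example, not part of the I/A Series installer; the function name and the 300-second default (the Windows Kerberos default clock tolerance, not a figure from this guide) are assumptions.

```powershell
# Added example (not part of the I/A Series installer).
# Works on Windows PowerShell 2.0 and later. Needs UDP port 123 (NTP) reachable
# from this station to the PDC.

function Get-ClockOffsetFromPdc {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Pdc,                    # letterbug, DNS name or IP address of the PDC
        [int]$Samples = 3,
        [double]$MaxSkewSeconds = 300    # assumption: Windows Kerberos default (5 minutes)
    )

    # With /dataonly, w32tm prints one "HH:mm:ss, +SS.fffffffs" line per sample,
    # or "HH:mm:ss, error: 0x..." when the PDC does not answer.
    $w32tmArgs = @('/stripchart', "/computer:$Pdc", "/samples:$Samples", '/dataonly')
    $raw = & w32tm.exe $w32tmArgs 2>&1

    $offsets = @()
    foreach ($line in $raw) {
        if ("$line" -match ',\s*([+-]\d+[.,]\d+)s\s*$') {
            # Normalise a decimal comma so parsing does not depend on the locale.
            $text = $Matches[1].Replace(',', '.')
            $offsets += [double]::Parse($text, [Globalization.CultureInfo]::InvariantCulture)
        }
    }
    if ($offsets.Count -eq 0) {
        throw "No usable time samples from '$Pdc'. w32tm output: $($raw -join ' | ')"
    }

    # Judge the station by the worst (largest magnitude) sample.
    $worst = $offsets | Sort-Object { [math]::Abs($_) } -Descending | Select-Object -First 1

    # Offsets are independent of time zone and DST settings, so this compares
    # the UTC clocks even when the two stations display different local times.
    New-Object PSObject -Property @{
        Pdc             = $Pdc
        LocalUtc        = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
        OffsetSeconds   = [math]::Round($worst, 3)
        WithinTolerance = ([math]::Abs($worst) -le $MaxSkewSeconds)
    }
}

# Usage (PDC01 is a placeholder name):
#   Get-ClockOffsetFromPdc -Pdc PDC01 | Format-List
```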

Notes for Installing I/A Series System Software


Before you install I/A Series software, make sure that the station is physically connected to The
Mesh control network and that the PDC is on-line and attached to The Mesh or a secondary
(non-I/A Series) network for an Off-Mesh PDC.
If the PDC is on The Mesh control network, make sure the station is disconnected from any
secondary (non-I/A Series) networks, but do not disable the adapters for these network cards.


! CAUTION
In Control Panel -> Network Connections, which lists the available NICs, do not
change the name of any “Local Area Connection x” network connection. This can
result in software installation issues or system instability.

! CAUTION
GPS PCI time cards are installed only in primary and backup Master TimeKeeper
workstations or stations as configured for MTK. The MTK workstations or stations
with I/A Series software v8.8 and later must install the GPS PCI time card, driver,
and control utility before installing I/A Series software. Refer to the Time Synchronization
User’s Guide (B0700AQ) to perform this installation.

NOTE
On servers with the Windows Server 2008 R2 Standard operating system, it is recommended
that no roles be added to the system which are not necessary for the
operation of the server. Adding unnecessary roles (for example, adding the Remote
Desktop Services role when the server is not to be used as a remote session host) can
create security weaknesses in the overall system.

NOTE
Use the IAInstaller account for all installation tasks. However, due to the
permissions assigned to IAInstaller, do not use it for any other role, such as
operation of the station.

Preparing Network Interface Cards (NICs) For Installation


Before installing I/A Series software, for each installed NIC, you must set the NIC’s properties
“Flow Control” and “Speed & Duplex” manually as described below for the NICs on this station.

NOTE
Refer to the Hardware and Software Specific Instructions document included with
your station to determine the NIC cards it supports.

Proceed as follows:
1. Right-click the My Computer icon, and click Manage. Double-click Device Manager.
In the Device Manager window, expand the Network adapters list.
2. Right-click the desired card and click Properties. In the Properties dialog box that
appears, select the Advanced tab.
3. In the Property field, click Flow Control. In the Value field, select Disable from
the drop-down menu list.
4. In the Property field, click Speed & Duplex. In the Value field, in the drop-down
menu list:
• For a station on The Mesh control network, select 100 Mb Full.
• For a station on another network other than The Mesh control network
(off-Mesh), select Auto.
5. Click OK.
6. For each additional NIC, repeat Steps 2 through 5.
7. Shut down and restart the system for the driver changes to take effect. Click the Start
button and click Shut Down; select Restart from the pull-down menu and click OK.

Migrating Domain Client from Domain in I/A Series System v8.7 Or Earlier to a Domain in I/A Series System v8.8
If you have migrated a domain client from a domain in an I/A Series system with I/A Series software
v8.7 or earlier to a domain with I/A Series software v8.8, it may be necessary to move the
migrated domain client’s object in Active Directory before beginning the client’s installation
procedure.
This may be necessary as there is a different Organizational Unit (OU) in Active Directory for the
domain clients from a domain with I/A Series software v8.7 or earlier and the domain clients in a
domain with I/A Series software v8.8. Proceed as follows:
1. On the target PDC, log in using a domain administrator account.
2. Open the Active Directory Users and Computers console - click the Start button and
select Control Panel -> Administrative Tools -> Active Directory Users
and Computers.


3. Determine if the account of the domain client to be installed as an I/A Series software
v8.8 domain client is in the “Pre-8.8 IA Computers” OU as shown in Figure 10-1.

Figure 10-1. Adding Pre-Existing Domain Client to the Pre-8.8 IA Computers OU


4. Drag the account of the domain client into the “IA Computers” OU as shown in
Figure 10-2.

Figure 10-2. Adding Pre-Existing Domain Client to the IA Computers OU

Changing the Station Name


The Windows workstation or server name must match the workstation or server letterbug name
as it was configured in SysDef and saved onto your Commit installation media before you install
the I/A Series software. For instructions on modifying the computer name of your workstation or
server, refer to Appendix B “Changing the Station Name”.

Disabling the VirusScan Console


Proceed as follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. If Access Protection is “Enabled”, right-click on Access Protection and select
Disable, as shown in Figure 10-3.


Figure 10-3. Disable Virus Scan Access Protection

4. Right-click on On-Access Scanner and select Disable.


5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 10-4.


Figure 10-4. On-Access Scan Properties Dialog Box

6. Clear the check-box labeled Enable on-access scanning at system startup
and click Apply. Click OK.

NOTE
The check box should be re-enabled at the end of the installation.


Canceling and Resuming the Security Enhanced Installation Process
If you click the Cancel button during the security-enhanced installation, the following dialog
box appears:

Figure 10-5. Confirming Cancellation of Software Installation

Click Yes to cancel, or No to resume the installation process. If you click Yes, the following dialog
box appears. Click OK:

Figure 10-6. Confirming Installation Interruption


You are returned to the installation dialog box as shown in Figure 10-7. If you want to see the
installation log, check Show the Windows Installer log. Click Finish.

Figure 10-7. InstallShield Wizard Completed - Interrupted

To restart the installation process after clicking Cancel, re-insert the DVD labeled “I/A Series
v8.8 Day 0 DVD-ROM” (K0174KE-A). A dialog box appears asking if you want to continue
with the installation.
If you click Yes, the installation will return to the dialog box that was canceled. If you click No,
installation will restart from the beginning.

Installation Procedures
The following installation procedures are provided:
• “Installation Procedure (On The MESH Control Network)” on page 365 - for
domain clients with I/A Series software v8.8 on The Mesh control network
• “Installation Procedure for Clients of New Off-MESH Domain Controllers” on
page 379 - for domain clients with I/A Series software v8.8 on a new Off-Mesh
network
• “Installation Procedure for Pre-Existing Domain Clients (I/A Series Software
v8.5-v8.7) to Existing Off-MESH Domain Controllers” on page 397 - for pre-existing
domain clients with I/A Series software v8.5-v8.7 on an existing Off-Mesh network.


Installation Procedure (On The MESH Control Network)


Proceed as follows:
1. Ensure that the Primary Domain Controller (for this domain client) has been installed
and is attached to The Mesh network.
2. Ensure that the domain client’s object is under the correct I/A Series software v8.8
Organizational Unit (OU) in the Active Directory.
3. Ensure that the domain client workstation is attached to The Mesh network.
4. Unplug any non-Mesh network cables.
5. Insert the DVD labeled “I/A Series v8.8 Day 0 DVD-ROM” (K0174KE-A).
6. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 10-8.
Click Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 10-8. AutoPlay Dialog Box

! CAUTION
If you are prompted with a dialog box indicating that you need to restart for the
configuration changes made to the Security Enhanced Installer to take effect, you
may have restored a non-secure image intended for I/A Series software v8.5-8.7 on
Windows XP or Windows Server 2003 R2. If you are sure you used the proper V8.8
restore image, then reboot the station. Otherwise, restore the station using the
proper V8.8 restore media. (See page 5.)

If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the station using the proper V8.8 Restore
media. (See page 5.)

7. Click Yes to accept the User Account Control (UAC) prompt.


8. A pre-requisite installation dialog box appears as shown in Figure 10-9. Click
Install to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the
workstation.

Figure 10-9. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box


9. A dialog box appears that allows you to select whether you are installing I/A Series
software without security enhancements or for a security-enhanced system. Select
Install I/A Series software for a security enhanced system and
Install this workstation as a client workstation:

Figure 10-10. Selecting to Install a Secure Domain Client

10. Click Next.


11. The next dialog box requests that you load the committed configuration install files,
as shown in Figure 10-11. Select the Use an On-MESH Domain Controller radio
button. Click Load to load the committed configuration files.

Figure 10-11. Load Committed Configuration Install Files

12. The browser for the folder containing the committed configuration install files opens,
as shown in Figure 10-12. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a floppy diskette, put
the diskette in the diskette drive (A:\) and click Use Diskette.

NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 10-11 indicates
the number of the requested Commit diskette to the right of the Load button
(101 for the first diskette, 102 for the second, and so forth). Insert each diskette in
the set and click Load.


Figure 10-12. Installation Media Folder Browser

13. Once the installation files have been loaded, click Bind as shown in Figure 10-11 to
launch the I/A Series Network Installation utility.
14. The dialog box shown in Figure 10-13 is displayed if the network configuration from
System Definition does not match the available NIC hardware.
If this dialog box is not displayed, the NIC cards have been automatically configured.
Proceed to the next step.


Otherwise, proceed as follows:
• For an On-Mesh domain client, the dialog box, shown in Figure 10-13, asks you
to select the NICs to be connected to the I/A Series network. Select the two network
cards and click Next.

! CAUTION
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation.


NOTE: I/A Series Network Installation dialog box shown above is for an On-MESH domain client,
and is provided to illustrate the concept of the NIC Adapter Device Number only.
Figure 10-13. I/A Series Network Installation (For Certain NIC Cards)

NOTE
For help in determining the correct network adapter(s) to select, click the Start
button and then select Control Panel -> Network and Internet -> Network
Connections. The Network Connections dialog box appears as shown in
Figure 10-14. Identify the NIC adapter device number for the NIC to be connected
to the Domain Controller’s network (it should have an entry in the Connectivity
column).
Note that the NIC Adapter Device Number indicated in Figure 10-13 aligns with
the NIC Adapter Device Number shown in Figure 10-14. This should not be
confused with the Local Area Connection number (shown in Figure 10-14).


Figure 10-14. Network Connections - Local Area Connection vs. NIC Adapter Device Number
(Figure callouts: Local Area Connection Number; NIC Adapter Device Number; “Indicates if
there is a physical cable connection to this NIC”.)

15. The Ready to connect this workstation to the I/A Series domain dialog box appears as
shown in Figure 10-15. Enter the name (letterbug) of the domain controller server
and the password for the “IA Installer” account. Verify the user account with
authorization to add stations to the domain.
• If “offmesh.local” is the name of your domain, enter the password and click
Authorize.
• If “offmesh.local” is not your domain, change the domain name, enter the
password and click Authorize.


Figure 10-15. Ready to Connect This Workstation to the I/A Series Domain

16. If the local system time does not match the PDC system time, the dialog box shown
in Figure 10-16 appears. Click OK. Fix the local system time to match the PDC time
(see “Workstation/Server Preparation” on page 355) and re-click Authorize.


Figure 10-16. Resetting UTC Date

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 10-17 is displayed. It is important to ensure that the
local and remote system times match (including date, time, AM/PM) before continuing.
Note that the checkbox displayed for some time zones, which allows the system to
automatically adjust for Daylight Saving Time, can affect the time displayed by the
system by one hour.

Figure 10-17. Unable to Determine Local Time

NOTE
If, after connecting the domain client to an I/A Series domain, the software
installation does not continue after the reboot, the system time may not have been
set correctly. Refer to “Setting Time Correctly After Failure to Continue Software
Installation After Reboot (SDC or Domain Client)” on page 539 to correct this.


17. If a Secondary Domain Controller (SDC) is planned for this I/A Series system, select
the SDC from the “Select the Secondary Domain Controller Stations” drop-down list
and click Set. If no SDC station is planned, click Skip.
18. Fill in the name of the host domain (iaseries.local is the default) and click
Connect.
19. If the workstation is connected to the domain, the dialog box shown in Figure 10-18
appears. Click Reboot.

Figure 10-18. Invensys IASeries Install: Workstation Reboot Request Dialog Box

The following dialog box indicates that the server will be rebooted.

Figure 10-19. You Are About To Be Logged Off Dialog Box

20. When the station reboots, log into the domain using the “IA Installer” account.


21. The installation restarts automatically. Click Next and then Install to run the
installation process.

Figure 10-20. InstallShield Wizard for I/A Series Software

22. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 10-21 is displayed.
To install this package, insert the first OS1FDB package diskette and click Load. After
the first disk has been loaded, insert the second OS1FDB package diskette and click
Load.
To bypass the installation of this package, click Skip. The installation continues, but
this dialog box is displayed again for each of the OS1FDB stations configured on this
I/A Series station.

NOTE
This will occur one time for each OS1FDB station configured.


Figure 10-21. Installation Media Dialog Box

23. If you selected Load, the media folder browser opens.

Figure 10-22. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button.
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette must be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.


24. If you selected Use Diskette in the previous step, the dialog box in Figure 10-23
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
must be inserted in drive A:\.

Figure 10-23. Installation Media Dialog Box - For Diskettes

25. Click Finish when the installation process is complete.


At the end of the installation, the installation log is displayed.
You can view the installation log at any time by clicking the Start button and selecting
All Programs -> Invensys -> IASeries -> Utilities -> Log Viewer.


Figure 10-24. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.
26. Proceed to “Completing the Domain Client Installation” on page 402.


Installation Procedure for Clients of New Off-MESH Domain Controllers

NOTE
Do not set up the Off-Mesh NIC manually prior to installing the I/A Series software.
This will be handled automatically during the installation.

This procedure is for adding domain clients to new Off-Mesh domain controllers. Proceed as
follows:
1. Ensure the PDC for this domain client has been installed and is attached to the
secondary (non-I/A Series) network.
2. Ensure that the domain client’s object is under the correct I/A Series software v8.8
Organizational Unit (OU) in the Active Directory.
3. Ensure the domain client is attached to The Mesh control network.
4. Ensure the domain client is attached to the secondary (non-I/A Series) network.
5. Insert the DVD labeled “I/A Series v8.8 Day 0 DVD-ROM” (K0174KE-A).
6. If AutoPlay is enabled, the AutoPlay dialog box appears as shown in Figure 10-25.
Click Run setup.exe.
Otherwise, navigate to the DVD drive and double-click setup.exe.

Figure 10-25. AutoPlay Dialog Box


! CAUTION
If you are prompted with a dialog box indicating that you need to restart for the
configuration changes made to the Security Enhanced Installer to take effect, you
may have restored a non-secure image intended for I/A Series software v8.5-8.7 on
Windows XP or Windows Server 2003 R2. If you are sure you used the proper V8.8
restore image, then reboot the station. Otherwise, restore the station using the
proper V8.8 restore media. (See page 5.)

If a dialog box appears indicating that .NET Framework is required, then you have
used incorrect restore media. Restore the server using the proper V8.8 Restore
media. (See page 5.)

7. Click Yes to accept the User Account Control (UAC) prompt.


8. A pre-requisite installation dialog box appears as shown in Figure 10-26. Click
Install to load the Microsoft Visual C++ 2010 Redistributable Package (x64) on the
server.

Figure 10-26. Microsoft Visual C++ 2010 Redistributable Package (x64) Installation Dialog Box


9. Select the Install I/A Series software for a security enhanced system
bullet as shown in Figure 10-27. Ensure that Install this workstation as a
client workstation is selected. Then click Next.

Figure 10-27. Selecting to Install a Client in a Security Enhanced System


10. The Load committed configuration install files dialog box appears as shown in
Figure 10-28.
Select the Use an Off-MESH Domain Controller radio button. Enter the IP
address for the Off-Mesh PDC. Enter the IP address and net mask for the local
Off-Mesh NIC card or select the Use DHCP check box. Click Select.

Figure 10-28. Load Committed Configuration Install Files Dialog Box

NOTE
I/A Series software can only be installed to the D:\ drive.

11. Click Load to load the committed configuration files.


The browser for the folder containing the committed configuration install files opens,
as shown in Figure 10-29. If the installation media with your Commit files is on the
server’s hard drive or a network, browse to the location of the media and click Select
Folder. If the installation media with your Commit files is on a floppy diskette, put
the diskette in the diskette drive (A:\) and click Use Diskette.


NOTE
If you have multiple Commit diskettes, the Stamp ID: field in Figure 10-29
indicates the number of the requested Commit diskette to the right of the Load button
(101 for the first diskette, 102 for the second, and so forth). Insert each diskette in
the set and click Load.

Figure 10-29. Installation Media Folder Browser


12. Once the Commit files have been loaded, click Bind as shown in Figure 10-30 to
launch the I/A Series network installation.

Figure 10-30. Load Committed Configuration Install Files Dialog Box - Bind

NOTE
If, after clicking the Bind button, the installation does not proceed and the Bind
button is still enabled, it is likely that the Off-Mesh NIC card was configured with
the desired IP address prior to running the I/A Series installation. If this is the case,
reset the Off-Mesh NIC settings to use DHCP and re-click the Bind button.

NOTE
If, after clicking the Bind button, the install does not proceed and the Load button
is enabled, it is likely that there is a mismatch in the configuration between your
NIC hardware and your network system configuration. Verify and fix the committed
configuration install files as necessary and reload these install files in order to
continue.


13. The dialog box shown in Figure 10-31 is displayed. Select the onboard NIC that
communicates with the PDC and the SDC on the secondary network (that is, the
Off-Mesh NIC). This NIC was set up on page 382. Then click Next.

! CAUTION
Be certain to pick the correct NICs as this selection cannot be changed later in the
installation. Refer to the explanation on page 371 for the difference between the
NIC adapter device number and the local area connection number for a NIC.

NIC Adapter Device Number

NOTE: I/A Series Network Installation dialog box shown above is for an On-MESH domain client,
and is provided to illustrate the concept of the NIC Adapter Device Number only.
Figure 10-31. I/A Series Network Installation (For Certain NIC Cards)

NOTE
For help in determining the correct network adapter(s) to select, click the Start
button and then select Control Panel -> Network and Internet -> Network
Connections. The Network Connections dialog box appears as shown in
Figure 10-32. Identify the NIC adapter device number for the NIC to be connected
to the Domain Controller’s network (it should have an entry in the Connectivity
column).
Note that the NIC Adapter Device Number indicated in Figure 10-31 aligns with
the NIC Adapter Device Number shown in Figure 10-32. This should not be
confused with the Local Area Connection number (shown in Figure 10-32).


Figure 10-32. Network Connections - Local Area Connection vs. NIC Adapter Device Number
(Figure callouts: Local Area Connection Number; NIC Adapter Device Number; “Indicates if
there is a physical cable connection to this NIC”.)

14. Select the NIC(s) that communicate with The Mesh control network (that is, the
On-Mesh NICs). Then click Next.

Figure 10-33. I/A Series Network Installation (For Certain NIC Cards)

15. Click Next. The Ready to connect this workstation to the I/A Series domain dialog
box appears as shown in Figure 10-34. Fill in the Domain Controller IP Address of
the PDC server, and verify the user account with authorization to add stations to the
domain.
• If “offmesh.local” is the name of your domain, enter the password and click
Authorize.
• If “offmesh.local” is not your domain, change the domain name, enter the
password and click Authorize.

NOTE
There are instances in which “offmesh.local” will not be your domain, such as if
your domain controllers were migrated off of The Mesh control network.

NOTE
It may be necessary to use a different account in this dialog box if migrating to an
existing Off-Mesh domain. In this case, the Administrator account may be necessary
depending on how the “IA Installer” group member has been configured.

Figure 10-34. Ready to Connect This Workstation to the I/A Series Domain Dialog Box

16. If the local system time does not match the PDC system time, the dialog box shown
in Figure 10-35 appears. Click OK. Fix the local system time to match the PDC time
(see “Workstation/Server Preparation” on page 355) and re-click Authorize.


Figure 10-35. Resetting UTC Date

In some cases, it will not be possible to determine the remote system time. In this case,
the dialog box shown in Figure 10-36 is displayed. It is important to ensure that the
local and remote system times match (including date, time, AM/PM) before continuing.
Note that the checkbox displayed for some time zones, which allows the system to
automatically adjust for Daylight Saving Time, can affect the time displayed by the
system by one hour.

Figure 10-36. Unable to Determine Local Time

17. If SDC stations are planned for this I/A Series system, expand the drop-down list
from “Select the Secondary Controller Domains” and select the Add Off-Mesh entry.
A dialog box opens in which the IP addresses for SDC stations can be set. Enter each
of the known SDC’s IP addresses and click Done.


Figure 10-37. Collecting SDC Machine Info

18. Click Set to choose the SDC stations in your list or Skip to choose no SDC station
IP addresses. If this station has more than one statically set NIC adapter, a message is
displayed indicating that the domain controller must have at least one NIC card
configured with a static IP address in order to continue the installation. Once the NIC
settings are corrected, click Set or Skip again to continue.
19. The “Select a Host Domain for this workstation and click Connect” area is added as
shown in Figure 10-38. If “offmesh.local” is not the name of your domain, change the
domain field as needed. Click Connect.

Figure 10-38. Select a Host Domain for this workstation and click Connect Area


20. If connected to the domain, the message shown in Figure 10-39 is displayed.

Figure 10-39. Workstation Reboot Request

Click Reboot. The following dialog box indicates that the station is about to be
rebooted.

Figure 10-40. You Are About To Be Logged Off Dialog Box

NOTE
If the installation returns the error message stating that a restart could not be
scheduled, start the installation manually after the reboot completes. (You should not
wait for a restart since the error message states that the restart will not occur.) Be
aware that if you start the setup.exe installer and no GUI opens, wait for several
minutes for the GUI to open, as a large amount of data in the setup needs to be
copied to the local support folder. Check the Task Manager to confirm that
setup.exe is running. If it is still running, continue to wait.

21. When the station reboots, log into the domain using the “IAInstaller” account.


22. The installation restarts automatically. You may have to wait for a few minutes before
the installation continues. Click Next.

Figure 10-41. Welcome to the InstallShield Wizard for I/A Series

23. Click Install to run the installation process.

Figure 10-42. Ready to Install the Program


24. If the OS1FDB package is configured on this server, the dialog box shown in
Figure 10-43 is displayed.
To install this package, insert the first OS1FDB package diskette and click Load. After
the first disk has been loaded, insert the second OS1FDB package diskette and click
Load.
To bypass the installation of this package, click Skip. The installation continues, but
this dialog box is displayed again for each of the OS1FDB stations configured on this
I/A Series station.

NOTE
This will occur one time for each OS1FDB station configured.

Figure 10-43. Installation Media Dialog Box


25. If you selected Load, the media folder browser opens.

Figure 10-44. Media Folder Browser

If your installation media for the OS1FDB package is not on a floppy diskette, browse
to the location of your stamped media and click the Select Folder button.
If your installation media for the OS1FDB package is on a floppy diskette, click Use
Diskette. The diskette must be in the diskette drive (A:\). Once the Use Diskette
button is clicked, the diskette will be read.


26. If you selected Use Diskette in the previous step, the dialog box in Figure 10-45
appears. Insert the second diskette in the OS1FDB set and click Load. The diskette
must be inserted in drive A:\.

Figure 10-45. Installation Media Dialog Box - For Diskettes

27. Click Finish when the installation process is complete.

NOTE
The DNS entries for the Off-Mesh NIC fail to set during the domain client
installation. After completing the I/A Series installation, but before rebooting the
domain client, open the Off-Mesh NIC card settings in the Internet Protocol
Version 4 (TCP/IPv4) Properties dialog box as follows:
Click the Start button and then click Control Panel -> Network and Sharing
Center. In the Tasks pane, click Change adapter settings. Right-click on the
adapter and click Properties.
In this same dialog box, select Internet Protocol Version 4 (TCP/IPv4) and
click Properties. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog
box, as shown in Figure 10-46, set the first DNS entry to be the IP address of the
Off-Mesh PDC station. Set all additional DNS entries to be the IP addresses of the
Off-Mesh SDC stations.


Figure 10-46. Setting Internet Protocol Version 4 (TCP/IPv4) Properties
(Figure callouts: IP Address for Off-MESH PDC; IP Address for Off-MESH SDC.)

At the end of the installation, the installation log is displayed.


You can view the installation log at any time by clicking the Start button and selecting
All Programs -> Invensys -> IASeries -> Utilities -> Log Viewer.


Figure 10-47. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.
28. Proceed to “Completing the Domain Client Installation” on page 402.
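
Two checks in this procedure can be read back from WMI before the reboot: which connection name belongs to which adapter device name (the distinction drawn for step 13), and whether the Off-Mesh NIC's DNS order is PDC first, then SDCs (the note after step 27). The PowerShell below is an added example, not part of the I/A Series media; the connection name and addresses are placeholders, and it assumes PowerShell 2.0 as shipped with Windows 7 and Windows Server 2008 R2.

```powershell
# Added example: read-only audit of NIC identity and Off-Mesh DNS order.
# Not part of the I/A Series installer. Written for PowerShell 2.0.

# Placeholders (assumptions): replace with your site's values.
$OffMeshConnection = 'Local Area Connection 3'   # name shown in Network Connections
$PdcAddress        = '192.0.2.10'                # Off-Mesh PDC
$SdcAddresses      = @('192.0.2.11')             # Off-Mesh SDC stations, if any

# Text for the Win32_NetworkAdapter.NetConnectionStatus codes of interest here.
$StatusText = @{ 0 = 'Disconnected'; 2 = 'Connected'; 5 = 'Hardware disabled'; 7 = 'Media disconnected' }

function Get-NicInventory {
    # Index the per-adapter IP settings by the adapter index shared by both WMI classes.
    $configs = @{}
    Get-WmiObject Win32_NetworkAdapterConfiguration |
        ForEach-Object { $configs[[int]$_.Index] = $_ }

    Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $_.NetConnectionID } |
        ForEach-Object {
            $cfg = $configs[[int]$_.Index]
            $dns = @(); if ($cfg -and $cfg.DNSServerSearchOrder) { $dns = @($cfg.DNSServerSearchOrder) }
            $ips = @(); if ($cfg -and $cfg.IPAddress) { $ips = @($cfg.IPAddress) }
            $code = [int]$_.NetConnectionStatus
            $text = $StatusText[$code]; if (-not $text) { $text = "Status $code" }
            New-Object PSObject -Property @{
                ConnectionName = $_.NetConnectionID   # "Local Area Connection n"
                DeviceName     = $_.Name              # adapter device name, including any "#n"
                Status         = $text
                DhcpEnabled    = [bool]($cfg -and $cfg.DHCPEnabled)
                IPAddress      = $ips
                DnsServers     = $dns
            }
        }
}

function Test-OffMeshDns {
    param([string[]]$Actual, [string]$Pdc, [string[]]$Sdc = @())
    # Expected order per the guide: PDC first, every further entry an SDC.
    if (-not $Actual) { return 'no DNS servers are set on this adapter' }
    $problems = @()
    if ($Actual[0] -ne $Pdc) {
        $problems += "first DNS entry is $($Actual[0]); expected the PDC ($Pdc)"
    }
    for ($i = 1; $i -lt $Actual.Count; $i++) {
        if ($Sdc -notcontains $Actual[$i]) {
            $problems += "DNS entry $($i + 1) is $($Actual[$i]), which is not a listed SDC"
        }
    }
    foreach ($s in $Sdc) {
        if ($Actual -notcontains $s) { $problems += "SDC $s is missing from the DNS list" }
    }
    $problems
}

# 1. Show every adapter with its connection name beside its device name.
$inventory = @(Get-NicInventory)
$inventory | Sort-Object ConnectionName |
    Format-Table ConnectionName, DeviceName, Status, DhcpEnabled,
        @{ Label = 'IP';  Expression = { $_.IPAddress -join ', ' } },
        @{ Label = 'DNS'; Expression = { $_.DnsServers -join ', ' } } -AutoSize |
    Out-Host

# 2. Check the Off-Mesh adapter's DNS order against the expected PDC/SDC list.
$offMesh = @($inventory | Where-Object { $_.ConnectionName -eq $OffMeshConnection })
if ($offMesh.Count -ne 1) {
    Write-Warning "Expected exactly one adapter named '$OffMeshConnection', found $($offMesh.Count)."
} else {
    $problems = @(Test-OffMeshDns -Actual $offMesh[0].DnsServers -Pdc $PdcAddress -Sdc $SdcAddresses)
    if ($offMesh[0].Status -ne 'Connected') {
        $problems += "adapter status is '$($offMesh[0].Status)'"
    }
    if ($problems.Count -eq 0) {
        Write-Host "Off-Mesh NIC '$($offMesh[0].DeviceName)': DNS order is PDC first, then SDC."
    } else {
        $problems | ForEach-Object { Write-Warning $_ }
    }
}
```

The script changes nothing; any correction it reports is still made in the TCP/IPv4 Properties dialog box as the note describes.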


Installation Procedure for Pre-Existing Domain Clients (I/A Series Software v8.5-v8.7) to Existing Off-MESH Domain Controllers
You can install a pre-existing domain client with I/A Series software v8.5-v8.7 and directly
connect it to an existing Off-Mesh domain as long as it has been migrated using the procedures
detailed in Chapter 7 “Migrating I/A Series Software v8.5/8.6/8.7 to a New Primary Domain
Controller on The MESH Control Network”, Chapter 8 “Migrating I/A Series Software
v8.5/8.6/8.7 to a New Off-MESH Primary Domain Controller” or Chapter 9 “Migrating
I/A Series Software v8.5/8.6/8.7 to a Pre-Existing Off-MESH Primary Domain Controller”.
Previously, Off-Mesh domains in I/A Series systems v8.5-8.7 were not supported. However, you
can use the installer on your existing CD labeled “I/A Series 8.5 XP Day 0 CD-ROM”
(K0174GD) to attach the domain client to a migrated Off-Mesh domain in an I/A Series system
v8.8.
For complete installation instructions, refer to the chapter “V8.5 I/A Series SE Software
Installation for a Domain Client” in I/A Series 8.5 Software Installation Guide (B0700SB),
available through the Global Customer Support at https://support.ips.invensys.com.
Proceed as follows:
1. Before running the installer on your pre-existing domain client, set up a connection to
the Off-Mesh network and set the IP address and DNS settings for the Off-Mesh
NIC as described below.
Open the Internet Protocol (TCP/IP) Properties dialog box for the domain client’s
Off-Mesh NIC card as follows:
a. On the desktop, right-click My Network Places, and click Properties.
b. In the Network and Connections dialog box, right-click the Off-Mesh NIC card,
and click Properties.
c. In the card’s Properties dialog box, in the “This connection uses the following
items” section, click Internet Protocol (TCP/IP), and then click Properties.
The Internet Protocol (TCP/IP) Properties dialog box appears as shown in
Figure 10-48.
d. In the Internet Protocol (TCP/IP) Properties dialog box, set the TCP/IP address
and DNS server address to match the network settings of the target PDC (that is,
the PDC with I/A Series software v8.8 for the Off-Mesh network). The preferred
DNS server address should be the IP address of the target PDC.
If your system has an SDC, add the IP address of the SDC to the Alternate DNS
server field.


Figure 10-48. Internet Protocol (TCP/IP) Properties Dialog Box - Off-MESH NIC Card
(Figure callouts: “These should match the similar settings in the Target PDC”; “IP Address
of the Target PDC”; “If your system has an SDC, add the IP address of the SDC here”.)

2. If the pre-existing domain client was not a part of the original I/A Series configuration
prior to the migration of the target PDC, it may be necessary to add the domain client
to Active Directory. On the target PDC, in Active Directory Users and Computers,
ensure that there is a computer account for the pre-existing domain client in the
“Pre-8.8 IA Computers” OU as shown in Figure 10-49.


Figure 10-49. Adding Pre-Existing Domain Client (I/A Series Software v8.5) to Active Directory

3. Proceed with the installation instructions in “Installation Procedure” in the chapter
“V8.5 I/A Series SE Software Installation for a Domain Client” in I/A Series 8.5 Software
Installation Guide (B0700SB) through Step 16 (which, in the current draft, is the
step which reads as follows: “After completing network setup, click Next on the
I/A Series Software Installation dialog box”).


4. At Step 16, when the “Ready to connect this workstation to the I/A Series domain”
page appears as shown in Figure 10-50, in the Domain Controller Letterbug field,
enter the IP address for the target PDC.
Also enter:
• In the Domain Admin Account field, the domain name and domain administrator
account name (created during the domain client’s former PDC’s installation)
• In the Domain Admin Password field, the domain administrator password (set
during the PDC server installation)

Figure 10-50. Domain Client Installation – Ready to Connect

5. Click Authorize.


6. Do not select any SDC stations. Select the Skip button when prompted, as shown in
Figure 10-51.

Figure 10-51. Connecting to the I/A Series Domain

7. Click Connect.
8. A warning dialog box appears regarding the time on the domain client workstation
matching the time on the domain, as shown in Figure 10-52. Ensure the date and
time are correct to within five minutes before continuing. Perform the instructions
provided in Step 21 of “Installation Procedure” in I/A Series 8.5 Software Installation
Guide (B0700SB).

Figure 10-52. Unable To Determine Local Time


9. Continue with Step 22 of “Installation Procedure” in I/A Series 8.5 Software
Installation Guide (B0700SB) and complete the installation procedure.
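
Each domain-join procedure in this chapter stops at a time-mismatch dialog box if the station's clock and the PDC's clock disagree, and step 8 above gives the tolerance as five minutes. The PowerShell below is an added example, not part of the I/A Series media, that measures the offset with the Windows `w32tm` tool before you click Authorize; the PDC address is a placeholder, and it assumes PowerShell is available on the station and that the PDC answers time queries.

```powershell
# Added example: compare this station's clock with the PDC before clicking Authorize.
# Not part of the I/A Series installer. Written for PowerShell 2.0.

$PdcAddress  = '192.0.2.10'   # placeholder (assumption): letterbug or IP address of the PDC
$MaxSkewSecs = 300            # five minutes, the tolerance the guide states

function Get-TimeOffsetSeconds {
    param([string]$Computer)
    # With /dataonly, w32tm prints one line per sample, e.g. "10:15:30, +00.1234567s",
    # or "10:15:30, error: 0x800705B4" when the server does not answer.
    $lines = & w32tm.exe /stripchart "/computer:$Computer" /samples:1 /dataonly 2>&1
    foreach ($line in @($lines)) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') {
            return [double]$Matches[1]
        }
    }
    return $null   # offset could not be determined
}

# Show what the operator sees locally. The offset below is computed from UTC, so the
# Daylight Saving Time checkbox changes the displayed local time but not the offset.
$tz  = [System.TimeZone]::CurrentTimeZone
$now = Get-Date
Write-Host ("Local time : {0:yyyy-MM-dd HH:mm:ss} ({1}, DST in effect: {2})" -f `
    $now, $tz.StandardName, $tz.IsDaylightSavingTime($now))
Write-Host ("UTC time   : {0:yyyy-MM-dd HH:mm:ss}" -f $now.ToUniversalTime())

$offset = Get-TimeOffsetSeconds -Computer $PdcAddress
if ($offset -eq $null) {
    # Same situation as the "Unable to Determine Local Time" dialog box: compare by hand.
    Write-Warning "Could not read the time from $PdcAddress. Compare date, time and AM/PM by hand."
} elseif ([math]::Abs($offset) -gt $MaxSkewSecs) {
    Write-Warning ("Clock differs from the PDC by {0:N1} s; correct the local time before continuing." -f $offset)
} else {
    Write-Host ("Clock is within {0} s of the PDC (offset {1:N1} s)." -f $MaxSkewSecs, $offset)
}
```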

Completing the Domain Client Installation


Installing the I/A Series Software v8.8 Trailer CD-ROM
To complete the installation of I/A Series software v8.8, you must install the V8.8 trailer
CD-ROM (K0174KT). The trailer CD-ROM must be installed for stations running Windows 7 or
Windows Server 2008 R2 Standard operating systems:
1. Launch the trailer installation application (setup.exe):
• If you have the CD-ROM labeled “I/A Series 8.8 Trailer CD-ROM” (K0174KT),
insert this CD-ROM into the station. The installation launches automatically.
• If you acquired the trailer application setup.exe via another method, such as
copying it from a shared network drive or downloading it from the GSC website,
double-click setup.exe to launch the installation.
2. Click Next and then click Install to start the installation process.
3. If the user currently logged in is not an administrator, a User Account Control (UAC)
prompt may appear. Click Yes to accept the UAC prompt.

NOTE
During the trailer installation, if the following message appears, “The Setup must
update files or services that cannot be updated while the system is running. If we
choose to continue, reboot will be required to continue the setup,” click OK. The
installation continues as normal. Do not reboot the station if you see this message.
This message is shown in the event that you are installing the trailer after booting
into the I/A Series software (which you should not have done if you are performing
this procedure as written in this section).

4. When the installation is complete, click Finish.


5. If you are installing the trailer via a CD-ROM, remove the trailer CD-ROM.
6. Restart your station as described in the following section.
A log file for the trailer installation is saved to: D:\usr\fox\sp\SetupLog.IAv88Trailer.txt
If a Day 1 operation is performed after the trailer has been applied, the trailer can be repaired to
add any versions of files (updated by the trailer) which are part of the newly added I/A Series
packages.

Restarting Your System


FoxView software may be installed prior to rebooting the workstation or server to eliminate one
reboot. Install FoxView™ and FoxDraw™ software from the FoxView/FoxDraw CD-ROM.
Refer to FoxView™ and FoxDraw™ Software V10.3 Release Notes (B0700SA) for installation
instructions.
Reboot the workstation at this time. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.


Non-MESH Network Cables


If you unplugged any non-Mesh network cables prior to performing the Day 0 installation, plug
in the non-Mesh network cables at this time.

Configuring VirusScan Software


McAfee VirusScan V8.8i software is installed on your workstation. Refer to Appendix C
“Excluding Files, Folders, and Drives” to exclude the recommended set of I/A Series files
from scanning.

Installing Optional Software


After restarting the station following the I/A Series software installation, you may need to perform
one or more of the following tasks:
1. If not already installed, install FoxView™ and FoxDraw™ software from the
FoxView/FoxDraw CD-ROM. Refer to FoxView™ and FoxDraw™ Software V10.3
Release Notes (B0700SA) for installation instructions.
2. Install AIM*Historian® software according to the instructions provided with the
AIM*Historian media.
3. It is highly recommended that you install Ferret software after installing I/A Series
software v8.8. Refer to FERRET v5.4 and Later User's Guide (B0860AZ) for
installation instructions and FERRET v5.4 and Later Release Notes (B0860RH) for
information on using the Ferret software. These documents are available in PDF format on
the Ferret CD-ROM.
4. Install any other software media for selected optional packages.


System Manager and System Management Display Handler (SMDH) Installation Notes

NOTE
Skip this section for all Off-Mesh domain controllers.

I/A Series system management is carried out by the operator primarily via the:
• System Manager, discussed in System Manager (B0750AP), or
• System Management Display Handler (SMDH), discussed in System Management
Displays (B0193JC).
Be aware of the following notes regarding the installation of these software packages.
• On servers/workstations configured with the SMDH package (ASMDW7), the System
Manager will be installed. Uninstalling the System Manager through the
Programs and Features dialog box (accessed via the Control Panel) results in the
server/workstation defaulting to SMDH as the system management application.
• SMDH can only be invoked through FoxView. From the I/A Series initial display,
access the SMDH displays from the System button on the FoxView main window.
System Manager displays can be invoked directly, without the need for a separate
application.
Be aware that FoxView is not typically loaded on a domain controller. Invensys
recommends the IAMESH only configuration on domain controllers, in which SMDH
or System Manager is not installed.
• On servers/workstations where System Manager is installed by the Day 0 installation
of I/A Series software, only the System Manager client is installed.

NOTE
The System Manager Server should be installed only if the IASVCS package is
assigned to the station.

To install the System Manager Server, proceed as follows:
a. Insert the DVD labeled “I/A Series v8.8 Day 0 DVD-ROM” (K0174KE-A), if it
is not already in the drive and open the folder “\3rd_party\SystemManager”.
b. Double-click on setup.exe.
c. Click Next.
d. Keep the “Modify” choice selected (default) and click Next.
e. Under “System Manager Server”, select “This feature will be installed
on local hard drive”, as shown in Figure 10-53.


Figure 10-53. Installing System Manager Server

f. Click Next and then Install to install the System Manager Server.
• If the SMDH package was not configured and the System Manager client is not
  installed, System Manager may be added by running the complete System Manager
  installation process from the System Manager CD-ROM (K0174GG).

NOTE
The System Manager client is installed only if the IASVCS package is assigned to
the station.

• When logging into domain client workstations, an I/A Series user account should be
  used, which is a member of one of the standard I/A Series user groups such as IA Plant
  Engineers or IA Plant Operators.

! CAUTION
Logging on with the IAInstaller account will not result in the logon command
running; FoxView will not start and Exceed will not be launched.


NOTE
On I/A Series servers with Windows Server 2008 R2 Standard, FoxPanels requires
that the Beep Driver component be running to operate. If you have FoxPanels on
this server, refer to “Installing the Beep Driver (I/A Series Servers with FoxPanels
Only)” on page 32 for installation instructions.

Setting Date and Time


For an internally sourced Master TimeKeeper (MTK), set the local date and time with either
System Manager (default) or SMDH.
For instructions on how to set the date and time with the System Manager, refer to the section
“Date and Time Tools” in System Manager (B0750AP).
For instructions on how to set the date and time with the System Management Display Handler
(SMDH), proceed as follows:
1. From the I/A Series initial display, access System Management displays from the
System button on the FoxView main window.
2. From the System Monitor display, select the Time button to access the Set Date and
Time screen. Set the current date and time by clicking the appropriate arrows on the
screen. Click RETURN - SET.
For an active externally sourced MTK, the Set Date and Time display is unavailable. The date and
time are automatically established and synchronized by an external GPS satellite.
Refer to Time Synchronization User’s Guide (B0700AQ) for a complete description of the time
synchronization subsystem.

Domain Client Postinstallation Procedures


Changing Passwords
The local Administrator account password should be changed once the installation of the client
machine has been completed. The account name is IAManager and the initial password set for
the Invensys supplied workstation image is “Password1”. However, during the PDC installation,
you may have defined new passwords.
Perform the following steps:


1. Click the Start button and select Control Panel -> Administrative Tools ->
Computer Management. Right-click on the IAManager account and select Set
Password.

Figure 10-54. Resetting Passwords via Computer Management

2. Passwords changed in this manner will result in certain encrypted data becoming
inaccessible. At this point, make sure there is no encrypted data stored under this user
account and click Proceed.

Figure 10-55. Resetting Password for IAManager


3. Enter in the new password and confirm this entry. Any password entered after the
installation of the secure I/A Series system must meet domain password complexity
requirements.

Figure 10-56. Confirming Password for IAManager

4. Click OK to set the password.

Re-Enabling the McAfee VirusScan Console


At the end of the installation process, you must re-enable McAfee VirusScan Console on all
stations for which it was disabled - PDCs, SDCs, and domain clients. On each station, proceed as
follows:
1. Right-click the McAfee shield in the toolbar and click VirusScan Console.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. Right-click on Access Protection and select Enable.
4. Right-click on On-Access Scanner and click Enable.
5. Right-click on On-Access Scanner and select Properties. The On-Access Scan
Properties dialog box opens as shown in Figure 10-57.


Figure 10-57. On-Access Scan Properties Dialog Box

6. Check the check-box labeled Enable on-access scanning at system startup
and click Apply.
7. Click OK to close this dialog box.

11. Performing a Day 1 Installation
This chapter describes the procedure to perform a Day 1 Installation.
Before performing this installation procedure, the I/A Series software must already be installed on
the workstation and be running. You must allow the software installation procedures to turn off
the I/A Series software as required.

! CAUTION
Exiting or cancelling during the software installation process causes an incomplete
installation and may cause the station to become unstable. This requires that you
reload the operating system.

NOTE
Use the IAInstaller account for all installation tasks. However, due to the
permissions assigned to IAInstaller, do not use it for any other role, such as
operation of the station.

Day 1 Operations (Secure or Standard I/A Series Software)
This procedure is only to create the reconcile files and should be done first; it can be performed
from a single workstation. Then, you will take the reconcile files to System Definition in order to
create a Day 1 Commit installation media. Then you will insert the Day 0 installation DVD.
Perform the following steps to set up for installation:
1. Open the I/A Series Reconcile Media Utility: click the Start button and select
All Programs -> Invensys -> IASeries -> Utilities -> Reconcile.
2. Click Yes to accept the User Account Control (UAC) prompt.
3. The I/A Series Reconcile Media Utility opens as shown in Figure 11-1.


Figure 11-1. I/A Series Reconcile Media Utility

4. Click Get Standard Stations to get all reconcile files for standard I/A Series
stations.
5. When prompted, fill in the Primary Domain Controller server name (Domain
Controller Name), Domain Name, Secure Username and Secure Password. If the domain
is Off-Mesh, the PDC station’s IP address should be provided instead of the
workstation name.


6. Click Get SE Stations to get all reconcile files for secure I/A Series stations using
the provided credentials.

Figure 11-2. Get SE Stations

7. Select the stations that need to be reconciled in the check-list box on the left-hand
side of the dialog box.
8. Select the appropriate radio button at the top of the dialog box: Create new
reconcile media or Appending to existing reconcile media.
9. Click Create to write to the media. The folder browser dialog box opens, as shown in
Figure 11-3.


Figure 11-3. Select the Location Where You Want Your Reconcile Files Saved

10. If you want to write the installation files to a diskette, be aware that the diskette must
already be in a tar format.
To write to a tar format floppy diskette in the diskette drive (A:\), click Use
Diskette.
To write the installation files to a folder location, select a folder and click Select
Folder.
11. If you selected Appending to existing reconcile media in Step 8 and
Reconcile installation media (with media number 201) is not provided in the A:\
floppy drive, the dialog box shown in Figure 11-4 is displayed.

Figure 11-4. Try Another Diskette Warning


12. Use the Reconcile media generated with this utility within I/A Series System
Definition to update the commit media.
13. Insert the Day 0 DVD in the workstation/server for which you want to perform a
Day 1 installation.
14. Run setup.exe. If I/A Series software is running, the dialog shown in Figure 11-5 is
displayed.

Figure 11-5. Disable I/A Series Drivers and Services

15. Click Yes and reboot the workstation manually. Click the Start button and click Shut
Down; select Restart from the pull-down menu and click OK.
Restart setup.exe after rebooting the workstation.
16. Select the Perform a Day 1 operation on the I/A Series workstation
bullet in the I/A Series Software Installation dialog box, as shown in Figure 11-6.


Figure 11-6. Perform a Day 1 Operation on the I/A Series Workstation

17. Click Load to load the updated Commit files.


18. Once the Commit files have been loaded, the installation continues without user
interaction until the end, when the log viewer utility is displayed. You can view the
installation log at any time by clicking the Start button and selecting
All Programs -> Invensys -> IASeries -> Utilities -> Log Viewer.


Figure 11-7. Example of Installation Log

Click on the Setup Log, Pkg Log, and Init Log buttons to view these logs. These
logs can also be printed.
19. Reboot the workstation. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.
20. Install the V8.8 trailer CD-ROM as described in the following section.

NOTE
A Day 1 installation should be performed on all I/A Series stations every time the
System Definition is changed.

Installing the I/A Series Software v8.8 Trailer CD-ROM
To complete the installation of I/A Series software v8.8, you must install the V8.8 trailer
CD-ROM (K0174KT). The trailer CD-ROM must be installed for stations running Windows 7 or
Windows Server 2008 R2 Standard operating systems:
1. Launch the trailer installation application (setup.exe):

   • If you have the CD-ROM labeled “I/A Series 8.8 Trailer CD-ROM” (K0174KT),
     insert this CD-ROM into the station. The installation launches automatically.
   • If you acquired the trailer application setup.exe via another method, such as
     copying it from a shared network drive or downloading it from the GSC website,
     double-click setup.exe to launch the installation.
2. Click Next and then click Install to start the installation process.
3. If the user currently logged in is not an administrator, a User Account Control (UAC)
prompt may appear. Click Yes to accept the UAC prompt.

NOTE
During the trailer installation, if the following message appears, “The Setup must
update files or services that cannot be updated while the system is running. If we
choose to continue, reboot will be required to continue the setup,” click OK. The
installation continues as normal. Do not reboot the station if you see this message.
This message is shown in the event that you are installing the trailer after booting
into the I/A Series software (which you should not have done if you are performing
this procedure as written in this section).

4. When the installation is complete, click Finish.


5. If you are installing the trailer via a CD-ROM, remove the trailer CD-ROM.
6. Restart your station. Click the Start button and click Shut Down; select Restart
from the pull-down menu and click OK.
A log file for the trailer installation is saved to: D:\usr\fox\sp\SetupLog.IAv88Trailer.txt
If a Day 1 operation is performed after the trailer has been applied, the trailer can be repaired to
add any versions of files (updated by the trailer) which are part of the newly added I/A Series
packages.

Performing a “Post-Commit for Pre-8.0”


NOTE
Do not install this software on workstations on The Mesh. Perform this step on all
Nodebus workstations after every Commit installation or any installation where the
workstation operating system is selected for installation.

The following procedure must be performed after a Day 1 installation procedure on all Nodebus
workstations (AP, AW, and WP) to add I/A Series addressing information to the host files on
Nodebus components. To perform the Post-Commit for Pre-8.0, install the Pre-V8.1
Compatibility Diskette on each Nodebus workstation.
The following sections detail the steps for installing the disk on the two platforms.

Instructions for Windows Workstations


To execute the procedure on Nodebus (V6.x/V7.x, etc.) I/A Series workstations running the
Windows NT Workstation 4.0, Windows NT Server 4.0, Windows XP or Windows 7 operating
system:


1. Insert the K0173XN diskette.


2. Open a Command Prompt window, and type the following:
d:
ncenv
sh
tar xvf A: ./usr/fox/bin/mkhosts.sh
cd /usr/fox/bin
sh mkhosts.sh
3. A reboot of the workstation is not required.

Instructions for Solaris Workstations


To execute the procedure on Nodebus (V6.x/V7.x, etc.) I/A Series workstations running the
Solaris 2.5.1 or Solaris 2.8 (also referred to as “Solaris 8”) operating system:
1. Insert the K0173XN diskette.
2. Open a VT100 session, and type the following:
cd /
tar xvf /dev/fd0 ./usr/fox/bin/mkhosts.sh
cd /usr/fox/bin
mkhosts.sh
3. A reboot of the workstation is not required.

Appendix A. Startup Options
This appendix describes the startup options in I/A Series workstations and servers.
For the startup options in I/A Series workstations and servers, refer to:
• For standard I/A Series installations - see “I/A Series Startup Account” and “I/A Series
  Startup and Security Options” in I/A Series System V8.8 Release Notes (B0700SG)
• For security enhanced I/A Series installations - see “I/A Series Startup and Security
  Options” in Security Enhancements User's Guide for I/A Series Workstations with
  Windows 7 or Windows Server 2008 Operating Systems (B0700ET)

Appendix B. Changing the Station Name
This appendix describes how to change a station’s name.
The Windows workstation or server name must match the workstation or server letterbug name
as it was configured in SysDef and saved onto your Commit installation media before you install
the I/A Series software. For systems with multiple workstations or servers, you must change the
default workstation/server names.
The I/A Series workstation/server letterbug is an uppercase six-character alphanumeric
workstation name recognized by the I/A Series software. The letterbug is defined during
System Definition and is written to the Commit installation media.
To make your workstation or server letterbug name match your host name, perform the following
procedure:
1. Click the Start button and click Control Panel.
2. In the Control Panel group, double-click System. The System Properties dialog box
opens.


3. Click Advanced system settings in the left pane of the System window.

Figure B-1. System Window


4. In the System Properties dialog box, select the Computer Name tab (Figure B-2).

Figure B-2. Computer Name Tab in the System Properties Dialog Box


5. In the Computer Name tab, click Change. The Computer Name Changes dialog box
opens (Figure B-3).

Type in station letterbug; for example, INF1AW

Figure B-3. Computer Name Changes Dialog Box

6. In the Computer Name Changes dialog box, click Computer Name and (using all
uppercase characters) change the name to the applicable letterbug assignment on the
Commit. Click OK.

NOTE
The Computer Name field must contain six (6) uppercase characters and numbers.

7. Click Workgroup in the “Member of” section of the Computer Name Changes dialog
box and ensure that the workgroup name is WORKGROUP (see Figure B-3).
8. In the Computer Name Changes dialog box, click OK.
9. Click OK to close the System Properties dialog box.


10. A message box opens asking if you want to restart your computer. Click OK.

Figure B-4. Restarting Your Computer To Apply Changes

11. When the system restarts, it logs you on as “Fox”. Proceed with I/A Series software
installation.

Appendix C. Excluding Files, Folders, and Drives
This appendix provides procedures for excluding files, folders and drives from the McAfee
VirusScan Enterprise + AntiSpyware Enterprise software.
The following files and folders must be excluded on I/A Series H91/P91 and H92/P92
workstations:

Table C-1. McAfee VirusScan Enterprise + AntiSpyware Enterprise Exclusion List

File or Folder to Exclude              Exclude Subfolders?
D:\usr\fox\exten\dcisrvr.exe           No
D:\usr\fox\exten\fbmload.exe           No
D:\usr\fox\exten\rls.exe               No
D:\usr\fox\exten\romload_srvr.exe      No
D:\usr\fox\sp\files\iom*               No
D:\usr\fox\exten\om_impdb.exe          No

For each file listed above, proceed as follows to exclude these files:
1. Double-click the VirusScan icon in the system tray to bring up the VirusScan Status
window.


2. Click on the Properties button in the VirusScan Status window.

Figure C-1. On-Access Scan Statistics Dialog Box


3. Select the All Processes icons in the left pane.

Figure C-2. On-Access Scan Properties Dialog Box - Selecting All Processes


4. Click the Exclusions tab, and then click Exclusions to open the Set Exclusions
dialog box. Initially, the Set Exclusions dialog box appears blank, indicating that no
files are excluded from scanning.

Figure C-3. On-Access Scan Properties Dialog Box - Exclusions Tab


5. Click Add to open the Add Exclusion Item dialog box.

Figure C-4. On Access Scan Properties Dialog Box - Exclusions Tab

6. In the What to exclude area, select By name/location.


a. Specify the name or location. For particular files listed above, enter the full-path of
the file, or click Browse. To exclude all iom files, enter
D:\usr\fox\sp\files\iom*.

Figure C-5. Add Exclusion Item


7. In the When to exclude area, specify when to exclude the items from scanning.
Choose On read and On write.
8. Click OK to save your changes and return to the Set Exclusions dialog box.

Figure C-6. Set Exclusions

9. Click OK to close the Set Exclusions dialog box.


10. Click OK to close the On-Access Scan Properties dialog box.
For more information, refer to McAfee VirusScan® and AntiSpyware Enterprise 8.8i Installation
(B0700EQ).
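
Files on the exclusion list are not inspected by the on-access scanner on read or write, so one way to keep them under watch is to record their hashes once the exclusions are in place and compare them later. The following is an added example, not part of the Invensys guide or the McAfee product; the function names and the baseline file location are hypothetical, and the paths are the ones from Table C-1.

```powershell
# Added example (not from the Invensys guide): hash the files that Table C-1
# excludes from on-access scanning and compare them with a saved baseline.
# Function names and the baseline path are hypothetical. Only .NET 2.0 calls
# are used, so it runs on the PowerShell 2.0 shipped with Windows 7 / 2008 R2.

$ExcludedPaths = @(
    'D:\usr\fox\exten\dcisrvr.exe',
    'D:\usr\fox\exten\fbmload.exe',
    'D:\usr\fox\exten\rls.exe',
    'D:\usr\fox\exten\romload_srvr.exe',
    'D:\usr\fox\sp\files\iom*',          # wildcard entry, expanded below
    'D:\usr\fox\exten\om_impdb.exe'
)

function Get-ExclusionBaseline {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        foreach ($pattern in $Path) {
            # Expand wildcards and skip folders (no table entry covers subfolders)
            $files = @(Get-Item -Path $pattern -ErrorAction SilentlyContinue |
                       Where-Object { -not $_.PSIsContainer })
            foreach ($file in $files) {
                $hash = $null
                try {
                    $stream = [System.IO.File]::OpenRead($file.FullName)
                    try {
                        $bytes = $sha.ComputeHash($stream)
                        $hash  = [System.BitConverter]::ToString($bytes) -replace '-', ''
                    } finally {
                        $stream.Close()
                    }
                } catch {
                    Write-Warning "Could not read $($file.FullName): $($_.Exception.Message)"
                }
                New-Object PSObject -Property @{
                    File             = $file.FullName
                    SHA256           = $hash
                    LastWriteTimeUtc = $file.LastWriteTimeUtc.ToString('o')
                }
            }
        }
    } finally {
        $sha.Clear()
    }
}

function Compare-ExclusionBaseline {
    param([object[]]$Old, [object[]]$New)

    # Index the saved baseline by lower-cased path (Windows paths are case-insensitive)
    $oldByFile = @{}
    foreach ($o in $Old) {
        if ($o.File) { $oldByFile[$o.File.ToLower()] = $o.SHA256 }
    }

    foreach ($n in $New) {
        $key = $n.File.ToLower()
        if (-not $n.SHA256)                       { $status = 'Unreadable' }
        elseif (-not $oldByFile.ContainsKey($key)) { $status = 'New' }
        elseif ($oldByFile[$key] -ne $n.SHA256)    { $status = 'Changed' }
        else                                       { $status = 'Unchanged' }
        $oldByFile.Remove($key)
        New-Object PSObject -Property @{ File = $n.File; Status = $status }
    }

    # Whatever is left in the index was in the baseline but is no longer on disk
    foreach ($gone in $oldByFile.Keys) {
        New-Object PSObject -Property @{ File = $gone; Status = 'Missing' }
    }
}

# Hypothetical baseline location; keeping a copy off the station is preferable.
$BaselineFile = 'C:\Temp\av-exclusion-baseline.csv'
$current = @(Get-ExclusionBaseline -Path $ExcludedPaths)

if (Test-Path $BaselineFile) {
    # Later runs: report only the entries that differ from the saved baseline
    Compare-ExclusionBaseline -Old @(Import-Csv $BaselineFile) -New $current |
        Where-Object { $_.Status -ne 'Unchanged' } |
        Select-Object Status, File
} else {
    # First run: save the baseline
    $current | Export-Csv -Path $BaselineFile -NoTypeInformation
}
```

Re-create the baseline after any installation step that legitimately updates these files, such as a Day 1 installation or the trailer.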

Appendix D. Secondary Domain Controllers in an I/A Series System
This chapter details the installation and configuration procedures for the security enhancements
provided for I/A Series v8.8 or later systems, which may also include FCS 4.0 or later software.
In the security-enhanced I/A Series system, the secondary domain controller (SDC) functions as a
backup to the primary domain controller (PDC) server for both Active Directory and DNS
services. This means that if the PDC becomes unavailable for any reason, the SDC provides such
functions as:
• Servicing log on requests to the I/A Series network
• Allowing for the creation, deletion, and modification of user accounts
• Servicing DNS name resolution requests
Some functionality will be unavailable or may be limited during the time that a PDC is offline
and the SDC has not been promoted to PDC. This includes, but is not limited to:
• Domain schema cannot be extended.
• New SDC workstations cannot be added to the domain.
• Ability to add users and computers to the domain may be limited.
• Group policies cannot be edited.
It is recommended that the PDC remain the PDC and all SDC stations remain as SDC stations
once the security-enhanced I/A Series system has been installed. If a PDC is unavailable for a
short period of time (e.g. less than a week), it is highly recommended that an SDC is not
promoted to take over the role of PDC. This is because the offline PDC will not be automatically
demoted to be an SDC. During this time when the PDC is offline, do not add any new stations.
When the PDC comes back online, there would be two primary domain controllers, one of which
must then be demoted.

! CAUTION
Bringing up two PDC stations on the I/A Series system must be avoided.

Active Directory Operations Master Roles


If there is a need to promote an SDC to become the PDC, it is always better to do this while the
PDC is still available. This is the preferred method for passing primary domain controller
functionality to a different server on the I/A Series system, so that the primary domain controller
will automatically be demoted to a secondary domain controller.
There are five FSMO (Flexible Single Master Operation) roles which are transferable between
domain controllers within an Active Directory domain or forest:
• RID (Relative ID) Master
• PDC Emulator
• Infrastructure Master
• Domain Naming Master
• Schema Master
Note that these roles are also referred to as “operations master” roles. The steps in the next section
provide a method for transferring all five roles from the PDC to one of the SDC servers.

Transferring the Operations Master Roles


In this procedure, the example name of the PDC is “NESRV5” while the example name of the
SDC is “NESRV4”. The transfer procedure is illustrated in Figure D-1.

Server 1 (NESRV5) Role         Server 2 (NESRV4) Role
Primary Domain Controller      Secondary Domain Controller

FSMO roles are transferred to existing Secondary Domain Controller:
Secondary Domain Controller    Primary Domain Controller

Figure D-1. Transferring FSMO Roles

Proceed as follows to transfer the domain controller roles from a working PDC to an existing
secondary domain controller:
1. To transfer the RID Master, PDC Emulator, and Infrastructure Master FSMO roles:
a. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers.
b. Open Active Directory Users and Computers in the left-hand tree view
and open the domain (iaseries.local) -> Invensys -> Accounts -> Users ->
Administrators. In the right-hand pane, right-click IADomainAdmin and select
Properties.


Figure D-2. Active Directory Users and Computers - IADomainAdmin

c. In the Properties dialog box, select the Member Of tab.


Figure D-3. IADomainAdmin Properties Dialog Box

d. Click the Add button.


e. Type in the text “Schema” and click the Check Names button.
f. Select the desired user group (i.e. Schema Admins).


Figure D-4. Select groups Dialog Box

g. Click OK and then click OK again on the Properties dialog box.


h. Right-click on Active Directory Users and Computers in the left-hand tree
view and select Change Domain Controller.

Figure D-5. Active Directory Users and Computers - Connect to Domain Controller

i. Select the domain controller which is to become the new PDC. Click OK.


Figure D-6. Connect to Domain Controller Dialog Box

j. Right-click on Active Directory Users and Computers in the left-hand tree
view and select All Tasks -> Operations Masters.

Figure D-7. Active Directory Users and Computers - Set Operations Masters


k. Select the RID tab and click the Change button.

Figure D-8. Operations Master Dialog Box

l. Click Yes to confirm the change.

Figure D-9. Operations Master - Confirm Transfer

m. Select the PDC tab and click the Change button.


n. Click OK to confirm the change.


Figure D-10. Operations Master - Confirm Change

o. Select the Infrastructure tab and click the Change button.


p. Click OK to confirm the change.
2. To transfer the Domain Naming Master FSMO role:
a. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Domains and Trusts.
b. Right-click on Active Directory Domains and Trusts in the left-hand tree
view and select Change Active Directory Domain Controller.

Figure D-11. Active Directory Domains and Trusts - Connect to Domain Controller

c. Select the domain controller which is to become the new PDC.


Figure D-12. Active Directory Domains and Trusts - Selecting Domain Controller to Become
The New PDC

d. Right-click on Active Directory Domains and Trusts in the left-hand tree
view and select Operations Master.

Figure D-13. Active Directory Domains and Trusts - Set Operations Masters

e. Press the Change button.

Figure D-14. Change Operations Master

f. Click Yes to confirm the change.


Figure D-15. Active Directory Domains and Trusts - Confirm Yes

g. Click OK.

Figure D-16. Active Directory Domains and Trusts - Confirm OK

3. To transfer the Schema Master FSMO role:

NOTE
This procedure can only be completed by a schema administrator. By default, the
only user with schema administrator privileges is the system administrator (i.e., the
user account which is named IAManager at the time the workstation is first
installed).

a. Open a command prompt. From the Start menu, click Programs -> Accessories ->
Command Prompt.
b. In the command prompt, type regsvr32 schmmgmt.dll and press <Enter>.
This will register the Schema Management DLL.


Figure D-17. Command Prompt - regsvr32 schmmgmt.dll

c. Click OK to confirm the operation completed successfully.

Figure D-18. Confirm Operation

d. Open the Run window, type MMC and press <Enter>. This will open the Microsoft
Management Console.

Figure D-19. Confirm Operation

e. Select Add/Remove Snap-In from the File menu.


Figure D-20. Microsoft Management Console - Selecting Add/Remove Snap-In

4. From Available Snap-ins, select Active Directory Schema and click Add.


Figure D-21. Add or Remove Snap-Ins Dialog Box

5. Click OK.


Figure D-22. Add or Remove Snap-Ins Dialog Box


f. Right-click on Active Directory Schema in the left-hand tree view and select
Change Active Directory Domain Controller.

Figure D-23. Microsoft Management Console - Selecting Change Domain Controller

g. Select the domain controller which is to become the new PDC.

Figure D-24. Change Domain Controller


h. Right-click on Active Directory Schema in the left-hand tree view and select
Operations Master.

Figure D-25. Microsoft Management Console - Selecting Operations Master

i. Click OK.

Figure D-26. Change Domain Controller

j. Click the Change button.


Figure D-27. Change Schema Master Dialog Box

k. Click Yes to confirm the change.

Figure D-28. Active Directory Domains and Trusts - Confirm Yes

l. Click OK.

Figure D-29. Active Directory Domains and Trusts - Confirm OK
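
One way to confirm the outcome of the transfer is to ask every domain controller which server it believes holds each of the five roles, and to review who is now in Schema Admins after step 1f. This is an added example, not part of the Invensys procedure; it assumes the ActiveDirectory PowerShell module installed with the AD DS role on Windows Server 2008 R2, the function names are hypothetical, and NESRV4.iaseries.local is the example name used in this appendix.

```powershell
# Added example (not from the Invensys guide). Get-FsmoView and Test-FsmoHolder
# are hypothetical helper names. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-FsmoView {
    # Ask one specific domain controller which servers it believes hold the roles.
    param([Parameter(Mandatory = $true)][string]$Server)

    $domain = Get-ADDomain -Server $Server -ErrorAction Stop
    $forest = Get-ADForest -Server $Server -ErrorAction Stop
    return @{
        'RID Master'            = $domain.RIDMaster
        'PDC Emulator'          = $domain.PDCEmulator
        'Infrastructure Master' = $domain.InfrastructureMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'Schema Master'         = $forest.SchemaMaster
    }
}

function Test-FsmoHolder {
    # Emit one row per (domain controller asked, role) with the holder it reports.
    param([Parameter(Mandatory = $true)][string]$ExpectedHolder)

    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $view = Get-FsmoView -Server $dc.HostName
        } catch {
            # A controller that cannot be reached confirms nothing; report it
            # rather than skipping it silently.
            New-Object PSObject -Property @{
                AskedServer = $dc.HostName
                Role        = '(unreachable)'
                Holder      = $null
                OnExpected  = $false
            }
            continue
        }
        foreach ($role in $view.Keys) {
            New-Object PSObject -Property @{
                AskedServer = $dc.HostName
                Role        = $role
                Holder      = $view[$role]
                OnExpected  = ($view[$role] -ieq $ExpectedHolder)
            }
        }
    }
}

# The server that was selected to become the new PDC (example name from this appendix)
$expected = 'NESRV4.iaseries.local'
$rows = @(Test-FsmoHolder -ExpectedHolder $expected)

$rows | Sort-Object AskedServer, Role |
    Select-Object AskedServer, Role, Holder, OnExpected |
    Format-Table -AutoSize

# Any row that is not on the expected server means a role was not moved, a
# controller has not yet replicated the change, or a controller is unreachable.
$stray = @($rows | Where-Object { -not $_.OnExpected })
if ($stray.Count -gt 0) {
    Write-Warning ("{0} row(s) do not show {1} as the role holder." -f $stray.Count, $expected)
}

# Step 1f added IADomainAdmin to Schema Admins; list the members for review.
Get-ADGroupMember -Identity 'Schema Admins' |
    Select-Object Name, SamAccountName, objectClass
```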


Seizing Active Directory Operations Master Roles


In the event that the PDC is no longer available, one of the SDCs may still be promoted to be a
primary domain controller. To do this, follow the procedure below to seize the domain controller
roles for an existing SDC. This procedure provides a method for seizing all five roles and assigning
them to one of the SDC servers, and is illustrated in Figure D-30.

Server 1 (NESRV5) Role                     Server 2 (NESRV4) Role
Primary Domain Controller                  Secondary Domain Controller

PDC is unavailable due to a hardware or software failure:
Primary Domain Controller (Unavailable)    Secondary Domain Controller

FSMO roles are seized by the existing SDC. This server becomes the Primary Domain Controller:
Primary Domain Controller (Unavailable)    Primary Domain Controller

Figure D-30. Seizing FSMO Roles

NOTE
This is a last-resort measure that should only be taken if the PDC holding the roles
will not be able to be restored. Once you perform this procedure, you will not be
able to bring the PDC back online without first removing its installation of Active
Directory. (This is discussed in a later section.)

To seize the Active Directory roles because the PDC will no longer be available:
1. On the SDC server which will become the PDC, open the Run window, type ntdsutil
and press <Enter>. This starts the Active Directory Services Maintenance Utility.


Figure D-31. Role Seizure Confirmation Dialog Box

2. Type roles and press <Enter>.


3. At the fsmo maintenance: prompt, type connections and press <Enter>.
4. At the server connections: prompt, type connect to server <servername> and
press <Enter>. In this case, <servername> is the name of the SDC being promoted
to PDC.
5. At the server connections: prompt, type q and press <Enter>.
6. At the fsmo maintenance: prompt, type seize naming master and press <Enter>.
7. At the fsmo maintenance: prompt, type seize infrastructure master and press
<Enter>.
8. At the fsmo maintenance: prompt, type seize PDC and press <Enter>.
9. At the fsmo maintenance: prompt, type seize RID master and press <Enter>.
10. At the fsmo maintenance: prompt, type seize schema master and press <Enter>.
During each role seizure call, the Active Directory Services Maintenance Utility will
attempt to transfer the role by contacting the PDC. A time-out will occur while this
happens, followed by an error message. A dialog will appear, asking to confirm the
seizure of the role. Click Yes to seize the role.

Figure D-32. Role Seizure Confirmation Dialog Box


The full text of the above operation should appear similar to the following in the
command prompt window. Text in bold is the text entered by the user.

C:\Windows\system32\ntdsutil.exe: roles
fsmo maintenance: connections
server connections: connect to server NESRV4.iaseries.local
Binding to NESRV4.iaseries.local ...
Connected to NESRV4.iaseries.local using credentials of locally logged on user.
server connections: q
fsmo maintenance: seize naming master
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210397, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure ...
Server "NESRV4.iaseries.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance: seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210397, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "NESRV4.iaseries.local" knows about 5 roles

456
Appendix D. Secondary Domain Controllers in an I/A Series System B0700SF – Rev E

Schema - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=


Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance: seize PDC
Attempting safe transfer of PDC FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210581, problem
5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The


current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of PDC FSMO failed, proceeding with seizure ...
Server "NESRV4.iaseries.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=
Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance: seize RID master
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210CB1, problem
5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The


current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure ...
Searching for highest rid pool in domain
Server "NESRV4.iaseries.local" knows about 5 roles

457
B0700SF – Rev E Appendix D. Secondary Domain Controllers in an I/A Series System

Schema - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=


Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210CB1, problem
5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The


current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure ...
Searching for highest rid pool in domain
Server "NESRV4.iaseries.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=
Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210397, problem
5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The


current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
Server "NESRV4.iaseries.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=
Configuration,DC=iaseries,DC=local

458
Appendix D. Secondary Domain Controllers in an I/A Series System B0700SF – Rev E

Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=


Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=Con-
figuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance:
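
One way to confirm from a saved copy of the ntdsutil output above that every role ended up on the promoted server, and to see which server was displaced by seizure and therefore needs Active Directory removed before it is reconnected. This is an added example, not part of the Invensys guide; the function names and the shortened sample transcript are constructed for illustration.

```python
import re

# Role labels as ntdsutil prints them in each "knows about 5 roles" listing.
ROLES = ("Schema", "Naming Master", "PDC", "RID", "Infrastructure")
# Names used in "Transfer of <name> FSMO failed", mapped to the labels above.
SEIZE_NAMES = {"schema": "Schema", "domain naming": "Naming Master",
               "PDC": "PDC", "RID": "RID", "infrastructure": "Infrastructure"}
LISTING_RE = re.compile(r'^Server "[^"]+" knows about \d+ roles$')
ROLE_RE = re.compile(r"^(%s) - (CN=.*)$" % "|".join(ROLES))
SEIZED_RE = re.compile(r"^Transfer of (.+?) FSMO failed, proceeding with seizure")
HOLDER_RE = re.compile(r"CN=NTDS Settings,CN=([^,]+)")


def parse_transcript(text):
    """Return (listings, seized): each role listing as {role: server}, in
    transcript order, and the roles whose safe transfer failed so that
    ntdsutil went on to seize them."""
    dn_listings, seized = [], []
    current = role = None
    for line in (raw.strip() for raw in text.splitlines()):
        forced, found = SEIZED_RE.match(line), ROLE_RE.match(line)
        if forced:
            seized.append(SEIZE_NAMES.get(forced.group(1), forced.group(1)))
        if LISTING_RE.match(line):
            current, role = {}, None
            dn_listings.append(current)
        elif current is not None and found:
            role = found.group(1)
            current[role] = found.group(2)
        elif role and "=" in line and ":" not in line:
            current[role] += line      # console-wrapped remainder of the DN
        else:
            role = None                # any other line ends the DN in progress
    listings = []
    for dns in dn_listings:
        matches = {r: HOLDER_RE.search(dn) for r, dn in dns.items()}
        listings.append({r: m.group(1) for r, m in matches.items() if m})
    return listings, seized


def audit_seizure(text, expected_holder):
    """Check the last role listing in the transcript against the server that
    is supposed to hold all five roles (short name or FQDN)."""
    listings, seized = parse_transcript(text)
    if not listings:
        raise ValueError("no role listing found in transcript")
    final = listings[-1]
    expected = expected_holder.split(".")[0].upper()
    missing = [r for r in ROLES if r not in final]
    unexpected = {r: h for r, h in final.items() if h.upper() != expected}
    # Servers an earlier listing showed holding a role that has since moved.
    displaced = sorted({h for snap in listings for r, h in snap.items()
                        if final.get(r) != h})
    return {"final": final, "missing": missing, "unexpected": unexpected,
            "seized": seized, "displaced": displaced,
            "complete": not missing and not unexpected}


# Constructed sample: two seizures, shortened from the transcript in the guide.
SAMPLE = """\
fsmo maintenance: seize PDC
Attempting safe transfer of PDC FSMO before seizure.
Transfer of PDC FSMO failed, proceeding with seizure ...
Server "NESRV4.iaseries.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=NESRV5,CN=Servers,CN=IASERIES,CN=Sites,CN=
Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=
Configuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=
Configuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
Transfer of schema FSMO failed, proceeding with seizure ...
Server "NESRV4.iaseries.local" knows about 5 roles
Schema - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=
Configuration,DC=iaseries,DC=local
Naming Master - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
PDC - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=
Configuration,DC=iaseries,DC=local
RID - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=Sites,CN=
Configuration,DC=iaseries,DC=local
Infrastructure - CN=NTDS Settings,CN=NESRV4,CN=Servers,CN=IASERIES,CN=
Sites,CN=Configuration,DC=iaseries,DC=local
fsmo maintenance:
"""

if __name__ == "__main__":
    report = audit_seizure(SAMPLE, "NESRV4.iaseries.local")
    for key in ("complete", "unexpected", "seized", "displaced"):
        print(key, "=", report[key])
```

A transcript that stops before the last seizure reports the role still listed on the failed server under "unexpected", which is the case to catch before the old PDC is removed from Active Directory.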

Restoring a PDC Server Station


If the PDC station which had its roles seized becomes available later (e.g., through a hardware fix
or a ghost image restore), it cannot be returned to the I/A Series network until it has had its Active
Directory removed. This is due to the fact that the software on that station is still configured to be
the primary domain controller.
The instructions to remove Active Directory from this workstation before placing it back on the
I/A Series network are provided below. This procedure is illustrated in Figure D-33.


Role of each server at each stage (Server 1 is NESRV5, Server 2 is NESRV4):

NESRV5 is unavailable. NESRV4 has seized FSMO roles and is the only PDC on the system.
    Server 1 (NESRV5) Role: Primary Domain Controller (PDC), Unavailable
    Server 2 (NESRV4) Role: Primary Domain Controller

NESRV5 is physically disconnected from the I/A Series network prior to restarting.
    Server 1 (NESRV5) Role: Primary Domain Controller, Disconnected from I/A Series Network and Restarted
    Server 2 (NESRV4) Role: Primary Domain Controller

Active Directory is removed from NESRV5 and it is reconnected to the I/A Series network.
    Server 1 (NESRV5) Role: No Longer a Domain Controller, Connected to I/A Series Network
    Server 2 (NESRV4) Role: Primary Domain Controller

Active Directory is restored on NESRV5 which is now a Secondary Domain Controller on the I/A Series network.
    Server 1 (NESRV5) Role: Secondary Domain Controller
    Server 2 (NESRV4) Role: Primary Domain Controller

Optional - Transfer FSMO roles back to the original PDC server (NESRV5).
    Server 1 (NESRV5) Role: Primary Domain Controller
    Server 2 (NESRV4) Role: Secondary Domain Controller

Figure D-33. Restoring FSMO Roles to a Primary Domain Controller That Had Its Roles Seized

Alternatively, you can remove and restore the Active Directory by reinstalling the operating system
and I/A Series software on this workstation. (This is a longer and more complicated procedure
than the one described in Figure D-33 but it is a viable alternative.) To accomplish this,
completely reload this workstation from the base Invensys-provided Day 0 workstation image and
follow the instructions for installing a secondary domain controller provided in Chapter 4 “Security
Enhanced I/A Series Software v8.8 Installation for Domain Controllers on The MESH Control
Network” or Chapter 5 “Security Enhanced I/A Series Software v8.8 Installation for New
Off-MESH Domain Controllers”. Once this workstation is completely installed as an SDC, follow the
procedure listed below for promoting this workstation to be the PDC while the existing primary
domain controller is still available to be demoted.


Proceed as follows:
1. Start the server up while physically disconnected from the I/A Series network.
2. Click the Start button and select Control Panel -> Administrative Tools ->
Services. Stop the Net Logon service.
3. Open the Run window, type dcpromo /forceremoval. Press <Enter>.

Figure D-34. Invoking dcpromo /forceremoval

4. If this server previously held all five FSMO roles, six warnings will be displayed: one
for each role previously held, and one additional warning for the data held
in Active Directory for the DNS server. Acknowledge each warning as it is displayed
to continue. See Figure D-35 through Figure D-37.

Figure D-35. Acknowledging Warnings - Part 1


Figure D-36. Acknowledging Warnings - Part 2


Figure D-37. Acknowledging Warnings - Part 3


5. At the following dialog box, click Next.

Figure D-38. Active Directory Installation Wizard - Welcome


6. Click Next.

Figure D-39. Active Directory Installation Wizard - Force Removal

7. Click OK.

Figure D-40. Active Directory Installation Wizard - Acknowledge


8. Enter an Administrator account password for the new local Administrator account on
this server. The name of this account will be Administrator which is different from
the account name originally created by the I/A Series installation. This account name
can be changed later through the standard Microsoft dialog boxes. Click Next.

Figure D-41. Active Directory Installation Wizard - Administrator Password


9. Click Next.

Figure D-42. Active Directory Installation Wizard - Summary


10. Wait while the configurator reads the domain policy.

Figure D-43. Active Directory Installation Wizard - Reading Domain Policy

11. Click Finish when the process completes.

Figure D-44. Active Directory Installation Wizard - Completed


12. Physically reconnect the workstation to the I/A Series network.


13. Restart the workstation.

Figure D-45. Active Directory Installation Wizard - Restarting the Computer

14. This workstation must be manually added back onto the domain. Use the IADomainAdmin
account along with the password entered above to log onto the workstation.

Figure D-46. Windows Security - Logging in IADomainAdmin

15. Click the Start button and select Control Panel -> System. From the System window,
select Advanced system settings from the left-hand pane. Click the Change
button on the System Properties dialog box.
16. Select the Domain radio button and enter the domain name.
17. A dialog box will indicate that the computer has been added to the domain. Click OK.


Figure D-47. Windows Security - Logging in IADomainAdmin

18. A dialog box will indicate that the computer must be restarted. Click OK.

Figure D-48. Windows Security - Logging in IADomainAdmin

19. Click Restart Now to have the workstation restart.

Figure D-49. Windows Security - Logging in IADomainAdmin

20. If this workstation must be reloaded as a primary or secondary domain controller, the
dcpromo utility can be used to reinstall Active Directory. The remaining steps below
describe reloading Active Directory on the failed server.
Open the Run window, and type dcpromo. Press <Enter>.


Figure D-50. Invoking dcpromo

21. Click Next.

Figure D-51. Active Directory Installation Wizard - Welcome


22. Click Next.

Figure D-52. Active Directory Installation Wizard - Operating System Compatibility


23. Select the second radio button indicating that this is an additional domain controller
for an existing domain and click Next.

Figure D-53. Active Directory Installation Wizard - Domain Controller Type


24. Enter the domain name and click Next.

Figure D-54. Active Directory Installation Wizard - Additional Domain Controller


25. Select the forest root domain name and click Next.

Figure D-55. Active Directory Installation Wizard - Forest Root Domain


26. Select the site for the new domain controller and click Next.

Figure D-56. Active Directory Installation Wizard - Site for New Domain Controller


27. Click Next.

Figure D-57. Active Directory Installation Wizard - Additional Domain Controller Options


28. Click No, I will assign static IP addresses to all physical network
adapters.

Figure D-58. Static IP Assignment

29. Click Yes.

Figure D-59. Active Directory Installation Wizard - Continue


30. Keep the default folder paths. Click Next.

Figure D-60. Active Directory Installation Wizard - Database and Log Folders


31. Enter a restore mode password and confirm. Click Next.

Figure D-61. Active Directory Installation Wizard - Restore Mode Administrator Password


32. Click Next to confirm your choices.

Figure D-62. Active Directory Installation Wizard - Summary


33. Wait while the wizard configures the Active Directory Domain Services.

Figure D-63. Active Directory Installation Wizard - Configuring

34. Click Finish when done.

Figure D-64. Active Directory Installation Wizard - Complete


35. Allow the computer to restart.

Figure D-65. Restarting the Computer

36. Reboot the server and log in with a domain administrator user account.
37. Click the Start button and select Control Panel -> Administrative Tools ->
DNS.
38. Right-click on each forward and reverse lookup zone and select Properties. There
should be three in total.

Figure D-66. DNS Management - Selecting Lookup Zone Properties


39. Check the Allow Zone Transfers checkbox and select the second radio button
choice to allow transfers only to servers listed on the Name Server tab. Click OK.

Figure D-67. Zone Properties Dialog Box

40. The server may now be restored as a PDC or be left as an SDC station. To make this
server a PDC, refer to “Transferring the Operations Master Roles” on page 436 to
transfer domain controller roles from one domain controller to another.
When you have completed the restoration, verify that the SDC is working properly, as discussed
in the next subsection.

Verifying Domain Controller Backup Functionality


Once an I/A Series system has been installed with both a primary and secondary domain
controller, verify that the backup functionality is working properly.
To test that the SDC is servicing logon requests and allowing for the creation of new user
accounts while the PDC is offline, proceed as follows:
1. Create a new user account on the SDC while the PDC is offline.
2. Add this user account to one of the standard I/A Series groups (for example, IA Plant
Operators).


3. Use this new user account to log onto one of the client workstations.
To test that the SDC is servicing DNS name resolution requests while the backup is offline,
proceed as follows:
1. Open a command prompt on one of the client workstations.
2. With the PDC still connected to the network, type nslookup and press <Enter>.
3. With the PDC still connected to the network, in the command prompt, type
“nslookup <CLIENT2>”, where <CLIENT2> is another client station on the domain.
The IP address of the second client will be retrieved from the primary DNS server
(NESRV5.iaseries.local in this case) to verify that the PDC is no longer available.
4. Type “nslookup <CLIENT2> <SDCStationName>” to verify that the SDC responds to
the DNS request.

Figure D-68. nslookup for Client Stations (NESRV5.iaseries.local)

5. Disconnect the PDC from the network.


6. Open a command prompt on one of the client workstations.
7. With the PDC disconnected from the network, type nslookup and press <Enter>.
8. Type <CLIENT2>, where <CLIENT2> is another client on the domain. The IP address
of the second client will be retrieved from the secondary DNS server
(NESRV4.iaseries.local in this case).


Figure D-69. nslookup for Client Stations (NESRV4.iaseries.local)

9. In the event that this does not work with the PDC disconnected, it is possible that the
NIC card settings were not made for the SDC when the I/A Series software was
installed. On every workstation, the SDC IP addresses should be configured as
secondary DNS locators. The NIC settings should appear as shown in Figure D-70 for a
client workstation on a system with a primary and one secondary DNS server. These
settings are only necessary for the FoxInt NDIS Intermediate Miniport Driver. In this
case, 151.128.152.205 is for the PDC and 151.128.152.209 is for the SDC.


Figure D-70. Typical NIC Settings for a Client Workstation on a System with a Primary and
One Secondary DNS Server

Removing Domain Controller Functionality from a Workstation

In the event that a domain controller must have Active Directory removed, it is always
recommended that the Microsoft dcpromo utility be used to perform this operation.
1. Click the Start button and select Control Panel -> Administrative Tools ->
Services. Stop the Net Logon service.


2. From the Run window, enter dcpromo. Click OK.

Figure D-71. Starting the Active Directory Installation Wizard

3. Click Next.

Figure D-72. Active Directory Installation Wizard - Welcome


4. Click OK to the following warning. The SDC is also a Global Catalog provider.

Figure D-73. Active Directory Installation Wizard - Global Catalog Provider Warning

5. Leave un-checked the check box indicating that this is the last domain controller in
the domain. Click Next.

Figure D-74. Active Directory Installation Wizard - Remove Active Directory


6. Enter an Administrator account password for the new local Administrator account on
this server. The name of this account will be Administrator which is different from
the account name originally created by the I/A Series installation. This account name
can be changed later through the standard Microsoft dialog boxes. Click Next.

Figure D-75. Active Directory Installation Wizard - Administrator Password


7. Click Next.

Figure D-76. Active Directory Installation Wizard - Summary


8. Wait while the wizard configures the Active Directory Domain Services.

Figure D-77. Active Directory Installation Wizard - Configuring

9. Click Finish when the process completes.


10. Restart the computer.

Figure D-78. Active Directory Installation Wizard - Restarting the Computer

Forcefully Removing a Domain Controller from Active Directory

In the event that a domain controller has failed and will not be restored from a saved image,
remove this domain controller from the Active Directory domain with the following procedure.
This procedure will not successfully remove a domain controller if it holds one or more of the
FSMO roles. These roles must be transferred to another domain controller before proceeding, as
discussed in “Transferring the Operations Master Roles” on page 436.
If the domain controller is not available, the master roles cannot be transferred. In this case, refer
to “Seizing Active Directory Operations Master Roles” on page 454.


Proceed as follows:
1. Click the Start button and select Control Panel -> Administrative Tools ->
Active Directory Users and Computers.
2. Navigate to the Domain Controllers entry in the tree view under the domain
name.
3. Right-click on the domain controller connection to remove in the right-hand pane
and select Delete.

Figure D-79. Active Directory Users and Computers - Delete a Domain Controller Connection

4. Click Yes to confirm.

Figure D-80. Active Directory Users and Computers - Delete Confirmation


5. Right-click on the domain controller settings to remove in the left-hand pane and
select Delete.

Figure D-81. Active Directory Users and Computers - Delete a Domain Controller Settings

6. Click Yes to confirm.

Figure D-82. Active Directory Users and Computers - Delete Confirmation


7. When the following warning appears, select Delete.

Figure D-83. Active Directory Users and Computers - Deleting a Domain Controller

8. Right-click on the server to remove in the left-hand pane and select Delete.

Figure D-84. Active Directory Users and Computers - Delete a Server

9. Click Yes to confirm.


Figure D-85. Active Directory Users and Computers - Delete Confirmation

10. If this workstation is to be added back to the system as a domain client, this workstation
name must be added manually to the list of IA Computers in Active Directory.
Navigate to the IA Computers entry in the tree view under the domain name.
11. Right-click on IA Computers and select New -> Computer.

Figure D-86. Active Directory Users and Computers - Creating New Computer Account


12. Enter the name of the I/A Series workstation and click OK.

Figure D-87. New Object - Computer Dialog Box

Restoring Connections on a Single Domain Controller System

If the PDC becomes unavailable and there are no SDCs on the I/A Series system, the original
PDC may be reloaded from a ghost image or reloaded from the base Invensys-provided Day 0
workstation images. However, the functionality of the I/A Series system will be very limited
during the time which the PDC is unavailable. On each client workstation, only domain accounts
(including operators and administrators) which have already been used to log on to that
workstation may be used. This is because the account credentials for these accounts have been cached
locally.
After the PDC station has been completely restored, the following procedure must be performed
on each of the client workstations in order to restore the connection to the domain.

NOTE
These steps are not necessary if there was an SDC present on the I/A Series
network.


Proceed as follows:
1. Right-click on My Computer in Windows Explorer and select Properties. Click
the Change button on the System Properties dialog box.

Figure D-88. Workstation System Properties


2. Select the Workgroup radio button and enter a workgroup name.

Figure D-89. Computer Name Changes Dialog Box - Workgroup

3. Enter domain administrator credentials and click OK.


4. Click OK when the following dialog box appears.

Figure D-90. Computer Name Change - Remember Local Admin Password


5. Log in as IADomainAdmin.

Figure D-91. Log in IADomainAdmin

6. A dialog box indicates that the computer has been added to the workgroup entered.
Click OK.

Figure D-92. Computer Name Change - Welcome to the [YourName] Workgroup

7. A dialog box indicates that you will need to restart the station to apply the
changes. Click OK.

Figure D-93. Computer Name Change - Restart Computer


8. Click Close to close the System Properties dialog box.

Figure D-94. Closing System Properties Dialog Box

9. Upon closing the System Properties dialog box, click Yes to have the workstation
restarted.
10. After the workstation restarts, log on with the local administrator account credentials.
11. Right-click on My Computer in Windows Explorer and select Properties. Click the
Change button on the System Properties dialog box.
12. Select the Domain radio button and enter the domain name.


Figure D-95. Computer Name Changes Dialog Box - Domain

13. When prompted, add the username and password of the account with permission to
join this domain. Click OK when done.

Figure D-96. Windows Security Dialog Box


14. A dialog box indicates that the computer has been added to the domain. Click OK.

Figure D-97. Computer Name Changes Dialog Box - Welcome to the [YourName] Domain

15. A dialog box indicates that the computer must be restarted. Click OK.

Figure D-98. Computer Name Changes Dialog Box - Need to Restart To Apply Changes


16. Click Close to close the System Properties dialog box.

Figure D-99. Close System Properties Dialog Box

17. Upon closing the System Properties dialog box, click Restart Now to have the
workstation restart.

Figure D-100. Computer Name Changes Dialog Box - Need to Restart To Apply Changes


Adjusting NIC Settings after Adding an SDC


If this SDC server name was not selected from the SDC drop-down list during the installation of
the PDC or any of the clients, including additional SDC servers, then the NIC card settings must
be adjusted on those stations at this time.
On each of these stations, the SDC IP address should be configured as a secondary DNS locator:
1. Open the Network and Sharing Center from the Control Panel.
2. Click Change adapter settings in the left-hand pane.
3. Right-click on the entry for REDL Virtual Miniport Driver and select Properties.
4. Select Internet Protocol 4 (TCP/IPv4) and click Properties.

Figure D-101. Local Area Connection Properties Dialog Box


5. Click the Advanced button.

Figure D-102. Internet Protocol Version 4 (TCP/IP4) Properties Dialog Box


6. In the Advanced TCP/IP Settings dialog box, select the DNS tab.
This is what the NIC settings should look like for a client workstation on a system
with a primary and one secondary DNS server. These settings are only necessary for
the FoxInt NDIS Intermediate Miniport Driver. In this case, the IP address ending in
84 is for the PDC and the IP address ending in 112 is for the SDC. Add the SDC IP
Address on each station if it is not already present.

Figure D-103. Advanced TCP/IP Settings Dialog Box

Backing Up Active Directory on Domain Controllers


Active Directory should be backed up at regular intervals on I/A Series domain controller stations
in order to ensure a smooth restoration of I/A Series system operations following unexpected
system failures (software or hardware). At a minimum, these backups should be performed at least
every 60 days, which is the default value of the tombstone lifetime for Active Directory backups.
Backups may be taken less often if the tombstone lifetime value is increased (see the following
section). This value is stored in Active Directory under the tombstoneLifetime attribute and
defines the length of time for which a backup is valid and usable for restoring Active Directory
objects. With a valid backup available, any objects created in Active Directory after the initial I/A
Series software installation can be easily restored. This includes policies that have been defined in
addition to the standard I/A Series system policies. Refer to
http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx?pr=blog for information on
performing Active Directory backups.

NOTE
It is highly recommended that the following procedures are performed for changing
the tombstone lifetime value. This will help ensure that backups remain current and
usable. A value of at least 180 days is recommended. This should be done before
BESR or Active Directory backups are taken. Also, make sure that the value
changed is replicated to all domain controllers before creating backups.

NOTE
Refer to Appendix E “Guidelines for Using BESR for Backing Up and Restoring
Domain Controllers” for additional information on backups.
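
The validity rule described above, worked through as an added example that is not part of the Invensys guide: it judges a set of backups against the tombstoneLifetime value read from each domain controller and flags a change that has not yet replicated. The function name, the station values and the backup labels and dates are constructed; the per-controller values are assumed to have been read from each controller's tombstoneLifetime attribute, with None standing for an attribute that was never changed from the 60-day default the guide describes.

```python
from datetime import date, timedelta

DEFAULT_TSL_DAYS = 60       # lifetime the guide gives when the value is unchanged
RECOMMENDED_TSL_DAYS = 180  # minimum value recommended in the NOTE above


def audit_backups(tsl_by_dc, backups, today):
    """Judge backups against tombstoneLifetime as read from each controller.

    tsl_by_dc: {dc_name: value in days, or None when the attribute is unchanged}
    backups:   {label: date the backup was taken}
    """
    if not tsl_by_dc:
        raise ValueError("need the value from at least one domain controller")
    effective = {dc: DEFAULT_TSL_DAYS if value is None else int(value)
                 for dc, value in tsl_by_dc.items()}
    # Until a change has replicated, controllers disagree. Use the shortest
    # value so no backup is counted as usable because of an unreplicated edit.
    lifetime = min(effective.values())
    usable, expired = {}, []
    for label, taken in sorted(backups.items(), key=lambda item: item[1]):
        days_left = lifetime - (today - taken).days
        if days_left > 0:
            usable[label] = days_left
        else:
            expired.append(label)   # at or past the lifetime: treat as unusable
    # With a usable backup on hand, the next one is due before the newest
    # expires; with none, a backup is due immediately.
    due = max(backups.values()) + timedelta(days=lifetime) if usable else today
    return {
        "lifetime_days": lifetime,
        "values_by_dc": effective,
        "replicated": len(set(effective.values())) == 1,
        "meets_recommendation": lifetime >= RECOMMENDED_TSL_DAYS,
        "usable": usable,
        "expired": expired,
        "next_backup_due": due,
    }


# Constructed sample: the value was raised on NESRV5 but NESRV4 still shows
# the unchanged attribute, and two backups of different ages exist.
SAMPLE_TODAY = date(2016, 2, 9)
SAMPLE_TSL = {"NESRV5": 180, "NESRV4": None}
SAMPLE_BACKUPS = {"besr-2015-11-20": date(2015, 11, 20),
                  "ad-2016-01-15": date(2016, 1, 15)}

if __name__ == "__main__":
    report = audit_backups(SAMPLE_TSL, SAMPLE_BACKUPS, SAMPLE_TODAY)
    for key, value in report.items():
        print(key, "=", value)
```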

Changing the Tombstone Lifetime Attribute in Active Directory

By default, the Active Directory tombstone lifetime is sixty days. This value can be changed if
necessary. Having a longer tombstone lifetime decreases the chance that a deleted object remains
in the local directory of a disconnected Domain Controller beyond the time when the object is
permanently deleted from online Domain Controllers.
The easiest way to modify this attribute value is by using the ADSI Edit tool.

! WARNING
Certain Windows Support Tools, if used improperly, might cause your computer to
stop functioning. It is recommended that only experienced users install and use
Windows Support Tools.

To perform the following steps, use the IADomainAdmin account or an account that is
a member of the “Enterprise Admins” group.
To view or change attribute values by using ADSI Edit:
1. Click Start, click Run, type ADSIEdit.msc and then click OK.


Figure D-104. Opening ADSI Edit Directory Services

2. Right-click on the ADSI Edit node and select Connect to.

Figure D-105. ADSI Edit Directory Services - Connect To


3. From the drop-down menu under “Select a well known naming context”, select
Configuration. Click OK.

Figure D-106. ADSI Edit Directory Services - Configuration


4. Expand the Configuration node.


5. Expand:
CN=Configuration,DC=<ForestRootDN>
where “<ForestRootDN>” is the Distinguished Name of your Active Directory Forest
Root domain. For example, if your domain's name is iaseries.local, then the DN for it
would be:
DC=iaseries,DC=local
6. Navigate to:
CN=Services > CN=Windows NT > CN=Directory Service
7. Right-click on Directory Service and choose Properties.

Figure D-107. ADSI Edit Directory Services - Properties Selection


8. In the CN=Directory Service Properties dialog, scroll down, click the
tombstoneLifetime attribute, and click Edit.

Figure D-108. Attribute Editor - Attribute Selection

9. Configure the tombstone lifetime period (in days), then click OK.

Figure D-109. Attribute Value -- Tombstone Lifetime Period

10. Click OK and then close the ADSI Edit tool.


When you view the properties, if no value is set (shows up as “<Not Set>”) it means that the
default value is in effect. Any value that you type in the Attribute Editor Value field replaces the
default value when you click OK.


In order to verify the value has been set, the following command can be executed in a command
prompt window:
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=iaseries,dc=local" -scope base -attr tombstonelifetime

If your domain name is not “iaseries.local,” then replace the distinguished name of the domain in
the above command from “dc=iaseries,dc=local” to the actual distinguished name of your domain.

Appendix E. Guidelines for Using BESR for Backing Up and Restoring Domain Controllers
This appendix provides guidelines for using Symantec Backup Exec System Recovery (BESR) to
back up and restore images on domain controllers.
The Symantec Backup Exec System Recovery (BESR) product is used to back up and restore
I/A Series workstations and servers. However, when used with domain controllers (PDC or SDC),
restoring an old image that has Active Directory installed on it is a last-resort approach when you
have more than one domain controller. If you have a working domain controller and you need to
restore another domain controller, it is best to reinstall the second domain controller and allow
replication to occur with the good domain controller instead of restoring the second domain
controller from a backup image.
The Symantec Backup Exec System Recovery (BESR) product and all procedures for using this
product are described in Symantec System Recovery 2011 Workstation Edition and Server Edition
Guide for I/A Series Workstations (B0700ES).
For normal backups of Active Directory, the best practice is to perform a System State backup and
a group policy backup:
• Refer to http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx?pr=blog for
information on performing Active Directory backups.
• Use the Group Policy Management Console (GPMC) to perform group policy backups.
Click the Start button and select Control Panel -> Administrative Tools ->
Group Policy Management.
In the case of servers that have Active Directory installed on them, i.e., domain controllers, the
following guidelines should be followed if you are forced to restore them from BESR backups.

NOTE
These procedures refer to tools that are part of the Windows Support Tools. If you
have not installed these tools, refer to “Changing the Tombstone Lifetime Attribute
in Active Directory” on page 508.

Making Backup Images of Domain Controllers


Proceed as follows:
1. After installing a domain controller, it is strongly recommended that you change the
tombstone lifetime value to suit your backup practices. The default is 180 days for
Server 2008 R2 Standard [for Server 2003, it was 60 days]. If you intend to restore
images older than the default value, you must change this value accordingly as
described in “Changing the Tombstone Lifetime Attribute in Active Directory” on
page 508.
2. Do not make the initial backup of domain controllers until they have been running
for at least twelve hours.
3. If you have secondary domain controllers, make sure the PDC and SDC are working
together properly. See “Checking the Health of Active Directory” on page 517.
4. You should make full backups of both the PDC and the SDC about the same time
(separated by minutes, not hours).
5. Back up all the active drives (e.g., C: and D:) at the same time.
6. Be sure to select the “Verify Recovery Point” option in the BESR window when
creating the backup image.

Restoring Only One Domain Controller


This procedure applies when there is only one domain controller being restored (for example, in
the case of a hardware failure), whether it is the only domain controller or there are multiple
domain controllers present. Proceed as follows:
1. The domain controller backup image should not be older (i.e., greater) than the
tombstone lifetime value.
2. Shut down the domain controller and restore its BESR image as described in Symantec
System Recovery 2011 Workstation Edition and Server Edition Guide for I/A Series
Workstations (B0700ES).
3. After the domain controller is rebooted, verify it is working properly. See “Checking
the Health of Active Directory” on page 517.

Restoring Multiple Domain Controllers from Backup Images
If it is necessary to restore multiple domain controllers from backup images at the same time, such
as in a testing environment, perform the following procedure:
1. The domain controller backup images should not be older (i.e., greater) than the
tombstone lifetime value. The backup images should have been created about the
same time.
2. Shut down the domain controllers.
3. Boot up only the PDC and restore its BESR backup image as described in Symantec
System Recovery 2011 Workstation Edition and Server Edition Guide for I/A Series
Workstations (B0700ES).
4. Seize the FSMO roles as described in “Seizing Active Directory Operations Master
Roles” on page 454. Be aware that this procedure is described in the context of moving
these roles to another domain controller when the PDC is no longer available. In
the context of this procedure, it is performed on a PDC that is being restored from a
BESR image. This may not be necessary but it is good practice. In any case, verify the
roles.


5. Set the PDC as “authoritative” for SYSVOL. Refer to the “Authoritative FRS restore”
procedure described in the following Microsoft article:
http://support.microsoft.com/kb/290762
6. Boot up the next domain controller (SDC). If this SDC is On-Mesh, restore its BESR
backup image as described in Symantec System Recovery 2011 Workstation Edition and
Server Edition Guide for I/A Series Workstations (B0700ES). If this SDC is Off-Mesh, it
is recommended that the box be reinstalled.
7. After the domain controller is rebooted, if it has been reinstalled, join it to the
domain. In any case, verify it is working properly. See the next section’s instructions
on checking the health of Active Directory.
8. Repeat steps 6 and 7 for each additional domain controller.
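
The image-age and timing rules in the two restore procedures above can be checked before an image is used. The following PowerShell is an added example, not part of the original guide or of BESR; the station names, image dates and the 60-minute spread limit are constructed assumptions, and a “<Not Set>” attribute is treated as 60 days.

```powershell
# Added example, not from the I/A Series guide. PowerShell 2.0 compatible.
# Checks two rules from the BESR restore procedures:
#   1. a domain controller image must not be older than the tombstone lifetime
#   2. PDC and SDC images should be taken minutes apart, not hours

function Get-TombstoneLifetimeDays {
    # Live lookup; needs a domain-joined station that can reach a DC. Reads the
    # same CN=Directory Service object that the dsquery command in Appendix D reads.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $config  = $rootDse.psbase.Properties["configurationNamingContext"].Value
    $entry   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$config"
    $value   = $entry.psbase.Properties["tombstoneLifetime"].Value
    # <Not Set> means the default is in effect. 60 days (the default given in
    # Appendix D) is assumed here so that the check errs on the strict side.
    if ($value -eq $null) { return 60 }
    return [int]$value
}

function Test-DcImageSet {
    param(
        [object[]] $Images,                 # objects with Station and Created
        [int]      $TombstoneDays,
        [datetime] $Now = (Get-Date),
        [int]      $MaxSpreadMinutes = 60   # assumed limit for "minutes, not hours"
    )
    $rows = @()
    foreach ($img in $Images) {
        $age = ($Now - $img.Created).TotalDays
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Station $img.Station
        $row | Add-Member NoteProperty AgeDays ([math]::Round($age, 1))
        $row | Add-Member NoteProperty Expired ($age -gt $TombstoneDays)
        $rows += $row
    }
    # Time between the oldest and newest image in the set
    $sorted = @($Images | Sort-Object Created)
    $spread = ($sorted[-1].Created - $sorted[0].Created).TotalMinutes

    $result = New-Object PSObject
    $result | Add-Member NoteProperty Images        $rows
    $result | Add-Member NoteProperty AllUsable     (@($rows | Where-Object { $_.Expired }).Count -eq 0)
    $result | Add-Member NoteProperty SpreadMinutes ([math]::Round($spread))
    $result | Add-Member NoteProperty SpreadOk      ($spread -le $MaxSpreadMinutes)
    return $result
}

# Constructed sample: station names and image dates are invented.
$now    = [datetime]"2016-02-09 08:00"
$images = @(
    (New-Object PSObject -Property @{ Station = "PDC01"; Created = [datetime]"2015-11-01 02:00" }),
    (New-Object PSObject -Property @{ Station = "SDC01"; Created = [datetime]"2015-11-01 05:30" })
)

# The same images evaluated against a 60-day and a 180-day tombstone lifetime
foreach ($days in 60, 180) {
    $check = Test-DcImageSet -Images $images -TombstoneDays $days -Now $now
    "tombstoneLifetime = {0} days: all images usable = {1}, spread = {2} min (ok = {3})" -f `
        $days, $check.AllUsable, $check.SpreadMinutes, $check.SpreadOk
    $check.Images | Format-Table -AutoSize
}

# On a live station, use the value stored in Active Directory instead:
# Test-DcImageSet -Images $images -TombstoneDays (Get-TombstoneLifetimeDays)
```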

Checking the Health of Active Directory


Perform the following checks to assess the health of Active Directory.
If there is only one domain controller, you can run the following:
1. Open a command prompt window - click the Start button and then select Programs
-> Accessories -> Command Prompt.
2. Type dcdiag and press <Enter>. This will start the process of checking for errors.
If there are multiple domain controllers, you should verify that replication is working:
1. Open a command prompt window - click the Start button and then select Programs
-> Accessories -> Command Prompt.
2. Type repadmin /showreps and press <Enter>. Verify there are no failures.
3. Launch the Event Viewer (click the Start button -> Control Panel -> Administrative
Tools -> Event Viewer).
a. Look in the Application log and verify there are no “userenv” errors.
b. Look in the File Replication Service log and verify that an Event “13516” message
is at the top of the log.

Appendix F. I/A Series MESH Configurator
This appendix describes how to use the I/A Series Mesh Configurator for workstations with
Windows 7 and servers with Windows Server 2008 R2 Standard on The Mesh control
network.
The I/A Series Mesh Configurator application installs the COMEX protocol and Redundant
Ethernet Data Link (REDL) virtual adapter, and configures Internet Protocol (IP) addresses for
stations on The Mesh control network. A station can have one or two connections to The Mesh
(if it has one or two switch connections in System Definition).
The Mesh Configurator provides a user interface to select the Network Interface Cards (NICs) for
these connections.

Figure F-1. MESH Configurator NIC Selection

Silent Installation
The Day 0 installer will attempt to configure The Mesh connections automatically. You are not
prompted with a graphical interface if the workstation has:
• Two switch connections, and there are exactly two NICs in PCI Slots, or
• One switch connection, and there is exactly one NIC in a PCI Slot.
In these cases, The Mesh Configurator selects the NIC(s) in the PCI Slot(s) for The Mesh
connections.


Manual NIC Selection


The graphical interface is always presented if:
• The location of a NIC cannot be identified as an Integrated port or PCI Slot,
• The workstation is using an Off-Mesh Domain Controller, or
• The configurator is run after the Day 0 installation.
In Windows 7 or Windows Server 2008 R2 Standard, it is no longer possible programmatically to
determine the slot of each NIC, so The Mesh Configurator attempts to map the location of each
NIC, based on the platform and BIOS settings. If this mapping fails, the location of each NIC is
listed as “Unknown”.

Figure F-2. NIC Selection on Unknown Platform/BIOS

When NIC locations are “Unknown”, you need to manually select the NICs for The Mesh
connections. The following procedure is recommended:
1. Disconnect all Ethernet cables except those from The Mesh (and from the Off-Mesh
Domain Controller, if one is in use).

NOTE
Do not assign static IP addresses to the workstation NICs before running The Mesh
Configurator. If the configurator reports an IP conflict, find the adapter with the
duplicate IP address, change it to use DHCP, then run the configurator again.

2. Display the Network Connections from the Start menu -> Network and Sharing
Center -> Change adapter settings (or type “view network connections”
from the Start menu search bar), and set the view to Details.


Figure F-3. Network Connections

3. By default, the columns are not wide enough to display all the necessary information.
Resize the Device Name column so it is wide enough to show the full text:

Figure F-4. Network Connections Showing Device Names

4. Identify and record the Device Names that do not have a red X next to their icons.
These are the Device Names that should be selected in The Mesh Configurator.

NOTE
Take care not to confuse Names with Device Names. In the above example, the
Allied Telesis adapter 2 is not the same NIC as Local Area Connection 2.

5. If installing with an Off-Mesh Domain Controller, you are prompted to select the
NIC connected to the Domain Controller’s network.


Figure F-5. Off-MESH NIC Selection

6. After selecting the NIC for the Off-Mesh Domain Controller (or if installing without
one), you are prompted to select the NIC(s) connected to The Mesh control network.

Figure F-6. NICs on The MESH Control Network Selection

NOTE
A NIC selected for the Off-Mesh Domain Controller will be removed from the list
of available NICs when selecting The Mesh connection(s).

Unless there is an error or further user interaction is required, The Mesh Configurator exits
silently. If no error message is returned, this indicates a successful installation.


Post Day 0 Operations


After adding, replacing, or moving an NIC, you must run The Mesh Configurator to ensure
proper network bindings.

NOTE
You must run The Mesh Configurator after restoring a workstation image from a
backup created on different hardware (for example, when replacing defective
hardware).

Open the configurator from the Start menu -> All Programs -> Invensys -> IASeries ->
Utilities -> Mesh Configurator (or type “mesh configurator” from the Start menu
search bar).
• The Mesh Configurator cannot run while The Mesh networking is enabled. If necessary,
it will turn off I/A Series and restart the workstation before running.
• The Mesh Configurator can only be run by users with administrator credentials.
The configurator remembers the selections made on previous installations. Previously selected
NIC(s) will be checked; you can leave them checked or select new NIC(s). If you originally
installed The Mesh Configurator with an Off-Mesh Domain Controller, it prompts you to select
the NIC connected to the Domain Controller’s network.

NOTE
The Mesh Configurator does not support Post Day 0 Operations on single-NIC
configurations.

Identifying Cable A and Cable B


When two connections to The Mesh control network are configured, the connection in the lower
numbered slot is considered Cable A, while the connection in the higher numbered slot is
considered Cable B. (If the slots are not numbered, the top slot is Cable A, while the bottom slot is
Cable B.)
If one Ethernet port is a PCI slot and the other is an Integrated port, the PCI Slot is Cable A and
the Integrated port is Cable B. This configuration is not recommended.
Due to operating system limitations, if the locations are “Unknown”, the Cable A and Cable B
selection will be non-deterministic, and may change each time you run the configurator. In this
case, the cables have to be manually identified by unplugging each cable and noting which cable is
marked “bad” in your System Management tools. For details, refer to “Monitoring the System” in
System Management Displays (B0193JC), or “Workstations, Peripherals, and Network Printers” in
System Manager (B0750AP).

Appendix G. IASeries_NIC_Data.msi Installation (Pre-I/A Series Installation)
This appendix describes how to acquire and install the IASeries_NIC_Data.msi file, which
replaces the PCIBusSlotAddress.xml file in the Day 0 image.

Creating K0174KU-B CD-ROM with IASeries_NIC_Data.msi
The IASeries_NIC_Data.msi file must be downloaded from the Global Customer Support
website. Proceed as follows:
1. Download this file from the following URL:
https://support.ips.invensys.com/content/kpka/files/not/not178/IASeries_NIC_Data.msi
This file has the following properties:
• Date: Tuesday, July 24, 2012, 2:25:26 PM
• Size: 44.0 KB (45,056 bytes)
2. Burn this file to a CD-ROM.
3. Label this CD-ROM as “K0174KU Rev B, I/S Series Ver. 8.8 Install XML
File”. Slip the CD-ROM into a protective case.
This file must be installed before the I/A Series software v8.8 installation.

Installing K0174KU-B CD-ROM (Pre-I/A Series Installation)
Before installing the I/A Series software v8.8, you must install the IASeries_NIC_Data.msi file on
the K0174KU-B CD-ROM you burned above. Proceed as follows:
1. Insert the K0174KU, Rev B CD-ROM into the DVD/CD drive of the station on
which you are installing the I/A Series software v8.8.
2. When the auto-play startup menu opens, click on Open Folders to view the files.
3. At the “Files currently on Disc (1)” window, double-click IASeries_NIC_Data.msi
to run it.
4. Click Yes to accept the User Account Control (UAC) prompt.
5. The file installs the PCIBusSlotAddress.xml file. A progress bar appears and
disappears quickly.


6. Verify the installation. In Windows Explorer, open the C:\Drivers\Invensys folder.


The original PCIBusSlotAddress.xml file is 10Kb.
The Rev. B update of PCIBusSlotAddress.xml is 11Kb.
7. Remove the CD-ROM and store it with the I/A Series installation DVD.
You may install the I/A Series software v8.8 now.

Appendix H. SNMP Community String Configuration
This appendix describes how to configure the SNMP community string for workstations with
Windows 7 and servers with Windows Server 2008 R2 Standard.
SNMP (Simple Network Management Protocol) is an internet protocol used in network
management systems to monitor network-attached devices such as workstations, servers, routers,
switches, and so forth.
The SNMP community string is a text string that acts as a password to authenticate messages that
are sent between the management software and the device (the SNMP agent). This string must be
configured in two places: the SNMP service (included with the Windows operating system) and
the I/A Series Server Manager configuration file. It should be configured only after the I/A Series
software has been installed on the workstation or server.

NOTE
The community string is case-sensitive and must be identical in both places.

To configure the SNMP service, proceed as follows:


1. Log on with an account that has administrative privileges.
2. Click the Start button, and click Control Panel -> Administrative Tools ->
Services.
3. Scroll down to the SNMP Service, right-click on it, and then click Properties.
4. In the SNMP Service Properties dialog box, shown in Figure H-1, select the Security
tab.
5. During the initial installation of the I/A Series software, a default “Invensys” community
string is added to the workstation/server. If this default string is present in the
Accepted community names field (see Figure H-1), you must remove it. After the initial
installation of the I/A Series software, this default string is listed in the servm.cfg
file. Proceed as follows:
a. Using Windows Explorer, navigate to the \usr\fox\sysmgm\smat\ folder on the
drive on which the I/A Series software is installed (typically D:\).
b. If present, open the text file named: servm.cfg
If this file is not present, then it is likely that the default string has already been
removed at an earlier time, and you can skip to step 8.
c. In the servm.cfg file, locate the default string, adjacent to the text
“default_string: ”. Now you can close the servm.cfg file.
d. Once you know the default string, click that string in the Accepted community
names field in the SNMP Service Properties dialog box, and click Remove.


Figure H-1. SNMP Service Properties Dialog Box

6. In the “Accepted community names” area, click the Add… button.


7. Select the appropriate permission level for the community string in the “Community
Rights” drop-down list to specify how the host processes SNMP requests from the
selected community. Normally, READ ONLY is recommended.
8. In the “Community Name” box, type your community string.

NOTE
Be aware that your community string is case-sensitive.

9. Click Add.
To limit the acceptance of SNMP packets, click the Accept SNMP packets from
these hosts bullet. Click the Add… button, and then type the appropriate host
name, IP address or IPX address in the Host name, IP or IPX address box. You can
restrict the access to the local host (127.0.0.1) or only specific servers by using this
setting.
10. Click OK when done.


11. For the settings to take effect, right-click the SNMP service from the Services window.
Stop and then restart the SNMP service.
To configure the I/A Series Server Manager configuration file, proceed as follows:
1. Using Windows Explorer, navigate to the \usr\fox\sysmgm\smat\ folder on the drive
on which the I/A Series software is installed (typically D:\).
2. Open (or create) the text file named: servm.cfg
3. Type the community string using the following format:
default_string: yourcommunitystring
(Type in the same string you used above.)
4. Save the file and then reboot.
For security purposes, it is highly recommended that you do not use a well-known default
community string such as “public.” You should use a string that is compliant with your site’s
password complexity policy.
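
The requirements in this appendix (the same case-sensitive string in both places, no well-known string, READ ONLY rights, an optional host restriction) can be audited with a script. The following PowerShell is an added example, not Invensys or Microsoft code; the registry key is where the Windows SNMP service stores its Security tab settings, and the sample strings, the well-known list and the way the servm.cfg line is trimmed are assumptions made for illustration.

```powershell
# Added example, not from the I/A Series guide. PowerShell 2.0 compatible.
# Audits the two places the community string is configured: the Windows SNMP
# service (registry) and servm.cfg. Findings mask the strings themselves.

$SnmpParams = "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters"
$RightsName = @{ 1 = "NONE"; 2 = "NOTIFY"; 4 = "READ ONLY"; 8 = "READ WRITE"; 16 = "READ CREATE" }

function Get-RegistryValueTable([string]$Path) {
    # Value name -> data for one registry key; empty table if the key is absent.
    $table = @{}
    if (Test-Path $Path) {
        $key = Get-Item $Path
        foreach ($name in $key.GetValueNames()) { $table[$name] = $key.GetValue($name) }
    }
    return $table
}

function Get-ServmCommunity([string[]]$Lines) {
    # Assumption: the value is the rest of the line, surrounding blanks ignored.
    foreach ($line in $Lines) {
        if ($line -cmatch '^\s*default_string:\s*(\S.*?)\s*$') { return $Matches[1] }
    }
    return $null
}

function Hide-Secret([string]$Text) {
    # Show only the first character so reports do not leak the string.
    if ($Text.Length -eq 0) { return "(empty)" }
    return $Text.Substring(0, 1) + "***"
}

function Test-SnmpCommunityConfig {
    param(
        [hashtable] $Communities,   # ValidCommunities: name -> rights DWORD
        [hashtable] $Managers,      # PermittedManagers: index -> host
        [string[]]  $ServmLines,    # lines of servm.cfg
        [string[]]  $WellKnown = @("public", "private")   # example list
    )
    $findings = @()
    $cfg = Get-ServmCommunity $ServmLines
    if ($cfg -eq $null) {
        $findings += "servm.cfg: no default_string entry"
    } elseif (@($Communities.Keys | Where-Object { $_ -ceq $cfg }).Count -eq 0) {
        # No exact match: tell a case-only difference from a missing name
        if (@($Communities.Keys | Where-Object { $_ -ieq $cfg }).Count -gt 0) {
            $findings += "servm.cfg string matches an accepted name except for case"
        } else {
            $findings += "servm.cfg string is not an accepted community name"
        }
    }
    foreach ($name in $Communities.Keys) {
        $rights = [int]$Communities[$name]
        $label  = $RightsName[$rights]
        if (-not $label) { $label = "unknown value $rights" }
        if ($rights -ne 4) {
            $findings += ("{0}: rights are {1}, READ ONLY is recommended" -f (Hide-Secret $name), $label)
        }
        if ($WellKnown -contains $name) {
            $findings += ("{0}: well-known community string" -f (Hide-Secret $name))
        }
    }
    if ($Managers.Count -eq 0) {
        $findings += "SNMP packets are accepted from any host"
    }
    return ,$findings
}

# Constructed sample (invented strings): a case mismatch between the two places
# plus a leftover well-known name with write access and no host restriction.
$sampleCommunities = @{ "Plant7-Mon!tor" = 4; "public" = 8 }
$sampleServm       = @("default_string: plant7-mon!tor")
Test-SnmpCommunityConfig -Communities $sampleCommunities -Managers @{} -ServmLines $sampleServm

# On a live station (run elevated; D:\ is the typical install drive):
# $cfgPath = "D:\usr\fox\sysmgm\smat\servm.cfg"
# $lines   = @(); if (Test-Path $cfgPath) { $lines = @(Get-Content $cfgPath) }
# Test-SnmpCommunityConfig -Communities (Get-RegistryValueTable "$SnmpParams\ValidCommunities") `
#     -Managers (Get-RegistryValueTable "$SnmpParams\PermittedManagers") -ServmLines $lines
```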

Appendix I. Telnet Installation
This appendix describes how to install the optional application telnet on systems with
Windows 7 or Windows Server 2008 R2 Standard operating systems, if desired.
By default, telnet is not installed on systems with Windows 7 or Windows Server 2008 R2
Standard operating systems. Telnet is an optional feature and if it is needed, it can be installed
manually as described below.

Installing Telnet on Workstations with Windows 7 Operating System
Proceed as follows:
1. Log on to the workstation using an account with administrative privileges.
2. Click on the Start button, and then click Control Panel -> Programs and Features.
3. Click “Turn Windows features on or off” in the left pane.
4. Scroll down to the Telnet Client checkbox and check the box next to it, as shown in
Figure I-1.

Figure I-1. Windows Features Dialog Box

5. Click OK to close the Windows Features dialog box. The telnet application will be
installed.
To use the telnet application, open a command prompt window and type telnet to start a
session.


Installing Telnet on Servers with Windows Server 2008 R2 Standard Operating System
Proceed as follows:
1. Log on to the server using an account with administrative privileges.
2. Click on the Start button, and then click Control Panel -> Programs and Features.
3. Click “Turn Windows features on or off” in the left pane. The Server Manager
window opens.

Figure I-2. Server Manager

4. Click Features in the left pane as shown in Figure I-2.


5. Click Add Features in the right pane as shown in Figure I-2. The Add Features
wizard opens.


6. In the Add Features Wizard, scroll down to the Telnet Client checkbox and check the
box next to it, as shown in Figure I-3.

Figure I-3. Add Features Wizard

7. When Confirm Installation Selections opens, click Install as shown in Figure I-4.


Figure I-4. Confirm Installation Selections

8. A dialog will appear showing the installation progress. When the installation is
completed, click Close.
To use the telnet application, open a command prompt window and type telnet to start a
session.

Appendix J. Printer Sharing
This appendix describes how to enable sharing to printers on stations with Windows 7 or
Windows Server 2008 R2 Standard operating systems, if desired.
As with previous Microsoft operating systems, Windows 7 and Windows Server 2008 R2
Standard allow a printer to be shared by multiple stations.
However, to do this, Microsoft requires that the Windows Firewall service be enabled.

NOTE
Enabling this service does not require the Microsoft Windows Firewall to be used.
For I/A Series workstations and servers, Invensys provides the McAfee
configurable firewall as the preferred firewall and recommends that the Microsoft
Windows Firewall not be used.

Turning on the Windows Firewall Service


To turn on the Windows Firewall service without turning on the Windows Firewall itself, proceed
as follows:
1. Log on to the workstation or server using an account that has administrative
privileges.
2. Click the Start button, and select Control Panel -> Administrative Tools ->
Services.
3. In the Services window, scroll down to the Windows Firewall service, right-click
on it, and then click Properties.
4. Change the “Startup type” to Automatic. Click Apply.
5. Click Start.
6. Click OK.
7. Close the Services window.
On standard I/A Series stations (that is, stations which do not have security enhancements for
I/A Series software), the Windows firewall is automatically turned on when this service is enabled.
The firewall must be turned off as follows:
8. Click the Start button, and select Control Panel -> Windows Firewall.
9. At the left edge of the window, click Turn Windows Firewall on or off.
10. In each section, select the Turn off Windows Firewall (not recommended)
radio button as shown in Figure J-1.


Figure J-1. Windows Firewall Settings

11. Click OK.


12. Close the Windows Firewall window.

Sharing a Printer
To share a printer hosted by a workstation with Windows 7 or Windows Server 2008 R2
Standard, proceed as follows:
1. Click the Start button, and click Devices and Printers.
2. Right-click the icon of the printer that is to be shared and select Printer
properties.
3. In the Properties dialog box, click the Sharing tab.
4. Click the Change Sharing Options button if it is displayed as shown in Figure J-2.


Figure J-2. Printer Properties Dialog Box

5. Check the “Share this printer” checkbox and type in a Share name.
6. If this printer will be shared with a station that has a 32-bit OS (such as an x86 version
of Windows XP), install additional drivers (before setting up the station with
Windows XP) by clicking the Additional Drivers… button and then by checking
the x86 checkbox.
Otherwise, click OK. If you see the following error, the Windows Firewall service has
not been turned on as described in the previous section: “Operation could not be
completed (Error 0x000006D9)”


Connecting to a Shared Printer on Another I/A Series Station
To use the shared printer from another I/A Series station, run the “Add Printer” wizard on that
station. For a station with Windows 7 or Windows Server 2008 R2 Standard, proceed as follows:
1. Click the Start button, and click Devices and Printers.
2. Click Add a printer at the top (or right-click in the window and select Add a
printer).
3. Click Add a network, wireless or Bluetooth printer.
4. In the Add Printer dialog box, click The printer that I want isn't listed.
5. Click the Select a shared printer by name radio button.
6. Type the location of the printer, e.g., \\computername\printername, where “computername”
is the name of the computer hosting the printer and “printername” is the share
name you chose in step 5 in the previous section.
7. Click Next. If prompted to install drivers to complete install, click Yes and respond
to the prompts.

Appendix K. Troubleshooting
This appendix provides troubleshooting procedures.

Setting Time Correctly After Failure to Continue Software Installation After Reboot (SDC or Domain Client)
If, after an SDC or a secure domain client is connected to an I/A Series domain, the software
installation does not continue after a reboot, the system time may not have been set correctly. An
indication that this has occurred is that the software installation attempts to continue but will not
until a username and password are provided for an account with administrative privileges.
To verify whether the time has been set properly, proceed as follows to check that the group
policies are being applied:
1. From the start menu, select Run. In the Open: field, type “rsop.msc” as shown in
Figure K-1 and click OK to continue.

Figure K-1. Run rsop.msc


2. In the Resultant Set of Policy window, right-click on Computer Configuration and
select Properties as shown in Figure K-2. The red X on the Computer Configuration
entry indicates that there is a problem applying policies on this station.

Figure K-2. Resultant Set of Policy Window


3. In the Computer Configuration Properties dialog box, select the Error Information
tab to view the errors for this policy set. The error shown in Figure K-3 indicates
that the time does not match the time on the domain controller: “The clocks on the
client and server machine are skewed.”

Figure K-3. Computer Configuration Properties Dialog Box

4. If the error shown in Figure K-3 is found on your system, fix the time on the SDC or
domain client as described in the “Server Preparation” of the appropriate chapter for
your station in this document and reboot. After rebooting, the software installation
may be restarted by running Setup.exe on the installation DVD.
Accept the UAC request in order to start the installation.

541
Invensys Systems, Inc.
38 Neponset Avenue
Foxborough, MA 02035-2037
United States of America
www.schneider-electric.com

Global Customer Support


Inside U.S.: 1-866-746-6477
Outside U.S.: 1-508-549-2424
Website: https://support.ips.invensys.com
