
Experion Domain Implementation Audit Document

Doc Name: Experion Domain Implementation Audit Document
Revision: 01
Date: Aug, 2021
Owner: HPS Technical Support
Intended Use: Reviews, Audits, Investigations
Reference: TAC Documents

Honeywell
Honeywell Process Solutions – HPS Technical Support

REVISION DETAILS

Rev. | Date       | Details
0    | 18/08/2021 | Initial Release

Revision: 01 | Document Name: Experion Domain Implementation Audit Document | Date: Aug, 2021 | Page: 2 of 37

GTAC AUDIT DOCUMENT MATRIX:

This document is only one aspect of the Global TAC System Audit documentation and must be used in parallel with
the referenced documents in the matrix below.

Implementing all the relevant Honeywell system audit checks will improve the overall system robustness.

The following matrix provides an overview of all current GTAC documents and the recommended audit documents to
utilise for each system type.

Article # | Audit Document Title | Experion Scada points | Experion with CDA points | Experion with TPS | Experion with CDA and TPS points | EAS/RESS/Eserver
17371 | Experion Server Client GTAC Audit Document | x | x | x | x | x
17989 | Experion Network GTAC Audit Document | x | x | x | x | x
17369 | EBR GTAC Audit document | only when using EBR | only when using EBR | only when using EBR | only when using EBR | only when using EBR
17334 | GTAC Audit Document for Experion PKS Controllers | | x | | x |
17323 | GTAC Audit Document for ACE | | only when using ACE | | only when using ACE |
18007 | GTAC HMIWEB Audit Document | x | x | x | x | x
17368 | Experion TPS Integration audit document | | | x | x |
22310 | PHD Experion Link GTAC Audit document | x if using PHD | only when using PHD | only when using PHD | only when using PHD | only when using PHD
23440 | Experion Virtualization GTAC Audit Document | only when using Experion Virtualisation | only when using Experion Virtualisation | only when using Experion Virtualisation | only when using Experion Virtualisation | only when using Experion Virtualisation
25724 | Experion Orion Console Audit Document | only when using Orion Console or Wyse thin client | only when using Orion Console or Wyse thin client | only when using Orion Console or Wyse thin client | only when using Orion Console or Wyse thin client | only when using Orion Console or Wyse thin client


HOW TO USE THIS AUDIT DOCUMENT:

There are multiple ways to use this audit document; here are some tips:
1. Start with check #1 and proceed through the document.
2. Start from the Checklist (at the end of this document) and proceed through the checks applicable to your
Experion release, using the hyperlinks for quick navigation as shown in the screenshots below:

3. The checklist can be saved to a suitable location; when a new revision of this audit document is released,
the ‘Revision History’ is used to identify what additional checks or updates have been made.
4. We advise using the audit documents:
A. At the end of FAT
B. At the end of SAT
C. After patch installation
D. After release migration
E. As a preventive maintenance activity on a periodic basis
F. When GTAC recommends it after any network related incident/problem


HOW TO FIND GTAC AUDIT DOCUMENTS:

This document is part of the Global TAC System Audit documents. They can be found on
www.honeywellprocess.com > Login > Support.
Once logged in and on the support portal, search for “TopicGTACAudit” as shown below; this performs a search
and returns all GTAC Audit documents. Alternatively, search for the article number provided in the previous
section.


CONTENT:

1. NUMBER OF DOMAIN CONTROLLERS PER DOMAIN (p. 8)
2. WINDOWS DOMAIN NAME SYSTEM (DNS) SERVER CONFIGURATION (p. 8)
3. DOMAIN CONTROLLER IP CONFIGURATION FOR DNS SERVER ADDRESS CONFIGURATION (p. 11)
4. TPS ORGANIZATIONAL UNITS (OU) AS PER SRP CLUSTERS (p. 13)
5. DOMAIN SECURITY PACKAGE INSTALLATION (p. 14)
6. ACTIVE DIRECTORY SITES AND SUBNETS CONFIGURATION (p. 15)
7. ACTIVE DIRECTORY REPLICATION SETTING (p. 16)
8. DOMAIN CONTROLLER TIME SYNCHRONIZATION (p. 17)
9. HOST FILE ON DOMAIN CONTROLLER (p. 17)
10. LOGON SCRIPTS (p. 19)
11. GROUP POLICY CUSTOMIZATION (p. 20)
12. DOMAIN CONTROLLER EVENT ANALYSIS (p. 21)
13. LINK DOMAIN GROUPS (p. 21)
14. DOMAIN CONTROLLER NAMING CONVENTION (p. 22)
15. FQDN (FULLY QUALIFIED DOMAIN NAME) (p. 22)
16. GLOBAL CATALOG (GC) (p. 23)
17. MS UPDATE INSTALLATIONS (p. 24)
18. DCDIAG OUTPUT ANALYSIS (p. 25)
19. VERIFY THAT THERE ARE NO READ ONLY DOMAIN CONTROLLERS (p. 26)
20. STATION OPERATION SLOWDOWN IF THE CONNECTIVITY TO A DOMAIN CONTROLLER IS LOST TEMPORARILY (p. 28)

21. LOCATION OF ACTIVE DIRECTORY DATABASE, LOG FILES, AND SYSVOL OBJECTS (p. 29)
22. WINDOWS INTERNET NAME SERVICE (WINS) (p. 30)
23. IPV6 CONFIGURATION ON DOMAIN CONTROLLER NODES (p. 31)
24. SETTING UP STANDBY OPERATIONS MASTER (p. 32)
25. SUPPORTED EXPERION RELEASES (p. 32)
26. CHECK THAT NO ORGANIZATIONAL UNIT (OU) IS BUILT UNDER THE DOMAIN CONTROLLERS OU IN ACTIVE DIRECTORY (p. 33)
27. VERIFY ACCOUNT & PASSWORD POLICY ON DOMAIN CONTROLLERS (p. 34)
28. FTE DRIVER INSTALLATION ON DOMAIN CONTROLLER (p. 35)
29. REFERENCE DOCUMENTS (p. 35)
CHECKLIST (p. 36)


1. NUMBER OF DOMAIN CONTROLLERS PER DOMAIN

Applicable Experion releases: All

Link Checkpoint 1

Honeywell recommends having a minimum of two domain controllers per domain. When multiple FTE networks are
integrated with the Level 3 network, it is recommended to have one domain controller for each FTE network.

Checked OK | Checked - NOT OK | Repeat | Remarks/ Date of Check
           |                  | Once   |

2. WINDOWS DOMAIN NAME SYSTEM (DNS) SERVER CONFIGURATION

Applicable Experion releases: All

Link Checkpoint 2

When the first domain controller for a domain is configured, the DNS and GC server roles are enabled by default.
Although Microsoft recommends disabling these roles when creating additional domain controllers in the domain,
the Honeywell recommendation is to configure the DNS role on each domain controller in the domain. A correctly
configured DNS server is essential so that the member computers of the Active Directory domain can resolve host
names and IP addresses; an incorrect DNS server configuration results in unexpected network behaviour. Both
forward and reverse lookup zones must be configured for the DNS server to work properly.

Honeywell recommends to:
a. Verify the DNS role is active on each domain controller.
b. Verify lookup zones are configured for all available networks.

A test can be performed to verify that the DNS server is working correctly and that the forward and reverse
lookup zones are configured properly. This has to be done on servers and console stations.
To verify the “Forward Lookup Zone” configuration, the following test can be performed:
• Open a command prompt.
• Type nslookup <server name>, e.g. nslookup r400-ace01
• If there is an entry for the node, it resolves to the fully qualified DNS name and IP address of the node, as
shown in Figure 23.1:

[Figure 23.1: NSlookup – Forward Lookup Zone. Callouts: domain server name and IP address; fully qualified DNS
name and IP address of the node]
• If nslookup cannot resolve the name, it returns an error message.

To verify the “Reverse Lookup Zone” configuration, the following test can be performed:
• Open a command prompt.
• Type nslookup <server IP address>, e.g. nslookup xxx.xxx.xxx.xxx
• If there is an entry in the reverse lookup zone, it resolves to the fully qualified name of the computer, as
shown in Figure 23.2:

[Figure 23.2: NSlookup – Reverse Lookup Zone. Callouts: domain server name and IP address; fully qualified DNS
name]

There is also another way to verify that the installed DNS server and its forward and reverse lookup zones are
configured properly:
➢ Open the DNS management console on the DNS server machine (from Windows Run, type dnsmgmt.msc and press
Enter).
➢ In “Forward Lookup Zones”, check that the nodes are registered with their hostnames, as shown in Figure 23.3.

[Figure 23.3: DNS Management – Forward Lookup Zone. Callout: verify the records are available for the nodes
registered in the DNS server]



➢ Similarly, in “Reverse Lookup Zones”, check the subnet of the network (e.g. 172.20.x.x in Figure 23.4) and
that PTR records are available for the registered nodes:

[Figure 23.4: DNS Management – Reverse Lookup Zone. Callout: verify a PTR record is available for each node]

Checked OK | Checked - NOT OK | Repeat                    | Remarks/ Date of Check
           |                  | Each network modification |
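The two nslookup tests above can be run for a whole node list at once. The following helper is an added example, not part of the Honeywell document: it performs the forward (A) and reverse (PTR) lookups with Resolve-DnsName against the DNS zones only (-DnsOnly bypasses the hosts file and resolver cache) and reports nodes whose two records are missing or disagree. The node names in the final call are constructed placeholders; replace them with the servers and console stations of the system.

```powershell
# Added audit helper (not from the Honeywell document). Assumes the DnsClient
# module (Windows 8 / Server 2012 or later). -DnsOnly makes the test exercise the
# forward and reverse lookup zones themselves, not the hosts file or the cache.
function Test-ExperionDnsRecords {
    param(
        [Parameter(Mandatory)] [string[]] $NodeName,   # hostnames to check, e.g. r400-ace01
        [string] $DnsServer                             # optional: query one specific DC only
    )
    foreach ($name in $NodeName) {
        $row = [ordered]@{ Node = $name; Fqdn = $null; IPAddress = $null; PtrName = $null; Status = 'OK' }
        $common = @{ DnsOnly = $true; ErrorAction = 'Stop' }
        if ($DnsServer) { $common.Server = $DnsServer }

        # Forward lookup zone: hostname -> FQDN + IP address (what "nslookup <name>" shows)
        try {
            $a = Resolve-DnsName -Name $name -Type A @common |
                 Where-Object Type -eq 'A' | Select-Object -First 1
        } catch { $a = $null }
        if (-not $a) {
            $row.Status = 'NO FORWARD RECORD'
            [pscustomobject]$row
            continue
        }
        $row.Fqdn      = $a.Name
        $row.IPAddress = $a.IPAddress

        # Reverse lookup zone: IP address -> PTR (what "nslookup <ip>" shows)
        try {
            $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR @common |
                   Where-Object Type -eq 'PTR' | Select-Object -First 1
        } catch { $ptr = $null }
        if (-not $ptr) {
            $row.Status = 'NO PTR RECORD'
        } else {
            $row.PtrName = $ptr.NameHost
            # A stale PTR that names a different host is as much a finding as a missing one
            if ($ptr.NameHost.TrimEnd('.') -ne $a.Name.TrimEnd('.')) { $row.Status = 'PTR MISMATCH' }
        }
        [pscustomobject]$row
    }
}

# Constructed node list: r400-ace01 is the name used in the text, the others are placeholders.
Test-ExperionDnsRecords -NodeName 'r400-ace01', 'esvra', 'esvrb' |
    Format-Table Node, Fqdn, IPAddress, PtrName, Status -AutoSize
```

Run it once per domain controller with -DnsServer to confirm every DC's copy of the zones agrees, since a node that resolves on one DC only indicates a replication problem rather than a DNS registration problem.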


3. DOMAIN CONTROLLER IP CONFIGURATION FOR DNS SERVER ADDRESS CONFIGURATION

Applicable Experion releases: All

Link Checkpoint 3

To improve DNS operation in systems with two or more domain controllers, it is recommended to set the DNS client
settings of each domain controller so that the local IP address (127.0.0.1) is last in the DNS server list:

On Windows 2003 based domain controllers, in the case of two domain controllers:
• On DC1, set the DC2 IP as the first DNS server and the DC1 IP as the second.
• On DC2, set the DC1 IP as the first DNS server and the DC2 IP as the second.
• For each DC, in the DNS configuration, verify that 127.0.0.1 is configured last in the order of use, as shown
below for W2003 DCs.

On Windows 2008 or later based domain controllers, in the case of two (or more) domain controllers:
• On DC1, set the DC1 IP as the first DNS server and the DC2 IP as the second.
• On DC2, set the DC2 IP as the first DNS server and the DC1 IP as the second.
• For each DC, in the DNS configuration, verify that 127.0.0.1 is configured last in the order of use.

*Note: For systems with more than two DCs, make sure the local IP address (127.0.0.1) is set as the last DNS
server.

*Note: These settings require a reboot to take effect.

The DNS server IP address configuration needs to be verified on every domain controller present in the domain.
In addition, verify the DNS configuration on all client nodes integrated into the domain, to confirm that the
preferred and alternate DNS server addresses are configured correctly.
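The Windows 2008-or-later ordering rule above can be checked on a domain controller without opening the adapter properties. The following helper is an added example, not part of the Honeywell document: it reads the DNS server list of every IPv4 adapter and reports whether the DC's own address is first, whether 127.0.0.1 is present and last, and whether the peer DC addresses supplied by the auditor are in the list. The peer address in the final call is a constructed placeholder.

```powershell
# Added audit helper (not from the Honeywell document). Assumes the NetTCPIP and
# DnsClient modules (Windows 8 / Server 2012 or later) and that it is run on the DC
# being audited. Implements the Windows 2008+ rule: own IP first, peers next,
# 127.0.0.1 last. (Windows 2003 DCs use the peer-first order described in the text.)
function Test-DcDnsServerOrder {
    param(
        [string[]] $PeerDcAddress = @()   # IP addresses of the other DCs in the domain
    )
    $localIps = @(Get-NetIPAddress -AddressFamily IPv4 |
                  Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress

    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $servers  = @($_.ServerAddresses)
            $findings = @()

            # Rule 1: 127.0.0.1 must be configured, and must be the last entry
            $loopIdx = [array]::IndexOf($servers, '127.0.0.1')
            if ($loopIdx -lt 0) {
                $findings += 'loopback 127.0.0.1 not configured'
            } elseif ($loopIdx -ne $servers.Count - 1) {
                $findings += 'loopback 127.0.0.1 is not last'
            }

            # Rule 2: the first DNS server is this DC's own address
            if ($servers[0] -notin $localIps) {
                $findings += "first DNS server $($servers[0]) is not this DC's own IP"
            }

            # Rule 3: every peer DC named by the auditor appears in the list
            foreach ($peer in $PeerDcAddress) {
                if ($peer -notin $servers) { $findings += "peer DC $peer missing" }
            }

            [pscustomobject]@{
                Interface  = $_.InterfaceAlias
                DnsServers = ($servers -join ', ')
                Status     = if ($findings) { $findings -join '; ' } else { 'OK' }
            }
        }
}

# Constructed example: run on DC1, whose expected order is DC1, DC2, 127.0.0.1.
Test-DcDnsServerOrder -PeerDcAddress '10.0.0.2' | Format-Table -AutoSize
```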


Checked OK | Checked - NOT OK | Repeat   | Remarks/ Date of Check
           |                  | 6 months |


4. TPS ORGANIZATIONAL UNITS (OU) AS PER SRP CLUSTERS

Applicable Experion releases: All

Link Checkpoint 4

When multiple Experion server pairs are present in the same FTE community, Honeywell recommends splitting the
Synchronized Repository Provider (SRP) into multiple SRP clusters based on the multicast IP address used for
each SRP. Assign the computer nodes to the OUs of the SRP they belong to. The same principle must be followed in
scenarios with multiple FTE communities.
Refer to the Experion Network Audit document section “Splitting the FTE and Synchronized Repository Traffic”
for further configuration details.

Checked OK | Checked - NOT OK | Repeat   | Remarks/ Date of Check
           |                  | 6 months |


5. DOMAIN SECURITY PACKAGE INSTALLATION

Applicable Experion releases: All

Link Checkpoint 5

The Domain Security Package needs to be installed on only one read/write (R/W) domain controller in your domain,
preferably the Primary Domain Controller (PDC), as this is the DC installed first during domain setup.

Note: It is important to ensure Active Directory replication is working across all DCs in the domain. The
policies will not be replicated to any DC on which replication is not working.

Checked OK | Checked - NOT OK | Repeat | Remarks/ Date of Check
           |                  | Once   |


6. ACTIVE DIRECTORY SITES AND SUBNETS CONFIGURATION

Applicable Experion releases: R4xx onwards

Link Checkpoint 6

When Active Directory is set up for the first time, the Microsoft installation provides a default site. This is
adequate for a simple installation.
When there are multiple FTE communities in the PCN domain, it is recommended to create sites according to the
domain controller present in each FTE network (subnet).
Create:
1. One site per FTE community, assuming there is a DC on that FTE community.
2. One site for the L3 subnet.

Refer to the Windows Domain Implementation Guide for Windows Server, section “Configuring Active Directory
sites”, for further details on how to configure the Active Directory sites and subnets.

Checked OK | Checked - NOT OK | Repeat                    | Remarks/ Date of Check
           |                  | Each network modification |


7. ACTIVE DIRECTORY REPLICATION SETTING

Applicable Experion releases: All

Link Checkpoint 7

The minimum supported replication interval is 15 minutes; Honeywell recommends retaining the 15 minute setting.
If slow links are used, or where the network traffic is heavy, the replication interval can be increased.

Note: This is applicable only when Active Directory Sites and Services is implemented properly in a PCN domain
with multiple FTE communities and more than one domain controller present in that domain.
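Checks 6 and 7 can be audited together from one query of Active Directory. The following helper is an added example, not part of the Honeywell document: it lists every site with its subnets and domain controllers, flags a site that has no subnet or no DC (an FTE community whose clients would not be steered to a local DC), and flags any site link whose replication interval is below the 15 minute minimum. It assumes the ActiveDirectory RSAT module is installed on the node running it.

```powershell
# Added audit helper (not from the Honeywell document). Assumes the ActiveDirectory
# module; read-only queries, nothing in AD is changed.
Import-Module ActiveDirectory

function Get-SiteAuditReport {
    param([int] $MinReplicationMinutes = 15)   # the minimum recommended in check 7

    $dcs     = @(Get-ADDomainController -Filter *)
    $subnets = @(Get-ADReplicationSubnet -Filter *)

    # One row per site (check 6): an FTE community or L3 site should own a subnet and a DC
    $sites = foreach ($site in Get-ADReplicationSite -Filter *) {
        $siteSubnets = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName })
        $siteDcs     = @($dcs     | Where-Object { $_.Site -eq $site.Name })
        $issues = @()
        if ($siteSubnets.Count -eq 0) { $issues += 'no subnet assigned' }
        if ($siteDcs.Count -eq 0)     { $issues += 'no domain controller in site' }
        [pscustomobject]@{
            Kind   = 'Site'
            Name   = $site.Name
            Detail = "subnets: $($siteSubnets.Name -join ', '); DCs: $($siteDcs.HostName -join ', ')"
            Status = if ($issues) { $issues -join '; ' } else { 'OK' }
        }
    }

    # One row per site link (check 7): the interval must not be below the minimum
    $links = foreach ($link in Get-ADReplicationSiteLink -Filter *) {
        $minutes = $link.ReplicationFrequencyInMinutes
        [pscustomobject]@{
            Kind   = 'SiteLink'
            Name   = $link.Name
            Detail = "interval: $minutes min; sites linked: $(@($link.SitesIncluded).Count)"
            Status = if ($minutes -lt $MinReplicationMinutes) {
                         "interval below $MinReplicationMinutes min"
                     } else { 'OK' }
        }
    }

    @($sites) + @($links)
}

Get-SiteAuditReport | Format-Table Kind, Name, Status, Detail -AutoSize -Wrap
```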

Checked OK | Checked - NOT OK | Repeat   | Remarks/ Date of Check
           |                  | 6 months |


8. DOMAIN CONTROLLER TIME SYNCHRONIZATION

Applicable Experion releases: All

Link Checkpoint 8

Refer to the Experion Network Audit document section “Time Sync configurations in Domain Environment” for
detailed information on how to set up NTP in the domain environment.

Checked OK | Checked - NOT OK | Repeat   | Remarks/ Date of Check
           |                  | 6 months |

9. HOST FILE ON DOMAIN CONTROLLER

Applicable Experion releases: All

Link Checkpoint 9

The Hosts file is an alternative way to resolve names on your network. By default, host to IP address mappings
configured in the Hosts file supersede the information in DNS. If there is an entry for a name in the Hosts
file, the server will not query the DNS servers for that name; instead, the IP address configured in the Hosts
file is used. If the IP address corresponding to a name changes and the Hosts file is not updated, you may be
unable to connect to the host.
On domain controllers, the Honeywell recommendation is not to configure the Hosts file for any host that is
already part of the DNS server. Review the Hosts file accordingly and remove all entries for hosts that are part
of the domain.
E.g. if an eServer located in the DMZ is not part of the PCN domain, that node's entry can be present in the
Hosts file.

To configure the Hosts file:

1. On the domain controller, open an elevated command prompt.
2. Type the following command, and then press ENTER:

notepad %windir%\system32\drivers\etc\hosts

3. Lines that begin with a “#” are treated as comments and are inactive. Add a “#” at the beginning of any line
with a host entry you wish to inactivate, or delete the line from the Hosts file.
4. When you have finished editing the Hosts file, click File, click Save, and then close Notepad.

Once the Hosts file is corrected, open the DNS management window and clear the DNS cache.


In summary:

Node Type | Expected Hosts file configuration
Experion nodes, OPC servers/clients, eServer, EAS, PHD, ... | Configure the Hosts file for Experion use.
Domain controllers with DNS function | The Hosts file on domain controllers must either be:
  • Empty
  • Have all Experion nodes commented out (#)
  • Not exist on disk (no Hosts file on disk)
  • Contain only nodes which are not part of the PCN domain
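Reviewing the Hosts file on a domain controller against the table above can be scripted. The following helper is an added example, not part of the Honeywell document: it parses the Hosts file, ignores comments and blank lines, and reports every active entry that names a member of the PCN domain (by domain suffix) or that is already registered in DNS, which are the entries the text says must be commented out or removed. It only reports; the auditor edits the file as described in the steps above. The domain suffix is taken from the local computer unless one is supplied.

```powershell
# Added audit helper (not from the Honeywell document). Assumes it runs on the DC and
# that the DnsClient module is available. Report only: the file is never modified.
function Test-DcHostsFile {
    param(
        [string] $Path = "$env:windir\System32\drivers\etc\hosts",
        [string] $DomainSuffix = (Get-CimInstance Win32_ComputerSystem).Domain   # e.g. pcn.local
    )
    if (-not (Test-Path $Path)) {
        # "Not existing on disk" is one of the accepted states for a DC
        return [pscustomobject]@{ Line = 0; Entry = '(no hosts file)'; Status = 'OK' }
    }
    $lineNo = 0
    foreach ($line in Get-Content $Path) {
        $lineNo++
        $text = ($line -split '#', 2)[0].Trim()     # strip trailing or full-line comments
        if (-not $text) { continue }                  # blank or fully commented: inactive
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }         # malformed line, no name to check
        $ip    = $fields[0]
        $names = $fields[1..($fields.Count - 1)]
        foreach ($name in $names) {
            $status = 'OK (not a domain member)'
            $fqdn = if ($name -like '*.*') { $name } else { "$name.$DomainSuffix" }
            if ($fqdn -like "*.$DomainSuffix") {
                # Carries the PCN domain suffix: a domain member, must not be in the hosts file
                $status = 'REMOVE: PCN domain member'
            } else {
                # Otherwise ask DNS directly (bypassing hosts file and cache) whether it is registered
                $rec = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction SilentlyContinue |
                       Where-Object Type -eq 'A' | Select-Object -First 1
                if ($rec) {
                    $status = if ($rec.IPAddress -eq $ip) { 'REMOVE: duplicated in DNS' }
                              else { "REMOVE: in DNS with different IP $($rec.IPAddress)" }
                }
            }
            [pscustomobject]@{ Line = $lineNo; Entry = "$ip $name"; Status = $status }
        }
    }
}

Test-DcHostsFile | Format-Table -AutoSize
```

An entry flagged "in DNS with different IP" is the stale-mapping case the text warns about, since the Hosts file value would silently win over the DNS record.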

Checked OK | Checked - NOT OK | Repeat   | Remarks/ Date of Check
           |                  | 6 months |


10. LOGON SCRIPTS

Applicable Experion releases: All

Link Checkpoint 10

Logon script configuration may vary from project to project depending on the implementation. Use one of the
following:
a. Assign logon scripts to domain groups and users using group policy.
b. Assign logon scripts to individual domain accounts.
c. Assign logon scripts to local accounts.

Checked OK | Checked - NOT OK | Repeat | Remarks/ Date of Check
           |                  | Once   |


11. GROUP POLICY CUSTOMIZATION

Applicable Experion releases: All

Link Checkpoint 11

When the customer installs the Domain Security Package, Honeywell customizes the group policies to secure the
PCN domain nodes. Honeywell ensures that these customizations protect the process operation without impacting
core Experion functionality.
If the customer wants to implement additional domain-based policies, Honeywell recommends that:
1. The customer must consider this a project special and test the customizations to ensure they do not impact
core Experion functionality.
2. The customer must create a new policy rather than customizing the Honeywell configured policies.
3. The customer should clearly document any custom policy implemented and make it available to Honeywell on
request, in case of a potential conflict with Honeywell software.
In every case, create a separate policy to implement those customizations.
Note that any customization made to the Honeywell policies will be overwritten as part of a new package
installation.

Checked OK | Checked - NOT OK | Repeat | Remarks/ Date of Check
           |                  | Once   |


12. DOMAIN CONTROLLER EVENT ANALYSIS

Applicable Experion releases: All

Link Checkpoint 12

After domain controller integration, verify:

1. Replication is successful. Run “repadmin /replsummary” and verify the command output.
2. The domain controller Windows event logs for the last 30 days, to find out whether there are any major
errors.

Checked OK | Checked - NOT OK | Repeat | Remarks/ Date of Check
           |                  | Once   |

13. LINK DOMAIN GROUPS

Applicable Experion releases: All

Link Checkpoint 13

On all Experion servers and stations, run the “Link Domain Groups” application to link the Windows domain
account groups to the Windows local account groups.
If this activity is not performed, domain users will not be authenticated on Experion machines.

Checked OK | Checked - NOT OK | Repeat                           | Remarks/ Date of Check
           |                  | After each Experion patch install |


14. DOMAIN CONTROLLER NAMING CONVENTION

Applicable Experion releases: All

Link Checkpoint 14

Honeywell recommends the following when configuring domain names:
• The length of the domain name should be 1 to 15 characters.
• The domain name should always consist of at least two parts, a name and a designator, separated by a period
(.).

Checked OK | Checked - NOT OK | Repeat | Remarks/ Date of Check
           |                  | Once   |

15. FQDN (FULLY QUALIFIED DOMAIN NAME)

Applicable Experion releases: All

Link Checkpoint 15

The Honeywell recommendation is to use the fully qualified domain name rather than the NetBIOS name.
The NetBIOS name must match the FQDN DNS name of the domain. For example, for PCN.local, PCN.local is the FQDN
DNS domain name and PCN is the NetBIOS name.

Checked OK | Checked - NOT OK | Repeat | Remarks/ Date of Check
           |                  | Once   |


16. GLOBAL CATALOG (GC)

Applicable Experion releases: All

Link Checkpoint 16

Verify that all domain controllers are configured as global catalog (GC) servers.

(Note: In a mixed environment or on Windows 2003/2000, it is not recommended to configure the DC holding the
infrastructure master role as a GC if you are configuring only one DC as a GC.)

Checked OK | Checked - NOT OK | Repeat | Remarks/ Date of Check
           |                  | Once   |


17. MS UPDATE INSTALLATIONS

Applicable Experion releases: All

Link Checkpoint 17

Ensure the domain controllers are installed with the latest MS updates qualified by Honeywell. Honeywell
qualifies MS updates for the Honeywell supported DC operating systems.

Checked OK | Checked - NOT OK | Repeat                   | Remarks/ Date of Check
           |                  | Minimum once in 3 months |


18. DCDIAG OUTPUT ANALYSIS

Applicable Experion releases: All

Link Checkpoint 18

Run DCDiag on all DCs and analyse the output file for reported errors. Verify that there are no replication or
functional errors reported by DCDiag that impact replication or Experion functionality.
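The three verifications of checks 12 and 18 (repadmin /replsummary, the last 30 days of event logs, and DCDiag) can be collected into one report per DC. The following helper is an added example, not part of the Honeywell document: it runs the two tools, parses the "fails/total" column and the "failed test" lines from their output, and counts Critical and Error events in the logs a DC writes to. It assumes it runs on a DC with the AD DS tools (repadmin.exe, dcdiag.exe) present; the regular expressions are written against the standard output layout of those tools.

```powershell
# Added audit helper (not from the Honeywell document). Assumes repadmin.exe and
# dcdiag.exe are on the path (AD DS role or RSAT) and the script runs elevated on the DC.
function Get-DcHealthReport {
    param([int] $Days = 30)   # event log window recommended in check 12

    # 1. Replication summary: one row per source/destination DSA with its "fails / total" column
    foreach ($line in (repadmin /replsummary 2>&1)) {
        if ($line -match '^\s*(?<dsa>\S+)\s+.*?\s(?<fails>\d+)\s*/\s*(?<total>\d+)') {
            [pscustomobject]@{
                Check  = 'Replication'
                Item   = $Matches.dsa
                Detail = "$($Matches.fails) of $($Matches.total) attempts failed"
                Status = if ([int]$Matches.fails -gt 0) { 'FAIL' } else { 'OK' }
            }
        }
    }

    # 2. DCDiag: every "<dc> failed test <Name>" line is a finding; passed tests are listed for completeness
    foreach ($line in (dcdiag 2>&1)) {
        if ($line -match '(?<dc>\S+)\s+(?<result>passed|failed) test (?<test>\w+)') {
            [pscustomobject]@{
                Check  = 'DCDiag'
                Item   = "$($Matches.dc)/$($Matches.test)"
                Detail = ''
                Status = if ($Matches.result -eq 'failed') { 'FAIL' } else { 'OK' }
            }
        }
    }

    # 3. Critical (1) and Error (2) events of the last N days in the logs relevant to a DC
    $since = (Get-Date).AddDays(-$Days)
    foreach ($log in 'System', 'Directory Service', 'DNS Server', 'DFS Replication', 'File Replication Service') {
        $events = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2; StartTime = $since } `
                                 -ErrorAction SilentlyContinue)
        # Summarise the three most frequent provider/event-id pairs so the auditor knows where to look
        $top = $events | Group-Object ProviderName, Id | Sort-Object Count -Descending | Select-Object -First 3
        [pscustomobject]@{
            Check  = 'EventLog'
            Item   = $log
            Detail = ($top | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join '; '
            Status = if ($events.Count -gt 0) { "$($events.Count) error(s)" } else { 'OK' }
        }
    }
}

Get-DcHealthReport | Format-Table Check, Item, Status, Detail -AutoSize -Wrap
```

Logs that do not exist on a given DC (for example DNS Server on a DC without the DNS role) simply report OK with no events, because the lookup error is suppressed.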

Checked OK | Checked - NOT OK | Repeat    | Remarks/ Date of Check
           |                  | Quarterly |


19. VERIFY THAT THERE ARE NO READ ONLY DOMAIN CONTROLLERS

Applicable Experion releases: All

Link Checkpoint 19

Introduction:

Reliable Windows authentication is key to a robust Experion system. Besides operators logging in, many other
authentication activities happen in the background, and losing the ability to authenticate is a significant
loss that should be protected against.
For control systems, functional authentication is a critical function that needs to be considered with the
right system architecture.

Read Only Domain Controller (RODC) and Windows authentication:

By Microsoft design, an RODC depends on a writable DC (RWDC) for authentication. In a scenario where an RODC is
configured on L2 and an RWDC on L3, any authentication required by Experion is passed from L2 to L3, which
leaves Experion vulnerable to a network disruption to L3 or to the L3 domain controller being unavailable (e.g.
while applying security updates, reboots, etc.).

In more detail, a writable DC is required for authentication, hence all Experion authentication goes to the L3
DC. Some Active Directory (AD) queries the server makes as part of operator login and operator or group
configuration in Experion may be handled by the RODC, but the actual authentication for operator security and
for any other purpose (e.g. login to the desktop) goes to the L3 DC.

RODCs refer authentication requests to a read/write (RW) DC and may cache the credentials for future
authentication depending on policy, so to be sure authentication succeeds an RW DC needs to be available at all
times.

An RODC can handle many other AD read requests where the call permits it, but many of the Windows AD API calls
require a flag to be set advising that using an RODC is permitted where available, and some calls do not
provide this option and thus always require an RW DC even for a read operation.

One advantage of an RODC is that it reduces replication traffic, since replication is one way from an RWDC to
the RODC rather than two way; however, this advantage is negated by the impact on authentication robustness.

Impact on Experion:

Failing or slow Windows authentication may impact the entire Windows infrastructure and the applications using
it. As a consequence, multiple applications and Windows functions would be impacted.
From an Experion angle, RPC call failures and timeouts would be expected, impacting Experion core functions such
as OPC, DSA, Console Station synchronization processes, etc.


Similarly, loss of Level 3 domain connectivity could impact multiple Experion clusters in topologies where
multiple Experion clusters with RODCs share a common Level 3 DC.
This is the reason why we recommend a robust Windows domain infrastructure; the Experion documentation will be
enhanced to cover this topic in similar detail.

Recommendations:

Here are high level architecture guidelines:

➢ We recommend systems to be configured with at least a peer domain controller, with a fully functional domain
controller (RWDC) on Level 2.
➢ At least one RWDC per L2 FTE community.
➢ When using sites, each site should have at least one read/write DC.
➢ The L3 domain controller must have the System Management Services disabled (when installed).

Checking for RODC:

From the domain controller, type the command “nltest /dclist:domainname”. An RODC is identified as shown below:

Get list of DCs in domain '' from '\\DCA.pcn.local'.
PCN1DC.dcs.local [RODC] [DS] Site: FTECOMM1-Site
PCN2DC.dcs.local [RODC] [DS] Site: FTECOMM2-Site
PCN3DC.dcs.local [RODC] [DS] Site: FTECOMM3-Site
DCB.pcn.local [PDC] [DS] Site: Default-First-Site-Name
DCA.pcn.local [DS] Site: Default-First-Site-Name

Changing from an RODC to an RWDC:

Here are the high-level tasks to switch from an existing RODC to an RWDC:

➢ Demote the RODC.
➢ Run the metadata cleanup procedure from a writable DC (follow
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup).
➢ Promote it as a writable DC.
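The RODC check above, together with checks 1 (at least two DCs) and 16 (every DC a global catalog), can be run as one inventory. The following helper is an added example, not part of the Honeywell document. The first function queries Active Directory directly and needs the ActiveDirectory RSAT module; the second parses "nltest /dclist" output in the format shown above so the RODC check also works where the module is not installed, and is exercised here on the listing above embedded as a constructed sample.

```powershell
# Added audit helper (not from the Honeywell document). Get-DcInventoryFindings assumes
# the ActiveDirectory module; Find-RodcInNltestOutput needs only the nltest text.
function Get-DcInventoryFindings {
    Import-Module ActiveDirectory
    $dcs = @(Get-ADDomainController -Filter *)
    if ($dcs.Count -lt 2) {
        # Check 1: Honeywell minimum is two domain controllers per domain
        [pscustomobject]@{ DC = '(domain)'; Site = ''; Finding = "only $($dcs.Count) domain controller(s); minimum is two" }
    }
    foreach ($dc in $dcs) {
        $findings = @()
        if ($dc.IsReadOnly)           { $findings += 'read-only DC (RODC): replace with a writable DC' }   # check 19
        if (-not $dc.IsGlobalCatalog) { $findings += 'not a global catalog server' }                       # check 16
        [pscustomobject]@{
            DC      = $dc.HostName
            Site    = $dc.Site
            Finding = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

function Find-RodcInNltestOutput {
    param([Parameter(Mandatory)] [string[]] $NltestLines)
    # Lines look like: "PCN1DC.dcs.local [RODC] [DS] Site: FTECOMM1-Site"
    foreach ($line in $NltestLines) {
        if ($line -match '^\s*(?<dc>\S+)\s+(?<flags>(\[[A-Z]+\]\s*)+)Site:\s*(?<site>\S+)') {
            [pscustomobject]@{
                DC   = $Matches.dc
                Site = $Matches.site
                Role = if ($Matches.flags -match '\[RODC\]') { 'RODC' }
                       elseif ($Matches.flags -match '\[PDC\]') { 'RWDC (PDC)' }
                       else { 'RWDC' }
            }
        }
    }
}

# Constructed sample: the nltest /dclist listing shown above, embedded so this runs offline.
$sample = @'
Get list of DCs in domain '' from '\\DCA.pcn.local'.
PCN1DC.dcs.local [RODC] [DS] Site: FTECOMM1-Site
PCN2DC.dcs.local [RODC] [DS] Site: FTECOMM2-Site
PCN3DC.dcs.local [RODC] [DS] Site: FTECOMM3-Site
DCB.pcn.local [PDC] [DS] Site: Default-First-Site-Name
DCA.pcn.local [DS] Site: Default-First-Site-Name
'@ -split "`r?`n"

# Lists the three RODCs of the sample; on a live DC pass (nltest /dclist:pcn.local) instead.
Find-RodcInNltestOutput -NltestLines $sample | Where-Object Role -eq 'RODC' | Format-Table -AutoSize
```

Both functions only read; the demote, metadata cleanup and promote steps above remain a manual, planned change.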

Checked OK | Checked - NOT OK | Repeat      | Remarks/ Date of Check
           |                  | Half yearly |


20. STATION OPERATION SLOWDOWN IF THE CONNECTIVITY TO A DOMAIN CONTROLLER IS LOST TEMPORARILY

Applicable Experion releases: Refer to KSM

Link Checkpoint 20

Station operation may slow down if the connectivity to a domain controller is lost temporarily. Refer to
KSM-2015-032 for guidance.
If you are not able to open the KSM, search the support portal knowledge base for “KSM 2015-032 - Station
operation may slowdown if the connectivity to a Domain Controller is lost temporally” or for article number
000064964.

Checked OK | Checked - NOT OK | Repeat    | Remarks/ Date of Check
           |                  | Quarterly |


21. LOCATION OF ACTIVE DIRECTORY DATABASE, LOG FILES, AND SYSVOL


OBJECTS
Applicable Experion releases:

all

Link Checkpoint 21

Though Microsoft recommends placing the Database, Log files, and SYSVOL objects on different drives in a
system for optimal performance, Honeywell recommends using the following default locations.
• Active Directory Database — C:\Windows\NTDS
• Log Files — C:\Windows\NTDS
• SYSVOL — C:\Windows\SYSVOL

Checked OK | Checked - NOT OK | Repeat: Half yearly | Remarks/ Date of Check


22. WINDOWS INTERNET NAME SERVICE (WINS)

Applicable Experion releases: All
Link: Checkpoint 22

WINS servers are not required in an Experion network. Do not configure WINS on domain controllers.

Checked OK | Checked - NOT OK | Repeat: Once | Remarks/ Date of Check


23. IPV6 CONFIGURATION ON DOMAIN CONTROLLER NODES

Applicable Experion releases: All when using CF9
Link: Checkpoint 23

Domain controllers installed in an FTE network with an Experion R5xx system must have IPv6 enabled.
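A PowerShell audit of the local DC node covering checkpoints 21, 22 and 23, added as an example and not part of the Honeywell document. It reads the NTDS and Netlogon service parameters from the registry and compares them with the default locations listed under checkpoint 21, then checks that no WINS address or WINS role is configured and that IPv6 is still bound on the physical adapters; the registry value names and cmdlets are standard Windows ones, and the OK/NOT OK wording mirrors the checklist.

```powershell
# Added example: local node audit for checkpoints 21 (AD database, log and
# SYSVOL locations), 22 (no WINS) and 23 (IPv6 enabled). Run elevated on the DC.
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$nlog = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Checkpoint 21: the registry holds the ntds.dit file path and the sysvol share
# path; the checklist quotes their parent folders, so compare at folder level.
$actual = [ordered]@{
    'Active Directory Database' = Split-Path $ntds.'DSA Database file' -Parent
    'Log Files'                 = $ntds.'Database log files path'
    'SYSVOL'                    = Split-Path $nlog.SysVol -Parent
}
$expected = @{
    'Active Directory Database' = "$env:SystemRoot\NTDS"
    'Log Files'                 = "$env:SystemRoot\NTDS"
    'SYSVOL'                    = "$env:SystemRoot\SYSVOL"
}
foreach ($k in $actual.Keys) {
    $ok = $actual[$k].TrimEnd('\') -ieq $expected[$k]
    '{0,-26} {1,-24} {2}' -f $k, $actual[$k], $(if ($ok) { 'OK' } else { 'NOT OK' })
}

# Checkpoint 22: no WINS addresses on any IP-enabled adapter, WINS role absent.
$winsClient = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.WINSPrimaryServer -or $_.WINSSecondaryServer }
$winsRole = (Get-WindowsFeature -Name WINS).Installed
'{0,-26} {1}' -f 'WINS', $(if ($winsClient -or $winsRole) { 'NOT OK' } else { 'OK' })

# Checkpoint 23: IPv6 (ms_tcpip6) bound on every physical adapter and no
# DisabledComponents override in the Tcpip6 service key (absent or 0 is fine).
$v6Unbound = Get-NetAdapter -Physical | Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Where-Object { -not $_.Enabled }
$v6Disabled = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters').DisabledComponents
'{0,-26} {1}' -f 'IPv6', $(if ($v6Unbound -or $v6Disabled) { 'NOT OK' } else { 'OK' })
```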

Checked OK | Checked - NOT OK | Repeat: Half yearly | Remarks/ Date of Check


24. SETTING UP STANDBY OPERATIONS MASTER

Applicable Experion releases: All
Link: Checkpoint 24

Honeywell does not recommend implementing a standby FSMO role holder (standby operations master) on any DC in
the Experion process control network. Although Microsoft supports this configuration, Honeywell does not
recommend it.

Checked OK | Checked - NOT OK | Repeat: Once | Remarks/ Date of Check

25. SUPPORTED EXPERION RELEASES

Applicable Experion releases: All
Link: Checkpoint 25

With each Experion release, Honeywell updates the documentation listing the supported Experion releases and
domain controller OS compatibility. Refer to the “Supported Experion Releases” section of the “Windows Domain
and Workgroup Planning Guide”.

Checked OK | Checked - NOT OK | Repeat: Once | Remarks/ Date of Check


26. CHECK THAT NO ORGANIZATIONAL UNIT (OU) IS BUILT UNDER THE DOMAIN CONTROLLERS OU IN ACTIVE DIRECTORY

Applicable Experion releases: All
Link: Checkpoint 26

On the Domain Controller, in Active Directory, verify that no organizational unit (OU) is built under the
Domain Controllers OU, as shown in the example below. Make sure that the Domain Controllers OU contains DC
computers only; no Experion nodes should be placed in this OU.
Contact HPS Technical Support to resolve the problem if the configuration is found to be incorrect.
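A PowerShell check for this checkpoint, added as an example and not part of the Honeywell document: it lists any child OU under the Domain Controllers OU and any computer object there that is not a domain controller, using the well-known primaryGroupID values 516 and 521. The example DN in the comment is derived from the pcn.local domain in the nltest output earlier in this document.

```powershell
# Added example (checkpoint 26): verify that the Domain Controllers OU holds DC
# computer objects only and has no child OU. Requires the ActiveDirectory module.
Import-Module ActiveDirectory
$dcOu = (Get-ADDomain).DomainControllersContainer   # e.g. OU=Domain Controllers,DC=pcn,DC=local

# (a) No OU may be built below the Domain Controllers OU.
$childOus = Get-ADOrganizationalUnit -Filter * -SearchBase $dcOu -SearchScope OneLevel

# (b) Every computer in the OU must be a DC. AD sets primaryGroupID 516
#     (Domain Controllers) on writable DCs and 521 (Read-only Domain Controllers)
#     on RODCs; an Experion server or station moved here keeps 515 (Domain Computers).
$nonDc = Get-ADComputer -Filter * -SearchBase $dcOu -SearchScope OneLevel -Properties primaryGroupID |
    Where-Object { $_.primaryGroupID -notin 516, 521 }

if ($childOus) { Write-Warning ('Checkpoint 26 NOT OK - child OU(s): ' + ($childOus.Name -join ', ')) }
if ($nonDc)    { Write-Warning ('Checkpoint 26 NOT OK - non-DC computer(s): ' + ($nonDc.Name -join ', ')) }
if (-not $childOus -and -not $nonDc) { 'Checkpoint 26 OK - Domain Controllers OU contains DC computers only' }
```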

Checked OK | Checked - NOT OK | Repeat: Once | Remarks/ Date of Check


27. VERIFY ACCOUNT & PASSWORD POLICY ON DOMAIN CONTROLLERS

Applicable Experion releases: Win 2016 Domain Controller
Link: Checkpoint 27

With later versions of Windows Server (e.g. Windows Server 2016) the Domain Controller is installed by
default with built-in account/password policies that might conflict with the customer's requirements (password
age/complexity, etc.). It is important to review them and configure them in alignment with the customer's
needs. Note that these policies do not apply to the Experion service accounts (mngr, …).
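A PowerShell comparison of the effective default domain password and lockout policy with a customer requirement, added as an example and not part of the Honeywell document. The requirement values are constructed placeholders, not Honeywell or Microsoft recommendations; the cmdlets and property names are those of the ActiveDirectory module.

```powershell
# Added example (checkpoint 27): compare the default domain password/lockout policy
# with the customer's requirement. The $required values are constructed
# placeholders; replace them with the values agreed with the customer.
Import-Module ActiveDirectory
$required = @{
    MinPasswordLength    = 12                        # placeholder
    ComplexityEnabled    = $true                     # placeholder
    MaxPasswordAge       = New-TimeSpan -Days 90     # placeholder
    PasswordHistoryCount = 24                        # placeholder
    LockoutThreshold     = 5                         # placeholder
}
$policy = Get-ADDefaultDomainPasswordPolicy
$rows = foreach ($name in $required.Keys) {
    $actual = $policy.$name
    $ok = switch ($name) {
        # Minimums must be met or exceeded, maxima must not be exceeded, flags must
        # match. MaxPasswordAge 0 means "never expires"; LockoutThreshold 0 means
        # lockout is disabled, so both count as NOT OK.
        'MinPasswordLength'    { $actual -ge $required[$name] }
        'PasswordHistoryCount' { $actual -ge $required[$name] }
        'MaxPasswordAge'       { $actual -ne [TimeSpan]::Zero -and $actual -le $required[$name] }
        'LockoutThreshold'     { $actual -ne 0 -and $actual -le $required[$name] }
        default                { $actual -eq $required[$name] }
    }
    [pscustomobject]@{
        Setting  = $name
        Required = $required[$name]
        Actual   = $actual
        Result   = $(if ($ok) { 'OK' } else { 'NOT OK' })
    }
}
$rows | Format-Table -AutoSize

# Fine-grained password policies (PSOs) override the default for the users and
# groups they apply to, so record them in the audit as well.
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, AppliesTo | Format-Table -AutoSize
```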

Checked OK | Checked - NOT OK | Repeat: Once | Remarks/ Date of Check


28. FTE DRIVER INSTALLATION ON DOMAIN CONTROLLER

Applicable Experion releases: All
Link: Checkpoint 28

When a domain controller is installed in a Level 2 FTE community:

➢ Verify that the hardware platform meets the Honeywell FTE guideline.
➢ Verify that the operating system is supported by the FTE driver.
➢ Install the FTE driver using the Experion Installation Media. Refer to the FTE Installation and Service Guide,
section “Install and configure FTE on domain controllers”.
➢ FTE hotfixes are applicable to domain controllers. Verify that the DCs are installed with the latest FTE hotfix.
Refer to the Experion Update Matrix for the latest hotfix available for the installed Experion release.
Note: Before installation, refer to the SCN “Applicable Nodes” section to verify that the FTE driver / hotfix is
validated for domain controllers.

Checked OK | Checked - NOT OK | Repeat: After each patch installation | Remarks/ Date of Check

29. REFERENCE DOCUMENTS

The following reference documents are useful when implementing a domain for an Experion PKS system:
➢ Windows Domain Implementation Guide (refer to the document for the respective OS release, e.g.
Windows-Domain-Implementation-Guide-for-Windows-Server-2016-EPDOC-X472-en-516A.pdf
is for release R516 with Windows Server 2016)
➢ Windows Domain and Workgroup Planning Guide


CHECKLIST

Columns: Check Point | Topic | Applicable Experion releases | Not applicable | Checked OK | Checked NOT OK | Repeat | Remarks | Date of Check
(only the first two columns are pre-filled; the remaining columns are completed during the audit)

 1 | Number of Domain Controllers per Domain
 2 | Windows Domain Name System (DNS) Server Configuration
 3 | Domain Controller IP Configuration for DNS Server address configuration
 4 | TPS Organizational Units (OU) as per SRP clusters
 5 | Domain security package installation
 6 | Active Directory sites and subnets configuration
 7 | Active Directory replication setting
 8 | Domain controller time synchronization
 9 | HOST file on domain controller
10 | Logon scripts
11 | Group Policy customization
12 | Domain Controller Event Analysis
13 | Link Domain Groups
14 | Domain controller naming convention
15 | FQDN (fully qualified domain name)
16 | Global Catalog (GC)
17 | MS update installations
18 | DCDiag output analysis


19 | Verify that there are no Read Only Domain Controllers
20 | Station operation slowdown if the connectivity to a Domain Controller is lost temporarily
21 | Location of Active Directory Database, Log files, and SYSVOL objects
22 | Windows Internet Name Service (WINS)
23 | IPv6 Configuration on Domain controller nodes
24 | Setting Up Standby Operations Master
25 | Supported Experion releases
26 | Check that no Organizational Unit (OU) is built under the Domain Controllers OU in Active Directory
27 | Verify Account & Password Policy on Win 2016 Domain Controllers
28 | FTE Driver Installation on Domain Controller

