Posted by Jamie Godbout

Advancing Automation Technology - How to Specify a Domain Controller

June 4, 2019

The Advancing Automation Technology series takes an in-depth look at how the latest technology is being used to develop state-of-the-art control systems. We will select various software and hardware packages in use today and provide best-practice techniques for applying them, along with guidance on when you should consider applying each one.

The domain controller is the component in the FactoryTalk Batch process control system that controls authorized users and equipment. The domain is a logical grouping of hardware and users that belong together on a system. Most companies will have a corporate domain like Microsoft.com or google.com. These corporate domains will usually contain all the users authorized to access their computer systems and how much access each user will have on a particular system.

Occasionally, in an effort to simplify things, the decision will be made to put the manufacturing system on the corporate network. This is almost always a grave mistake. It is standard practice, and highly recommended, that the manufacturing system stand alone, mostly isolated from any other network. There should be points of entry from the corporate network, and perhaps a tightly controlled point of entry to the internet, but those points must be clearly defined, controlled, and secured. I will post a blog discussing why it is better to isolate your manufacturing network in a future entry, so keep an eye out.

Now that the manufacturing network is going to be isolated from other networks, you will need something to manage users, resources, and authentication: a domain and a domain controller. This post will help you specify the requirements for building a domain controller. Keep a watch for a future post where I will describe in detail how to set up and configure a domain controller for use on your plant control system.

Hardware Requirements

The computer that will function as a domain controller does not need to be very powerful, but it shouldn’t be virtual. I prefer the DC to be non-virtual because the virtual system will need to authenticate users, and if your DC is on that virtual system and has not started yet, you can run into a catch-22 situation. If you put the DC on a physical server, you can start up that machine and have your authentication services ready as you start up the rest of the system.

That said, installing the domain controller on a virtual system is possible, and it could save some money as you wouldn’t have to put up $4,000 for another server. The trade-off is that you may have some extra steps in getting your system started. For the purpose of this post I’m going to specify the physical hardware that I prefer to use. If you choose to go the way of a virtual domain controller, this section will not be relevant to you.

Everybody has a particular preference on server brand; mine is Dell PowerEdge R620 servers for my systems. There isn’t any specific reason for this other than that I happened to have started using Dell servers, and it stuck. You can use Cisco, HP, IBM, or whatever your personal preference is, and if your company has a standard type of server, it would be a good idea to stay consistent. The engine running under the hood is the important thing.

The domain controller can be a base level server and doesn’t need a lot of bells and whistles. So try to save some money here and save the extras for the virtual system host(s). The important requirements are going to include:

  • 19” Rack Mount Server
  • Rack Mounting Slide Rails
  • Cable Management Arm
  • Dual Core Processor (no need to upgrade the CPU, the default processor should be fine)
  • 4 GB of RAM
  • At least 80 GB of storage (hard drives)
  • Go for the hardware RAID controllers, don’t depend on software RAID
  • With the domain controller I would go with RAID 1 (mirrored drives), so you only need 2 drives and are covered in the unfortunate event one fails
  • At least 1 gigabit Ethernet port, most will come with at least two ports
  • CD or DVD drive
  • Redundant power supplies (make sure the power supplies are big enough for the selected hardware, Dell will show a warning if this is a problem)

Software Requirements

The software requirements for the domain controller are not very complicated. You only need the operating system. The most common, and in fact the only one that I use, is Microsoft Windows Server. You will have to check compatibility with the control system, but for the domain controller Windows Server 2012 R2 will be the OS of choice in almost all situations. The operating system will include all the software you will require, but you will need to install and configure the OS to run the domain controller services such as Active Directory.

Generally, I will also set up a DHCP server on the domain controller and provide a small pool of DHCP IP addresses to accommodate the occasional support engineer who needs to plug into the network. This way that engineer will not have to reconfigure their laptop to get on the network. It also helps when spinning up a new server for the first time. The server will be given a dynamic IP address, and then you can go in and change it to the appropriate static address.
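
One way to script the small DHCP pool described above with the Windows Server DhcpServer PowerShell module. This is an added example, not from the original post; the subnet, address range, lease time and the names dc01.plant.example and plant.example are assumed placeholder values.

```powershell
#Requires -RunAsAdministrator
# Placeholder values (assumptions, not from the post); adjust to your plant network.
$DcName    = 'dc01.plant.example'
$DcAddress = '192.168.10.10'
$ScopeId   = '192.168.10.0'
$PoolStart = '192.168.10.200'
$PoolEnd   = '192.168.10.219'   # 20 addresses for visiting laptops and new servers
$Mask      = '255.255.255.0'

# Install the DHCP role and authorize this server in Active Directory,
# so it is the one DHCP server the domain recognizes.
Install-WindowsFeature -Name DHCP -IncludeManagementTools
Add-DhcpServerInDC -DnsName $DcName -IPAddress $DcAddress

# Keep the pool small and the lease short: static addresses stay outside the
# range, and a lease handed to a visiting laptop expires the same day.
Add-DhcpServerv4Scope -Name 'Support and staging pool' `
    -StartRange $PoolStart -EndRange $PoolEnd -SubnetMask $Mask `
    -LeaseDuration (New-TimeSpan -Hours 8) -State Active

# Point DHCP clients at the domain controller for DNS so they can find the domain.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $DcAddress -DnsDomain 'plant.example'

# Turn on the DHCP audit log so every lease is recorded, then restart the
# service for the logging change to take effect.
Set-DhcpServerAuditLog -Enable $true
Restart-Service -Name DHCPServer

# Review who currently holds an address; an unfamiliar host name or client ID
# on an isolated plant network is worth following up.
Get-DhcpServerv4Lease -ScopeId $ScopeId |
    Sort-Object LeaseExpiryTime |
    Format-Table IPAddress, ClientId, HostName, AddressState, LeaseExpiryTime

# Check how much of the pool is in use.
Get-DhcpServerv4ScopeStatistics -ScopeId $ScopeId |
    Format-List ScopeId, Free, InUse, PercentageInUse
```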

Summary

The domain controller is going to be the component in your system that will control who has access to what system and when. It will distribute security and preference policies to the users on your control system and handle any dynamic IP addressing that may be required. Fortunately, these functions do not require a lot of processing, memory, or storage power, so we can specify a somewhat lightweight, rack-mountable server to do the job.

Opt for a standard 19” rack mount server with the default options and Windows Server 2012 R2 to be the domain controller. It will do the job just fine.

On a side note, if you decide you would prefer to make the DC virtual to cut the expense of a separate machine, create a new virtual machine with Windows Server OS, and give that machine similar hardware specifications as described above. You will just have to manage local user accounts on the VMware vCenter machine to create the domain controller on the host and configure the virtual machine.

About the Author:

Jamie has left Hallam-ICS to pursue other endeavors, but his sound advice continues to be valued.

About Hallam-ICS:

Hallam-ICS is an engineering and automation company that designs MEP systems for facilities and plants, engineers control and automation solutions, and ensures safety and regulatory compliance through arc flash studies, commissioning, and validation. Our offices are located in Massachusetts, Connecticut, New York, Vermont and North Carolina and our projects take us world-wide. 

Topics: Process Control and Plant Automation
