OT: Windows - Domain vs Workgroup in plant environment

harryting

Some consultants told the higher-ups that it would make sense to implement a domain controller in the plant and that's what "most" people are doing now.

That has not been my experience so I want to do a sanity check on this. Just about all the plants I ever worked in have control equipment on static IP assignment and Windows PCs in workgroups. I can see that for some situations, such as big plants, FDA compliance, or a lot of operator workstations, implementing a domain for user and machine management would make sense, but most plants have less than a dozen servers/PCs. I just don't see the benefit outweighing the additional overhead.

What are the experiences at your plants, and why?
 
I've made it a point to remove PCs from the plant's domain controllers and isolate them at level 2 wherever possible. If your plant is less than, like, 100 devices, having a statically assigned network makes sense for one singular reason:

It is much easier to set up the IP address in a new device you are installing than to log into the switch and change the MAC address for DHCP.

We had DHCP on our network, but it had like 10 IP addresses in the pool with its own Wi-Fi SSID to allow us to connect specifically to the controls network, or to allow us to plug in if we needed to and get an IP.

Basically, there is no need to add the complexity to your current solution. There is absolutely no benefit to doing so, and adding that complexity adds overhead, cost, and security risk. From what I can tell, most of the PCs are essentially just HMIs.
EDIT: I don't know why these forums keep inserting extra spaces.
 
If you are forced to use a domain controller, make your own with two NICs: one for your PLC network and one for your office network. Then have your IT folks add your domain as a trusted domain. Then you can control PC and PLC IP addressing and use the office domain to control logins. It's a nice way to handle operator logins. Also, if an operator quits, their login stops working (providing the HR department disables their login).

For most plants I have worked with, I have the IT folks create the groups: Operator, Supervisor, Maintenance, Engineer and PLCDeveloper.


I have found that if you stress the security requirements the IT folks will want/have to work with you.


We are also starting to make all PCs Windows 10 LTSC. That's the stripped-down version of Windows that doesn't require constant updates and lets you control when they update, so you can make sure it will still be compatible with whatever HMI software you are running. It also has a very small footprint.
 
HarryTing > Just about all the plants I ever worked in have control equipment on static IP assignment and windows PC in workgroups.

The plant I work in . . .
The production equipment is static IP and the PC type computers are DHCP, in a Domain. As mentioned above, I can log on to any computer in the building with my logon credentials.

One department has three identical machines, with identical IP addresses, and Cisco PIX boxes to NAT-translate the addresses so the machines can communicate with each other. This system has another PIX box which allows the system to communicate with a server which is within the Domain.

Another department has PLCs and computer workstations which are static IP and are in a workgroup. These are on a separate subnet of the domain, with some black magic so that they can be accessed from the domain, but only if one has the right accesses.

I suspect a Domain allows for greater security and more flexibility. But for a small operation without the required IT expertise a workgroup is easier to implement.

Poet.
 
I've made it a point to remove PCs from the plant's domain controllers and isolate them at level 2 wherever possible. If your plant is less than, like, 100 devices, having a statically assigned network makes sense for one singular reason:

It is much easier to set up the IP address in a new device you are installing than to log into the switch and change the MAC address for DHCP.

We had DHCP on our network, but it had like 10 IP addresses in the pool with its own Wi-Fi SSID to allow us to connect specifically to the controls network, or to allow us to plug in if we needed to and get an IP.

Basically, there is no need to add the complexity to your current solution. There is absolutely no benefit to doing so, and adding that complexity adds overhead, cost, and security risk. From what I can tell, most of the PCs are essentially just HMIs.
EDIT: I don't know why these forums keep inserting extra spaces.

Domain controllers don't necessarily change the IP assignment on the computers or devices they are managing.

I have installed a Domain controller to integrate with iFix as our IT department (rightly, I might add) pointed out that our plant is more like a sieve than a production plant when it comes to process security.

The domain controllers make it really simple to manage the computers (I have 4 SCADA servers and about 20 nodes). If there's a setting that needs a tweak, I can do it from the Domain Controller and it goes to all computers in a group. It's pretty nifty.

The problems you'll find with Domain Controllers are likely elsewhere and not in the functionality itself.

Here's some of the problems I had:

- Budget and hardware: since logging in to your process requires a Domain Controller to be active, your network needs to be checked for weak points, and a second Domain Controller should be added and synchronised so that, should one die, the other can take over.

- Licensing. iFix is **** on all aspects, but the implementation of security is probably ten times worse than what most people think is their worst. Essentially you pay extra for the possibility of using a Domain Controller, and it's done per node. At 4k GBP per node, even GE recommends that only servers have this functionality; you update a couple of files and your nodes then read the files for user information instead of retrieving this from the Domain Controller.

- Functionality: the fallback logic in the event that your domain controller is down is really **** and too slow to even be remotely usable. This however is a problem of iFix, not Domain Controllers. It also doesn't let you list a Domain and automatically find a server within the domain to verify credentials. The server is hardcoded.

- User management: iFix doesn't come with user management functionality that allows you to manage users in your Domain. As such you need to log in to the domain controller and manage users from there.
 
HarryTing > Just about all the plants I ever worked in have control equipment on static IP assignment and windows PC in workgroups.

That's the "traditional" way; it has its limitations.

HarryTing > I just don't see the benefit out weight the additional overhead.

Depends on how much you need to integrate the production system into the business system. Pretty much any SCADA system we are putting into a plant is being hosted in a virtual environment the customer's IT provides and supports. This also means they are responsible for keeping the SCADA terminals patched and up to date. At the end of the day, the days of running SCADA PCs on dated/non-patched versions of Windows are over. A domain is the only way to manage these activities.

There are also security requirements to be tied into the business active directory as well as email/SMS alerts. All of which is easier to access when part of a domain.

The current project I am on will have all SCADA servers and terminals on their domain and all PLC control devices on an isolated VLAN with static IP assignments.
 
Domain environments allow for better security because it can be enforced from a single console (so you will have time to make it happen...), better fluidity because your desktop profile can follow you from machine to machine via your logon, and the best part, GPOs, which can make sweeping changes to all machines at once, update software, change drive mappings, about anything.

I employ it because I am the sole admin for a couple dozen machines and it makes my life easier. But there is complexity that goes with it that also must be maintained. DHCP doesn't really play a role in this decision; you can have IP assignments either way or in any combination as long as DNS is maintained. In a Windows domain DNS really matters and is always the first suspect.
 
Here we have an intranet (domain) for ERP, accounting, mail, etc. At the same time I have my workgroup network with three servers, six PCs, more than 65 PLCs and lots of PanelViews, several IP printers, etc.
I've got a bridge between the two networks.
No problem so far; it has been that way for more than 14 years.
 
We have two different networks: corporate and plant.
You need to keep the plant away from the corporate network for security: virus protection and nosey people. Our plant PCs are in workgroups and automatically log in; they are in use 24/7.

If management can see and get to the plant PCs, they will then ask for the PLC/SCADA software and then they will make changes without having a clue what the process is, like timers and counters, because the process is too slow. They will make online changes while maintenance is working on the equipment and get someone hurt. They make changes while maintenance is doing edits and corrupt the program. Been there, done that, as I am sure others have also.

james
 
Thanks for the feedback, great stuff. Some new ideas, and it also confirms a lot of what I kinda knew but wasn't so sure about.
 
I hope the consultant did not make a business case on "most people are doing it now."

Either there's a case for "you're not managing your PCs effectively now" AND "you could manage it effectively using a domain because ____."

Reasons I would switch to putting my Windows PCs on a domain would include:
Your backup strategy isn't working
You don't change passwords when workers leave or change roles
You aren't auditing the user permissions
You aren't managing Windows updates
You log in with a local admin account when a normal user would suffice
An effective IT department exists who respect the importance of the availability of the plant.

If it was me, I would either trust in the IT of a large organisation, or not use Windows network services at all for the plant.

If you and your team are comfortable managing the workgroup, and you can address the concerns the consultant raised without using a DC, then business as usual for you!
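An added example, not from any post in this thread, of the kind of audit the list above is asking for ("you don't change passwords when workers leave", "you aren't auditing the user permissions"). It runs against the role groups named earlier in the thread (Operator, Supervisor, Maintenance, Engineer, PLCDeveloper) and assumes the setup described there: the groups live in the office domain and the plant domain trusts it. The domain name office.example.local, the 90-day threshold and the presence of the RSAT ActiveDirectory module are assumptions, not anything the posters stated.

```powershell
# Added example: audit the plant role groups for accounts that should not still have access.
# Assumptions: groups live in the office domain (trusted by the plant domain), the RSAT
# ActiveDirectory module is installed, and the caller can read the directory.
Import-Module ActiveDirectory

$OfficeDomain = 'office.example.local'   # placeholder, not from the thread
$RoleGroups   = 'Operator', 'Supervisor', 'Maintenance', 'Engineer', 'PLCDeveloper'
$StaleDays    = 90                         # placeholder threshold for "never logs in"
$cutoff       = (Get-Date).AddDays(-$StaleDays)

$findings   = @()
$membership = @{}   # samAccountName -> role groups, to spot one account holding several roles

foreach ($group in $RoleGroups) {
    # -Recursive flattens nested groups so indirect members are audited too.
    $members = Get-ADGroupMember -Identity $group -Server $OfficeDomain -Recursive -ErrorAction Stop |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Server $OfficeDomain `
                        -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires

        if (-not $membership.ContainsKey($u.SamAccountName)) { $membership[$u.SamAccountName] = @() }
        $membership[$u.SamAccountName] += $group

        # Disabled account still in a role group: HR did its part, but the group was never cleaned up.
        if (-not $u.Enabled) {
            $findings += [pscustomobject]@{ Account = $u.SamAccountName; Group = $group; Issue = 'Disabled but still a member' }
        }
        # LastLogonDate is derived from lastLogonTimestamp, which replicates only every ~14 days,
        # so treat this as "roughly stale", not an exact last-use date.
        if ($u.Enabled -and ($null -eq $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff)) {
            $findings += [pscustomobject]@{ Account = $u.SamAccountName; Group = $group; Issue = "No logon in $StaleDays days" }
        }
        # Never-expiring passwords are how shared "operator" accounts outlive the operators.
        if ($u.PasswordNeverExpires) {
            $findings += [pscustomobject]@{ Account = $u.SamAccountName; Group = $group; Issue = 'Password never expires' }
        }
    }
}

# Role stacking: an account that is both Operator and PLCDeveloper defeats the point of separate groups.
foreach ($acct in $membership.Keys) {
    if ($membership[$acct].Count -gt 1) {
        $findings += [pscustomobject]@{ Account = $acct; Group = ($membership[$acct] -join ', '); Issue = 'Member of more than one role group' }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Sort-Object Account | Format-Table -AutoSize }
```

Run it from a domain-joined engineering station on a schedule and keep the output; the disabled-but-still-a-member rows are the ones that show whether the "HR disables the login" assumption from earlier in the thread actually holds at your site.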
 
Something to think about if you plan on using virtual servers or thin clients at some point.
The latest MS Server software requires a domain controller to configure a Terminal Server, and some of the VMware appliances require a DNS server.
If you are going virtual, you can add a small 4 GB, 1-core DNS/Domain controller to two physical hosts at little expense.
 
Something to think about if you plan on using virtual servers or thin clients at some point.
The latest MS Server software requires a domain controller to configure a Terminal Server, and some of the VMware appliances require a DNS server.
If you are going virtual, you can add a small 4 GB, 1-core DNS/Domain controller to two physical hosts at little expense.

That's news to me and a valid consideration. Some of our plants are migrating their HMIs to VMs. The new ABB DCS, for example, is delivered from the factory as VMs, but I don't recall that they are in a Domain. I will have to check.

Also, related to this. I tried to configure a Dell server with Server 2019 preinstalled and it won't let me check out with 2 VMs in addition to the host unless I add 2 more licenses of Server 2019. It seems Microsoft changed their terms, and according to one site, quoted here:

If you use virtualization on your physical server with Windows Server 2019, you can use the host OS only to maintain and manage the Hyper-V role and virtual machines. You cannot install Windows Server 2019 on a physical server, run two VMs on it and get three full-fledged Windows server instances for your tasks.

I had thought at one time Microsoft let one use the host license for 2 more VM instances. So, I might as well go with VMware ESXi and stay with Desktop OS as VMs.
 
We have the 3-tier design here.
Enterprise - FW - DMZ - FW - MFG

All our new HMIs are set up to use either LDAP or, if Windows based, are joined directly to a subdomain off the primary domain.

Since I work in Pharma - The centralized login controls, password policies, timesync and automated backups are pretty much the only way to roll these days.
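Several posts above come back to the same operational points: a second, synchronised domain controller so a single DC failure does not lock operators out, DNS as "always the first suspect", and time sync. The following is an added example of a sanity check a controls engineer can run from any domain-joined SCADA or HMI node; it is not code from any post in this thread. The plant domain name plant.example.local and the expectation of two DCs are placeholders, and the replication check only runs if the RSAT ActiveDirectory module happens to be installed.

```powershell
# Added example: sanity checks for a plant domain, run from a domain-joined SCADA/HMI node.
# Assumptions: the plant domain is plant.example.local (placeholder) and two DCs are expected,
# as the thread recommends. Everything else uses built-in Windows tooling.
$Domain      = 'plant.example.local'   # placeholder, not from the thread
$ExpectedDCs = 2
$problems    = @()

# 1. DNS first: members locate DCs through these SRV records. If they are missing or point at a
#    dead host, logon, GPO and Kerberos all fail no matter what the DC itself is doing.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
    $dcs = @($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique)
    if ($dcs.Count -lt $ExpectedDCs) {
        $problems += "Only $($dcs.Count) DC(s) registered in DNS ($($dcs -join ', ')); no failover if one dies."
    }
} catch {
    $problems += "SRV lookup for $Domain failed: $($_.Exception.Message). Check this node's DNS server settings."
    $dcs = @()
}

# 2. Each DC must actually answer on Kerberos (88) and LDAP (389); a DNS record alone proves nothing.
foreach ($dc in $dcs) {
    foreach ($port in 88, 389) {
        if (-not (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded) {
            $problems += "$dc does not answer on TCP $port."
        }
    }
}

# 3. This machine's own trust relationship with the domain (the classic "domain cannot be contacted").
if (-not (Test-ComputerSecureChannel)) {
    $problems += 'Secure channel to the domain is broken; repair with Test-ComputerSecureChannel -Repair.'
}

# 4. Time: Kerberos rejects tickets when clocks drift more than 5 minutes. A node syncing to its own
#    CMOS clock instead of the domain hierarchy will eventually stop authenticating.
$timeSource = (w32tm /query /source) -join ''
if ($timeSource -match 'Local CMOS Clock|Free-running System Clock') {
    $problems += "Time source is '$timeSource'; this node is not syncing to the domain."
}

# 5. Replication between the DCs, if the AD module is available (RSAT). Without working replication
#    an account disabled on one DC is still valid on the other.
if (Get-Command Get-ADReplicationFailure -ErrorAction SilentlyContinue) {
    $failures = @(Get-ADReplicationFailure -Target $Domain -Scope Domain -ErrorAction SilentlyContinue)
    foreach ($f in $failures) {
        $problems += "Replication $($f.Server) <- $($f.Partner): $($f.FailureCount) failure(s), last error $($f.LastError)."
    }
}

if ($problems.Count -eq 0) { "Domain $Domain looks healthy from $env:COMPUTERNAME." }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

The ordering is deliberate: DNS, then reachability, then the machine's own secure channel, then time, then replication. Most "the domain is down" calls from the floor turn out to be the first or fourth item, which is exactly why the poster above calls DNS the first suspect.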
 