I've made it a point to remove PCs from the plant's domain controllers and isolate them at level 2 wherever possible. If your plant is less than like 100 devices, having a statically assigned network makes sense for one singular reason:
It is much easier to set up the IP address in a new device you are installing than to log into the switch and change the MAC address for DHCP.
We had DHCP on our network, but it had like 10 IP addresses in the pool with its own Wi-Fi SSID to allow us to connect specifically to the controls network or allow us to plug in if we needed to and get an IP.
Basically, there is no need to add the complexity to your current solution. There is absolutely no benefit to doing so, and adding that complexity adds overhead, cost, and security risk. From what I can tell, most of the PCs are essentially just HMIs.
EDIT: I don't know why these forums keep inserting extra spaces.
Domain controllers don't necessarily change the IP assignment on the computers or devices they are managing.
I have installed a Domain controller to integrate with iFix as our IT department (rightly, I might add) pointed out that our plant is more like a sieve than a production plant when it comes to process security.
The domain controllers make it really simple to manage the computers (I have 4 SCADA servers and about 20 nodes). If there's a setting that needs a tweak, I can do it from the Domain Controller and it goes to all computers in a group. It's pretty nifty.
The problems you'll find with Domain Controllers are likely elsewhere and not in the functionality itself.
Here are some of the problems I had:
- Budget and hardware, since logging in to your process requires a Domain Controller to be active, your network needs to be checked for weak points and a second Domain Controller should be added and synchronised so that should one die, the other can take over.
- Licensing. iFix is **** on all aspects, but the implementation of security is probably ten times worse than what most people think is their worst. Essentially you pay extra for the possibility of using a Domain Controller and it's done per node. At 4k GBP per node, even GE recommends that only servers have this functionality and update a couple of files and your nodes then read the files for user information instead of retrieving this from the Domain Controller.
- Functionality, the fallback logic in the event that your domain controller is down is really **** and too slow to even be remotely usable. This, however, is a problem of iFix, not the Domain Controller. It also doesn't let you list a Domain and automatically find a server within the domain to verify credentials. The server is hardcoded.
- User management, iFix doesn't come with a user management functionality that allows you to manage users in your Domain. As such you need to log in to the domain controller and manage users from there.