XA in local workgroup service account and other accounts in domain level
Hello,
Want to run XA in local service account and install and other users in domain level.
Reason is if domain fails still want to login locally and control/monitor data from service account.
It will be helpful when more than 10xA system (geographically separated) and integrated to common MSI system so when domain fails wants to run local plant at least by service account.
Answers
I don't think this is possible anymore since Windows Server 2008 or better (might be 2012), as the system requires you to use the Domain Service account (with local access) vs a local account being tied to a Domain account. The 800xA v6 system build does not recognise this setup and you will have loading and system access issues afterwards.
Hi
This is possible and I have personally done it for one of the customers, and it is running without any issues.
Step 1 : Prepare your OS + prerequisites for all nodes
Step 2 : Create Local 800xA Service account, Installer Account & Groups
Step 3 : Join all nodes to the domain
Step 4 : Login with local Installer Account and install 800xA and post installation steps.
Step 5 : Sync Domain Users with 800xA User Structure. Here you will have issues. The workaround is to create a local account with the same username and password as that of the user present in the Domain. Make it a member of IndustrialIT User & Admin groups. Login with this account to sync users.
Best Regards
Sunny Khatri
The "domain failing" shouldn't be a problem. The system will continue to run on cached account credentials for some considerable time. (Several days at least, usually longer. Just don't rely on forever)
I am unconvinced that Sunny's solution of mixed local and Domain accounts actually works any better than using domain accounts properly. A local account and domain account are NOT the same thing - even if they have the same password. In a domain, security and access rights to pretty much EVERYTHING is controlled by Kerberos authentication through the domain controllers. The local service accounts require network access to the Aspect Servers and Connectivity Servers and these rights are provided by the Domain. The local service accounts will use cached account credentials if the Domain is down for any reason - just the same as if they were Domain service accounts.
(I'm happy to be proven wrong by the way)
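An added example, not part of the thread and not ABB code: a read-only PowerShell check for one node that shows which services run under local versus domain accounts, whether the node is domain-joined, and the Windows `CachedLogonsCount` setting behind the cached credentials mentioned in the answer above. The function name `Get-AccountScope` is made up for this example.

```powershell
# Added example: read-only audit of service logon accounts on this node.
# Run in an elevated PowerShell session on the node being checked.
$computer = $env:COMPUTERNAME

function Get-AccountScope {
    # Hypothetical helper: classify a Win32_Service StartName value.
    param([string]$StartName)
    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'None' }
    if ($StartName -eq 'LocalSystem')             { return 'BuiltIn' }
    if ($StartName -like 'NT AUTHORITY\*')        { return 'BuiltIn' }  # LocalService, NetworkService
    if ($StartName -like 'NT SERVICE\*')          { return 'BuiltIn' }  # virtual service accounts
    if ($StartName -like '*@*')                   { return 'Domain' }   # UPN form user@domain
    if ($StartName -notlike '*\*')                { return 'Unknown' }
    $prefix = ($StartName -split '\\', 2)[0]
    if ($prefix -eq '.' -or $prefix -eq $computer) { return 'Local' }   # .\user or NODE\user
    return 'Domain'                                                     # DOMAIN\user
}

# Every service with its logon account and the scope of that account
$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, State, StartName,
        @{ Name = 'Scope'; Expression = { Get-AccountScope $_.StartName } }

# Only named accounts matter for the local-versus-domain question
$services |
    Where-Object { $_.Scope -in 'Local', 'Domain', 'Unknown' } |
    Sort-Object Scope, StartName |
    Format-Table Scope, StartName, Name, State -AutoSize

# Domain membership of this node
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"Domain joined: $($cs.PartOfDomain)   Domain or workgroup: $($cs.Domain)"

# CachedLogonsCount: how many previous interactive domain logons Windows keeps
# cached for sign-in when no domain controller can be reached.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -ne $cached) {
    "CachedLogonsCount: $cached"
} else {
    "CachedLogonsCount: not set (Windows default applies)"
}
```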
Hi!
I would rather look into the possibility of adding local domain controllers on each geographical site, promote them and join the domain.
This will be a more useful and proved working solution.
BR