Guide
For PI Asset Framework 2.6.1 included with PI Server 2014 R2
OSIsoft, LLC
777 Davis St., Suite 250
San Leandro, CA 94577 USA
Tel: (01) 510-297-5800
Fax: (01) 510-357-8136
Web: http://www.osisoft.com
PI Asset Framework Installation and Upgrade Guide
© 2009-2014 by OSIsoft, LLC. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or
by any means, mechanical, photocopying, recording, or otherwise, without the prior written permission
of OSIsoft, LLC.
OSIsoft, the OSIsoft logo and logotype, PI Analytics, PI ProcessBook, PI DataLink, ProcessPoint, PI Asset
Framework (PI AF), IT Monitor, MCN Health Monitor, PI System, PI ActiveView, PI ACE, PI AlarmView, PI
BatchView, PI Coresight, PI Data Services, PI Event Frames, PI Manual Logger, PI ProfileView, PI Web API,
PI WebParts, ProTRAQ, RLINK, RtAnalytics, RtBaseline, RtPortal, RtPM, RtReports and RtWebParts are all
trademarks of OSIsoft, LLC. All other trademarks or trade names used herein are the property of their
respective owners.
U.S. GOVERNMENT RIGHTS
Use, duplication or disclosure by the U.S. Government is subject to restrictions set forth in the OSIsoft,
LLC license agreement and as provided in DFARS 227.7202, DFARS 252.227-7013, FAR 12.212, FAR
52.227, as applicable. OSIsoft, LLC.
Version: 2.6.1
Published: July 2014
Contents
PI Asset Framework deployment
PI System components
PI Server and PI Asset Framework (PI AF)
PI AF architecture
PI Server, PI AF server, and SQL Server configuration options
Small system, single PI Server
Larger, higher performance PI System
Distributed, highly available PI System
PI AF deployment options
Simple PI AF deployment
PI AF on a mirrored SQL Server
PI AF server in a failover cluster
PI AF collectives
Deployment considerations for PI AF
Frequently asked questions about PI AF deployment
PI AF high availability solutions
Microsoft SQL Server-based high-availability solutions
PI AF-based high availability solutions
System requirements
Hardware requirements
Windows requirements for AF Server and AF Client
SQL Server requirements
Synchronization of time settings on PI System computers
Download the PI AF setup kit
Install Microsoft SQL Server
SQL Server considerations
SQL Server installation guidelines
SQL Server roles and permissions for use with PI AF
Connect to a PI AF server
Add a PI AF server to the connection list
Fill in the Account field
Configure Active Directory access for contacts
Upgrade PI AF Client
Enable multiple languages for PI AF Client
Upgrade the PI AF SQL database on active node in a SQL Server Cluster
Upgrade the PI AF application service in a failover cluster
Upgrade PI AF application service on active node in a failover cluster
Upgrade PI AF application service on non-active nodes in a failover cluster
Verify PI AF application service after cluster upgrade
Status details indicate no configured subscriber
PI AF collective creation fails due to login failure
Snapshot creation fails due to access error
PI AF collective cannot be created when SQL Server Agent is not running
Delete SPNs for the PI AF application service
Configure Active Directory objects for delegation
Configure delegation settings for the AFServer service computer
Configure delegation settings for the machine account where the external data resides
Configure delegation settings for the domain account under which the AFServer service runs
Configure delegation settings for the domain account that controls access to the external data
PI System components
At its simplest, PI is a data infrastructure. A basic PI System consists of the data source, the
data collector for that data source (they might be on the same computer), a PI Server combined
with an Asset Framework server, and an appropriate visualization tool on a PC.
The PI System collects, stores, and manages data from your plant or process. The PI System can
include many different products. PI interfaces retrieve data from your data sources and send it
to one or more PI Servers. Users on other computers can get data from PI Servers and display
it with client tools. The PI System includes:
Data sources
Data sources are the instruments that generate your data. They can be almost anything, and
they can connect to the interface nodes in a variety of different ways. PI Performance
Equations, PI ACE, and Totalizer are also considered data sources, even though they may be
hosted on the PI Server computer.
Interfaces
PI interfaces get the data from the data sources and send it to the PI Server. Each different
data source needs a PI interface that can interpret it. OSIsoft has over 300 different
interfaces.
PI Servers
The PI Server gets the data and routes it in real time throughout the PI System and your
entire information infrastructure, making it possible for everyone to work from a common
set of real-time data. Operators, engineers, managers, and other plant personnel can use
client applications to connect to the PI Server and view manufacturing data from the PI data
archives or from external data storage systems.
You use PI points to track the events that comprise your data history. When system
managers or OSIsoft field services engineers install a PI Server, they create a PI point for
every source of data that the PI System must track. PI Base Subsystem stores points and
their attributes in the point database.
The PI Asset Framework (AF) server contains asset or "metadata" that is usually organized
according to the assets that contain the points being monitored. Assets can be helpful to
users of the PI System who do not know or are not familiar with points. Using assets, they
can find the data they need without understanding the technical details of each piece of
equipment. Assets are also helpful in finding all of the points associated with a specific piece
of equipment.
Data access
PI System components communicate with each other through the PI SDK, PI API, and the PI
AF SDK. PI data access components include PI OLEDB with Microsoft SQL Server (Standard
or Enterprise) and PI Web Services with Microsoft IIS. They may also include relational data
providers such as PI ODBC and PI JDBC. PI Web Services retrieves PI System data using the
PI SDK and AF SDK, and other data access layers. In general, the PI Web Services host must
be configured with connection information to the desired PI Servers and PI AF servers.
Client applications
Operators, engineers, managers and other plant personnel use a variety of client
applications to connect to PI Servers and PI application servers to view plant data. PI
Coresight, PI ProcessBook, PI DataLink, and PI WebParts are all client applications.
PI AF architecture
PI AF uses a multi-tiered architecture. A minimal system consists of a client application or the
PI AF SDK, the PI AF server application service, and the PI AF SQL database.
In terms of physical topology, any configuration of the three tiers is possible, including running
all tiers on the same system or on separate systems.
Clients can communicate with multiple PI AF servers and multiple PI Servers.
A single PI AF server can service multiple clients.
A single PI AF SQL database can host multiple PI AF servers.
High availability features can be configured many ways, including load-balanced PI AF
servers, SQL Server mirroring, SQL Server replication, Microsoft Cluster Service (MSCS), or
combinations of these methods.
PI AF deployment options
Depending on your needs and goals, you have various options for deploying PI Asset
Framework, ranging from a simple deployment that uses one computer to a complex mirrored
Simple PI AF deployment
For systems with few assets (10,000 or less) and low to moderate workloads (25,000 PI points
or fewer), OSIsoft recommends that you follow these guidelines:
Install PI Server, PI AF server, and SQL Server on the same computer.
Consider installing SQL Server on a different computer from the PI Server. Installing SQL
Server Standard or Enterprise edition on the same computer as the PI Server can
significantly degrade PI Server performance.
Possible deployment scenarios include:
Deploy the PI AF application service and PI AF SQL database on the same computer, and
deploy a PI AF client on the same computer or on a different computer.
Deploy the PI AF application service and PI AF SQL database on separate computers, and
deploy a PI AF client on one of these computers or on a different computer.
Deploy the PI AF application service on multiple computers that point to a single PI AF SQL
database, and deploy a network load balancer between the PI AF client and the AF
application services.
For example:
PI AF collectives
A PI AF collective is a set of PI AF servers that acts as the logical PI AF server in a PI System to
provide high availability (HA), disaster recovery, load distribution, and increased scalability.
Deployment scenarios for a PI AF collective include:
Multiple pairs of a PI AF application service and a PI AF SQL database (the PI AF application
service and PI AF SQL database pair can be on the same computer or different computers)
configured into a PI AF collective, with a PI AF client on the same computer or on a
different computer.
Multiple pairs of a PI AF application service and a PI AF SQL database configured into a PI
AF collective, with each pair configured as a SQL Server cluster or mirrored SQL Server.
PI Server collectives and PI AF collectives are independent; you do not need a PI Server
collective to create a PI AF collective or vice-versa. Neither the primary nor the secondary PI
AF server needs a PI Server installed.
A PI AF collective uses SQL Server replication to copy data from the primary PI AF SQL
database computer (publisher) to each of the secondary PI AF SQL database computers. The
PIFD database is the Microsoft SQL Server database where configuration information and
user-defined PI AF databases are stored. When you create a PI AF collective, a distributor database
(PIFD_Distribution) is created to allow for SQL Server replication.
Each secondary server communicates with the primary server through a Windows
Communication Foundation (WCF) connection and reports its status information. The server
authenticates the WCF connection using a Windows certificate that the PI AF server generates
when it is started.
SQL Server replication transmits the primary PI AF server's certificate to each secondary
server. After the secondary server receives the primary server's certificate, it can communicate
its status to the primary server.
When PI AF data is changed on the primary PI AF server:
The log reader agent sends any changes from PIFD to the PIFD_Distribution database.
For each secondary server, its agent pushes changes to the SQL Server instance on the
secondary server.
In the figure, R/W indicates that the primary server supports reading and writing of data by PI
AF clients. R/O indicates the secondary servers only support reading of data by PI AF clients.
The primary server could be located at headquarters and each plant could have a secondary
server. Data writers always connect to the primary server to make changes. Users at each plant
Is MS-DTC required?
No
Mirrored
Advantages: Allows for full-time read/write access to PI AF database. No re-synchronization required.
Clustered
Disadvantages: Requires significant initial investment in cluster hardware. PI AF server unavailable during cluster failover period. No real advantage over having single server service restart itself on failure.
Network Load Balancing (NLB)
PI AF collective (with static load balancing)
System requirements
Refer to the PI AF Release Notes for detailed system requirements.
Hardware requirements
PI AF is extremely flexible and supports the storage of many different kinds of objects. For
example: a PI AF object can be as simple as a static numeric value or string of text, or it can be a
much more complicated object such as PI Event Frames, custom data references, or even
binary objects. As such, it is not possible to definitively correlate the number of PI AF objects to
hardware requirements. However, there are some general guidelines.
Your hardware sizing should be based upon workload, not PI AF object count, because they do
not correlate. As input and output (I/O) workload increases, it is important to ensure the disk
subsystem can handle the I/O count as well as the storage requirements. Adding memory
(RAM) improves SQL Server read and write performance. Increasing the number or
performance of the CPU is helpful for concurrent users.
In general, OSIsoft recommends that you use SQL Server 2012 Enterprise edition, except in the
case of a small PI AF SQL database (PIFD) with few users and low usage. Although supported
by PI AF, SQL Server 2012 Express has a 1 GB memory limitation and 10 GB database size
limitation. In addition, SQL Server 2012 Express does not support Microsoft Business
Intelligence (BI) tools such as SQL Reporting Services and SQL Analysis Services. PI AF high
availability features are not supported with SQL Server 2012 Express.
When estimating the SQL Server disk space required for the PIFD, consider the type and
quantity of your PI AF objects. As a first order estimate, a PIFD with 50,000 elements each with
20 attributes of double data type would consume approximately 3 GB of disk space. If you use
The low-privileged login for the account that runs the PI AF server needs the db_afserver role.
It should not be granted higher privilege. Never allow the PI AF server to connect to SQL Server
with SysAdmin privileges.
For PI AF with high availability, SQL Server replication is used and the PIAdmin user requires
the db_owner role during setup or during changes to the SQL Server replication.
Procedure
1. Go to the directory where you downloaded the PI AF install kit.
a. Double-click the AFServer[VersionInfo]_.exe installation file, where
[VersionInfo] describes the version of the PI AF server installation kit. You may be
prompted by a User Account Control message to allow the installation to run. Click Yes to
allow the installation to continue.
The Self-Extracting Executable window opens.
b. In the Self-Extracting Executable window, click Browse, select the directory where you
want to extract the files, and click OK.
The files are extracted, then the Welcome window opens. A list of the modules that will
be installed/upgraded is displayed. Review the list of modules and comments to ensure
there are no warnings displayed.
2. Click Next to start the installation of Microsoft .NET Framework 4.5.
If the PI AF server service was not stopped prior to beginning the upgrade, a Microsoft .NET
Framework 4.5 window opens, indicating the PI AF Server service is still running. You are
prompted to allow the setup to stop the service. If this is acceptable, click Yes. Or, you can
click No to cancel the setup. Alternatively, stop the service yourself and return to this dialog
and click Refresh, which closes this dialog and allows the .NET Framework 4.5 setup to
continue.
Once the .NET Framework 4.5 installation is complete, the Microsoft SQL Server 2012 Native
Client Setup window opens.
3. Click Next to start the SQL Server 2012 Native Client installation.
The SQL Server 2012 Native Client License Agreement window opens.
a. Read the License Terms. If you accept the terms, select the I accept the terms in the
license agreement option and click Next.
Procedure
1. Connect PI System Explorer to the upgraded AF server.
Procedure
1. If this is an upgrade, stop any PI AF application services.
2. On the SQL Server computer:
a. Run the setup program.
b. Click the arrow next to AF Application Service and select Entire feature will be
unavailable. The AF application service will remain uninstalled. The PI AF SQL scripts
needed to set up the AF SQL database will be executed.
Note:
During the installation, you will be prompted to provide the domain and name of the
system where the remote application server can be found so that the proper
authentication can be granted to the PI AF application service.
3. On the PI AF application service computer:
a. Run the setup program.
b. Click the arrow next to AF SQL Database and select Entire feature will be unavailable.
The AF SQL scripts needed to set up the AF SQL database will not be executed.
The AF application service will be installed on the local hard drive.
Procedure
1. Create the AFServers local group on the PI AF SQL database computer.
2. Execute the SQL scripts to create and populate the PI AF SQL database.
3. Modify the PI AF application service connect string.
4. Direct PI AF application service to a different PI AF SQL database.
Procedure
1. On the computer on which the PI AF SQL database is installed, open Computer Management.
2. Create the AFServers local group if it does not already exist.
3. If the PI AF application service is not running under a domain account, use this syntax to
add the PI AF application service computer name to the AFServers group:
DOMAIN\ComputerName
In this example, the domain is OSI and the computer name is RADAT.
If the PI AF application service is running under a domain account, add the name of the
domain account under which the PI AF application service is running to the AFServers
group. Be sure to include domain information for the system using this format:
DOMAIN\DomainAccount
4. Create a SQL Server login and map it to both the AFServers local user group and the
db_AFServer database role.
Procedure
1. If this is an upgrade, stop the PI AF server service:
where:
<SQLName> is the name of the SQL Server into which the PI AF SQL database (PIFD) will be
installed.
\<SQLInstanceName> is optional, and should be included if SQL Server was installed with
an instance name.
PIFD is the name of the PI AF SQL database.
<SQLUserName> and <SQLUserPassword> are optional, and should be used if SQL Server
authentication is required to connect to SQL Server. If not provided, the scripts use
Windows authentication to connect to SQL Server.
The process is complete when the command line looks like:
c:\..\PIPC\AF\SQL\PISYSOLEDB>_
Procedure
1. In Windows Explorer, navigate to the ..\PIPC\AF folder on the PI AF application service
computer.
2. Use a text editor to open the PI AF application service configuration file,
AFService.exe.config.
3. Enter the name of the remote SQL Server, and the named instance if applicable, in the
connect string server.
Refer to the following lines of code:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="connectString" value="Persist Security Info=False;Integrated Security=SSPI;server=<SQLName>[\SQLInstance];database=PIFD;Application Name=AF Application Server;"/>
    <add key="streamedPort" value="5459"/>
If SQL Server is configured to use SQL Server mirroring, then add Failover
Partner=<SQLServerName>[\<InstanceName>] after the server=, as shown in the
following lines of code:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="connectString" value="Persist Security Info=False;Integrated Security=SSPI;server=<SQLName>[\SQLInstance];failover partner=<SQLServerName>[\SQLInstance];database=PIFD;Application Name=AF Application Server;"/>
    <add key="streamedPort" value="5459"/>
To enable encrypted communication, add encrypt=Yes; to the connect string. See the Microsoft SQL
Native Client (http://msdn.microsoft.com/en-us/sqlserver/aa937733.aspx) documentation
for other options.
4. If the PI AF application service is running, stop and restart it for your changes to take effect.
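An added example, not part of the OSIsoft guide: a Python check that reads the connectString from the text of an AFService.exe.config file and flags settings that weaken the SQL Server connection configured in the steps above (no encrypt=Yes, a stored SQL login password, a missing failover partner on a mirrored system). The sample configurations, the server names SQL01 and SQL02, the afsvc login and the finding codes are constructed for illustration; User ID, Password and TrustServerCertificate are SQL Server Native Client connection string keywords that the guide itself does not mention.

```python
"""Audit the connectString in a PI AF AFService.exe.config (added example)."""
import xml.etree.ElementTree as ET

# Constructed configuration text; SQL01 and SQL02 are placeholder server names.
CONFIG_TEMPLATE = r"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="connectString" value="{cs}"/>
    <add key="streamedPort" value="5459"/>
  </appSettings>
</configuration>"""

HARDENED = CONFIG_TEMPLATE.format(cs=(
    r"Persist Security Info=False;Integrated Security=SSPI;server=SQL01\AF;"
    r"failover partner=SQL02\AF;database=PIFD;"
    r"Application Name=AF Application Server;encrypt=Yes;"))
WEAK = CONFIG_TEMPLATE.format(cs=(
    r"Persist Security Info=True;User ID=afsvc;Password=EXAMPLE-ONLY;"
    r"server=SQL01\AF;database=PIFD;Application Name=AF Application Server;"))

WINDOWS_AUTH = {"sspi", "true", "yes"}
ENABLED = {"true", "yes"}


def parse_connect_string(value):
    """Split 'key=value;key=value' into a dict with normalised, lower-cased keys."""
    pairs = {}
    for part in value.split(";"):
        if "=" not in part:
            continue  # empty segment after the trailing semicolon
        key, _, val = part.partition("=")
        # Collapse whitespace so a key wrapped across lines still matches.
        pairs[" ".join(key.split()).lower()] = val.strip()
    return pairs


def get_connect_string(config_xml):
    """Return the value of <add key="connectString"> under <appSettings>."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    for add in root.iterfind("./appSettings/add"):
        if add.get("key") == "connectString":
            return add.get("value", "")
    raise ValueError("no connectString entry under <appSettings>")


def audit_connect_string(value, expect_mirroring=False):
    """Return a list of (code, message) findings; an empty list means no issues."""
    cs = parse_connect_string(value)
    findings = []
    if not cs.get("server"):
        findings.append(("no-server", "server= is missing or empty"))
    if cs.get("integrated security", "").lower() not in WINDOWS_AUTH:
        findings.append(("not-windows-auth",
                         "Integrated Security=SSPI is not set"))
    if "password" in cs or "pwd" in cs:
        findings.append(("embedded-password",
                         "a SQL login password is stored in the config file"))
    if cs.get("persist security info", "false").lower() in ENABLED:
        findings.append(("persist-security-info",
                         "Persist Security Info is enabled"))
    if cs.get("encrypt", "no").lower() not in ENABLED:
        findings.append(("no-encrypt",
                         "encrypt=Yes is not set, so the client does not "
                         "request an encrypted connection"))
    elif cs.get("trustservercertificate", "no").lower() in ENABLED:
        findings.append(("cert-not-validated",
                         "TrustServerCertificate is enabled, so the server "
                         "certificate is not validated"))
    if expect_mirroring and not cs.get("failover partner"):
        findings.append(("no-failover-partner",
                         "mirroring is expected but failover partner= is absent"))
    return findings


def audit_config(config_xml, expect_mirroring=False):
    """Return only the finding codes for one configuration file's text."""
    value = get_connect_string(config_xml)
    return [code for code, _ in audit_connect_string(value, expect_mirroring)]


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(name)
        for code, message in audit_connect_string(get_connect_string(text), True):
            print(f"  {code}: {message}")
```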
Procedure
1. On the PI AF application service computer, edit the AFService.exe.config file in the
PIPC\AF folder and replace the server information with the name of the remote SQL Server
to be accessed.
2. Choose one of the following actions.
If the PI AF application service is using the NetworkService or LocalSystem account,
add the Domain\Machine Name for the remote PI AF server to the local AFServers
Windows group (on the PI AF SQL database computer).
If the PI AF application service has been modified to use any other account, add the
account under which it is running to the local AFServers Windows group (on the PI AF
SQL database computer).
3. Using an account with sufficient privileges to run the PI AF application service, perform one
of the following actions:
If the PI AF application service is running, restart the service for your changes to take
effect.
If the PI AF application service is not running, start the service for your changes to take
effect.
Install PI AF Client
The AF SDK and the PI SDK are installed as part of the PI AF Client installation.
The PI AF Client installation also includes these optional features:
PI System Explorer
PI System Explorer supports multiple languages. Install the PI System Explorer MUI
Language Pack to enable multi-language access. If PI System Explorer does not support a
particular language, the user interface displays English. See Enable multiple languages for
PI AF Client.
Note:
The PI System Explorer installation is not optional if you want to install the Analysis
Management plug-in.
Analysis Management
PI Builder
PI AF User Documentation
Procedure
1. Verify that you are logged in with administrative rights.
2. Go to the directory where you downloaded the PI AF install kit.
3. Double-click the AFClient[VersionInfo]_.exe, where [VersionInfo] describes the
version of the PI AF Client Kit.
4. You may be prompted by a User Account Control message to allow the installation to run.
Click Yes to allow the installation to continue.
The Self-Extracting Executable window opens.
Connect to a PI AF server
Procedure
1. In PI System Explorer, choose File > Connections.
The Servers window opens, displaying a list of any PI Server or PI AF server for
which a connection is configured. The currently connected servers are indicated with green
circles.
PI Server versions 3.4.375 and 3.4.370 are indicated with a yellow triangle and a warning
that you are connected to an unsupported server. Connections to pre-3.4.370 servers are
not allowed.
2. To connect to a different PI AF server, right-click on the server name in the list and choose
Connect.
Note:
If the server you need is not displayed, you can add it as described in Add a PI AF
server to the connection list.
For any connected AF server, you can click Rename to enter a different name for it.
Note, however, that renaming the server impacts all clients. Name does not have to
match Description.
Note:
You can modify the account only when disconnected from the server.
2. If you still cannot connect, see the troubleshooting topics in the PI AF Installation and
Upgrade guide.
Procedure
1. Open PI System Explorer and connect to a database that belongs to the PI AF server for
which you want to configure Active Directory access.
2. From the File menu, select AF Server Properties and from that window click the Configure
Active Directory Access for Contacts link.
3. In the Active Directory Domain Name text box, enter the full DNS name of the Active
Directory domain from which the contact names will be retrieved for the PI Notifications
Contacts (for example, contoso.com).
If this field is left blank, the domain in which the PI AF application service resides will be
used.
4. In the Active Directory Contact Sub-Folder text box, enter the path to the folder containing
the list of contacts for this domain.
In larger Active Directory domains, contacts may be organized within sub-folders. The use
of sub-folders can allow for faster retrieval of a list of Active Directory contacts.
Use the following structure for the sub-folder:
DomainUserFolder/SubDomainUserFolder/Sub SubDomainUserFolder
and
Top>Persons>OrganizationalPerson>User
Select this check box to return Persons, Organizational Persons, Contacts and Users from
the target Active Directory.
Clear the check box to return only Users.
Upgrade PI AF Client
Procedure
1. Verify that you are logged in with administrative rights.
2. Go to the directory where you downloaded the PI AF install kit.
3. Double-click the AFClient[VersionInfo]_.exe, where [VersionInfo] describes the
version of the PI AF Client Kit.
4. You may be prompted by a User Account Control message to allow the installation to run. Click
Yes to allow the installation to continue.
The Self-Extracting Executable window opens.
5. Click Browse and select the directory where you want to extract the files, then click OK.
The files are extracted and the Welcome window opens and displays a list of the Modules
that will be upgraded.
6. Review the list of modules and comments to ensure there are no warnings displayed and
click OK. The Welcome to the PI AF Client 2014 Installation window opens.
7. Click Next.
8. Click Close.
Procedure
1. Download the PI Asset Framework (PI AF) 2014 MUI language pack from the OSIsoft
Technical Support website (http://techsupport.osisoft.com).
2. Install the PI Asset Framework (PI AF) 2014 MUI language pack.
Procedure
1. Pre-installation tasks for PI AF in a mirrored SQL Server session.
2. Install PI AF SQL database on principal and mirror servers.
3. Configure domain group for the PI AF application service in a mirrored SQL Server session.
4. Install the PI AF application service in a mirrored SQL Server session.
5. Create and map login and user accounts in a mirrored SQL Server system.
6. Configure PIFD database backups and restoration in a mirrored SQL Server session.
7. Create a mirrored SQL Server session on the principal server.
Procedure
1. Review PI AF security requirements.
2. Ensure the correct ports are open between each machine in the mirrored SQL Server
session and the PI AF application service computer.
3. Configure a domain group for the PI AF application service account.
4. Review the PI AF Link Subsystem user accounts.
Procedure
1. Run the PI AF server setup kit.
2. Deselect AF Application Service in the Select Features window.
3. Click Next. The Remote SQL Server Connection window opens with a drop-down list of SQL
instance names.
4. Review the name of the SQL Server instance in the drop-down list and choose one of these
options to validate the SQL Server connection:
Accept the name of the SQL Server instance that is listed by default.
Select the name of another SQL Server instance in the list.
Enter the name of a local SQL Server instance.
Enter a period (.) or leave the field blank to select the default SQL Server.
If you install the SQL scripts manually and cannot validate the SQL Server connection due to
security issues, deselect the Validate connection to the remote SQL Server check box. The
PI AF server will not function until the SQL scripts are installed.
5. Click Next.
6. Leave the values blank in the Remote Application Server Connection window because the PI
AF application service is required to run under a domain account.
7. Click Next and continue to run through the setup kit prompts that remain until the
installation is complete.
Procedure
1. Open the Active Directory Users and Computers utility and connect to the domain
that contains the PI AF application service account:
a. Open a command window.
b. Type dsa.msc.
c. Click OK.
2. Right-click the Users node in the left pane, and select New Group.
3. In the Group name field, enter a name, such as AFServers.
4. Set the Group Scope to Global.
5. Set the Group Type to Security.
6. Click OK to create the domain group.
7. Right-click the newly created group (such as AFServers) and select Properties.
8. Select the Members tab and click Add.
9. In the Enter the object names to select field, enter the name of the domain user under
which the PI AF server application service runs.
10. Click OK.
11. Close the Active Directory Users and Computers utility.
Procedure
1. Run the PI AF server setup kit on the machine that will run the PI AF application service.
2. On the Select Features window, cancel the AF SQL Database feature selection.
3. Click Next.
If you are installing the SQL scripts manually, and cannot validate the SQL Server
connection because of security issues, clear the Validate connection to the remote SQL
Server check box to skip the validation step. Note that the PI AF server will not function
until the SQL scripts are run.
5. Click Next and continue to run through the setup kit prompts that remain until the
installation is complete.
6. Verify that the PI AF application service runs under a domain account. For details, see
Configure a domain group for the PI AF application service account in a failover cluster.
7. The AFService.exe.config file must be updated to reference the failover partner. Follow
the instructions in Modify the PI AF application service connect string, ensuring the
connection string includes the "failover partner" entry. Restart the PI AF Service after you
update the connection string and save the file.
Procedure
1. Open Microsoft SQL Server Management Studio, and connect to the SQL Server instance that
stores the PI AF SQL database (PIFD).
2. Under the SQL Server instance, expand Security > Logins.
a. Right-click the Logins folder and select New Login.
b. To include the groups object type, click Search.
c. Click Object Types in the Select User Group window.
d. Select Groups in the Object Types window.
e. Click OK to return to the window.
f. In the Select User Group window, click Locations.
g. In the Locations window, select the Entire Directory folder and click OK.
h. Enter the domain user group and include the domain name in the Enter the object name
to select field with this format: YourDomain\YourAFDomainGroup
i. Click OK to return to the General page.
3. Select the Windows authentication option.
4. Select the User Mapping page.
5. Under Users mapped to this login, select Map in the PIFD database row.
Procedure
1. Open Microsoft SQL Server Management Studio, and connect to the SQL Server instance that
stores the PI AF SQL database (PIFD).
2. Expand Databases > PIFD > Security > Users.
3. Delete the PI AF database user:
AFServers
Procedure
1. Right-click PIFD and select Tasks > Restore > Database.
2. In the Restore Database PIFD window, click the Device option to open the Select backup
devices window.
3. Click Add to open the Locate Backup File window.
4. Navigate to and select the files for the PIFD database backup and the transaction log and
click OK. Click OK to return to the Restore Database PIFD window.
5. In the Options page, select the Overwrite the existing database (WITH REPLACE) check box.
6. Ensure the Recovery State is set to RESTORE WITH RECOVERY.
7. Click OK. When the restoration is complete, a message indicates that a successful restore
was completed. Click OK. The PIFD database no longer shows any text to the right of the
PIFD text.
Procedure
Upgrade PI AF on the principal server machine
a. Run the PI AF server setup kit on the machine that was used as the principal server in
the mirrored SQL Server session.
You will not be prompted to select installation features or enter any information. Ensure
the PI AF server setup kit runs through to completion, without errors.
Upgrade PI AF on the mirror server machine
a. Run the PI AF server setup kit on the machine that was used as the mirror server in the
mirrored SQL Server session.
You will not be prompted to select installation features or enter any information. Ensure
the PI AF server setup kit runs through to completion, without errors.
Upgrade PI AF on the application server machine
a. Run the PI AF server setup file on the machine used to run the PI AF application service,
selecting the option to upgrade the PI AF application server.
When the upgrade is complete, verify the PI AF service is still running under the correct
domain account. Then, start the PI AF service.
Procedure
1. Review the connect string in the AFService.exe.config file in the
C:\Program Files\PIPC\AF folder. Verify that the string references the correct failover
partner. To find the connect string, review the backup copy of the file that was made when
you prepared for the upgrade.
2. If the connect string is not correct, use the backup copy of the AFService.exe.config
file to overwrite the file in the C:\Program Files\PIPC\AF folder.
3. In the Services applet, restart the PI AF application service.
Procedure
1. Review the following Microsoft documentation:
Windows Server 2008 R2: Failover Clusters in Windows Server 2008 R2
Windows Server 2012: What's New in Failover Clustering in Windows 2012
2. Install and configure these failover clustering features on the machines that you use for PI
Asset Framework:
Note:
It is important that you install Microsoft Failover Clustering before you install the SQL
Server Cluster.
Microsoft Failover Clustering. Create one failover cluster for the machines on which the
SQL Server Cluster will be installed. Create a separate failover cluster for the machines
on which the PI AF application services will be installed.
SQL Server Cluster. Install SQL Server Cluster on the machines that are used for the PI AF
database only.
3. Review PI AF security overview.
a. Verify that an AFServers domain user group has been created and that it contains the
correct members.
See Configure a domain group for the PI AF application service account in a failover
cluster for details.
b. Review and verify that the failover cluster environment that you use for PI Asset
Framework is configured as described in Security considerations for the AF Link to PI
feature in failover clusters.
4. On each SQL Server Cluster node, verify that the correct ports are open between each
computer. See Firewalls and PI AF security for details.
Procedure
1. Open the Active Directory Users and Computers utility and connect to the domain
that contains the PI AF application service account:
a. Open a command window.
b. Type dsa.msc.
c. Click OK.
2. Right-click the Users node in the left pane, and select New Group.
3. In the Group name field, enter a name, such as AFServers.
4. Set the Group Scope to Global.
5. Set the Group Type to Security.
6. Click OK to create the domain group.
7. Right-click the newly created group (such as AFServers) and select Properties.
8. Select the Members tab and click Add.
9. In the Enter the object names to select field, enter the name of the domain user under
which the PI AF server application service runs.
10. Click OK.
11. Close the Active Directory Users and Computers utility.
Procedure
1. Install PI AF SQL database feature on each SQL Server failover cluster machine.
2. Execute SQL scripts in a failover cluster.
3. Create and map a SQL Server login.
4. Delete local logins and user.
5. Verify SQL Server service in a failover cluster.
Install PI AF SQL database feature on each SQL Server failover cluster machine
Install the PI AF SQL database feature on each machine in the SQL Server Cluster before you
install the PI AF application service in the other failover cluster.
Procedure
1. Open the directory where the PI AF installation program files are located and run the setup
kit. The PI AF Server Self Extracting Executing window opens.
2. Select an extraction path in the PI AF Server Self Extracting Executing window. You can use
the default installation path, or enter a new path.
3. Click OK to open the Welcome to the PI AF Server Setup window.
4. Review the list of components that are required as part of the PI AF server installation in
the Welcome to the PI AF Server Setup window. For each component, a Status column in the
list indicates whether the component is installed and whether it will be installed.
5. Click OK. Microsoft .NET Framework 4.5 installs if it is not installed.
6. Click Next. If the Microsoft SQL Server Native Client is not installed, it begins to install.
7. Click Next.
8. To install the Microsoft SQL Server Native Client:
a. Click Next in the Microsoft SQL Server Native Client window if you accept the terms of
the license agreement for the Microsoft SQL Server Native Client.
b. Keep the default selections of the choices for the Microsoft SQL Server Native Client and
click Next.
c. Click Install.
d. Click Finish to complete the installation of the Microsoft SQL Server Native Client. The
Microsoft Visual C++ 2012 re-distributable components are installed.
9. Review the PI AF Server Installation page and click Next.
10. Click Browse to select a path to the directory for the PI AF installation, or leave the path to
the default directory and click Next. The Select Features window opens.
11. Deselect AF Application Service and AF SQL Script Execution to remove these features from
the list of items to be installed.
Note:
The PI AF server setup kit does not support the feature that installs the AF database
when the setup kit is run on a SQL Server Cluster. Instead, the SQL scripts that install
the AF database must be manually executed. For details, see Execute SQL scripts in a
failover cluster.
12. Click Next.
13. Enter the name of the SQL Server Cluster in the MSSQLSERVER field. If applicable, include
the SQL instance name. Do not include the SQL instance name in the MSSQLSERVER field if
Procedure
1. On the active SQL Server Cluster node only, open a command prompt window.
2. Change the directory to the SQL folder in the \PIPC\AF folder (for example:
cd c:\program files\PIPC\AF\SQL).
3. Use the following syntax to execute the SQL scripts found in the SQL folder:
where:
<SQLClusterName> is the name of the SQL Server Cluster machine for the PI AF SQL
database (PIFD).
<SQLClusterInstanceName> is optional, and should be included if the SQL Server Cluster
was installed with a named instance.
PIFD is the name of the PI AF SQL database.
<SQLUserName> and <SQLUserPassword> are only needed if mixed mode authentication
is required to connect to the SQL Server cluster. Omit these to use Windows
authentication. Typically, mixed mode authentication is required when the PI AF SQL
database and PI AF application service are on different, non-trusted domains.
When the process is complete, the command line looks like the following:
c:\..\PIPC\AF\SQL\PISYSOLEDB>_
Procedure
1. Open Microsoft SQL Server Management Studio, and connect to the SQL Server cluster
instance that stores the PI AF SQL database (PIFD).
2. Under the SQL Server cluster instance, expand Security > Logins.
a. Right-click the Logins folder and select New Login.
b. Enter the domain user group including the domain name
(YourDomain\YourAFDomainGroup) in the Login name field.
3. If you receive a message that the value entered is invalid, you must search for the
group name. To do so, manually include Groups as a search object type:
a. Click Search.
b. In the Select User Group window, click Object Types.
c. In the Object Types window, select Groups.
d. Click OK to return to the Select User Group window.
e. Enter the domain user group, including the domain name
YourDomain\YourAFDomainGroup, in the Enter the object name to select field.
f. Click OK to return to the General page.
Procedure
1. Open Microsoft SQL Server Management Studio, and connect to the SQL Server instance that
stores the PI AF SQL database (PIFD).
2. Expand Databases > PIFD > Security > Users.
3. Delete the PI AF database user:
AFServers
Procedure
1. On each machine in the SQL Server Cluster:
a. Click Start > Administrative Tools > Services.
The Services window opens.
2. Scroll to the SQL Server service.
All nodes should show the service's Startup Type as Manual. Only one node should show
the service as Started.
Procedure
1. Install the PI AF application service in the failover cluster.
2. Configure PI AF application service on Windows Server 2008 R2 in a failover cluster.
3. Modify the default number of failovers on Windows Server 2008.
4. Configure PI AF application service on Windows Server 2012 in a failover cluster.
5. Verify PI AF application service after failover cluster installation.
6. Configure certificates for PI AF high availability in a failover cluster.
Procedure
1. Open the directory where the PI AF installation program files are located and run the setup
kit. The PI AF Server Self Extracting Executing window opens.
2. Select an Extraction path in the PI AF Server Self Extracting Executing window. You can use
the default installation path, or enter a new path.
3. Click OK. The Welcome to the PI AF Server Setup window opens.
4. Review the list of components that are required as part of the PI AF server installation in
the Welcome to the PI AF Server Setup window. For each component, a Status indicates
whether the component is installed and whether it will be installed.
5. Click OK. Microsoft .NET Framework 4.5 installs if it is not installed.
6. Click Next. If the Microsoft SQL Server Native Client is not installed, it begins to install.
7. Click Next.
8. In the Microsoft SQL Server Native Client window:
a. Click Next if you accept the terms of the license agreement for the Microsoft SQL Server
Native Client.
b. Keep the default selections of the choices for the Microsoft SQL Server Native Client and
click Next.
c. Click Install.
d. Click Finish to complete the installation of the Microsoft SQL Server Native Client. The
Microsoft Visual C++ 2012 re-distributable components are installed.
9. Review the PI AF Server Installation window and click Next.
10. Click Browse to select a path to the directory for the PI AF installation, or leave the path to
the default directory and click Next. The Select Features window opens.
11. Deselect AF Application Service and AF SQL Script Execution to remove these features from
the list of items to be installed. When the PI AF server setup kit is run on a SQL Server
Cluster, the AF SQL Script Execution feature is not supported. Therefore, the SQL scripts
must be manually executed. See Execute SQL scripts in a failover cluster.
12. Click AF SQL Database and select Entire feature will be unavailable. You will install only the
AF Application Service feature.
13. Click Next.
14. Enter the name of the SQL Server Cluster in the MSSQLSERVER field. If applicable, include
the SQL instance name. Do not include the SQL instance name in the MSSQLSERVER field if
the default name is blank; a blank field indicates that the default SQL instance is used and
you are not required to include the SQL instance name.
Enter these names with this format:
<SQLClusterName>[\<SQLClusterInstanceName>]
Where:
<SQLClusterName> is the name of the SQL Server cluster into which the PI AF SQL database
(PIFD) will be installed.
Procedure
1. Using Failover Cluster Manager:
a. Right-click Services and applications.
b. Select More Actions.
c. Select Create Empty Service or Application. A new entry is added with the name of New
service or application.
d. Right-click the newly created New service or application and select Rename.
e. Enter a name for your PI AF application service cluster, such as AF SERVER.
f. Right-click the newly renamed application service cluster; in this example, select AF
SERVER.
g. Select Add a Resource.
h. Select Click Access Point.
2. In the New Resource Wizard:
Procedure
1. In the Failover Cluster Management snap-in, right-click the service and select Properties.
2. Select the Failover tab and modify the number.
Procedure
1. Using Failover Cluster Manager:
a. Right-click Roles.
b. Select Create Empty Role. A new entry is added with the name of New Role.
c. Right-click the newly created New Role and select Properties.
d. In the New Roles Properties window, change the name to identify your PI AF server. For
example, AFSERVER. In the Preferred Owners section, select the check boxes of the
machines that are in the failover cluster for PI AF and click OK.
e. Right-click the newly renamed application service cluster; in this example, select AF
SERVER.
f. Select Add a Resource.
g. Select Click Access Point.
2. In the New Resource Wizard:
a. Specify the name and IP address of the PI AF application service cluster. A new DNS
entry will be created using the Network name and IP address values. The Network name
and/or IP address will be used by AF clients to connect to the PI AF application service
cluster.
b. Enter the Network Name of the PI AF application service cluster in the Name box, such
as AFServerCluster.
c. Enter the appropriate static IP address in the row that represents the Public network
connection in the cluster.
d. De-select the check mark that is beside any other networks listed in the box. Ensure you
do not already have an Active Directory entry for the Network Name you entered.
e. Click Next. The Confirmation window appears.
Procedure
1. Click Start > Administrative Tools > Services on the active node in the failover cluster. The
Services window opens.
2. Scroll to the AF Server service.
The active node should show the service as Started.
3. Use the cluster administration tool for your operating system to move the service to
another node:
Windows Server 2008 R2: In the Failover Cluster Management snap-in, right-click the
service and select Move this service or application to another node > Move to node
<name of non-active node in Microsoft Cluster>.
Windows 2012: In the Failover Cluster Manager, right-click the service Role and select
Move | Select Node. In the Move Clustered Role window, select the next AF Server node
and click OK.
4. Verify that the service is running on the new owner node and shows the service's Startup
Type as Manual.
5. Repeat the previous steps until you have verified that all nodes in the cluster can take
control of the service.
6. If the clustered PI AF application service will be part of a PI AF collective, see Configure
certificates for PI AF high availability in a failover cluster.
7. For failover clusters on Windows Server 2008 R2, you can change the frequency and
number of times that a cluster machine will fail over. See Modify the default number of
failovers on Windows Server 2008.
Procedure
1. Copy the AF server certificate, named AFServer.pfx and located in the
C:\ProgramData\OSIsoft\AF directory, from the active node in the failover cluster to the
same location on other machines in the failover cluster.
2. Use the cluster administration tool for your operating system to restart the PI AF
application service on each machine in the failover cluster.
Windows Server 2008 R2: In the Failover Cluster Management snap-in, right-click the
service and select Move this service or application to another node > Move to node
<name of non-active node in Microsoft Cluster>.
Procedure
1. Take PI AF server offline before failover cluster upgrade.
2. Upgrade the PI AF SQL database in a failover cluster.
3. Upgrade the PI AF application service in a failover cluster.
4. Verify PI AF application service after cluster upgrade.
Procedure
1. Open the failover cluster tool for your operating system.
2. On the failover cluster machine that is active:
For Windows 2008 R2:
In the Failover Cluster Manager, select the AFSERVER service in the left pane.
In the right pane, the Server Name and Other Resources list appears.
Right-click the PI AF application service in the list and select Take this resource
offline.
For Windows 2012:
Select Roles in the left pane and then in the right pane, right-click the AF SERVER role
and select Stop Role.
In the right pane, the Server Name and Other Resources list displays.
Right-click the PI AF application service in the list and select Take this resource
offline.
Procedure
1. Go to the directory where you downloaded the PI AF installation program files on the
Windows server that uses Microsoft Failover Clustering and run the setup kit.
2. After the files are extracted to a temporary directory, click OK and then click Next.
The Welcome to the PI AF Server Setup window shows a list of modules that are required for
the PI AF installation.
3. Click OK.
Microsoft .NET Framework 4.5 is installed if it is not on the machine. Microsoft SQL Server
Native Client installation begins, if it is not installed.
4. Click Next.
Procedure
1. Go to the directory where you downloaded the PI AF installation program files and run the
setup kit.
2. After the files are extracted to a temporary directory, click OK and then click Next.
The Welcome to the PI AF Server Setup window shows a list of modules that are required for
the PI AF installation.
3. Click OK.
Microsoft .NET Framework 4.5 is installed if it is not on the machine. Microsoft SQL Server
Native Client installation begins, if it is not installed.
4. Click Next.
5. If you accept the license terms, click the option to accept the terms and then click Next.
where:
<SQLClusterName> is the name of the SQL Server Cluster node for the PI AF SQL
database (PIFD).
<SQLClusterInstanceName> is optional, and should be included if the SQL Server
Cluster was installed with a named instance.
PIFD is the name of the PI AF SQL database.
<SQLUserName> and <SQLUserPassword> are only needed if mixed mode
authentication is required to connect to the SQL Server cluster. To use Windows
authentication, omit these. Typically, mixed mode authentication is required when the
PI AF SQL database and PI AF application service are on different, non-trusted
domains.
When the process is complete, the command line looks like the following:
c:\..\PIPC\AF\SQL\PISYSOLEDB>_
12. Contact your SQL Server administrator and verify that the local
NTAUTHORITY\NetworkService login is not required for other uses. If the login is not
required, delete it.
13. Delete the following local SQL Server login if it exists: LocalMachineName\AFservers.
14. In Microsoft SQL Server Management Studio, expand SQLClusterInstance > PIFD > Security
> Users.
15. Delete the following SQL Server users, if they exist.
PIFD AF Servers
NTAUTHORITY\NetworkService
Procedure
1. Upgrade PI AF application service on active node in a failover cluster.
2. Upgrade PI AF application service on non-active nodes in a failover cluster.
Procedure
1. Go to the directory where you downloaded the PI AF installation program files and run the
setup kit.
2. After the files are extracted to a temporary directory, click OK and then click Next.
The Welcome to the PI AF Server Setup window shows a list of modules that are required for
the PI AF installation.
3. Click OK.
Microsoft .NET Framework 4.5 is installed if it is not on the machine. Microsoft SQL Server
Native Client installation begins, if it is not installed.
4. Click Next.
5. If you accept the license terms, click the option to accept the terms and then click Next.
6. Use the default selections of the features for Microsoft SQL Server Native Client and then
click Install.
7. Click Finish. The Microsoft Visual C++ 2012 re-distributable files are installed.
8. Review the Welcome to the PI AF Server 2013 Installation window and then click Next.
9. Accept the default Destination Folder and click Next.
Note:
The PI AF setup kit does not allow you to change the destination folder on an upgrade.
Procedure
1. Log onto the non-active PI AF application service cluster node.
2. Go to the directory where you downloaded the PI Asset Framework installation files and
run the setup kit.
3. Select or enter an extraction path in the PI AF Server Self Extracting Executing window. Use
the default installation path, or enter a new path.
4. Click OK.
5. Ensure the PI AF Server 2.x Application service is still configured to run under the correct
domain account.
In Windows 2008: Select the PI AF Application service in the left pane, and then
right-click the PI AF Server 2.x Application Service in the right pane and select Properties.
In Windows 2012: Select Roles in the left pane and then right-click the PI AF server role
in the right pane and select Properties.
3. In the Startup parameters list, change the text to refer to the correct path and file name for
the AFService file. For example, by default the AFService file is installed as:
Files\PIPC\AF\AFService.exe. This should be changed to:
C:\Program Files\PIPC\AF\AFService.exe
4. Click OK to close the Properties window.
Procedure
1. Log on to the active node of the cluster on which the PI AF application service is installed.
2. Resume the non-active node or nodes in the cluster.
In Windows 2012, click Do Not Fail Roles Back.
3. Bring the PI AF server resource/role online.
4. Open the Services list and ensure that the Startup Type is Manual for the PI AF Server
service on each machine in the cluster. Only one machine should show the service as
Started.
5. Verify a client application can connect using the network name assigned to the cluster.
6. Repeat the previous steps to verify that all nodes in the failover cluster can run the PI AF
Server service and that a client application can connect.
Results
The upgrade of PI AF server in a failover cluster is now complete.
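The post-upgrade checks in this guide (the PI AF service runs under a domain account, Startup Type is Manual on every node, and only one node shows the service as Started) can be evaluated in one pass. The following is an added example, not OSIsoft code; the service name AFService, the node names, and the sample rows are assumptions constructed for illustration.

```powershell
# Added example, not OSIsoft code. Assumes Windows PowerShell 5.1.
# ASSUMPTION: the Windows service name is 'AFService'; confirm it in the Services applet.

function Test-AFClusterService {
    param(
        # One object per cluster node with the Win32_Service properties
        # SystemName, StartName, StartMode and State.
        [Parameter(Mandatory)] [object[]] $Service
    )
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($s in $Service) {
        $acct = [string]$s.StartName

        # Classify the logon account. Anything that is not DOMAIN\user or
        # user@domain fails the guide's "domain account" requirement.
        $kind = 'domain'
        if ($acct -match '^(LocalSystem$|NT (AUTHORITY|SERVICE)\\)') {
            $kind = 'built-in'
        }
        elseif ($acct -match '^([^\\]+)\\' -and
                ($Matches[1] -eq '.' -or $Matches[1] -eq $s.SystemName)) {
            # ".\user" and "NODENAME\user" are local accounts on that node.
            $kind = 'local'
        }
        elseif ($acct -notmatch '[\\@]') {
            $kind = 'unqualified'
        }

        if ($kind -ne 'domain') {
            $findings.Add("$($s.SystemName): runs as '$acct' ($kind account), not a domain account.")
        }
        if ($s.StartMode -ne 'Manual') {
            $findings.Add("$($s.SystemName): Startup Type is '$($s.StartMode)', expected Manual.")
        }
    }

    # The cluster, not the Service Control Manager, decides which node runs the service.
    $running = @($Service | Where-Object { $_.State -eq 'Running' })
    if ($running.Count -ne 1) {
        $findings.Add("$($running.Count) nodes show the service as Running, expected exactly 1.")
    }
    return $findings.ToArray()
}

# Live collection (commented out so the example runs offline):
# $rows = Get-CimInstance -ClassName Win32_Service -ComputerName 'AFNODE1','AFNODE2' `
#             -Filter "Name='AFService'"

# Constructed sample rows: node 2 was left on a built-in account with automatic start.
$rows = @(
    [pscustomobject]@{ SystemName = 'AFNODE1'; StartName = 'YourDomain\AFServiceAccount'
                       StartMode = 'Manual'; State = 'Running' }
    [pscustomobject]@{ SystemName = 'AFNODE2'; StartName = 'NT AUTHORITY\NetworkService'
                       StartMode = 'Auto'; State = 'Running' }
)

$result = @(Test-AFClusterService -Service $rows)
if ($result.Count -eq 0) { 'All cluster service checks passed.' }
else { $result | ForEach-Object { "FINDING  $_" } }
```

With the constructed rows, the script reports three findings: the built-in account and the Auto start mode on AFNODE2, and two nodes running the service at once.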
Procedure
1. Run the PI AF server setup kit. When prompted to select PI AF features, select only the PI AF
SQL Database and PI AF SQL Script Execution features.
2. When prompted, enter the domain and name of the machine on which the PI AF application
service feature will be installed.
Procedure
1. Follow these steps to install PI AF while you are creating an availability group.
It is important to complete the procedures in the order listed here.
a. Install PI AF on the primary replica machine in the SQL Server availability group.
b. Install PI AF on the secondary replica machines in the SQL Server availability group.
c. Install PI AF application service for use with a SQL Server availability group.
d. Create a SQL login for the primary replica machine in the SQL Server availability group.
Procedure
1. Run the PI AF server setup kit. When prompted, select only the AF SQL Database feature
without the AF SQL Script Execution option.
2. Click Next and continue to run through the setup kit prompts that remain until the
installation of the PI AF SQL database is complete.
Install PI AF application service for use with a SQL Server availability group
Install the PI AF application service on a machine that is not included in the Windows Server
failover cluster.
Procedure
1. Run the PI AF setup kit. When prompted, specify the name and, if appropriate, instance, of
the SQL Server machine that is designated as the primary replica of the availability group.
2. Click Next and continue to run through the setup kit prompts that remain until the
installation of the PI AF application service is complete.
Create a SQL login for the primary replica machine in the SQL Server
availability group
Create a SQL login on the SQL Server machine that is designated as the primary replica for the
SQL Server availability group and is:
Based on the domain group that contains the domain account under which the PI AF
application service is running.
Mapped to the PI AF SQL database (PIFD).
Assigned to the db_AFServer role.
Create SQL logins for the secondary replica machines in a SQL Server
availability group
On each SQL Server machine that is designated as a secondary replica in the availability group,
create a SQL login that is based on the domain group that contains the domain account under
which the PI AF application service is running. These SQL logins do not need to be assigned any
role memberships at this time.
Procedure
1. On the SQL Server machine that will serve as the primary replica of the availability group,
open the SQL Server Management tool and connect to the instance that will host the
availability group.
2. Expand the AlwaysOn High Availability folder.
3. Expand and right-click the Availability Groups folder and select New Availability Group
Wizard.
4. Enter a name for the availability group in the Specify Availability Group Name window and
click Next.
5. Review the list of databases in the Select Databases window. This list shows databases that
are installed in the instance of SQL Server within which the availability group is included.
To set up an availability group for use with PI AF:
a. Review the status messages for each of the databases listed in the Select Databases
window, to determine whether a database can be selected. For example, a database
cannot be used in an availability group if it belongs to an existing availability group or does
not meet the prerequisites for being added to an availability group.
b. Select the check boxes for the PI AF SQL database (PIFD) that you want to include in the
availability group. You can also add other databases to the availability group; you can
choose as many databases as you want, provided that the PIFD is included and that all
databases that you include meet the prerequisites.
c. Resolve any such issues before you continue with the availability group creation. You do
not need to close the New Availability Group wizard to make corrections; leave it open
while you return to SQL Server Management Studio to make corrections. After the
corrections have been made, return to the New Availability Group wizard and click
Refresh. When the database statuses indicate Meets prerequisites, you can continue with
the process.
d. Click Next.
If you select Create an availability group listener now, use the New Availability Group
Wizard to:
Enter the Listener DNS Name.
Enter the Port number.
See Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration
Manager) (http://msdn.microsoft.com/en-us/library/ms177440.aspx) and Availability
Configure the PI AF connection string for use with a SQL Server availability
group
Procedure
1. On the AF server machine, open the AFService.exe.config file in the ..\PIPC\AF
folder.
2. Edit the server portion of the connect string so that it is directed at the availability group
listener and the availability group listener's port that you defined in Create a SQL Server
availability group for use with PI AF. You must change the ListenerName,Port in this
string:
<add key="connectString" value="Persist Security Info=False;Integrated Security=SSPI;server=ListenerName,Port;database=PIFD;Application Name=AF Application Server;" />
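The connect string requirements in this guide (a failover partner entry for a mirrored SQL Server session, ListenerName,Port for an availability group, Windows authentication in both) can be checked after every edit of AFService.exe.config. The following is an added example, not OSIsoft code; it assumes Windows PowerShell 5.1, and the server names and sample config text are constructed.

```powershell
# Added example, not OSIsoft code. Assumes Windows PowerShell 5.1.
Add-Type -AssemblyName System.Data

function Test-AFConnectString {
    param(
        # Full text of an AFService.exe.config file.
        [Parameter(Mandatory)] [string] $ConfigXml,
        # Mirror: expect a failover partner. Listener: expect server=Name,Port.
        [Parameter(Mandatory)] [ValidateSet('Mirror', 'Listener')] [string] $Topology
    )

    $node = ([xml]$ConfigXml).SelectSingleNode("//add[@key='connectString']")
    if ($null -eq $node) { throw 'No <add key="connectString"> element found.' }
    $value = $node.GetAttribute('value')

    # The builder resolves synonyms (server = Data Source, database = Initial
    # Catalog) and throws on keywords the SQL Server client does not recognise.
    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder -ArgumentList $value
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $csb['Integrated Security']) {
        $findings.Add('Windows authentication (Integrated Security=SSPI) is not enabled.')
    }
    if ($csb['User ID'] -or $csb['Password']) {
        $findings.Add('A SQL user name or password is stored in clear text in the file.')
    }
    if ($csb['Persist Security Info']) {
        $findings.Add('Persist Security Info is True; the guide''s string sets it to False.')
    }
    if ($csb['Initial Catalog'] -ne 'PIFD') {
        $findings.Add("Database is '$($csb['Initial Catalog'])', expected PIFD.")
    }

    switch ($Topology) {
        'Mirror' {
            if ([string]::IsNullOrWhiteSpace($csb['Failover Partner'])) {
                $findings.Add('No failover partner entry; the service cannot follow a mirror failover.')
            }
        }
        'Listener' {
            # A listener is addressed as DNS name plus port, not as server\instance.
            if ($csb['Data Source'] -notmatch '^(tcp:)?[^,\\]+,\d{1,5}$') {
                $findings.Add("server='$($csb['Data Source'])' is not in ListenerName,Port form.")
            }
        }
    }
    return $findings.ToArray()
}

# Constructed sample input: one config template and three connect strings.
$template = @'
<configuration><appSettings>
  <add key="connectString" value="{0}" />
</appSettings></configuration>
'@
$base = 'Persist Security Info=False;Integrated Security=SSPI;database=PIFD;Application Name=AF Application Server;'
$samples = @(
    @{ Topology = 'Mirror';   Value = $base + 'server=SQLPRINCIPAL;' }
    @{ Topology = 'Mirror';   Value = $base + 'server=SQLPRINCIPAL;Failover Partner=SQLMIRROR;' }
    @{ Topology = 'Listener'; Value = 'User ID=afuser;Password=example;server=AGLISTENER\INST1;database=PIFD;' }
)

foreach ($s in $samples) {
    $result = @(Test-AFConnectString -ConfigXml ($template -f $s.Value) -Topology $s.Topology)
    "[$($s.Topology)] $($s.Value)"
    if ($result.Count -eq 0) { '  OK' } else { $result | ForEach-Object { "  FINDING  $_" } }
}
```

To check a real server, pass `Get-Content -Raw` of the AFService.exe.config file as `-ConfigXml` instead of the constructed template.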
Procedure
1. On the SQL Server machine that is the primary replica of the availability group, open the
SQL Server Management tool and connect to the instance that will host the availability
group.
2. Expand the AlwaysOn High Availability folder.
3. Expand and right-click the Availability Groups folder and select New Availability Group
Wizard.
Procedure
1. Run the PI AF server setup kit on the SQL Server machine that is the primary replica of the
availability group; select only the AF SQL Database and AF SQL Script Execution options. If
Procedure
1. Prepare to create a PI AF collective.
2. Create a PI AF collective.
3. Configure PI AF collective properties.
4. Check PI AF collective status.
5. Add a secondary server to a PI AF collective.
6. Connect or switch to a specific member of a PI AF collective.
7. Remove a secondary server from a PI AF collective.
8. Stop or start replication.
9. Reinitialize a PI AF collective member.
10. Configure permissions on the replication data folder.
Procedure
1. Make sure that you meet all general collective creation requirements. See Configuration
requirements for PI AF collectives.
2. Make sure that you meet all SQL Server requirements. See SQL Server requirements for PI
AF collectives.
3. Make sure that you meet all security requirements. See Security requirements for PI AF
collectives.
Action required
Run as a low-privileged account.
Do not run the SQL Server Database Engine service under an account with
local or domain administrative privileges.
Action required
Run as a low-privileged account.
Do not run as NetworkService.
Primary PI AF server
No action required.
If it does not already exist, create a login in SQL Server for the account
under which the SQL Server Agent service runs.
Assign the db_owner database role on the PIFD database to this
account.
Do not grant the SysAdmin server role to this account.
Assign write permission to the \repldata folder. Sample path:
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\repldata
For more information, refer to Configure permissions on the replication
data folder.
Secondary PI AF SQL
databases
If it does not already exist, create a login in SQL Server for the account
under which the SQL Agent service runs on the primary.
Assign the db_owner database role on the PIFD database to this
account.
Do not grant the SysAdmin server role to this account.
PI AF application service
By default, the PI AF application service is run under the NT Authority\Network Service
account. However, NT Authority\Network Service is not required for this service. Do not
run it under the Local System account either. The best practice is to use a low-privileged
domain account, as this account does not require special access to the PI AF SQL database. The
PI AF application service account is added to a local Windows security group, which is
assigned the appropriate access in the PI AF SQL database.
Component
Permissions
Action required
Run as a low-privileged account.
Do not run as Local System.
Primary PI AF server
No action required.
Action required
In Windows, add the domain account under which the PI AF application
service runs to the local AFServers group.
Do not create a SQL login for the PI AF application service account.
Do not assign the db_owner database role on the PIFD database to the PI
AF application service account.
Do not grant the SysAdmin server role to the PI AF application service
account.
Secondary PI AF SQL
databases
PI AF collective creator
A domain user, with Windows credentials that are authenticated by PI AF, Windows, and SQL
Server, runs the PI System Explorer client that is used to create the AF collective.
Component
Action required
Permissions
The credentials that are used to create the AF collective are used only once to
create the PI AF collective. After you create the AF collective, you can remove
the special permissions.
Primary PI AF server
Secondary PI AF servers Add the credentials used to create the AF Collective in PI System Explorer to
the Local Administrators group.
Primary PI AF SQL
database
If it does not already exist, create a login in SQL Server for the PI AF
collective creator's domain account.
Add the credentials used to create the AF Collective in PI System Explorer
to the Local Administrators group.
Grant the SysAdmin server role to this account.
Secondary PI AF SQL
databases
If it does not already exist, create a login in SQL Server for the PI AF
collective creator's domain account.
Grant the SysAdmin server role to this account.
Action required
Permissions
Action required
Primary PI AF server
No action required.
If it does not already exist, create a login in SQL Server for the AFServers
local group.
Note:
The db_AFServer database role for the PIFD_distribution database
is automatically assigned to this account when the AF collective is
created.
Grant the db_AFServer database role on the PIFD database to this
account.
Do not assign the db_owner database role on the PIFD database to this
account.
Do not grant the SysAdmin server role to this account.
Secondary PI AF SQL
databases
If it does not already exist, create a login in SQL Server for the AFServers
local group.
Grant the db_AFServer database role on the PIFD database to this
account.
Do not assign the db_owner database role on the PIFD database to this
account.
Do not grant the SysAdmin server role to this account.
Procedure
1. Using the Windows credentials that you will use to create the collective, log in to the
workstation from which you will create the collective (do not do this on the SQL Server
computer) and connect to each PI AF server that will be part of the collective.
2. On the same workstation, verify that you can perform a simple file share access to each SQL
Server:
a. Select Start > Run.
b. Enter \\SQL_Server_computer_name for each SQL server.
This ensures that your credentials authenticate to each SQL Server at the Windows level.
3. Establish a connection to each SQL Server via SQL Server Management Studio (SSMS) or
sqlcmd.exe.
4. Once connected, run the following query:
SELECT IS_SRVROLEMEMBER('sysadmin') "is sysadmin", CURRENT_USER "connected as", SYSTEM_USER "login user";
where
"is sysadmin" returns 1=true, 0=false
Create a PI AF collective
Before you start
Perform all the steps in Prepare to create a PI AF collective.
Procedure
1. Start the SQL Server Agent Service.
SQL Server replication depends on the SQL Server Agent service. If it is not running, when
you attempt to set up a PI AF collective, the setup fails without warning. The only way to
recover is to delete the collective, start the SQL Server Agent service, then set up the
collective.
2. In PI System Explorer (PSE), select File > Connections to open the Servers window.
3. Right-click on an AF server that you want in the collective and select Create Collective.
The Create New Collective - Verify Backup Completed window opens.
4. Click to select the I have verified my backups are valid check box and click Next.
The Create New Collective - Select Primary window opens.
5. Choose your primary server.
6. Click Next.
The Create New Collective - Select Secondary Servers window opens.
7. From the Server list, select a PI AF server to add to the collective as a secondary server and
click Add. Repeat to add additional secondary servers. If you want to create the collective
without adding a secondary, then skip this step.
Results
When the replication process is complete, the status for the first row (the snapshot creation)
shows Succeeded. The status for the second row (the replication process as it relates to the
primary server) shows Idle. The status for the third row and subsequent rows (the replication
process as it relates to the secondary servers) shows Idle. For details about the collective
status, see PI AF collective status details.
This error can be corrected during the PI AF collective creation process; it is not necessary to
exit the Create New Collective window. The PI AF collective creation process will continue
normally after the following steps are completed.
Procedure
1. Open Microsoft SQL Server Management Studio, and connect to the SQL Server instance for
the primary server in the PI AF collective.
2. Under the SQL Server cluster instance, expand Security > Logins.
3. Right-click the login created for the AFServers domain group and select Properties.
Procedure
1. PI AF collective status details.
Procedure
1. In PI System Explorer (PSE), click File > Connections to open the Servers window.
2. Right-click the primary PI AF server and select Add Server to Collective. The Adding
Secondaries - Select Secondary Servers window opens.
3. From the Server list, select the PI AF server to add to the collective as a secondary server.
4. Click Add to add the PI AF server to the list.
5. Click Next.
The Adding Secondaries - Verify Selections window opens.
6. Click Next. The secondary server is added to the collective.
The Adding Secondaries - Finishing window appears. The process of replicating data to the
secondary server begins and the window displays collective status details during the
process. When the replication process is complete on the secondary server, the Status for
the third and subsequent rows displays Idle. For more on status details, see PI AF collective
status details.
Note:
If you click Exit before the window lists the newly added secondary server, the
replication process stops on that secondary server. A message appears that indicates
the replication process is not complete. You will need to start the replication process
on any secondary servers that currently belong to the collective.
Procedure
1. In PI System Explorer, select Connections.
2. Right-click the collective and choose Connect to Collective Member.
The Choose Collective Member window opens.
3. In the Collective Member list, select the collective member to which you want to connect.
4. Click OK.
You are now connected to the selected collective member.
Procedure
1. In PI System Explorer (PSE), select File > Connections to open the Servers window.
2. Select the AF Collective that contains the secondary server to be removed and click the
Properties button.
3. Click the Collective tab.
4. Right-click the secondary server and select Delete.
Procedure
1. In PI System Explorer, select File > Connections.
2. Right-click the AF Collective that contains the servers on which you want to start replication
and click the Properties button.
3. Click the Collective tab.
4. Right-click the server and select Start Replication. If this is the primary server, you also
need to start replication on each secondary server.
Procedure
1. In PI System Explorer, select File > Connections.
2. Right-click the AF Collective that contains the server you want to reinitialize and click the
Properties button.
3. Click the Collective tab.
4. Right-click the server and select Reinitialize Replication.
Procedure
1. On the primary PI AF SQL database computer, open Windows Explorer.
2. Navigate to the \repldata folder for the SQL Server instance where the PI AF SQL database
is installed.
3. Right-click the \repldata folder and select Properties.
4. Click the Security tab and click Edit.
The Permissions for repldata window opens.
5. Click Add.
The Select Users, Computers, or Groups window opens.
6. Check that the From this location: field shows the correct domain. If not, click Location and
navigate to and select the correct domain.
7. In the Enter the object names to select field, enter the name of the domain account under
which the SQL Server Agent service runs.
8. Click OK.
The Permissions for repldata window opens.
9. In the Permissions for [SQL Agent Account Name] area, select the Modify check box,
ensuring that all check boxes except Full control and Special permissions are selected.
10. Click OK.
11. Click OK to return to Windows Explorer.
PI AF collective upgrades
The PI AF upgrade process requires that you run the upgrade's executable file on each
computer in the PI AF collective. All of the PI AF servers in a PI AF collective must be the same
PI AF version. To minimize the amount of time when your PI AF users cannot write to the PI AF
SQL database, and to maximize the availability of the PI AF data as read-only to your PI AF
users, upgrade the primary PI AF server first. Then upgrade the secondary PI AF servers.
Procedure
1. Upgrade the primary PI AF server.
2. Upgrade secondary PI AF servers.
3. Restart replication on upgraded PI AF computers.
Procedure
1. Back up the primary PI AF SQL databases.
2. Stop replication on the primary PI AF SQL database computer.
3. Shut down the primary PI AF application service.
4. Run the setup program on the primary PI AF server.
Caution:
Any updates that are in progress are likely to be lost. It is recommended that you
notify your users ahead of time that they should not attempt to make any changes to
the PI AF SQL data during the brief period of time it takes to install the PI AF upgrade.
2. On the primary PI AF SQL database computer, verify that replication is complete:
a. Check the synchronization status of primary PI AF server under Replication > Local
Publications > [PIFD]: PIAF > [Primary Database Server Name].[PIFD].
b. Right-click and select View Synchronization Status.
3. On the secondary PI AF SQL database computers, verify that replication is complete:
a. Check the synchronization status of each secondary PI AF server under Replication >
Local Subscriptions > [PIFD]: PIAF > [Secondary Database Server Name].[PIFD].
b. Right-click and select View Synchronization Status.
4. In PI System Explorer, select File > Connections.
The Servers window opens.
5. Right-click the AF Collective and select Properties.
6. Select the Collective tab.
7. Right-click the primary server and select Stop Replication.
Replication is stopped on the primary server and all secondary servers. As long as the
collective still exists, you can start replication on the primary server at a later time; you will
need to start replication on each secondary server, too.
Procedure
1. In PI System Explorer, select File > Connections.
2. Right-click on a member of the collective, then click Properties.
3. Click the Collective tab.
4. Right-click the server and select Start Replication. If this is the primary server, you also
need to start replication on each secondary server. The PI AF collective upgrade process is
complete.
Troubleshoot PI AF collectives
Use the topics in this section to troubleshoot issues with PI AF collectives.
This message indicates that the logged-on user is unable to access one of the servers included
in the collective. The error is most likely related to the fact that the logged-on user does not
have the correct permissions on the primary PI AF SQL database computer.
Review the Application event logs on the PI AF server and PI AF SQL database computers,
beginning with the primary PI AF server, to determine which computer is receiving the
connection error.
Be sure that the login account is given sysadmin privileges to SQL Server on the AF SQL
database computer.
In the SnapShot status row (the first row in the bottom section), the message displays:
Access to the path [..\repldata\...] is denied.
This message indicates that the SQL Server Agent service account does not have Write access
to the \repldata folder for the SQL Server instance into which the primary PI AF SQL
database was installed. See Configure permissions on the replication data folder.
After setting the proper security permissions on the \repldata folder, exit the Create New
Collective - Finishing window. A message displays, indicating the primary server's replication
has not finished.
Click OK and return to the Collective tab in the AF Server Properties window. Delete the
collective, then recreate the collective, and the snapshot is created correctly.
Click OK to exit the error window. In the Create New Collective - Finishing window the same
message appears. Click Cancel to exit the window. The collective was not created. Start the SQL
Server Agent service on the primary server, then create the new collective.
PI AF silent installations
The bundled PI AF server installations extract several installation modules. The setup.ini
configuration file specifies the components of the installation process, their order, and the
arguments used to launch them. Modify this file to specify different command-line arguments
to different stages of the setup. This may be useful for situations where the environment is well
controlled and the options are known in advance, such as an embedded installation.
The PI AF Server bundle also includes a silent.ini file that contains modifications to
setup.ini that are typically needed to run a silent installation. You can augment these
arguments by adding any of the options described below.
Note:
On Windows 7 and other recent operating systems, if you are logged on as a normal user,
you must run the command-line examples from an Administrator command prompt.
Description
ADDLOCAL
ALLUSERS
REBOOT
FDSQLDBSERVER
Argument
Description
FDSQLDBNAME
FDSQLDBVALIDATE
FD_REMOTEAPPS
Description
ALL
N/A
FD_AppsServer
PI AF Application Service
FD_SQLServer
PI AF SQL Database
FD_SQLScriptExecution
Note the following information about the syntax:
The /i argument specifies an installation.
The /qn argument specifies quiet mode, which suppresses dialog boxes and prompts.
For Version #, specify either x64 or x86 to run the .msi script that is appropriate for your
operating system.
If the ADDLOCAL property is not defined on the command line, it defaults to ALL.
Spaces are not allowed between ADDLOCAL= and its value.
Components to
install
All PI AF server
features
Syntax
Notes
The FD_SQLScriptExecution feature is part of the FD_SQLServer feature. Therefore, to include
FD_SQLScriptExecution, specify ADDLOCAL=FD_SQLServer,FD_SQLScriptExecution.
Description
ADDLOCAL
ALLUSERS
REBOOT
AFSERVER
ONLYSHOWSERVER
AFSDKONLY
Description
ALL
N/A
Internal Feature Name / Name
Used in Command Line
Description
FD_AFSDK
PI AF SDK
FD_AFExplorer
PI System Explorer
FD_AFBuilder
PI Builder
FD_AFAnalysisMgmt
Analysis Management
FD_AFDocs
PI AF documentation
Syntax
Notes
PI AF Client on AF
application service
computer
msiexec.exe /i AFClient_Version #.msi REBOOT=Suppress ALLUSERS=1 /qn
msiexec.exe /i AFClient_Version #.msi REBOOT=Suppress ALLUSERS=1 AF_SERVER=PI AF server name /qn
Components to install
Syntax
Notes
The PI AF SDK feature is
required.
PI AF security overview
This section discusses security guidelines for PI AF.
Do not grant non-admin PI AF users any SQL Server access privileges on a PI AF SQL
database, except for PI AF collective administrators, who must have SysAdmin privilege for
their Windows account.
See these Microsoft SQL Server Security documents for further information:
Security Considerations for a SQL Server Installation (http://msdn.microsoft.com/en-us/library/ms144228.aspx)
Securing SQL Server (http://msdn.microsoft.com/en-us/library/bb283235.aspx)
Action required
Run as a low-privileged account.
Do not run the SQL Server Database Engine service under an account with
local or domain administrative privileges.
Action required
Run as a low-privileged account.
Do not run as NetworkService.
Primary PI AF server
No action required.
Component
Primary PI AF SQL
database
Action required
If it does not already exist, create a login in SQL Server for the account
under which the SQL Server Agent service runs.
Assign the db_owner database role on the PIFD database to this
account.
Do not grant the SysAdmin server role to this account.
Assign write permission to the \repldata folder. Sample path:
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\repldata
For more information, refer to Configure permissions on the replication
data folder.
Secondary PI AF SQL
databases
If it does not already exist, create a login in SQL Server for the account
under which the SQL Agent service runs on the primary.
Assign the db_owner database role on the PIFD database to this
account.
Do not grant the SysAdmin server role to this account.
PI AF application service
By default, the PI AF application service is run under the NT Authority\Network Service
account. However, NT Authority\Network Service is not required for this service. Do not
run it under the Local System account either. The best practice is to use a low-privileged
domain account, as this account does not require special access to the PI AF SQL database. The
PI AF application service account is added to a local Windows security group, which is
assigned the appropriate access in the PI AF SQL database.
Component
Permissions
Action required
Run as a low-privileged account.
Do not run as Local System.
Primary PI AF server
No action required.
Secondary PI AF SQL
databases
PI AF collective creator
A domain user, with Windows credentials that are authenticated by PI AF, Windows, and SQL
Server, runs the PI System Explorer client that is used to create the AF collective.
Component
Action required
Permissions
The credentials that are used to create the AF collective are used only once to
create the PI AF collective. After you create the AF collective, you can remove
the special permissions.
Primary PI AF server
Secondary PI AF servers Add the credentials used to create the AF Collective in PI System Explorer to
the Local Administrators group.
Primary PI AF SQL
database
If it does not already exist, create a login in SQL Server for the PI AF
collective creator's domain account.
Add the credentials used to create the AF Collective in PI System Explorer
to the Local Administrators group.
Grant the SysAdmin server role to this account.
Secondary PI AF SQL
databases
If it does not already exist, create a login in SQL Server for the PI AF
collective creator's domain account.
Grant the SysAdmin server role to this account.
Action required
Permissions
Primary PI AF server
No action required.
If it does not already exist, create a login in SQL Server for the AFServers
local group.
Note:
The db_AFServer database role for the PIFD_distribution database
is automatically assigned to this account when the AF collective is
created.
Grant the db_AFServer database role on the PIFD database to this
account.
Do not assign the db_owner database role on the PIFD database to this
account.
Do not grant the SysAdmin server role to this account.
Component
Secondary PI AF SQL
databases
Action required
If it does not already exist, create a login in SQL Server for the AFServers
local group.
Grant the db_AFServer database role on the PIFD database to this
account.
Do not assign the db_owner database role on the PIFD database to this
account.
Do not grant the SysAdmin server role to this account.
Procedure
1. Using the Windows credentials that you will use to create the collective, log in to the
workstation from which you will create the collective (do not do this on the SQL Server
computer) and connect to each PI AF server that will be part of the collective.
2. On the same workstation, verify that you can perform a simple file share access to each SQL
Server:
a. Select Start > Run.
b. Enter \\SQL_Server_computer_name for each SQL server.
This ensures that your credentials authenticate to each SQL Server at the Windows level.
3. Establish a connection to each SQL Server via SQL Server Management Studio (SSMS) or
sqlcmd.exe.
4. Once connected, run the following query:
SELECT IS_SRVROLEMEMBER('sysadmin') "is sysadmin", CURRENT_USER "connected as", SYSTEM_USER "login user";
where
"is sysadmin" returns 1=true, 0=false
"connected as" returns "dbo"
"login user" returns the user's Windows user principal
Do not proceed until the connection and query succeed for each SQL Server that will be
part of your PI AF collective.
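The role assignments in the tables above can be checked mechanically. The following PowerShell script is an added example, not OSIsoft code: it reads direct sysadmin, db_owner and db_AFServer membership for each login through sqlcmd.exe and compares it with what the tables require. The instance name, the account names and the function names are placeholders chosen for illustration.

```powershell
# Added example, not OSIsoft code. Instance and account names are placeholders.
# Lists direct role membership only; nested Windows group membership is not resolved.
$RoleQuery = @'
SET NOCOUNT ON;
SELECT sp.name,
       MAX(CASE WHEN sr.name = 'sysadmin'    THEN 1 ELSE 0 END),
       MAX(CASE WHEN dr.name = 'db_owner'    THEN 1 ELSE 0 END),
       MAX(CASE WHEN dr.name = 'db_AFServer' THEN 1 ELSE 0 END)
FROM sys.server_principals sp
LEFT JOIN sys.server_role_members        srm ON srm.member_principal_id = sp.principal_id
LEFT JOIN sys.server_principals          sr  ON sr.principal_id = srm.role_principal_id
LEFT JOIN PIFD.sys.database_principals   du  ON du.sid = sp.sid
LEFT JOIN PIFD.sys.database_role_members drm ON drm.member_principal_id = du.principal_id
LEFT JOIN PIFD.sys.database_principals   dr  ON dr.principal_id = drm.role_principal_id
WHERE sp.type IN ('S', 'U', 'G')
GROUP BY sp.name;
'@
$Columns = 'Login', 'SysAdmin', 'DbOwner', 'DbAFServer'

function Get-PIFDRoleRows {
    param([Parameter(Mandatory)][string]$SqlInstance)
    # -E: Windows authentication, -h -1: no header row, -W: trim padding, -s: column separator
    & sqlcmd.exe -S $SqlInstance -E -h -1 -W -s '|' -Q $RoleQuery |
        Where-Object { $_ -match '\|' } |
        ConvertFrom-Csv -Delimiter '|' -Header $Columns
}

function Test-PIAFRolePolicy {
    param([object[]]$Rows, [hashtable[]]$Policy)
    foreach ($rule in $Policy) {
        $row = $Rows | Where-Object { $_.Login -eq $rule.Login } | Select-Object -First 1
        $findings = @()
        if (-not $row -and $rule.LoginExpected) { $findings += 'no SQL login found' }
        if ($row -and -not $rule.LoginExpected) {
            $findings += 'SQL login exists but the guide says not to create one'
        }
        if ($row) {
            foreach ($col in 'SysAdmin', 'DbOwner', 'DbAFServer') {
                # Only compare the roles that the rule actually constrains.
                if ($rule.ContainsKey($col) -and [int]($row.$col) -ne $rule[$col]) {
                    $findings += "$col is $($row.$col), expected $($rule[$col])"
                }
            }
        }
        [pscustomobject]@{
            Account   = $rule.Login
            Purpose   = $rule.Purpose
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Expected state taken from the "Action required" tables; the account names are placeholders.
$policy = @(
    @{ Login = 'EXAMPLE\svc-sqlagent'; Purpose = 'SQL Server Agent service account'
       LoginExpected = $true;  SysAdmin = 0; DbOwner = 1 },
    @{ Login = 'SQLHOST\AFServers';    Purpose = 'AFServers local group'
       LoginExpected = $true;  SysAdmin = 0; DbOwner = 0; DbAFServer = 1 },
    @{ Login = 'EXAMPLE\svc-piaf';     Purpose = 'PI AF application service account'
       LoginExpected = $false; SysAdmin = 0; DbOwner = 0 }
)

# Constructed sample of the query output, so the check can be tried offline.
$sampleRows = @'
SQLHOST\AFServers|0|0|1
EXAMPLE\svc-sqlagent|1|1|0
EXAMPLE\svc-piaf|0|1|0
'@ -split '\r?\n' | ConvertFrom-Csv -Delimiter '|' -Header $Columns

Test-PIAFRolePolicy -Rows $sampleRows -Policy $policy | Format-Table -AutoSize -Wrap
# Against a live instance:
#   Test-PIAFRolePolicy -Rows (Get-PIFDRoleRows 'SQLHOST\INSTANCE') -Policy $policy
```

The PI AF collective creator account is left out of the policy on purpose, because its SysAdmin role is needed while the collective is created.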
Procedure
For security reasons, OSIsoft recommends that you change the PI AF application service to
run under a domain account (Run the PI AF application service under a domain account).
Note:
If PI AF application service and PI AF SQL database computers are located in different
domains, and a trust does not exist between those domains, then the default
configuration will not work. You must use SQL Server authentication to enable
communication between the computers (Configure PI AF to use SQL Server security).
Procedure
1. Identify the domain account that you want to use for the PI AF Server application service.
2. Add a domain user to the AFServers local user group. The application service gets the
required access to the PI AF SQL database through this local group on the SQL database
computer.
3. Open the Services administrative tool on the PI AF server computer.
4. Right-click the PI AF Application Service and select Properties.
5. Click the Log On tab and change the account to a domain account, using the
DOMAIN\account format, or click the Browse button to search for and select the domain
account to use.
6. Enter the account's Password twice, and click OK.
7. Right-click the PI AF Application Service and select Restart. A message appears indicating
the service is being stopped, and then started. The service is now running under the new
account.
8. Remove the previous account's access to the PIFD database.
Most often, the previous account was the default account, NetworkService. For example,
see Remove NetworkService account access to the PI AF SQL database.
Note:
After you remove the NetworkService account from the PIFD database, any time you
run the setup program (repair or upgrade), you might need to repeat this step.
9. Reconfigure the properties on the PI AF server to reference the new PI AF application
service account:
a. In PI System Explorer, select File > Connections.
b. Right-click the AF server in the list and click Disconnect, if it is available.
c. Right-click the AF server in the list and click Properties.
d. Type in the name of the account under which the AFServer service runs. For example:
DomainName\AccountName.
e. Click Connect. If PI System Explorer cannot make a connection to the PI AF server, see
Cannot connect to AF server.
f. Click OK.
10. Click Close.
Local computer accounts, such as NetworkService, typically have permission to set an SPN.
However, domain accounts often do not. If the PI AF application service is running under an
account that does not have the privileges to create an SPN, then extra configuration is needed
for a client such as PI System Explorer to connect to that PI AF server using an SPN. See View
the PI AF application service domain account permissions.
Procedure
1. View the PI AF application service domain account permissions.
2. Manipulate an SPN with setspn.
Note that the UPN setting (userPrincipalName) is commented out and the SPN
(servicePrincipalName) setting is enabled.
To configure the PI AF server to use a UPN instead of an SPN, comment out the
servicePrincipalName element and uncomment the userPrincipalName element. The
value of the userPrincipalName would be the domain credentials under which the PI AF
server is running. For example:
<identity>
<!--<servicePrincipalName value="AFServer" />-->
<userPrincipalName value="username@domain"/>
</identity>
Procedure
1. On the PI AF SQL database computer, click Start > Administrative Tools > Computer
Management.
2. Under Computer Management (Local), expand System Tools > Local Users and Groups >
Groups.
3. In the list of groups, double-click AFServers.
4. Select the NetworkService account and click Remove.
5. Click OK and click Close.
6. Open SQL Server Management Studio and connect to the SQL Server instance in which the
PIFD database resides.
7. Expand the PIFD database and navigate to the Security > Schemas folder.
Procedure
1. On the PI AF SQL database computer, click Start > Administrative Tools > Computer
Management.
2. Under Computer Management (Local), expand System Tools > Local Users and Groups >
Groups.
3. In the list of groups, double-click AFServers.
4. Add the domain account under which the PI AF application service is running to the
AFServers group. If it is running under the NT AUTHORITY\NetworkService account, add
the PI AF server's system account to this group.
Note:
If the PI AF application service is running as the LocalService account, then you will
likely need to use SQL Server security instead of integrated security.
5. Close Computer Management.
Procedure
1. In the Microsoft SQL Server Management Studio, connect to the SQL Server instance that
stores the PI AF SQL database (PIFD).
2. Under the SQL Server instance, expand Security > Logins.
3. Create a new login and enter a name in the Login name field.
4. Select the SQL Server authentication option.
5. Enter the password in the Password and Confirm password fields.
6. In Default database, select PIFD.
10. Under Database role membership for: PIFD, select the db_AFServer check box.
11. Click OK.
Note:
OSIsoft recommends that you limit access to the AFService.exe.config file to
authorized users, including the account under which the PI AF application service runs.
To do so:
limit access to log on to the PI AF Server, or
set a security descriptor on the AFService.exe.config file or its directory.
Procedure
1. Open the AFService.exe.config file with a text editor, such as Notepad.
2. Locate the connect-string key. It has the following format:
<add key="connectString" value="Persist Security Info=False;Integrated Security=SSPI;server=.\phxtest;database=PIFD;Application Name=AF Application Server;"/>
Procedure
1. On the PI AF server computer, open the AFService.exe.config file with a text editor,
such as Notepad.
2. Locate the connect-string key. It has the following format:
Integrated Security:
<add key="connectString" value="Persist Security Info=False;Integrated Security=SSPI;server=.\phxtest;database=PIFD;Application Name=AF Application Server;"/>
3. Modify the connect string, specifying the new location of the server. You can use a computer
name or an IP address, and can include the SQL Server instance name.
Integrated Security:
<add key="connectString" value="Persist Security Info=False;Integrated Security=SSPI;server=AFSQLDB\SQLEXPRESS;database=PIFD;Application Name=AF Application Server;"/>
Procedure
1. Configure SQL Server to allow remote connections. See the Microsoft SQL Server library
(http://technet.microsoft.com/library/bb545450.aspx).
2. Configure PI AF to use SQL server security. See Configure PI AF to use SQL Server security.
3. If you are using a named instance of SQL Server and have not specified a port in the connect
string, then make sure the SQL Server Browser service is running on the SQL Server
computer. To promote the most secure environment, you should specify the port in the
connection string.
4. Ensure that your system security is configured as described in Firewalls and PI AF security.
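As an added example (not OSIsoft code), this PowerShell function parses the connectString value described above and reports the points this section calls out: the authentication mode, whether the server value carries an explicit port, and whether a password sits in the file. The function names, the XML wrapper elements and the SQL Server authentication sample are assumptions made for the example.

```powershell
# Added example, not OSIsoft code. The <configuration>/<appSettings> wrapper and the
# SQL Server authentication sample values below are constructed for illustration.
function Test-AFConnectString {
    param([Parameter(Mandatory)][string]$ConfigXml)

    $node = ([xml]$ConfigXml).SelectSingleNode("//add[@key='connectString']")
    if (-not $node) { throw 'No <add key="connectString"> element found.' }

    # Generic connection-string parser; keywords are matched case-insensitively.
    $csb = New-Object System.Data.Common.DbConnectionStringBuilder
    $csb.set_ConnectionString($node.GetAttribute('value'))
    $get = {
        param([string[]]$Keys)
        foreach ($k in $Keys) {
            $v = $null
            if ($csb.TryGetValue($k, [ref]$v)) { return [string]$v }
        }
    }
    $server     = & $get 'server', 'data source'
    $integrated = (& $get 'integrated security', 'trusted_connection') -in 'SSPI', 'True', 'Yes'
    $persist    = & $get 'persist security info'
    $hasSecret  = [bool](& $get 'password', 'pwd')
    $hasPort    = $server -match ',\s*\d+\s*$'   # "host,port" or "host\instance,port"
    $named      = $server -match '\\'            # "host\instance"

    $findings = @()
    if (-not $integrated) {
        $findings += 'SQL Server authentication in use: the file holds credentials, so restrict its ACL.'
    }
    if ($persist -and $persist -notin 'False', 'No') {
        $findings += 'Persist Security Info is not False.'
    }
    if (-not $hasPort) {
        if ($named) {
            $findings += 'Named instance without a port: clients depend on the SQL Server Browser service.'
        } else {
            $findings += 'No explicit port in the server value.'
        }
    }

    [pscustomobject]@{
        Server         = $server
        Database       = & $get 'database', 'initial catalog'
        Authentication = if ($integrated) { 'Integrated (SSPI)' } else { 'SQL Server' }
        ExplicitPort   = $hasPort
        PasswordInFile = $hasSecret
        Findings       = $findings
    }
}

function Get-AFConfigAccess {
    # Lists who can read or change the file; review every non-administrative entry.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Constructed samples: the first mirrors the integrated-security string shown in this guide,
# the second is a made-up SQL Server authentication string with a fixed port.
$integratedSample = @'
<configuration><appSettings>
  <add key="connectString" value="Persist Security Info=False;Integrated Security=SSPI;server=AFSQLDB\SQLEXPRESS;database=PIFD;Application Name=AF Application Server;"/>
</appSettings></configuration>
'@
$sqlAuthSample = @'
<configuration><appSettings>
  <add key="connectString" value="Persist Security Info=False;User ID=ExampleLogin;Password=ExamplePlaceholder;server=AFSQLDB\SQLEXPRESS,50123;database=PIFD;Application Name=AF Application Server;"/>
</appSettings></configuration>
'@

Test-AFConnectString -ConfigXml $integratedSample
Test-AFConnectString -ConfigXml $sqlAuthSample

# On the PI AF server, with $path set to your AFService.exe.config:
#   Test-AFConnectString -ConfigXml (Get-Content -Raw -LiteralPath $path)
#   Get-AFConfigAccess -Path $path
```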
PI System Explorer
Analysis Management
PI Builder
PI AF User Documentation
PI System Explorer and other PI AF SDK clients communicate with PI AF server using Windows
authentication. Except for configuration of a PI AF collective, the PI AF SDK never connects
directly to SQL Server. When you attempt to connect to a PI AF server through PI System
Explorer, your login credentials are used. If you have permission to access the PI AF server, the
connection is made.
If you do not have the appropriate rights, a login dialog box appears where you can enter
credentials. For example, this can occur if you are logged in as a local user, are not a domain
user, or if the client computer is in a domain other than the domain of the PI AF server.
Procedure
Run PI System Explorer as Administrator:
a. On the Start menu, right-click PI System Explorer or other PI AF client.
b. Select Run as Administrator.
Set PI System Explorer to run as Administrator every time it is started:
a. On the Start menu, right-click PI System Explorer (or other PI AF client).
b. Select Properties.
c. On the Compatibility tab, select the Run this program as an administrator check box.
Modify the PI AF security settings so that the user or a group containing the user (other
than local Administrators) has appropriate privileges.
Procedure
1. Make sure that the PI AF server is version 2.0.4 or later. If the version is older, upgrade it
first.
2. Create the same local account on both computers. Use the same password, too.
3. Set the firewalls to open the incoming connections on PI AF server. See Considerations for
firewalls and ports for PI AF to determine which ports should be open.
4. Log on to the PI System Explorer client computer using the new local account.
5. Open PI System Explorer and try to connect to the target PI AF server.
6. In PI System Explorer, on either the Database Properties dialog box or the Select Database
dialog box, click
to open the System Properties dialog box.
7. Set Name and Host to the actual settings of your PI AF server. Account remains empty.
8. Click OK.
9. Click Connect to initiate a connection.
10. If you have a connection problem, see Set audit policy and Set sharing and security model
for local account.
Procedure
1. Set audit policy.
2. Set sharing and security model for local account.
3. Configure Active Directory access for contacts.
Procedure
1. Click Start > Administrative Tools > Local Security Policy.
2. Under Security Settings, select Local Policies > Audit Policy.
3. Set the security setting to Success, Failure for the following policies:
Audit account logon events
Audit logon events
Audit object access
Audit privilege use
To do so:
a. Right-click each policy and choose Properties.
b. Select the Success and Failure check boxes.
c. Click OK.
Procedure
1. On the PI AF server computer, click Start > Administrative Tools > Local Security Policy.
2. Under Security Settings, select Local Policies > Security Options.
3. Right-click Network access: Sharing and security model for local account and choose
Properties.
4. Set the security setting to Classic - local users authenticate as themselves.
5. Click OK to save your change.
Procedure
1. Open PI System Explorer and connect to a database that belongs to the PI AF server for
which you want to configure Active Directory access.
2. From the File menu, select AF Server Properties and from that window click the Configure
Active Directory Access for Contacts link.
3. In the Active Directory Domain Name text box, enter the full DNS name of the Active
Directory domain from which the contact names will be retrieved for the PI Notifications
Contacts (for example, contoso.com).
If this field is left blank, the domain in which the PI AF application service resides will be
used.
4. In the Active Directory Contact Sub-Folder text box, enter the path to the folder containing
the list of contacts for this domain.
In larger Active Directory domains, contacts may be organized within sub-folders. The use
of sub-folders can allow for faster retrieval of a list of Active Directory contacts.
Use the following structure for the sub-folder:
DomainUserFolder/SubDomainUserFolder/Sub SubDomainUserFolder
Directory, this option can be used. As long as the user account under which the
connecting client application is running has permission to read Active Directory, a list of
contact names is returned to the Contacts list. The contents of the Contacts list may vary,
depending upon the access account used, since the security to read the contact list is
determined by Active Directory.
Note:
Specifying this option may require Kerberos configuration if an AF SDK application
will be using impersonation in a middle tier, such as a Web Service.
Use the specified account
This option allows you to specify an account to use to read the Active Directory. This can
be useful when the Active Directory and PI AF server are in different domains or when
the accounts in the first two options have no permission to read the Active Directory. For
Account Name, use the format Domain\User. Make sure the specified account has the
appropriate permission to read the target Active Directory.
6. Check Use Active Directory's locally cached Global Catalog to use the global catalog for
Active Directory domain controller searches. Otherwise searches must go to the owning
domain controller.
Active Directory holds information in a distributed data repository called a global catalog.
For installations where there are multiple, distributed domain controllers, each domain
controller has a cache of the portions of the global catalog for which it is not responsible, so
that Active Directory searches do not have to be referred to the owning domain controller.
This improves performance for queries that must otherwise have to access a remote
domain controller.
7. Choose a setting for Return All Persons.
Active Directory objects are derived from one another as follows:
Top>Persons>OrganizationalPerson>Contact
and
Top>Persons>OrganizationalPerson>User
Select this check box to return Persons, Organizational Persons, Contacts and Users from
the target Active Directory.
Clear the check box to return only Users.
Command
Default Setting
afdiag /DT
enabled
disabled
afdiag /DTImp
Change security
settings for all
tables.
Delegation example
Here is an example of how PI AF might use Kerberos delegation:
Rita, a PI AF Client user, has permission to access data from a table in a SQL Server database.
Procedure
1. Assign the Read servicePrincipalName and Write servicePrincipalName
permissions to the following Active Directory objects:
Domain account under which the AFServer service runs, if you want its SPNs to be
automatically managed.
Domain account under which the SQL Server service runs, assuming the linked AF Table
is a SQL Server table AND you want its SPNs to be automatically managed.
See Assign permissions to service accounts with ADSI Edit snap-in.
2. Create the required SPNs for the following objects:
SPNs must be manually created by an Administrative user for the AFServer service, IF
you did not assign the Read servicePrincipalName and Write
servicePrincipalName permissions to the AFServer service's domain account.
SPNs must be manually created by an Administrative user for the SQL Server service, IF
the AF Table is linked to a SQL Server table and IF you did not assign the Read
servicePrincipalName and Write servicePrincipalName permissions to the SQL Server
service's domain account.
Procedure
1. Assign the Read servicePrincipalName and Write servicePrincipalName
permissions to the following Active Directory objects:
Domain account under which the AFServer service runs if you want its SPNs to be
automatically managed.
Domain account under which the SQL Server service runs, assuming the linked AF Table
is a SQL Server table AND you want its SPNs to be automatically managed.
See Assign permissions to service accounts with ADSI Edit snap-in.
2. Create the required SPNs for the following objects:
The AFServer service.
SPNs must be manually created by an Administrative user for the AFServer service, if
you did not assign the Read servicePrincipalName and Write
servicePrincipalName permissions to the AFServer service's domain account.
The SQL Server service.
SPNs must be manually created by an Administrative user for the SQL Server service, if:
Procedure
1. From the Start menu, type adsiedit.msc in the Search box and press Enter.
If the ADSI Edit snap-in is installed on the machine, the ADSI Edit snap-in opens in the
Microsoft Management Console window.
a. If this is the first time the ADSI Edit snap-in has been opened, there are no active
connections for Active Directory Services. Right-click ADSI Edit in the console and select
Connect to to open the Connection Settings window.
b. Leave the default settings and click OK.
A new entry is added to the console with the following format "Default naming
context [mymachine.mydomain.com]".
Procedure
To view SPNs for a PI AF application service running under the NetworkService account,
enter this command:
setspn -l machine_name
where machine_name is the machine on which the PI AF application service runs.
SPNs assigned to this machine are returned in this list format:
AFServer/machine_FQDN
AFServer/machine_name
where:
machine_FQDN is the fully-qualified domain name of the machine on which the PI AF
application service runs
machine_name is the machine on which the PI AF application service runs
To view SPNs for a PI AF application service running under a domain account, enter this
command:
setspn -l domain\account_name
where domain\account_name is the domain account under which the PI AF application
service runs.
SPNs assigned to this domain account are returned in this list format:
AFServer/machine_FQDN
AFServer/machine_name
where:
machine_FQDN is the fully-qualified domain name of the machine on which the PI AF
application service runs
machine_name is the machine on which the PI AF application service runs
Procedure
To create two SPNs for a PI AF application service running under the NetworkService
account, enter these two commands in sequence:
setspn -s AFServer/machine_FQDN machine_name
setspn -s AFServer/machine_name machine_name
where:
machine_FQDN is the fully-qualified domain name of the machine on which the PI AF
application service runs
machine_name is the machine on which the PI AF application service runs
The -s option of setspn checks for duplicate SPNs before creating new SPNs.
To create two SPNs for a PI AF application service running under a domain account, enter
these two commands in sequence:
setspn -s AFServer/machine_FQDN domain\account_name
setspn -s AFServer/machine_name domain\account_name
where:
machine_FQDN is the fully-qualified domain name of the machine on which the PI AF
application service runs
machine_name is the machine on which the PI AF application service runs
domain\account_name is the domain account under which the PI AF application service
runs
For information on working with SPNs for SQL Server, see the Microsoft website
http://technet.microsoft.com/en-us/library/ms191153.aspx.
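The following is an added example, not OSIsoft code, that ties the view and create procedures above together: it parses setspn -l output and lists which of the two AFServer SPNs is missing, with the setspn -s command that would register it. The function names and the account, host and domain names are assumptions, and the sample output is constructed.

```powershell
# Added example (not OSIsoft code): find missing AFServer SPNs in "setspn -l" output.

function Get-RegisteredSpn {
    param([AllowEmptyString()][string[]]$SetspnOutput)
    # setspn -l prints one header line, then one indented SPN per line.
    $SetspnOutput |
        Where-Object { $_ -match '^\s+\S+/\S+\s*$' } |
        ForEach-Object { $_.Trim() }
}

function Get-MissingAFServerSpn {
    param(
        [AllowEmptyString()][string[]]$SetspnOutput,
        [Parameter(Mandatory)][string]$MachineName,
        [Parameter(Mandatory)][string]$MachineFqdn,
        # machine_name for NetworkService, domain\account_name for a domain account
        [Parameter(Mandatory)][string]$Account
    )
    $registered = @(Get-RegisteredSpn -SetspnOutput $SetspnOutput)
    $expected   = @("AFServer/$MachineFqdn", "AFServer/$MachineName")

    foreach ($spn in $expected) {
        # -notcontains compares case-insensitively, as SPN lookups do.
        if ($registered -notcontains $spn) {
            [pscustomobject]@{
                MissingSpn = $spn
                # -s makes setspn check for a duplicate before it registers the SPN.
                FixCommand = "setspn -s $spn $Account"
            }
        }
    }
}

# Constructed sample of "setspn -l CONTOSO\svc-af" output (placeholder names).
# On a live system, capture it instead with: $out = setspn -l $account
$sample = @'
Registered ServicePrincipalNames for CN=svc-af,CN=Users,DC=contoso,DC=com:
    AFServer/AFSRV01.contoso.com
'@ -split "`r?`n"

Get-MissingAFServerSpn -SetspnOutput $sample `
    -MachineName 'AFSRV01' `
    -MachineFqdn 'AFSRV01.contoso.com' `
    -Account 'CONTOSO\svc-af' | Format-List
```

Review the reported FixCommand before running it; the script only prints the command and changes nothing in Active Directory.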
Procedure
To delete the two SPNs created for a PI AF application service that runs under the
NetworkService account, enter these two commands in sequence:
setspn -d AFServer/machine_FQDN machine_name
Procedure
1. From the Start menu, type dsa.msc in the Search box and press Enter.
Configure delegation settings for the machine account where the external data
resides
Before you start
Ensure you are logged into the domain to which the AFServer service's domain account
belongs.
Procedure
1. From the Start menu, type dsa.msc in the Search box and press Enter.
Configure delegation settings for the domain account under which the
AFServer service runs
Before you start
Ensure you are logged into the domain to which the AFServer service's domain account
belongs.
Procedure
1. From the Start menu, type dsa.msc in the Search box and press Enter.
The Active Directory Users and Computers snap-in opens in the Microsoft Management
Console window.
2. Locate and expand the container in which the computer account for the AFServer service
resides.
Configure delegation settings for the domain account that controls access to
the external data
Before you start
Ensure you are logged into the domain to which the AFServer service's domain account
belongs.
Procedure
1. From the Start menu, type dsa.msc in the Search box and press Enter.
The Active Directory Users and Computers snap-in opens in the Microsoft Management
Console window.
2. Locate and expand the container in which the user account under which the service that
controls access to the external data source resides.
3. Right-click the account, and then click Properties.
The user account's Properties window opens with the General tab selected.
Results
Your system is now configured to support constrained delegation between the AFServer
service and the specified service that allows access to the external data.
Firewall with PI Server in the DMZ and PI AF and SQL Server on the LAN
In this scenario, only the PI Server resides in the DMZ. The SQL Server and PI AF server are
connected to the LAN. This scenario might occur when customers want to access data from
foreign databases or synchronize PI AF assets with an ERP or maintenance system.
Connection Type
Description
PI AF object security
Security in PI AF is tightly bound to Windows security. Objects and their effective permissions
are based on the Windows user identity. You can set permissions for individual objects and for
collections.
Note:
If users have administration privileges on the PI AF server, then they are granted all
security rights to all objects within the PI AF server, including all databases. This is true
regardless of whether the user is granted or denied specific rights on individual objects.
AFElementTemplate
AFContact
AFEnumerationSet
AFCategory
AFReferenceType
AFDatabase
AFTable
AFAnalysis
AFNotification
AFAnalysisTemplate
AFNotificationContactTemplate
AFElement
UOMDatabase
Procedure
1. Right-click the object and select Security from the menu. The permission properties dialog
box for the selected object appears.
2. Select users and set permissions as needed. Permissions are defined in AF object access
permission settings.
Groups and users used to define security are based on Windows security. It is better to
assign permissions to groups, rather than users. It is inefficient to maintain user accounts
directly.
Element security
When you change access permissions for an element, the access permissions for any parent or
child elements might also change. The behavior depends on the reference type.
Reference type
Description
Weak
Composition
Access permissions for child and parent are always the same.
If you change the access permissions for the child, the parent access permissions are
automatically changed to match the child permissions. Similarly, if you change the access
permissions for the parent, the child access permissions are automatically changed to match
the parent permissions. These changes cascade down (and up) through the hierarchy.
Parent-child
Child elements do not inherit the access permissions from the parent element. You can copy
the parent's access permissions to all of the child objects in the primary path. This process
needs to be repeated each time the parent's access permissions change and you want the
child elements in the primary path to have the new access permissions.
Child elements in the primary path are easily noted: they have strong references to their
parent element and are owned by the parent element. They have the standard element icon in
the hierarchy.
Child elements that have a strong reference to the parent element, but are owned by a
different element, are not in the primary path. These child elements have a reference arrow
on the standard element icon, making it obvious that they are not in the primary path.
Procedure
1. In the Browser, right-click on the object for which you want to change permission
inheritance and choose Security from the menu.
2. In the Permissions for <Object> window, click Advanced.
3. In the Advanced Security Settings for <Object> window, make the desired access permission
changes.
a. Select the Principal you want to change.
b. Click Edit.
c. In the Permission Entry for <Object> window, select the desired permissions and click
OK.
4. At the bottom of the Advanced Security Settings for <Object> window, click the Replace all
child object permission entries with inheritable permission entries from this object
checkbox.
Note:
If you are using an older operating system, this checkbox is worded slightly
differently, but has the same effect.
5. Click OK.
6. In the Windows Security window, click Yes.
7. Click OK to close the Permissions for <Object> window.
Results
The parent object's access permissions are copied to all child objects in the primary path, this
one time. You need to repeat this process any time the parent's access permissions change and
you want to once again copy those permissions to all child objects in the primary path.
frames have a reference arrow on the standard event frame icon, making it obvious that they
are not in the primary path.
Transfer
When you create a new transfer, its access permissions are assigned based on the new
transfer's assigned transfer template, if it was created based on a template. Transfers that are
not created based on a transfer template are assigned access permissions based on the transfer
security item associated with the current PI AF database.
UOM security
You cannot set permissions for individual UOMs or UOM classes. However, you can set
permissions for the entire UOM database. Right-click in a blank area, as shown in the following
figure, and select Security.
Note:
UOMs are always readable (always have the Read permission) regardless of their
security settings.
Definition
Read
Write
Delete
Admin
ReadData
WriteData
Execute
Subscribe
Subscribe Others
To exclude a subset of a group that has allowed permissions.
To exclude one special permission when you have already granted full control to a user or
group.
Note:
PI Module Database does not support the Deny option. If you are using both PI MDB and
PI AF, avoid the Deny option to prevent synchronization problems.
Procedure
1. Open PI System Explorer and click the Library button in the Navigator pane.
2. Right-click on the PI AF database icon (the root object in the Browser) and choose Security
then the desired collection type. The Permissions window appears.
3. Set the appropriate permissions for the collection.
4. To set the permissions for existing members of a collection, click Advanced. The Advanced
Security Settings window appears.
5. Select the Replace permission entries check box.
6. Select the permission entry and then click Edit.
7. Specify the permissions, which are described in Setting permissions for objects.
PI AF backup considerations
Perform backups of your database on a regular basis. Use Microsoft SQL Server Management
Studio or the sqlcmd command utility.
Consider these points as you design a backup strategy:
Standard maintenance best practices include log backups, daily data backups, and periodic
re-index on all databases.
When the SQL Server Agent is available (all editions of SQL Server except Express), PI AF
will automatically install and schedule a nightly SQL Server backup. Refer to the
Maintenance.sql file located in the PIPC\AF\SQL directory.
Releases beginning with PI AF 2.1 schedule a SQL Server Agent job to back up data and logs.
SQL Server replication requires the SQL Server Agent on the publisher (primary) instance.
Frequency of backup depends on your application; nightly backups might be best. The
default backup does a complete backup every night at 0315, local time. However, you can
change the time and can change the frequency and whether full or differential backups are
done.
Place the backup file on a different physical disk from where the SQL Server data is located.
You might not be able to write to the root folder of C:\ drive. Use another drive, such as a
network drive, or a subfolder.
SQL Express 2008 does not include a job scheduler, so you need to use a Windows utility to
schedule the backup. You can use the following command to run the backup:
sqlcmd -S <SQLINSTANCE> -d PIFD -Q "EXEC dbo.usp_backup @outpath = N'',
@allwaysfullbackup = 1;" -E
You will need the sysadmin, db_owner, or db_backupoperator role. Using the role with the
least privilege is the best security practice.
Back up the master database regularly. This database contains the metadata for the PIFD
database, such as the database properties, table definitions, and so forth. The PI AF
scheduled backup backs up the PIFD, master, msdb, and PIFD_distribution databases.
OSIsoft recommends that you change your PIFD database from the simple recovery model
to the full recovery model to allow point-in-time recovery. The PI AF Server installation kit
configures the PIFD database with a simple recovery model by default. With this simple
recovery model, transaction logs cannot be backed up and point-of-failure recovery is not
possible. If you set the PIFD database to the full recovery model, the PIFD transaction logs
Procedure
1. On the PI AF server computer, select Control Panel > Administrative Tools > Performance
Monitor.
2. In the Performance Monitor window, under Monitoring Tools, select Performance Monitor.
3. In the right-hand pane, click the green plus sign.
4. In the Add Counters dialog box, scroll down to and expand PI AF Server to show the Health
counter.
5. Select the Health counter and click OK.
The Performance Monitor now displays the PI AF Server Health counter in the chart. The
performance counter can have two values:
0
PI AF server is not running or cannot establish a successful connection with SQL Server,
or the PI AF Service account is not a member of the Windows Performance Monitor Users
group.
1
PI AF server is running and communicating successfully with SQL Server.
Are the firewall settings correct? See Considerations for firewalls and ports for PI AF.
Do you have possible DNS errors on your network? Check with your network administrator.
A Service Principal Name (SPN) has not been generated for the AFServer service's domain
account, if the AFServer service is running under a domain account. If the service is running
under the NetworkService account, then a Service Principal Name has not been generated
for the machine on which the AFServer service is running (the latter is an unlikely scenario
because the NetworkService, by default, has the required permissions to generate an SPN
for the machine). See Check and set permissions for SPN creation.
Troubleshoot PI AF collectives
Use the topics in this section to troubleshoot issues with PI AF collectives.
This message indicates that the logged-on user is unable to access one of the servers included
in the collective. The error is most likely related to the fact that the logged-on user does not
have the correct permissions on the primary PI AF SQL database computer.
Review the Application event logs on the PI AF server and PI AF SQL database computers,
beginning with the primary PI AF server, to determine which computer is receiving the
connection error.
Be sure that the login account is given sysadmin privileges to SQL Server on the AF SQL
database computer.
In the SnapShot status row (the first row in the bottom section), the message displays:
Access to the path [..\repldata\...] is denied.
Click OK to exit the error window. In the Create New Collective Finishing window the same
message appears. Click Cancel to exit the window. The collective was not created. Start the SQL
Server Agent service on the primary server, then create the new collective.