
Foxboro™ DCS

Centralized Virtualization Management for Windows Server 2016

User’s Guide


B0700HC, Rev D

July 2022

https://www.se.com
Legal Information
The Schneider Electric brand and any trademarks of Schneider Electric SE and its
subsidiaries referred to in this guide are the property of Schneider Electric SE or its
subsidiaries. All other brands may be trademarks of their respective owners.
This guide and its content are protected under applicable copyright laws and furnished
for informational use only. No part of this guide may be reproduced or transmitted in
any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), for any purpose, without the prior written permission of Schneider Electric.
Schneider Electric does not grant any right or license for commercial use of the guide
or its content, except for a non-exclusive and personal license to consult it on an "as is"
basis. Schneider Electric products and equipment should be installed, operated,
serviced, and maintained only by qualified personnel.
As standards, specifications, and designs change from time to time, information
contained in this guide may be subject to change without notice.
To the extent permitted by applicable law, no responsibility or liability is assumed by
Schneider Electric and its subsidiaries for any errors or omissions in the informational
content of this material or consequences arising out of or resulting from the use of the
information contained herein.

Table of Contents
Preface
  Revision Information
  Related Documents
  Schneider Electric Products Mentioned in this Document
  Global Customer Support
  We Welcome Your Comments
Chapter 1: Overview of Virtualization
  Typical Virtualized System with CVM Functionality
  Introduction to Central Virtualization Management (CVM)
  Two Server Configuration
  Three Server Configuration
  Virtualization Host Network (VHN)
  Foxboro DCS Hyper-V Host Domain
Chapter 2: Physical V91 Server Setup
  Best Practices for Virtualization of Domain Controllers on Windows Server 2008-2016
  Set Up the Physical V91 Server
  Configuring CVM Functionality
  Install McAfee Endpoint Security (Self-Managed)
Chapter 3: Virtualization Host Network Connection Configuration on a V91 Server
  Virtualization Host Network on the V91 Server
  Creating NIC Teaming When Using More Than One Network NIC
  Creating the Virtual Switch for the Virtualization Host
Chapter 4: User Interface for the Installation/Configuration of the CVM Active Directory Domain
  Configuration Services for Active Directory in Your Virtualized System
  CVM Primary Domain Controller (PDC) Installation and Configuration on a Virtual Windows Server 2016
  Prerequisites for Using the CVM User Interface
  Installing and Configuring a CVM Primary Domain Controller
  Verifying Successful Primary Domain Controller Installation and Configuration
  Adding CVM Active Directory Structures to an Existing Windows Server 2016 Domain
  Verify Successful Active Directory Domain Structures Addition
  Details of the Organizational Unit (OU) Structure and the Group Policy Linkage for CVM Domain
  Schneider Electric
  SE VM Host Accounts
  SE VM Hyper-V Servers
  Remote Desktop Enabled Hyper-V Servers
  Secondary Domain Controller (SDC) Installation and Configuration on Virtual Windows Server 2016
  Preliminary Steps
  Installing and Configuring a Secondary Domain Controller
  Addition of a V91 Windows Server 2016 to a CVM Domain
  Preliminary Steps
  Configuring DNS for Client/Host
  Adding a V91 Virtual Host running Windows Server 2016 OS to a domain
Chapter 5: Virtual Machines on Windows Server 2016 Hyper-V
  Install and Configure the McAfee ENS with ePO
Chapter 6: Replication Setup and Enabling Process
  Replication Folder Location Setup
  Hyper-V Server Selection for Replication
  Kerberos (HTTP) Usage
  Port Configuration (Custom or Default)
  Firewall Inbound Traffic Rule Configuration
  Certificate-based Authorization (HTTPS) Usage
  Security Certificates
  Primary Server Certificate Requirements
  Replica Server Certificate Requirements
  certutil Validation
  Enable Replication on Hyper-V Server 2016
  Replication Firewall Rules
  Enable Replication Tasks
  Initial Virtual Machine Replication over the Network or via an External Drive
  Planned Failover and Unplanned Failover of Primary Virtual Machine Operations to Replica Server
  Planned Failover
  Unplanned Event in Which Hardware Becomes Unavailable
Chapter 7: Live Migration Configuration
  Configure Live Migration on Hyper-V Host(s)
  Configuring Initial Live Migration Settings
  Configure Live Migration Advanced Features
  Performing Live Migration to Move a VM from One Hyper-V Host to Another
Chapter 8: Centralized Management of Virtual Machines
  Hyper-V Manager for Starting and Stopping VMs
  Starting the VM
  Shutting down the VM
  State of Virtual Machines (VM)
  Setup for Health Alerts for Physical V91s and Virtual Machines Running on V91s
  Health Alerts for Physical V91s
  Health Alerts for Virtual Machines Running on V91s
  Observing Resource Utilization on the Physical V91 Host Server
  Task Manager Application
  Resource Monitor to Accessing the Resource Monitor
  Viewing Resources Utilization of Virtual Machines
  Rebooting/Re-initializing Server Hardware Remotely
Chapter 9: Troubleshooting
  WinRM Is Not Running
  Modifying the WinRM Service
  Modifying the Group Policy on the Domain
  Viewing Security Certificate Condition on the HP HomePage
  Pinging between V91 Servers Results in Timeout
  Creating Custom Firewall Rule
  Certificate Creation Using the OpenSSL Tool
Appendix A: NIC Teaming in Combination with Various NIC Selections Available with V91
  Scenario 1: Four RJ-45 Cu Integrated Network Interface Ports
  Scenario 2: Two Single Port FDCN NICs + Four RJ-45 Cu Integrated NICs
  Scenario 3: Two Dual Port FDCN NICs + Four RJ-45 Cu Integrated NICs
  Scenario 4: Two single port FDCN NICs + Two single port RJ-45 PCIe NIC + 4 RJ-45 Integrated NICs
  Scenario 5: Two Dual Port FDCN NICs + Two Dual Port Additional NICs + 4 RJ-45 Cu Integrated NICs
Appendix B: IP Address Schemes
Appendix C: Certificate Creation Using the Makecert Tool
  Download/Extract Makecert.exe from Microsoft Windows SDK for Windows 10 and .NET Framework 4
  Links to Makecert.exe (Certificate Creation Tool)
  Download Certificate Creation Tool
  Creating Certificates Using makecert.exe
  Exporting Certificate to VM Host Manager
  Importing Certificate to Target Hyper-V Replica Servers
Appendix D: Certificate Creation Using the OpenSSL Tool
  Create Certifications Using OpenSSL
  Download OpenSSL Installation Files
  Installing OpenSSL Setups
  Modify Environment Variable Path to OpenSSL Executable from Any Path
  Creation of Root CA (Certificate Authority) and Client Certificates
  Creating the Root CA
  Creating and Signing Certificates
  Installing Certificates on Clients
  Create the Registry Key
Appendix E: Network Drive Access
  Editing CVM PDC Settings
  Updating Policy Settings on V91 Host
Appendix F: Performance Counters
  Editing CVM PDC Settings
  Monitoring Performance Counters on the V91 Host
Appendix G: Enabling Remote Desktop Services
Appendix H: Creating VMHostAdmin Users in the Active Directory
Glossary
Index


Important Safety Instructions


Read these instructions carefully and look at the equipment to become familiar with it
before trying to install, operate, service, or maintain it. The following safety messages
might appear throughout this manual or on the equipment to warn of potential hazards
or to call attention to information that clarifies or simplifies a procedure.

The addition of this symbol to a “Danger” or “Warning” safety message
indicates that an electrical hazard exists that results in personal injury if
the instructions are not followed.

This safety alert symbol lets you know about potential personal
injury hazards. Obey all safety messages with this symbol to avoid
possible injury or death.

DANGER
DANGER indicates a hazardous situation which, if not avoided, will result in death
or serious injury.
Failure to follow these instructions will result in death or serious injury.

WARNING
WARNING indicates a hazardous situation that, if not avoided, could result in
death or serious injury.
Failure to follow these instructions can result in death, serious injury, or
equipment damage.

CAUTION
CAUTION indicates a hazardous situation that, if not avoided, could result in
minor or moderate injury.
Failure to follow these instructions can result in injury or equipment damage.

NOTICE
NOTICE is used to address practices not related to physical injury.
Failure to follow these instructions can result in equipment damage.

Please Note
Electrical equipment should only be installed, operated, serviced, and maintained by
qualified personnel. No responsibility is assumed by Schneider Electric for any
consequences arising out of the use of this material.
A qualified person is one who has skills and knowledge related to the construction,
installation, and operation of electrical equipment and has received safety training to
recognize and avoid the hazards involved.


Preface
EcoStruxure™ Foxboro DCS™ systems with Windows Server® 2016 allow you to run
Hyper-V virtual machines with EcoStruxure™ Foxboro™ DCS Control Core Services
v9.4 or later software and connect to them using thin clients.
The virtualization of the Control Core Services and EcoStruxure™ Foxboro™ DCS
Control Software (Control Software) is supported on the Microsoft® Hyper-V™
hypervisor on the V91 EcoStruxure™ Foxboro™ DCS Virtualization Server. The
number of virtual machines able to run on a single V91 has been optimized so
that the virtual machines behave logically on Foxboro DCS systems the same as
physical stations.
NOTE: Virtualization is not supported on Magelis servers.
This user document is written for experienced Foxboro DCS system users. It focuses
on what is different for a virtualized Foxboro DCS system in comparison to our
standard physical Foxboro DCS system. This user document assumes that the reader
is already familiar with Control Core Services v9.4 and Foxboro DCS Control Software
v7.1 or later, the Foxboro DCS Control Network (Control Network), and Windows
Server® 2016 Standard functionality (including Remote Desktop Services
capabilities). If you are not already familiar with these subject areas, review
the documents listed in Related Documents, page 9. This user document does not
repeat functionality that is already documented in other locations.
For information regarding the Model V91 Server Virtualization Host, see the
document: Hardware and Software Specific Instructions for Model V91 Server
Virtualization Host (HP DL380 Gen9) Windows Server 2016 Operating System
(B0700HE).

Revision Information
This revision of the document includes these changes:

• Throughout: Updated documentation references.

Related Documents
• Alarm and Display Manager Configurator (ADMC) Guide (B0700AM)
• Control Core Services v9.4 Software Installation Guide (B0700SX)
• Control Core Services v9.4 Release Notes (B0700SY)
• Control Core Services v9.5 Software Installation Guide (B0700TC)
• Control Core Services v9.5 Release Notes (B0700TD)
• Control Core Services v9.6 Software Installation Guide (B0700TK)
• Control Core Services v9.6 Release Notes (B0700TL)
• Control Software v7.2 Installation Guide (B0750RA)
• I/A Series Configuration Component (IACC) User's Guide (B0700FE)
• I/A Series Configuration Component (IACC) V2.6.4 Release Notes (B0700SM)
• Integrated Control Configurator (B0193AV)
• Control Database Deployment User's Guide (B0750AJ)
• Flat Panel Monitor Software Setup for UNIX® and Windows® Workstations
(B0193PL)

• Framer and Alarm Management User’s Guide (B0750AR)


• Hardware and Software Specific Instructions for Model V91 Server Virtualization
Host (HP DL380 Gen9) Windows Server 2016 Operating System (B0700HE)
• McAfee ENS 10.7 and ePO 5.10 Installation Guide (B0700WK)
• Monitors for Windows Workstations Installation and Configuration Guide
(B0700GD)
• Security Implementation User's Guide for I/A Series and Foxboro DCS
Workstations (Windows 10 or Windows Server 2016 Operating Systems)
(B0700HG)
• System Management Displays Guide (B0193JC)
• System Manager User’s Guide (B0750AP)
• System Manager V2.12 Release Notes (B0750RS)
• Symantec System Recovery 2011 Workstation Edition and Server Edition Guide
for I/A Series Workstations (B0700ES)
• Switch Configurator Application Software (SCAS) for the Control Network User’s
Guide (B0700CA)
• Control Network Architecture Guide (B0700AZ)
• Thin Client User’s Guide (B0700VN)
• Veritas System Recovery 2016 Desktop, Server and Virtual Editions Guide for I/A
Series® and Foxboro™ DCS Process Automation Systems (B0700EY)
• Virtualization User's Guide for Windows Server 2016 (B0700HD)
• Workstation Alarm Management Guide (B0700AT)
The latest revisions of each document are also available through our Global Customer
Support at https://pasupport.schneider-electric.com (registration required).

Schneider Electric Products Mentioned in this Document


EcoStruxure™ Foxboro™ DCS
EcoStruxure™ Foxboro™ DCS Control Core Services
EcoStruxure™ Foxboro™ DCS Control Editors
EcoStruxure™ Foxboro™ DCS Control HMI
EcoStruxure™ Foxboro™ DCS Control Network
EcoStruxure™ Foxboro™ DCS Control Software
EcoStruxure™ Foxboro™ DCS System Definition
EcoStruxure™ Foxboro™ DCS System Manager
V91 EcoStruxure™ Foxboro™ DCS Virtualization Server

Global Customer Support


For support, visit https://pasupport.schneider-electric.com (registration required).

We Welcome Your Comments


To help us improve documentation, we want to know about any corrections,
clarifications, or further information you would find useful. Send us an email at
systemstechpubs@se.com.
This email address is only for documentation feedback. If you have a technical
problem or question, contact Global Customer Support.


Chapter 1: Overview of Virtualization


Typical Virtualized System with CVM Functionality
This image provides an example view of a virtualized Foxboro DCS system using a
networked V91 server with CVM functionality.

Figure 1 - Typical Virtualized System Using Standalone V91 with the Virtual Host
Network

[Figure not reproduced. Labels in the image: thin clients (TC); DCS Auxiliary
Communications Network (ACN); V91 servers hosting VMs; Virtualization Host
Network; CS or CCS with RDS; FDCN; CS or CCS stations; Control Processors; link
speeds of 100Mbps and 1Gbps.]

ePO - McAfee ePolicy Orchestrator (can be installed on PDC or SDC)
FDCN - Foxboro DCS Control Network (Control Network)
CCS - Foxboro DCS Control Core Software (Control Core Software)
CS - Foxboro DCS Control Software (Control Software)
PDC - Primary domain controller
RDS - Remote Desktop Services (formerly known as Terminal Services)
SD + ePO - Secondary domain controller & ePO on same VM
VM - Virtual Machine
V91 - Configure to order Model code server with Server OS Hyper-V
CVMPDC - Primary domain controller for V91 Server Only
CVMSDC - Secondary domain controller for V91 Server Only

Introduction to Central Virtualization Management (CVM)


When V91 servers are networked together by connecting the physical host servers to
a network and having them as part of a Windows Active Directory domain, it is
possible to manage and monitor multiple V91 servers from a single location. As
explained in the image in Typical Virtualized System with CVM Functionality, page 12,
there are two major requirements for this use case:
• V91 servers must be connected via a common network. This network is a
customer-supplied network. For more information about this network, see
Virtualization Host Network (VHN), page 13.
• V91 servers must be part of the same Active Directory domain. Instructions for
creation of a domain using virtual machines are provided in Chapter 4: User
Interface for the Installation/Configuration of the CVM Active Directory Domain,
page 28.


Two Server Configuration


Figure 2 - VHN Dedicated Network - No Switch Needed for Two Servers

[Figure not reproduced. Labels in the image: CVM Domain as VM, Two Servers;
V91-1 VM Host 2016; V91-2 VM Host 2016; Primary VMs; Replica VMs; PDC; SDC;
No Replication Required; NIC TEAM; TC; DCS ACN; Control Network.]

No Replication for Domain Virtual Machines (PDC or SDC)

Three Server Configuration


Figure 3 - VHN Dedicated Network - Switches Needed for Three Servers

[Figure not reproduced. Labels in the image: CVM Domain as VM, Three Servers;
V91-1 VM Host 2016; V91-2 VM Host 2016; V91-3 VM Host 2016; Primary VMs;
Replica VMs; PDC; SDC; No Replication Required; NIC TEAM; TC; DCS ACN;
Control Network; Virtualization Host Network.]

No Replication for Domain Virtual Machines (PDC or SDC)

Virtualization Host Network (VHN)


NOTE: We recommend that the VHN be separate from the DCS ACN network for
security reasons. The DCS ACN is typically exposed to operators and therefore
represents a security threat if used for the VHN.
The Virtualization Host Network is a dedicated network which is required if CVM
functionality is desired between multiple V91 Servers. With this customer-supplied
network, up to two V91 Servers can be connected via crossover/direct connect cable
without a switch. The maximum distance possible using
single-mode fiber NICs (RH103AT) is 10 kilometers. Using the NIC teaming features
described in Appendix A: NIC Teaming in Combination with Various NIC Selections
Available with V91, page 199, you can use multiple NICs together for redundancy.


See VHN Dedicated Network - No Switch Needed for Two Servers, page 13 for an
example of two V91 servers on the Virtualization Host Network.
When connecting more than two V91 Servers, use a suitable switch, or a pair of
switches for redundancy. The switch must be able to support connections to the 1Gb
Copper or 1Gb Fiber NICs available with the V91 server. For a full list of NICs
available with V91, see Appendix A: NIC Teaming in Combination with Various NIC
Selections Available with V91, page 199. See VHN Dedicated Network - Switches
Needed for Three Servers, page 13 for an example of three V91 servers on the
Virtualization Host Network.
The resulting network created with the switches must be able to handle bandwidth
and latency requirements as indicated in these tables.

Table 1 - Bandwidth Requirements

Bandwidth Required

No.  Type of VM                  Initial Replication /     Ongoing Replication Average
                                 Move Size                 30 Seconds   5 Minutes   15 Minutes
1    Very Light VM (Not many     20 to 50 GB or more (a)   200 KB       2 MB        7 MB
     changes) such as Operator
     station
2    Heavy VM (regular           80 GB to 120 GB or        1 MB         128 MB      670 MB
     changes) such as Historian  more (a)

(a) The total size of the virtual machine depends on the type of applications installed
on the VM and the hard drive space used.

The next table provides maximum network latency that can be tolerated for successful
ongoing replication. These results are based on a historian VM with 5K points
changing every second.
For the test setup, two V91 servers with a direct connect cable for the Virtualization
Host Network were used. Network latency was introduced using “Microsoft's Network
Emulator for Windows Toolkit (NEWT)”.

Table 2 - Network Latency

Maximum Network Latency for Successful Replication

Replication Frequency   Every 30 seconds   Every 5 minutes    Every 15 minutes
Network Latency         15 milliseconds    100 milliseconds   250 milliseconds

Foxboro DCS Hyper-V Host Domain


The Foxboro DCS Hyper-V Host domain is a dedicated Windows Server 2016-based
domain for V91 Servers only. Using this domain and connecting V91 servers via the
Virtualization Host Network provides these benefits in addition to the benefits of
Server 2016-based Hyper-V:


• Monitor all connected V91 servers from a single location. Configuration
instructions for CVM are described in Chapter 4: User Interface for the
Installation/Configuration of the CVM Active Directory Domain, page 28. CVM
features/tasks are explained in Chapter 8: Centralized Management of Virtual
Machines, page 146.
• Create backup/replica virtual machines and automatically keep them in
synchronization. This replication and its configuration and setup are described in
Chapter 6: Replication Setup and Enabling Process, page 66.
• Move a virtual machine from one V91 server to another with minimal or no
interruption to the virtual machine or any user connected to the virtual machine.
Live migration and its configuration and setup are described in Chapter 7: Live
Migration Configuration, page 115.


Chapter 2: Physical V91 Server Setup


Best Practices for Virtualization of Domain Controllers on
Windows Server 2008-2016
This is a compilation of best practices for the virtualization of domain controllers
with Windows Server 2008-2016:

NOTICE
POTENTIAL DATA LOSS
• Do not pause or stop a virtual machine that is running a domain controller. To
stop it, always shut down a domain controller from within Windows.
• Do not copy or clone VHD files of a virtual machine that is running a domain
controller. Always perform proper backup/restore operations using the supported
backup software.
• Do not use the Snapshot/Checkpoint feature or store the saved state as a
backup of a virtual machine domain controller.
• Do not use the Export feature on a virtual machine that is running a domain
controller (except for lab testing).
• Do not restore a domain controller or attempt to roll back the contents of an
Active Directory database by any means other than using the supported backup
software.
• Do not use Hyper-V replication for any domain controller (PDC, SDC) VMs.
• Performing any of these actions might result in Active Directory corruption, which
might require restoring from backup or rebuilding one or all the active directory
domain controllers.
Failure to follow these instructions can result in data loss.
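
Three of the practices in this notice leave a visible trace in Hyper-V (a paused or saved VM state, existing checkpoints, and enabled replication), so they can be audited with the Hyper-V PowerShell module. The script below is an added example, not part of the Foxboro guide; the function names and the VM names CVMPDC and CVMSDC are assumptions, and the sample records are constructed so the checks can be run off-host.

```powershell
# Added example: audit domain controller VMs against the practices listed above.
# Function names and VM names are hypothetical; adjust them to your CVM domain.
Set-StrictMode -Version Latest

function Get-DcVmRecord {
    # Collects the facts the checks need from the local Hyper-V host.
    # Requires the Hyper-V PowerShell module and an elevated session.
    param([Parameter(Mandatory)][string[]]$VMName)
    foreach ($vm in Get-VM -Name $VMName) {
        [pscustomobject]@{
            Name             = $vm.Name
            State            = [string]$vm.State
            ReplicationState = [string]$vm.ReplicationState
            Checkpoints      = @(Get-VMSnapshot -VMName $vm.Name | ForEach-Object Name)
        }
    }
}

function Test-DcVmPractice {
    # Evaluates one record and returns the practices it violates.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $findings = @()

        # "Do not pause or stop a virtual machine that is running a domain controller."
        if ($Record.State -in 'Paused', 'Saved') {
            $findings += "VM state is $($Record.State); shut the domain controller down from within Windows"
        }

        # "Do not use the Snapshot/Checkpoint feature ... as a backup."
        if ($Record.Checkpoints.Count -gt 0) {
            $findings += "checkpoints present: $($Record.Checkpoints -join ', ')"
        }

        # "Do not use Hyper-V replication for any domain controller (PDC, SDC) VMs."
        if ($Record.ReplicationState -ne 'Disabled') {
            $findings += "Hyper-V replication is enabled (state: $($Record.ReplicationState))"
        }

        [pscustomobject]@{
            Name      = $Record.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample records (not real output) so the checks run without Hyper-V.
$sample = @(
    [pscustomobject]@{
        Name = 'CVMPDC'; State = 'Running'; ReplicationState = 'Disabled'
        Checkpoints = @()
    }
    [pscustomobject]@{
        Name = 'CVMSDC'; State = 'Saved'; ReplicationState = 'Replicating'
        Checkpoints = @('pre-patch')
    }
)
$sample | Test-DcVmPractice | Format-List

# On a V91 host, replace the sample with live data:
# Get-DcVmRecord -VMName 'CVMPDC', 'CVMSDC' | Test-DcVmPractice | Format-List
```

Copying VHD files, exporting a VM, and restoring outside the supported backup software leave no such state on the VM object, so those practices still need procedural control.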

Set Up the Physical V91 Server


Set up the physical V91 server and activate the Windows Server 2016 Standard
operating system on Model V91 server virtualization hosts.

NOTICE
POTENTIAL SECURITY VULNERABILITY
The default factory-shipped Administrator account name and the password for the
account in the V91 server virtualization host are:
• Account Name: Account1
• Account As-Shipped Password: Password1
We strongly advise that you change the default password after receiving the V91.
Verify that any new passwords are documented in a secured location.
Failure to follow these instructions will leave the system accessible to
unauthorized users.

This chapter provides this information:


• A flowchart indicating the information required to set up your virtual machines on
a V91 virtualization host

• The manual steps required to set up the physical server, with references to more
detailed information
◦ Before installing the Antivirus software, you must install the Local Group
Policies.
◦ We strongly recommend that you install approved security patches. The latest
security patches are available from Global Customer Support at
https://pasupport.schneider-electric.com (registration required).

Figure 4 - Flowchart for Creating Virtual Machines on a V91 Server

[Flowchart image not reproduced. It has two tracks: "Virtualization Host", which ends at "Ready to start creating VMs", and "Need to create a Virtual Machine", which ends at "VM ready for use".]

Configuring CVM Functionality


1. On each V91 Server, set up the virtual network for the Virtualization Host
Network. See Chapter 3: Virtualization Host Network Connection Configuration
on a V91 Server, page 20 for more information.

2. On any V91 Server, create a Virtual Machine (VM) for the Server 2016 CVM
Primary Domain Controller (PDC). On another V91 Server, create a VM for the
Server 2016 CVM Secondary Domain Controller (SDC). See Virtualization for
Windows Server 2016 User's Guide (B0700HD).
3. Install the Windows Server 2016 VM image (K0177BD) on the CVM PDC VM and
the CVM SDC VM. After reboot, set the CVM PDC and SDC computer names.
See Virtualization for Windows Server 2016 User's Guide (B0700HD).
4. On the CVM PDC and SDC VMs, install a preferred virus scanner. See Related
Documents, page 9 for the latest McAfee ENS and ePO Installation Guide.
5. On the CVM PDC and SDC VMs, activate Windows Server 2016 OS. For more
information, see Hardware and Software Specific Instructions for Model V91
Server Virtualization Host (HP DL380 Gen9) Windows Server 2016 Operating
System (B0700HE).
6. On each V91 Host Server, assign IP addresses for the CVM PDC and SDC into
the DNS Server entries. See Chapter 3: Virtualization Host Network Connection
Configuration on a V91 Server, page 20.
7. Install Active Directory on the CVM PDC and SDC VMs. See Chapter 4: User
Interface for the Installation/Configuration of the CVM Active Directory Domain,
page 28.
8. Add the physical V91 Host Servers to the domain. See Addition of a V91
Windows Server 2016 to a CVM Domain, page 60.
9. To install the remaining (non CVM PDC and SDC) VM images, see Virtualization
for Windows Server 2016 User's Guide (B0700HD).

10. For more information, see Chapter 3: Virtualization Host Network Connection
Configuration on a V91 Server, page 20, Chapter 6: Replication Setup and
Enabling Process, page 66, and Chapter 7: Live Migration Configuration, page
115.

Figure 5 - Process Flow

[Process flow image not reproduced. Its three columns are: On Hosts Servers, On CVM PDC and SDC, On Foxboro VMs.]

Install McAfee Endpoint Security (Self-Managed)


See Related Documents, page 9 for the latest McAfee ENS and ePO Installation
Guide to install the McAfee products.

Chapter 3: Virtualization Host Network Connection Configuration on a V91 Server
When using more than one V91 server (two or more servers) with CVM functionality,
they must be connected to the Virtualization Host Network (VHN). This task involves
these steps:
• If more than one NIC is involved, a NIC team must be created.
• A virtual switch must be created on the network to connect to the virtual host.

Virtualization Host Network on the V91 Server


NOTE: When using more than one NIC for this network, create a NIC team first.

Creating NIC Teaming When Using More Than One Network NIC


1. Open the Server Manager and browse to Local Server. Select NIC Teaming
Disabled.

2. On the TASKS menu, click New Team.

3. Select the checkbox for each of the NICs to be used for the NIC
teaming. Enter a Team Name. In the example image, the Virtualization Host
Network Team uses two NICs.

The configured team name with related information appears in the NIC Teaming
window.

4. Close all windows.


The newly created team appears in this image as Microsoft Network Adapter
Multiplexor Driver NIC in the Network Connections window.

Creating the Virtual Switch for the Virtualization Host


1. Open Hyper-V Manager: click Start and then click Administrative Tools >
Hyper-V Manager. Then, in the right panel, click Virtual Switch Manager to
open the Virtual Switch Manager.

2. On the Virtual Switch Manager window, select New virtual network switch and
in the Create Virtual Switch panel, select External. Click Create Virtual Switch.

3. In the Virtual Switch Manager window, enter the Virtual Switch Properties
information. For example:
a. For the name, enter Virtualization Host Network Connection.
b. Select Microsoft Network Adapter Multiplexor Driver from the external
network list.
c. Select Allow Management operating system to share this network
adapter.
d. Click Apply.

4. If this message appears, click Yes.

5. On the Network Connections screen, the newly created connection appears as:
• Device Name: Hyper-V Virtual Ethernet Adapter
• Network Name: vEthernet (Virtualization Host Network Connection)

6. Right-click this network name and select Properties.

7. On the User Account Control (UAC) dialog box, click Yes.

8. On the related Properties screen under Networking, click Internet Protocol
Version 4 (TCP/IPv4) and then Properties.

9. Enter the IP address for this host and click OK. See Appendix B: IP Address
Schemes, page 202 for IP address suggestions.

10. Close all windows.


11. Repeat Step 1 through Step 10 for each of the V91 servers.
NOTE: To verify that you set up the network correctly, try pinging between the
V91 servers after setting up the VHN network. If pinging between V91 host
servers times out, see Pinging between V91 Servers Results in Timeout,
page 188.
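
The following check script is an added example, not part of the Schneider Electric guide. It verifies on one V91 host the end state of the NIC teaming and virtual switch procedures above, then pings the other hosts as the NOTE suggests. The switch and team names are the ones used in this chapter's examples; the peer addresses are assumed input that you supply.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code: read-only check of the Virtualization Host
# Network (VHN) configuration produced by the GUI steps in this chapter.
param(
    # Name entered in step 3a of the virtual switch procedure.
    [string]$SwitchName = 'Virtualization Host Network Connection',
    # Team name from the example image. Pass '' when only one NIC is used.
    [string]$TeamName = 'Virtualization Host Network Team',
    # Assumption: VHN IP addresses of the other V91 hosts, supplied by you.
    [string[]]$PeerAddress = @()
)

function New-CheckResult {
    param([string]$Check, [bool]$Passed, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-VhnConfiguration {
    # 1. NIC team (only when more than one NIC is used for this network).
    if ($TeamName) {
        $team = Get-NetLbfoTeam -Name $TeamName -ErrorAction SilentlyContinue
        if ($team) {
            $members = @(Get-NetLbfoTeamMember -Team $TeamName)
            New-CheckResult 'NIC team is up' ([string]$team.Status -eq 'Up') `
                "Status=$($team.Status); members=$($members.Name -join ', ')"
        } else {
            New-CheckResult 'NIC team is up' $false "No team named '$TeamName'"
        }
    }

    # 2. External virtual switch shared with the management operating system.
    $switch = Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue
    if (-not $switch) {
        New-CheckResult 'Virtual switch exists' $false "No switch named '$SwitchName'"
        return
    }
    New-CheckResult 'Switch type is External' `
        ([string]$switch.SwitchType -eq 'External') "SwitchType=$($switch.SwitchType)"
    New-CheckResult 'Management OS shares the adapter' `
        ([bool]$switch.AllowManagementOS) "AllowManagementOS=$($switch.AllowManagementOS)"
    if ($TeamName) {
        $bound = $switch.NetAdapterInterfaceDescription
        New-CheckResult 'Switch is bound to the team adapter' `
            ($bound -like 'Microsoft Network Adapter Multiplexor Driver*') "Adapter=$bound"
    }

    # 3. The host-side vEthernet adapter carries a manually assigned IPv4 address.
    $alias = "vEthernet ($SwitchName)"
    $ip = @(Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 `
            -ErrorAction SilentlyContinue)
    $static = @($ip | Where-Object { [string]$_.PrefixOrigin -eq 'Manual' })
    New-CheckResult "Static IPv4 on $alias" ($static.Count -gt 0) `
        ("Addresses: " + ($ip.IPAddress -join ', '))

    # 4. Reachability of the other V91 hosts over the VHN.
    foreach ($peer in $PeerAddress) {
        $reachable = Test-Connection -ComputerName $peer -Count 2 -Quiet
        $detail = if ($reachable) { 'Reply received' }
                  else { 'Timeout; see Pinging between V91 Servers Results in Timeout' }
        New-CheckResult "Ping $peer" $reachable $detail
    }
}

Test-VhnConfiguration | Format-Table -AutoSize -Wrap
```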

Chapter 4: User Interface for the Installation/Configuration of the CVM Active Directory Domain
The Centralized Virtualization Management (CVM) user interface for Windows Server
2016 enables you to perform these tasks:
• CVM Primary Domain Controller installation and configuration
• CVM Secondary Domain Controller installation and configuration
• Add a Windows Server 2016 Server virtualization host to the CVM Domain
• Add CVM Active Directory (AD) structures to an existing corporate Active
Directory
You can use the CVM user interface for installing and configuring primary and
secondary domain controllers, adding a virtual server to a domain, and installing CVM
security policies on existing domain controllers.

Configuration Services for Active Directory in Your Virtualized System
For guidance on configuring Active Directory at your site, including installing
CVM Active Directory structures (OUs and GPOs) into the Foxboro DCS Active
Directory, we recommend contracting with the Schneider Electric
Cybersecurity Services Team for an engineered solution.
More information about Schneider Electric Cybersecurity Services can be found at:
https://www.se.com/ww/en/work/solutions/cybersecurity/.

CVM Primary Domain Controller (PDC) Installation and Configuration on a Virtual Windows Server 2016
Prerequisites for Using the CVM User Interface
Set up and configure the Virtualization Host Network. See Virtualization Host Network
(VHN), page 13 and Chapter 3: Virtualization Host Network Connection Configuration
on a V91 Server, page 20.

Installing and Configuring a CVM Primary Domain Controller


You need the CVM CONFIGURATION SETUP MEDIA – Windows Server 2016
(K0177CC) that provides the CVMGui.exe executable.
To install and configure a PDC on the virtual Windows server:
1. Create a Windows Server 2016 virtual server machine. See Virtualization for
Windows Server 2016 User's Guide (B0700HD).
2. When the CVM VM starts, the system should automatically log on as the
Account1 user. If it does not, log in as Account1 using the default password,
Password1. Open Hyper-V and start the PDC VM.

NOTE: This Account1 will be deleted after the Active Directory is configured.

3. Configure the DNS for the PDC:
a. In the Taskbar, right-click Network and click Open Network and
Sharing Center.

b. From the View Your Active Networks field, click the adapter that will be
configured for CVM Domain. The adapter (Ethernet) Status appears.

c. Click Properties. The adapter (Ethernet) Properties appears.

d. Select the Internet Protocol Version 4 (TCP/IPv4) checkbox and click
Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties
window appears.
e. Click Use the Following DNS Server Address. Enter the PDC IP address
in the Alternate DNS Server field. Click OK.

4. Install Local Group Policy Object for Server 2016. For more information, see
the Local Group Policy Installation Guide (B0799FA).
5. Install Self Managed ENS. See Related Documents, page 9 for the latest McAfee
ENS and ePO Installation Guide.
6. Disable Threat Prevention of the ENS. See Related Documents, page 9 for the
latest McAfee ENS and ePO Installation Guide.
7. Insert the V91 Virtualization Configuration Setup Media DVD into the DVD drive
on the V91 host machine.
8. Copy the ISO image from the DVD drive to either the host V91's hard drive or an
external hard drive.
9. On the CVM VM, from the main menu bar, click Media > DVD Drive > Insert
Disk to browse for the ISO image from the host’s hard drive or external hard
drive.

10. Browse to the location where you have copied the CVM ISO media and double-
click CVMGui.exe to start the PDC installation and configuration.

NOTE: If a system reboot is pending when you try to run CVMGUI.exe, a
system message appears. Click OK to reboot the machine. The
CVMGUI.exe installation starts automatically after the reboot.

NOTE:
• Verify that only one instance of the CVMGui.exe is running.
• These common steps (Step 1 through Step 9) are also repeated for
Secondary Domain Controller (SDC) Installation and Configuration on
Virtual Windows Server 2016, page 54.

11. Select Create New Server 2016 Primary Domain Controller. Click Next to start
the PDC installation.

NOTE: For security reasons, the built-in administrator account is disabled on
the platform image running the Windows Server 2016 OS. The Domain
Controller installation procedure requires that the built-in administrator's
account be enabled with a valid password. The password should be a
minimum of 8 characters containing at least one upper case letter, one lower
case letter, and a numeric digit. After a successful configuration of the Active
Domain, the installation program disables the Administrator account.

12. Enter the password for the built-in administrator in the Create Built-in
Administrator Password fields and click Set. After the password is successfully
set, the password fields are disabled and the Domain Information group of fields
is enabled.

13. The NetBIOS domain name is the name that you see when you log into the
domain. It is generated by the installation application and appears in the
NetBIOS Name text box. The generated NetBIOS name is based on the domain name
specified. The rules for generating a NetBIOS name are:
• The maximum length of the name should be 15 characters.
• The minimum length of the name should be 2 characters.
• It can contain any combination of upper and lower case letters and numbers
as well as special characters.
• The only special characters allowed are - (hyphen) and _ (underscore).
If the generated name does not conform with these rules or is not suitable to
your requirements, you are free to change it in the text box. Generally, this
value is set to the same name as the last segment of the domain name.
14. Under Domain Information enter the DSRM password. The DSRM password
must have a minimum of 14 characters with at least one upper case letter, at least
one lower case letter and at least one numeric digit.

15. Click Next.


NOTE: All the fields in the Domain Information group are filled with default
values. However, different names can be used instead of default values.

16. When the Confirmation dialog box for the Active Directory installation process
appears, click Yes to proceed.

This usually takes a few minutes to complete. Wait while Active Directory is being
installed.

17. When the Active Directory installation has successfully completed, the Active
Directory Installation dialog box appears indicating you can restart the server.
Click Yes to reboot the server. If you click No, you must reboot the server
manually.

NOTICE
POTENTIAL INSTALLATION FAILURE
It is inadvisable to make changes to the computer time between reboots.
Failure to follow these instructions can result in an installation failure.

18. You are notified that the server is rebooting. Click Close to continue.

19. When the server restarts, it prompts you to unlock it. Press Ctrl+Alt+Del. The
login screen appears. Log in as the built-in administrator user.

20. When you log in to the server, the User Account Control (UAC) dialog box
appears. Click Yes to continue with the installation.

21. The installation resumes and the Groups and Users Configuration appears
filled with default usernames for the CVM domain. If you want to change the
default usernames, enter the desired username for each of the user accounts as
well as the associated passwords. Click Apply.
NOTE:
• If you cannot see the Groups and Users Configuration window,
browse to the location on the virtual server where the CVM ISO media is
copied and open CVMGui.exe to proceed with the installation.
• VMDomainAdmin and VMHostAdmin users require a minimum 14
character length password with at least one upper case letter, at least
one lower case letter, and at least one numeric digit.

22. When creating users and installing group policies, this message appears.

23. In the Reboot request window, click Reboot to complete the Primary Domain
Controller installation.

Verifying Successful Primary Domain Controller Installation and Configuration
In successful installations, all the required Organizational Units are created as shown
in these sample screens.
View these screens for verification/confirmation:
1. On the PDC that you just created, open the Active Directory Users and
Computers console: click Start > Windows Administrative Tools > Active
Directory Users and Computers.
2. Under Schneider Electric, the folder structure appears within the SE VM Host
Accounts and SE VM Host Computers.

3. Under the SE VM Host Groups organizational unit, these administrator groups
appear:
• VMDomainAdmins
• VMHostAdmins
NOTE: VMDomainAdmin and VMHostAdmin are the default names used
during the PDC installation. If different names are used, then those
names appear here.

4. Under the SE VM Host Users, these users appear:
• VMDomainAdmin
• VMHostAdmin

5. Confirm the User Account memberships are configured as shown in these
images.

6. In Organizational Units on the new Primary Domain Controller, confirm that these
group policy objects were created.

Adding CVM Active Directory Structures to an Existing Windows Server 2016 Domain
The CVM system is governed by a set of group policies, user groups, and
organizational units. These policies are applied to V91 virtualization hosts that
participate in the CVM system.
Use this installation option to add Schneider Electric supplied CVM Active Directory
Objects to an existing Active Directory (for example, MyCorp.com). The CVM related
objects are added under a separate “Schneider Electric” OU. Therefore, adding these
structures does not have any impact on the functionality of the users/computers/
policies of the existing domain. The “Schneider Electric” OU has an inheritance block
in order to help prevent the policies of the existing domain being applied on the CVM
V91 hosts.
NOTE: As a standard supported solution, we do not recommend adding the CVM
Active Directory Structures to an existing Foxboro DCS Windows Server 2016
Active Directory. For other Engineered Solutions available, see Configuration
Services for Active Directory in Your Virtualized System, page 28.
After installing, a V91 virtualization host can be joined to the domain. In this scenario,
a V91 host will be under the “SE VM Hyper-V Servers” OU to help ensure that only the
CVM group policies are applied to the V91 host.
1. Log on to the enterprise domain controller as domain administrator.
2. Browse to the DVD-ROM location and open the CVMGui.exe file.
3. Click Add AD Structures to Existing Server 2016 Domain. Click Next.

The installation progress is shown.

4. After the completion of the install process, the Group Policy Settings Applied
Successfully confirmation dialog box appears. Click OK. The installation is
complete.

5. To verify the CVM Security Configuration settings for this existing domain, see
Verifying Successful Primary Domain Controller Installation and Configuration,
page 40.
NOTE:
• The Group policies and Organization Unit (OU) structure are imported to
an existing domain. SE VM Host Users are not created.
• After completion of this step, add a VMHostAdmin user. Use this user
account to log on to the V91 domain clients that will be a part of the CVM
system. See Appendix H: Creating VMHostAdmin Users in the Active
Directory, page 254 for the procedure.

Verify Successful Active Directory Domain Structures Addition


The Organizational Unit structure in this image indicates the group policy linkage for
the CVM Domain. The additional images provide the group policy details related to the
structure.

Schneider Electric
This is the top level OU. The Virt IE 11 Merged Baseline 2.0 policy is linked to this
OU. The policy is applicable to all the entities underneath this OU. There are two more
OUs under it: SE VM Host Accounts and SE VM Host Computers.
NOTE: The Block Inheritance flag is applied to the Schneider Electric OU, which
means that the policies above the Schneider Electric OU are not applied to
the Schneider Electric OU.

This image shows the details of the Group Policy Inheritance for the Schneider
Electric OU.

SE VM Host Accounts
This OU is under Schneider Electric and there are two OUs under SE VM Host
Accounts.

There are no additional policies applied to this OU or the ones under it. This image
shows the details of the Group Policy Inheritance for the SE VM Host Accounts
OU.

This image shows the details of Group Policy Inheritance for the SE VM Host
Groups OU.

This image shows the details of Group Policy Inheritance for the SE VM Host Users
OU.

SE VM Host Computers
This OU is under Schneider Electric and there is one OU under SE VM Host
Computers.

There are no additional policies applied to this example OU. This image shows details
of Group Policy Inheritance for the SE VM Host Computers OU.

SE VM Hyper-V Servers
SE Server 2016 Member Server Security Compliance v1.0, Virt Hyper-V Merged
Baseline 2.0, Virt Hyper-V Security Services 2.0, Virt non-SE Restricted Group
Policy for SE CVM Domain v1.0, and VM Host Security Compliance v1.0 policies
are linked to this OU.

This image shows the details of Group Policy Inheritance for SE VM Hyper-V
Servers OU.

Remote Desktop Enabled Hyper-V Servers


This OU is under SE VM Hyper-V Servers. The Virt Hyper-V Security RDP Enabled
2.0 and Virt Remote Access Settings For V91 Host Enabled 2.0 policies are linked
to this OU.

This image shows the details of Group Policy Inheritance for Remote Desktop
Enabled Hyper-V Servers OU.
NOTE: By default, the remote desktop services are disabled on the CVM Domain
Controllers and the V91 domain hosts. See Appendix G: Enabling Remote
Desktop Services, page 249 for the procedure to enable the remote desktop
services on PDC/SDC and V91 CVM domain clients.

Details of the Organizational Unit (OU) Structure and the Group Policy Linkage for CVM Domain
The Organizational Unit structure indicates the group policy linkage for the CVM
Domain. The additional images provide the group policy details related to the
structure.

Schneider Electric
This is the top level OU. The Virt Domain Security Compliance 2.0 and the Virt IE
11 Merged Baseline 2.0 policies are linked to this OU. These policies are applicable
to all the entities underneath this OU. There are two more OUs under it: SE VM Host
Accounts and SE VM Host Computers.
This image shows the details of the Group Policy Inheritance for the Schneider
Electric OU.

SE VM Host Accounts
This OU is under Schneider Electric and there are two OUs under SE VM Host
Accounts.

There are no additional policies applied to this OU or the ones under it. This image
shows the details of the Group Policy Inheritance for the SE VM Host Accounts
OU.

The previous image shows the details for all three OUs.

SE VM Hyper-V Servers
SE Server 2016 Member Server Security Compliance v1.0, Virt Hyper-V Merged
Baseline 2.0, Virt Hyper-V Security Services 2.0, Virt SE Restricted Group Policy
for SE CVM Domain v1.0, and VM Host Security Compliance v1.0 policies are
linked to this OU.

This image shows the details of Group Policy Inheritance for SE VM Hyper-V
Servers OU.

Remote Desktop Enabled Hyper-V Servers

This OU is under SE VM Hyper-V Servers. Virt Hyper-V Security RDP Enabled 2.0
and Virt Remote Access Settings For V91 Host Enabled 2.0 policies are linked to
this OU.

This image shows the details of Group Policy Inheritance for Remote Desktop
Enabled Hyper-V Servers OU.
NOTE: By default, the remote desktop services are disabled on the CVM Domain
Controllers and the V91 domain hosts. See Appendix G: Enabling Remote
Desktop Services, page 249 for the procedure to enable the remote desktop
services on PDC/SDC and V91 CVM domain clients.
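
The following script is an added example, not part of the Schneider Electric guide. It compares the GPO links on each OU with the policy names listed in the two linkage sections above, for either the CVM domain or an existing domain that received the CVM structures. It assumes the ActiveDirectory and GroupPolicy PowerShell modules are available on the domain controller and finds OUs by name, so it makes no assumption about their exact path.

```powershell
# Added example, not vendor code: read-only comparison of GPO links per OU
# against the linkage listed in this chapter.
param(
    # Set when the CVM structures were added to an existing domain rather
    # than installed with a new CVM Primary Domain Controller.
    [switch]$ExistingDomain
)
Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop

# Policy names below are copied from the chapter text.
$restricted = if ($ExistingDomain) {
    'Virt non-SE Restricted Group Policy for SE CVM Domain v1.0'
} else {
    'Virt SE Restricted Group Policy for SE CVM Domain v1.0'
}
$topLevel = if ($ExistingDomain) {
    'Virt IE 11 Merged Baseline 2.0'
} else {
    'Virt Domain Security Compliance 2.0', 'Virt IE 11 Merged Baseline 2.0'
}

$expected = [ordered]@{
    'Schneider Electric'                     = $topLevel
    'SE VM Host Accounts'                    = @()
    'SE VM Host Groups'                      = @()
    'SE VM Host Users'                       = @()
    'SE VM Host Computers'                   = @()
    'SE VM Hyper-V Servers'                  = @(
        'SE Server 2016 Member Server Security Compliance v1.0'
        'Virt Hyper-V Merged Baseline 2.0'
        'Virt Hyper-V Security Services 2.0'
        $restricted
        'VM Host Security Compliance v1.0'
    )
    'Remote Desktop Enabled Hyper-V Servers' = @(
        'Virt Hyper-V Security RDP Enabled 2.0'
        'Virt Remote Access Settings For V91 Host Enabled 2.0'
    )
}

function Test-CvmGpoLinkage {
    foreach ($ouName in $expected.Keys) {
        $want = @($expected[$ouName])
        $ous  = @(Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'")
        if ($ous.Count -eq 0) {
            [pscustomobject]@{
                OU = $ouName; Passed = $false; BlockInheritance = $null
                MissingLinks = 'OU not found'; UnexpectedLinks = ''
            }
            continue
        }
        foreach ($ou in $ous) {
            $inh     = Get-GPInheritance -Target $ou.DistinguishedName
            $linked  = @($inh.GpoLinks | Where-Object { $_ } |
                         ForEach-Object { $_.DisplayName })
            $missing = @($want   | Where-Object { $_ -notin $linked })
            $extra   = @($linked | Where-Object { $_ -notin $want })

            # The chapter states that Block Inheritance is set on the
            # Schneider Electric OU when it sits in an existing domain.
            $mustBlock = ($ExistingDomain -and $ouName -eq 'Schneider Electric')
            $blockOk   = (-not $mustBlock) -or $inh.GpoInheritanceBlocked

            [pscustomobject]@{
                OU               = $ou.DistinguishedName
                Passed           = ($missing.Count -eq 0 -and $extra.Count -eq 0 -and $blockOk)
                BlockInheritance = $inh.GpoInheritanceBlocked
                MissingLinks     = $missing -join '; '
                UnexpectedLinks  = $extra -join '; '
            }
        }
    }
}

Test-CvmGpoLinkage | Format-List
```

An unexpected link on the SE VM Hyper-V Servers OU, or a missing Block Inheritance flag in an existing domain, means policies other than the CVM set can reach the V91 hosts.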

Secondary Domain Controller (SDC) Installation and Configuration on Virtual Windows Server 2016
Preliminary Steps
Before installing the Secondary Domain Controller on a different V91 host server
using the CVM GUI, perform these steps:
1. Create a Windows Server 2016 virtual server machine. See Virtualization for
Windows Server 2016 User's Guide (B0700HD).
2. When the CVM VM starts, the system should automatically log on as the
Account1 user. If it does not, log in as Account1 using the default password,
Password1. Open Hyper-V and start the SDC VM.
3. Configure the DNS for SDC:
a. In the Taskbar, click the Network and right-click Open Network and Sharing
Center.
b. Under the View Your Active Networks field, click the adapter that will be
configured for the CVM Domain.
The adapter (Ethernet) Status appears.
c. Click Properties.
The adapter (Ethernet) Properties appears.
d. Select the Internet Protocol Version 4 (TCP/IPv4) checkbox and click
Properties.
The Internet Protocol Version 4 (TCP/IPv4) Properties appears.
e. Select Use the Following DNS Server Address, enter the PDC IP address
in the Alternate DNS Server field and SDC IP address in the Preferred DNS
Server field. Click OK.

4. Install Local Group Policy Object for Server 2016, see Local Group Policy
Installation Guide (B0799FA) for more information.
5. Install Self Managed ENS. See Related Documents, page 9 for the latest
McAfee ENS and ePO Installation Guide.
6. Disable Threat Prevention of the ENS. See Related Documents, page 9 for the
latest McAfee ENS and ePO Installation Guide.
7. Insert the V91 Virtualization Configuration Setup Media DVD into the DVD drive
on the V91 host machine.
8. Copy the ISO image from the DVD drive to either the host V91's hard drive or an
external hard drive.
9. On the CVM VM, from the main menu bar, click Media > DVD Drive > Insert
Disk to browse for the ISO image from the host’s hard drive or external hard
drive.
10. Browse to the location where you have copied the CVM ISO media and double-
click CVMGui.exe to start the SDC installation and configuration.
NOTE:
• When system reboot is pending and you try to install the CVMGUI.exe, a
message appears. Click OK to reboot the machine. The CVMGUI.exe
installation will start automatically after reboot.
• Verify that only one instance of the CVMGui.exe is running.


Installing and Configuring a Secondary Domain Controller


1. Browse the DVD-ROM location and double-click CVMGui.exe to start the SDC
installation and configuration. (Generally, it takes 3-4 minutes.)

2. In the User Account Control window, click Yes.


3. Select Create Server 2016 Secondary Domain Controller and click Next to
start the SDC installation.

NOTICE
POTENTIAL DATA LOSS
Before proceeding, make sure the computer time matches the time and time
zone on the PDC.
Failure to follow these instructions can result in data loss.

4. In the SecondaryDomainController window, under the Domain Information
field, enter Domain Name, Site Name, Domain Controller Name, Domain User
Name, and Passwords. Click Apply.
NOTE:
• In order to install the SDC, you must have Domain Admin privileges.
Enter the Domain Admin privilege username in the User Name field.
• To verify the site name, perform these steps on the PDC:
◦ Log in as a domain administrator such as VMDomainAdmin.
◦ Open the command prompt.
◦ Execute the command dsquery site. The command result should
show the site name.


NOTE: You might receive the CVM Installation message. Click OK in the
SecondaryDomainController window again and click Apply. If you receive
the same CVM Installation message continuously even after clicking OK,
verify that you performed the steps correctly.


5. When the CVM Installation dialog box regarding the SDC installation process
appears, click Yes to proceed.

6. Wait until the Active Directory finishes configuring the installation.

7. When the Active Directory installation is successfully completed, the CVM
Installation dialog box appears indicating that you must restart the server. Click
Yes to reboot the server.

NOTICE
POTENTIAL INSTALLATION FAILURE
It is inadvisable to make changes to the computer time between reboots.
Failure to follow these instructions can result in an installation failure.

8. As the server is rebooting, a notification message appears. Click Close to
continue.


9. When the Server restarts, log in using the Domain Admin privileged user account.

Addition of a V91 Windows Server 2016 to a CVM Domain


Preliminary Steps
1. On the V91 host that you would like to join to the CVM domain, log on as an
Administrator user.
2. Install Local Group Policy Object for Server 2016 (K0177CB), see Local Group
Policy Installation Guide (B0799GD) for more information.
3. Install Self Managed ENS. See Related Documents, page 9 for the latest McAfee
ENS and ePO Installation Guide.
4. Disable Threat Prevention of the ENS. See Related Documents, page 9 for the
latest McAfee ENS and ePO Installation Guide.

Configuring DNS for Client/Host


1. In the Taskbar, click the Network and right-click Open Network and Sharing
Center.


2. From the View Your Active Networks field, click the adapter that will be
configured for the CVM Domain.
The adapter (Ethernet) Status window appears.
3. Click Properties.
The adapter (Ethernet) Properties window appears.
4. Select the Internet Protocol Version 4 (TCP/IPv4) checkbox and click
Properties.
The Internet Protocol Version 4 (TCP/IPv4) Properties window appears.
5. Select Use the Following DNS Server Address, enter the PDC IP address in
the Preferred DNS Server field and SDC IP address in the Alternate DNS
Server field. Click OK.

Adding a V91 Virtual Host running Windows Server 2016 OS to a domain
In order to add a V91 Virtual Host running Windows Server 2016 OS to a domain,
make sure that your Primary and Secondary domain controllers are already set up as
described in CVM Primary Domain Controller (PDC) Installation and Configuration on
a Virtual Windows Server 2016, page 28 and Secondary Domain Controller (SDC)
Installation and Configuration on Virtual Windows Server 2016, page 54. Perform
these additional steps to add the Windows Server 2016 server to a domain:
1. Browse the DVD-ROM location and double-click CVMGui.exe to start the
application.

NOTE: Check that only one instance of the CVMGui.exe is running.


2. Select Join This Server 2016 Virtualization Host to Server 2016 Domain and
click Next.

NOTICE
POTENTIAL DATA LOSS
Before proceeding, confirm the computer time matches the time and time zone
on the PDC.
Failure to follow these instructions can result in data loss.


3. The fields in the Domain Controller Information group are populated with the
default names. Verify that you provide the correct domain name that might have
been specified while installing the PDC: Primary Domain Name, Domain
Administrator User Name, and Password.
4. In the Domain User Name field, specify the user with domain administrator
privileges.
5. Click Apply. It takes a few minutes.

NOTE: The GUI program automatically checks for the time difference
between the Host server and the Domain controller. A system message
appears in the case of a time mismatch. When the time difference is
corrected, click Apply to complete the join.


6. When the confirmation dialog box appears indicating that the Server 2016
Virtualization Host was joined to the Server 2016 domain successfully, click OK to
complete the installation.

NOTE:
• After a V91 host is joined as a member of the CVM active directory, the
security policy applied on the V91 host restricts the access of untrusted
network devices such as network file servers to help prevent possible
vulnerability. In circumstances where accessing those network drives is
required, the security can be relaxed. See Appendix E: Network Drive
Access, page 243 for the procedure.
• By default, the Performance Counters feature has been disabled on the
V91 hosts. See Appendix F: Performance Counters, page 246 to enable
the Performance Counters feature.
• By default, the Remote Desktop Services are disabled on the CVM
Domain Controllers and the V91 domain hosts. See Appendix G:
Enabling Remote Desktop Services, page 249 for the procedure to
enable the Remote Desktop Services on PDC/SDC and V91 CVM
domain clients.
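
The join depends on two things the preceding steps set by hand: the DNS server order on the adapter and a clock that matches the PDC. The following PowerShell check is an added example, not part of the CVM media or of Schneider Electric's tooling; the function name, the parameter names and the 300-second default (the Kerberos default clock tolerance) are assumptions of this example, and the domain name and addresses in the usage comment are constructed placeholders.

```powershell
# Added example: pre-join check for a V91 host or an SDC VM.
# Verifies DNS server order, domain controller discovery, and clock offset to the PDC.
function Test-CvmJoinReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DomainName,   # domain name chosen when the PDC was installed
        [Parameter(Mandatory)][string]$PdcAddress,   # PDC IPv4 address
        [Parameter(Mandatory)][string]$SdcAddress,   # SDC IPv4 address
        [ValidateSet('Host', 'SDC')][string]$Role = 'Host',
        [double]$MaxSkewSeconds = 300                # assumption: Kerberos default tolerance
    )

    # Per this guide: a host lists the PDC as Preferred and the SDC as Alternate;
    # the SDC itself lists the SDC as Preferred and the PDC as Alternate.
    $expected = if ($Role -eq 'SDC') { @($SdcAddress, $PdcAddress) } else { @($PdcAddress, $SdcAddress) }

    # Find the adapter that was configured for the CVM domain.
    $adapter = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses -contains $PdcAddress } |
        Select-Object -First 1

    $dnsOrderOk = $false
    if ($adapter -and $adapter.ServerAddresses.Count -ge 2) {
        $dnsOrderOk = ($adapter.ServerAddresses[0] -eq $expected[0]) -and
                      ($adapter.ServerAddresses[1] -eq $expected[1])
    }

    # A domain join locates domain controllers through this SRV record.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
        -Server $PdcAddress -DnsOnly -ErrorAction SilentlyContinue
    $dcNames = @($srv | Where-Object { $_ -and $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget })

    # Take one time sample from the PDC; a data line looks like "10:00:00, +00.0123456s".
    $offset  = $null
    $pattern = ',\s*([+-]\d+\.\d+)s\s*$'
    $sample  = & w32tm.exe /stripchart "/computer:$PdcAddress" /samples:1 /dataonly 2>&1 |
        Where-Object { "$_" -match $pattern } |
        Select-Object -Last 1
    if ($sample -and ("$sample" -match $pattern)) {
        $offset = [double]$Matches[1]
    }

    [pscustomobject]@{
        Role                   = $Role
        DnsServers             = if ($adapter) { $adapter.ServerAddresses -join ', ' } else { '' }
        DnsOrderOk             = $dnsOrderOk
        DomainControllersFound = $dcNames -join ', '
        SrvLookupOk            = $dcNames.Count -gt 0
        OffsetSeconds          = $offset
        TimeOk                 = ($null -ne $offset) -and ([math]::Abs($offset) -le $MaxSkewSeconds)
    }
}

# Usage (constructed placeholder values):
# Test-CvmJoinReadiness -DomainName 'example.local' -PdcAddress '192.0.2.10' -SdcAddress '192.0.2.11'
```

The time zone is not covered by the offset measurement and still has to be compared with the PDC by hand.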


Chapter 5: Virtual Machines on Windows Server 2016 Hyper-V
To set up the virtual machines using Hyper-V Manager, see Virtualization User's
Guide for Windows Server 2016 (B0700HD).
To complete the process of setting up a Foxboro DCS client, before installing Foxboro
DCS Control Software or Control Software:
1. Install Control Core Services (CCS). For more information, see Related
Documents, page 9 for the appropriate Control Core Services Software
Installation Guide.
2. Install and configure McAfee ENS, either Self-Managed or ePO Managed. See
Related Documents, page 9 for the latest McAfee ENS and ePO Installation
Guide.

Install and Configure the McAfee ENS with ePO


For more information, see Related Documents, page 9 for the latest McAfee ENS and
ePO Installation Guide.


Chapter 6: Replication Setup and Enabling Process


VM replication setup and enabling involves these tasks:
• Understanding replication configuration
• Replication server setup
• Hyper-V server selection for replication
• Replication configuration tasks (Kerberos usage and certificate based
authorization usage)
• Enabling replication tasks
• Planned and unplanned failover of primary VM operations to replica server
NOTE: The Microsoft Hyper-V Replica software automatically provides
scheduled replication across multiple VMs. The replication schedule cannot
be modified by you after initial configuration.

Replication Folder Location Setup


Replica virtual machine files must be stored in a default location. Therefore, you
should create a folder under D:\Virtual Machines for the Replica VM files.
For example, this image shows the ReplicaVirtualMachines folder created in
D:\Virtual Machines\ReplicaVirtualMachines.

On the Hyper-V Settings screen, this information is needed.


Hyper-V Server Selection for Replication


1. Open Hyper-V Manager and select the server name to be configured.

2. From the list of virtual machines related to the server, select Hyper-V settings
using one of these methods:
• With the server selected, right-click and select Hyper-V Settings from the
menu.
• On the right panel, select Hyper-V Settings.


3. On the Hyper-V Settings screen, select Replication Configuration. On the right
panel, the information for replication configuration appears. Select the Enable
this computer as a Replica server checkbox.

Additional settings become active.


4. With the computer enabled as a Replica server, begin the configuration steps
according to your security requirements:
• See Kerberos (HTTP) Usage, page 70 for non-encrypted network data on a
custom or default port.
• See Certificate-based Authorization (HTTPS) Usage, page 87 for encrypted
network data.

Kerberos (HTTP) Usage


Usage of Kerberos (HTTP) requires these configuration choices:
• Port Configuration (Custom or Default)
• Inbound Firewall Traffic Rule

Port Configuration (Custom or Default)


To verify that the ports you specify are open in the firewall:
1. From the Authentication and Ports section, select the Use Kerberos (HTTP)
checkbox.


2. In the Specify Port field, the default port is: 80. Change to the desired port
number, for example, 18777.

NOTICE
POTENTIAL SECURITY VULNERABILITY
Port 80 is a well-known port for use with Internet (HTTP) protocols. From an
enhanced security point of view, it is advisable to avoid use of port 80
whenever possible.
Failure to follow these instructions will leave the system accessible to
unauthorized users.

NOTE: If applicable, discuss with the cybersecurity personnel in your
organization to get advice on which alternative port can be used in your
environment. In the previous example, port 18777 is being suggested.
(At the time this document was written, this port was listed as “Unassigned” in
the list maintained by The Internet Assigned Numbers Authority (IANA). For
more information, visit the IANA website.)
3. From the Authorization and Storage section, select Allow replication from the
specified servers.

4. Click Add to add the servers.


5. In the Add Authorization Entry screen, specify this type of information:
a. Enter the full name of the specific server. For example,
DEVSS12CVMHVHS1.CVMPDC.local.
b. For the default location, enter the folder in which the replica files from this
server must be stored. For example,
D:\Virtual Machines\ReplicaVirtualMachines\FromDEVSS12CVMHVHS1.CVMPDC.local
c. For the trust group, enter a unique name. For example, CVMPDC.local


6. After entering information for all of the servers, click Apply.

A system message dialog box appears indicating that the firewall must be
configured to allow inbound traffic.

7. You must configure a rule to check if the inbound TCP exception for your desired
(custom or default) port is enabled in the firewall. See Firewall Inbound Traffic
Rule Configuration, page 74 for how to configure the firewall inbound traffic rule.


Firewall Inbound Traffic Rule Configuration


To configure the firewall exception rule:
1. From the Control Panel, open the Windows Firewall.

2. In the Windows Firewall screen, click Advanced settings in the left panel.


3. In the User Account Control dialog box, click Yes.

4. In the Windows Firewall with Advanced Security window, select Inbound
Rules in the left panel.

5. With Inbound Rules selected, click New Rule on the right panel.


6. The New Inbound Rule Wizard starts. In the left panel, observe the steps related
to the new inbound firewall rule configuration: Rule Type, Program and Ports
(when Port is selected), Action, Profile, and Name.

7. If creating an Inbound Port Rule for a custom port (for example, 18777), see
Custom Port - New Inbound Rule Wizard, page 78 and complete the steps. Then
go to Step 8.
If creating the rule for the default port (port 80), see Default Port - New Inbound
Rule Wizard, page 84 and complete the steps. Then continue to Step 8.


8. Close all Firewall Setup windows. In the Configure Firewall Settings dialog
box, click OK.

The Hyper-V Settings are now complete for using Kerberos (custom port or
default port).
Repeat the steps in Hyper-V Server Selection for Replication, page 67 to this
point for each Hyper-V Server with virtual machines that need replication with
these settings.


Custom Port - New Inbound Rule Wizard


1. Select Port and click Next.

2. Enter the custom/desired port number you entered during Authentication and
Ports configuration.
For reference, this image shows an example with the “18777” port being used.
• Click TCP.
• Click Specific local ports and enter 18777 in the text box.
• Click Next.


3. Verify that the Allow the connection checkbox is selected and click Next.


4. Select all checkboxes (Domain, Private, and Public) and click Next.

5. In the Name field, enter a name for the Inbound Port rule created and a short
description in the Description field.


6. When the newly created Port Rule appears in the Inbound rules, right-click the
custom port rule and select Properties.

Under the General tab, the configured name and description for the Custom Port
Rule appear, as well as the action setting.


7. Click the Programs and Services tab and do this:
a. Click This program: and enter SYSTEM in the browse box.
b. Click Apply and then click OK to close the screen.

8. The modified Inbound Rule for the custom port is now visible in the Inbound
Rules window and provides the rule Name, Group, Profile, Enabled, Action,
Override, and Program information.
Skip Default Port - New Inbound Rule Wizard, page 84.


Default Port - New Inbound Rule Wizard


1. To define the Inbound Rule for port 80, from the New Inbound Rule Wizard
screen, click Predefined. In the left panel, the steps include: Rule Type,
Predefined Rules, and Actions.

2. From the menu, select Hyper-V Replica HTTP. Click Next.

3. On the Predefined Rules screen, select Hyper-V Replica HTTP Listener (TCP-
In) and click Next.


4. Select Allow the connection and click Finish. If necessary, click Finish again
and close the dialog box.

The newly created rule is now visible under the Inbound Rules.

The pre-defined Inbound Rule for the default port is now visible in the Inbound
Rules window and provides the rule Name, Group, Profile, Enabled, Action,
Override, and Program information.


Certificate-based Authorization (HTTPS) Usage


Usage of certificate-based authorization (HTTPS) requires these determinations and
requirements:
• Security certificates of authentication
• Primary server certificate requirements
• Replica server certificate requirements
• certutil validation

Security Certificates
Workgroup Security Model requires a certificate for authentication. If you plan to use
certificate-based authentication (required for the replicated data to be encrypted
during transmission), you will need an appropriate certificate, which can either be local
and self-signed or supplied by a certificate server in your deployment.
NOTE: See Appendix C: Certificate Creation Using the Makecert Tool, page 203
for instructions on how to create and configure certificates using the
makecert.exe utility. See Appendix D: Certificate Creation Using the OpenSSL
Tool, page 230 for instructions on how to create and configure certificates using
the OpenSSL utility.

Primary Server Certificate Requirements


To set up a replication relationship, the certificate in the primary server must meet
these conditions:
• Enhanced Key Usage must support both Client and Server authentication.


• Set the Subject field or the Subject Alternative Name using one of these methods:
◦ Set the Subject field to the primary server name (for example:
primary1.contoso.com). If the primary server is part of a cluster, check that the
subject field is set to the FQDN of the HVR Broker (install this certificate on all
the nodes of the cluster)
◦ Subject field can contain a wildcard (for example: *.department.contoso.com)
◦ For a SAN certificate, set the Subject Alternative Name's DNS Name to the
primary server name (for example, primary1.contoso.com). If the primary
server is part of a cluster, the Subject Alternative Name of the certificate
should contain the FQDN of the HVR Broker (install this certificate on all the
nodes of the cluster).
• Check to see if the root of this certificate is present in the “Trusted Root
Certification Authorities” of the replica server certificate store. See Importing
Certificate to Target Hyper-V Replica Servers, page 219.

Replica Server Certificate Requirements


To enable a server to receive replication traffic, the certificate in the replica server
must meet these conditions:
• Enhanced Key Usage must support both Client and Server authentication
• Set the Subject field or the Subject Alternative Name using one of these methods:
◦ For a SAN certificate, set the Subject Alternative Name's DNS Name to the
replica server name (for example: replica1.contoso.com). If the replica server
is part of a cluster, the Subject Alternative Name of the certificate must contain
the replica server name *and* FQDN of the HVR Broker (install this certificate
on all the nodes of the cluster)
◦ Set the Subject field to the replica server name (for example:
replica1.contoso.com). If the replica server is part of a cluster, check that a
certificate with the subject field set to the FQDN of the HVR Broker is installed
on all the nodes of the cluster
◦ Subject field can contain a wildcard (for example: *.department.contoso.com)
• Check if the root of this certificate is present in the “Trusted Root Certification
Authorities” of the replica server certificate store. See Importing Certificate to
Target Hyper-V Replica Servers, page 219.

certutil Validation
After the certificate is installed, run this command from the command prompt on both
the primary and replica server: certutil -store my
At least one of the certificates in your output should resemble the sample output
shown in this image, such that the Encryption test (not just Signature) has passed.
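
The certificate conditions listed under Primary Server Certificate Requirements and Replica Server Certificate Requirements can also be checked per certificate, alongside the certutil output. The following PowerShell function is an added example and not part of the guide's tooling; the function name and output property names are assumptions of this example. It reports a certificate with no Enhanced Key Usage extension as not meeting the EKU condition, which is a conservative choice made here.

```powershell
# Added example: check each certificate in LocalMachine\My against the
# Hyper-V Replica conditions listed in this chapter. Run it on the primary
# and on the replica server.
function Test-ReplicaCertificate {
    [CmdletBinding()]
    param(
        # Name the Subject or SAN must cover: the server FQDN, or the
        # HVR Broker FQDN when the server is a cluster node.
        [Parameter(Mandatory)][string]$ServerFqdn
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # Condition 1: Enhanced Key Usage lists both Client and Server authentication.
        $eku   = @($cert.EnhancedKeyUsageList | Where-Object { $_ } | ForEach-Object { $_.ObjectId })
        $ekuOk = ($eku -contains $serverAuthOid) -and ($eku -contains $clientAuthOid)

        # Condition 2: Subject or SAN DNS name equals the FQDN, or is a wildcard
        # covering exactly one leftmost label (for example *.department.contoso.com).
        $names  = @($cert.DnsNameList | Where-Object { $_ } | ForEach-Object { $_.Unicode })
        $parent = $ServerFqdn.Substring($ServerFqdn.IndexOf('.') + 1)
        $nameOk = $false
        foreach ($name in $names) {
            if ($name -ieq $ServerFqdn) {
                $nameOk = $true
            }
            elseif ($name.StartsWith('*.') -and $ServerFqdn.Contains('.') -and
                    ($name.Substring(2) -ieq $parent)) {
                $nameOk = $true
            }
        }

        # Condition 3: the root of the chain is in Trusted Root Certification
        # Authorities. This checks the local machine store; for the primary
        # server's certificate, look up RootThumbprint on the replica server too.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainBuilds = $chain.Build($cert)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootInStore = Test-Path -Path ("Cert:\LocalMachine\Root\" + $root.Thumbprint)

        $now = Get-Date
        [pscustomobject]@{
            Thumbprint             = $cert.Thumbprint
            Subject                = $cert.Subject
            DnsNames               = $names -join ', '
            EkuClientAndServer     = $ekuOk
            NameMatches            = $nameOk
            HasPrivateKey          = $cert.HasPrivateKey
            WithinValidity         = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
            ChainBuilds            = $chainBuilds
            RootThumbprint         = $root.Thumbprint
            RootInLocalTrustedRoot = $rootInStore
        }
    }
}

# Usage (server name taken from the example in this chapter):
# Test-ReplicaCertificate -ServerFqdn 'replica1.contoso.com' | Format-List
```

This check does not replace the Encryption test reported by certutil -store my; it covers the naming, usage and trust conditions only.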


Enable Replication on Hyper-V Server 2016


1. In Server Manager, click Tools. Then, click Hyper-V Manager.
2. In the Actions pane, click Connect to Server (right pane), enter Server Name,
and then click OK or just click the server name, if it is already there.
3. Click Hyper-V Manager.
4. Click Server Name.
5. Click Hyper-V Settings (right pane).


6. Click Replication Configuration (left pane).

7. Perform these steps:
a. Select the Enable this computer as a Replica server checkbox.
b. Confirm the Use certificate-based Authentication (HTTPS) checkbox is
selected. Specify the port: 443.
c. Click Select Certificate and then, click OK.


NOTE: When you click Select Certificate, you immediately see this
window with the Certificate details. If you see any detected error
messages, close the wizard and verify whether the correct certificate was
imported. If not, restart the wizard and start again.

d. Under Authorization and Storage, click Allow Replication from any
authenticated server and use Browse to select the Virtual Machine
Replica folder in which to put the replicas.
Click Apply then click OK.


8. On the Configure Firewall Settings dialog box, click OK to close the dialog box.

Replication Firewall Rules


Properly configured firewall rules permit replication between the Primary and Replica
servers and sites. To allow any incoming virtual machine replication traffic for
configured replication ports, you must check that an inbound firewall rule is created.
NOTE: Verify that you created the inbound firewall rule on both the Primary and
Replica servers.
To check that an inbound firewall rule is created:
1. Click Start and enter Control Panel.
2. Click Control Panel > System and Security > Windows Firewall > Advanced
Settings > Inbound Rules.


3. Right-click Hyper-V Replica HTTPS Listener (TCP-In) and then select Enable
Rule. Make sure the rule is enabled for the proper network.

4. Close the Control Panel windows.
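
Because the inbound rule has to exist on both the Primary and the Replica server, and may be a custom port rule or one of the predefined Hyper-V Replica listener rules, it helps to list what is actually in force for each replication port. The following PowerShell audit is an added example, not part of the guide's tooling; the function names are assumptions of this example, and the default port list (80, 443 and the example custom port 18777) is taken from this chapter.

```powershell
# Added example: list the enabled inbound allow rules that name a Hyper-V
# Replica port, with the profile, program and remote-address scope of each.
# Run it on both the Primary and the Replica server.

# Returns $true when a port filter entry ("80", "5000-5010", ...) covers $Port.
function Test-PortInFilter {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -eq "$Port") { return $true }
        if (($entry -match '^(\d+)-(\d+)$') -and
            ($Port -ge [int]$Matches[1]) -and ($Port -le [int]$Matches[2])) {
            return $true
        }
    }
    return $false
}

function Get-ReplicaInboundRule {
    [CmdletBinding()]
    param(
        # 80 = Kerberos (HTTP) default, 443 = certificate-based (HTTPS),
        # 18777 = the custom port used as an example in this guide.
        [int[]]$Port = @(80, 443, 18777)
    )

    # ActiveStore is the effective policy, including rules delivered by Group Policy.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound `
        -Enabled True -Action Allow

    $found = foreach ($rule in $rules) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -ne 'TCP') { continue }

        foreach ($p in $Port) {
            # Only rules that name the port are reported; rules whose local
            # port is "Any" are outside the scope of this audit.
            if (Test-PortInFilter -LocalPort $portFilter.LocalPort -Port $p) {
                $app  = $rule | Get-NetFirewallApplicationFilter
                $addr = $rule | Get-NetFirewallAddressFilter
                [pscustomobject]@{
                    Port          = $p
                    Rule          = $rule.DisplayName
                    Profile       = $rule.Profile
                    Program       = $app.Program
                    RemoteAddress = $addr.RemoteAddress -join ', '
                    Status        = 'Present'
                }
            }
        }
    }
    $found

    # Report ports for which no enabled inbound allow rule was found.
    foreach ($p in $Port) {
        if (@($found | Where-Object { $_.Port -eq $p }).Count -eq 0) {
            [pscustomobject]@{
                Port          = $p
                Rule          = ''
                Profile       = ''
                Program       = ''
                RemoteAddress = ''
                Status        = 'Missing'
            }
        }
    }
}

# Usage: audit only the port configured under Authentication and Ports, for example
# Get-ReplicaInboundRule -Port 443 | Format-Table -AutoSize
```

A port that is not used for replication in your deployment is expected to show as Missing; the Profile and RemoteAddress columns show how widely each present rule is reachable.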

Enable Replication Tasks


The replication tasks to be enabled include:
• Initial VM replication over the Network
• Initial VM replication via External Drive

Initial Virtual Machine Replication over the Network or via an External Drive
An initial copy of all your virtual hard disks (VHDs) must be transferred via the network
or external drive to the Replica server (at your Replica site) before using Hyper-V
Replica.
NOTE: If a network drive location is used for the initial virtual machine replication,
you must enable access to network drives. For more information, see Appendix E:
Network Drive Access, page 243.
1. In Hyper-V Manager, select the Virtual Machine you wish to replicate.


2. In the Task Pane (right pane), select Enable Replication. This is available from
the right-click menu.


3. The Enable Replication for <selected VM> Wizard appears to configure
replication for the selected virtual machine. Click Next.

4. From the Specify Replica Server screen, enter the Replica server and click
Next.
NOTE: This image shows an example of the name of the destination server
that will receive the replica information from the network.


5. Based on Hyper-V replication configuration settings, select one of these:
• Use Kerberos Authentication (HTTP)
• Use Certificate-based Authentication (HTTPS)


6. If Use Certificate-based Authentication (HTTPS) is selected, select the
certificate and click OK. For more information regarding certificates, see
Appendix C: Certificate Creation Using the Makecert Tool, page 203, or Appendix
D: Certificate Creation Using the OpenSSL Tool, page 230.

7. Confirm the Compress the data that is transmitted over the network
checkbox is selected regardless of authentication type selected. Click Next.
8. On the Choose Replication VHDs screen, read the screen information regarding
the use of the checkboxes and enable the desired VHDs that you want to
replicate. Click Next.


9. On the Configure Replication Frequency screen, select the desired frequency
of replication from the menu. For example, see the frequency set at 30 seconds.
Click Next.

10. On the Configure Additional Recovery Points screen, it is highly
recommended that you select the Create additional hourly recovery points
checkbox. Click Next.


11. On the Choose Initial Replication Method screen, the settings for replication
enabling are:
a. For network enabling, confirm the defaults, Send initial copy over the
network and Start replication immediately, are selected.
b. For external drive enabling, select Send initial copy using external media
and use Browse to locate the USB storage location to export the initial
replication copy.
Click Next.


12. On the Completing the Enable Replication screen, review the replication
configuration information for the Replica server.
To enable the replication (via the network or external media) and close the
wizard, click Finish.

If you selected network replication enabling, this information appears on the
Hyper-V Manager with the VM listing screen,
• the status of the primary server appears as:

• the status of the Replica Server appears as:
13. Go to Step 16 to complete the process for network replication enabling.
Otherwise, for external drive replication, proceed to Step 14.


14. If you selected the external drive replication, open Hyper-V Manager in the Replica
server. Right-click the Replica VM instance and select Import Initial Replica
from the Replication menu.

15. On the Import Initial Replication dialog box, browse to the replication files in the
USB drive. Click Complete Initial Replication.

This image appears indicating the progress of the Import Replication.


16. Check that the Network Adapter settings are set manually in the Replica Server.

Planned Failover and Unplanned Failover of Primary Virtual Machine Operations to Replica Server
A primary virtual machine can have a corresponding Replica virtual machine that
provides a replication of the primary virtual machine's information. The replica virtual
machine can take over for the primary in the event of a detected failure. The two types
of virtual machine failovers are:
• A planned failover which occurs when you must perform maintenance or
upgrades on the primary virtual machine. Also, you might be informed in advance
of an impending event that requires taking the primary server offline.
• An unplanned failover which can occur when the primary server has become
unexpectedly unavailable, perhaps as a result of major hardware unavailability or
a natural disaster. In this case, there is the possibility of data loss because there
was no opportunity to transmit changes on the primary virtual machine that might
not have been replicated yet.

Planned Failover
Before proceeding with the planned failover, verify that both the primary VM and the
Replica VM have identical NIC settings and that they are connected to the correct
networks.
For more information on NIC settings, see these sections in Virtualization for Windows
Server 2016 User's Guide (B0700HD):


• “Configuring Additional Network Interface Cards for Use in Foxboro DCS for a
Virtual Machine Using Hyper-V Manager”
• “Configuring Foxboro DCS Virtual Machine Foxboro DCS Control Network
Connections to be Static”
1. Start the Hyper-V Manager on the primary server and select the virtual machine
to failover. See this image for the primary server and selected virtual machine.

2. Shut down the selected virtual machine in order to schedule the failover by
performing one of these actions:
• Select the virtual machine name in Hyper-V Manager, right-click to access
the menu, and select Shut Down.
• Select Shut Down on the right panel.
• Select Shut Down from the Action menu in the main menu of the virtual
machine window.
• Select the Power (Shutdown) icon under the main menu in the virtual machine
window.


3. In the list of virtual machines associated with the primary server, right-click the
virtual machine to failover, select Replication, and then select Planned Failover.


4. In the subsequent Planned Failover screens, click Failover to actually transfer
operations to the virtual machine on the Replica server. The next screen has
these checkboxes available to indicate the step(s) to be performed after the
failover:
a. If you select the Start the Replica virtual machine after failover checkbox,
any changes on the primary virtual machine that have not already been
replicated will be replicated, and the Replica virtual machine will be prepared
to start.
b. If you select the Reverse the replication direction after failover checkbox,
the replication direction will reverse to the primary virtual machine after the
failover.
NOTE: Failover does not occur if the prerequisites listed in the screens have
not been met.


5. After selecting Failover, the prerequisite check and actions are completed and a
confirmation dialog box appears.

Planned failover has successfully completed when you see the success dialog
box.

Unplanned Event in Which Hardware Becomes Unavailable


In an unplanned event in which the hardware becomes unavailable, the primary
server has become unavailable unexpectedly and there is the possibility of data loss,
because there was no opportunity to transmit changes on the primary virtual
machines that might not have been replicated yet.

NOTICE
POTENTIAL DATA LOSS
When you are planning to bring your virtual machines back online after an
unplanned hardware unavailability, be sure to consider whether the primary server
is to be brought back online and reverse replication performed.
Failure to follow these instructions can result in data loss.


Virtual Machine Event in Which Hardware Becomes Unavailable


To get your virtual machine(s) back online after an unplanned event in which the
hardware becomes unavailable:
1. Open Hyper-V Manager and connect to the Replica server. Right-click the name
of the virtual machine you want to use, select Replication and then select
Failover.


2. In the resulting dialog box, select the recovery snapshot that you want the virtual
machine to recover.


3. Click Fail Over.

The Replication Status changes to Failed over - waiting completion and the
virtual machine starts using the network parameters you previously configured for
it. This image indicates that the Failover task is in progress.


4. Failover is complete when the VM state is shown as running and this information
is shown in the lower left of the screen.

For each virtual machine you want to bring back online, repeat Step 1 through
Step 4.

Reverse Replication After Failover

NOTICE
POTENTIAL DATA LOSS
You must shut down the primary VM after it comes back online in order to reverse
the replication.
Failure to follow these instructions can result in data loss.

1. When the previously unavailable server is back online, if the old primary virtual
machine is still running, shut the primary virtual machine down immediately using
one of these methods.
• Click the virtual machine name in Hyper-V Manager and select Shut Down.


• Click Shut Down on the left panel in the Hyper-V Manager.

2. If a system message appears, click Shut Down in the message.

3. When you are sure that the original (previously unavailable) primary virtual
machine has been shut down, proceed with these steps on the Replica virtual
machine which has undergone the failover process. The status shows that it is
still Replica and failover is complete.


4. Right-click the VM name and select Replication > Reverse Replication.


5. Click Next on the Reverse Replication Wizard window.

6. To perform the reverse replication steps that are similar to those in the Enable
Replication Wizard, perform Step 4 through Step 11 in the procedure Initial
Virtual Machine Replication over the Network or via an External Drive, page 93.
NOTE: The Reverse Replication Wizard for <server name> appears on
the title screens in the current Reverse Replication Wizard being used.
7. Review the selections on the Summary screen. Click Finish.


8. This information appears on the VM screen:


• The replication tab for the VM will change to this information in the bottom left
corner:

• The Status Window indicates this:

• When the initial replication is complete the replication tab indicates this:


Chapter 7: Live Migration Configuration


Configure Live Migration on Hyper-V Host(s)
Configuring Initial Live Migration Settings
1. Open the Hyper-V Manager:
Click Start and select Administrative Tools > Hyper-V Manager.


2. Select the name of the server you want to configure.

The list of virtual machines associated with the server appears.


3. With the server selected, right-click and select Hyper-V Settings from the menu
or on the right side panel, select Hyper-V Settings.

4. On the Hyper-V Settings screen, select Live Migrations.


5. Select the Enable incoming and outgoing live migrations checkbox and select
Use these IP addresses for live migration.


6. Click Add to access the IP Address dialog box. Enter the IP address for the VM
Host network in use on this server. Click OK.

The IP address for live migration is now configured.


Configure Live Migration Advanced Features


The Live Migration advanced features include:
• Authentication Protocol
◦ Credential Security Support Provider (CredSSP)
◦ Kerberos
• Performance Options
◦ Compression

Accessing Live Migration Advanced Features


1. To access Advanced Features, expand the Live Migrations selection on the left
panel by clicking the + symbol.


2. Select Advanced Features.


The Advanced Features include Authentication protocol and Performance
options.

Using Credential Security Support Provider (CredSSP) Authorization Protocol


When using Credential Security Support Provider (CredSSP) as the Authentication
Protocol, you must log on to the server to perform a live migration.
On the Advanced Features screen, to select the CredSSP protocol and performance
option:
1. Select Use Credential Security Support Provider (CredSSP).

NOTE: When CredSSP is selected, a system message might appear at the
bottom of the screen that instructs you to log off and then log back on again to
use the selected authentication protocol. You must do this before continuing.


2. Under Performance options, confirm the default Compression is selected.

3. Click Apply to apply the Live Migration configuration for the CredSSP
authentication protocol and the compression performance. Click OK.

NOTICE
POTENTIAL MIGRATION FAILURE
The Authentication protocol in use on both the source and destination servers
must match.
Failure to follow these instructions will result in Live Migration failure.

4. Perform the previous steps in this section on both the source and destination
Hyper-V Host.

Using Kerberos Authorization Protocol


Using Kerberos as the Authentication Protocol is more secure, but it requires
constrained delegation for live migration.
On the Advanced Features screen, to use the Kerberos authorization protocol and
performance option:
1. Select Use Kerberos.


2. Under Performance options, confirm the default Compression is selected.

3. Click Apply to apply the Live Migration configuration for the Kerberos
authentication protocol and the compression performance. Click OK.

NOTICE
POTENTIAL MIGRATION FAILURE
The Authentication protocol in use on both the source and destination servers
must match.
Failure to follow these instructions will result in Live Migration failure.

4. Perform the previous steps in this section on both the source and destination
Hyper-V Host.


Additional Steps for Kerberos Authorization Protocol


1. From the CVM Domain controller, perform one of these actions to open Active
Directory Users and Computers:
• From the Server Manager Tools menu, select Active Directory Users and
Computers.

• Under Control Panel, select Administrative Tools and select Active
Directory Users and Computers.

2. In the Active Directory Users and Computers window, double-click the Domain
name in the left panel.


3. When the Domain selection expands, double-click the Schneider Electric folder to
view the contents: SE VM Host Accounts and SE VM Host Computers.

4. Within the Schneider Electric folder, double-click SE VM Host Computers.

5. Within the SE VM Host Computers folder, click SE VM Hyper-V Servers.


6. If the Host you need is under the Remote Desktop Enabled Hyper-V Servers
folder, expand the SE VM Hyper-V Servers folder and select Remote Desktop
Enabled Hyper-V Servers.

7. Select the computer name of the Hyper-V Host in the right panel.


8. From the selected Host, right-click and select Properties from the menu.

9. In the Properties window, click Delegation.


10. On the Delegation screen, change the default selection to Trust this computer
for delegation to specified services only as highlighted in this image.


11. Select Use Kerberos only and click Add.


12. In the Add Services dialog box, click Users or Computers.

13. In the Select Users or Computers dialog box, click Advanced.


14. In the Select Users or Computers dialog box, click Object Types.

15. In the Object Types dialog box, confirm only Computers is selected. Click OK.


16. In the Select Users or Computers dialog box, click Find Now.

17. Select the Destination Hyper-V Host Server name and click OK.


18. In the Select Users or Computers dialog box, verify that the selected computer
name is listed. Click OK.

19. In the Add Services dialog box, scroll down and select the cifs service for the
previously selected computer name.
Multiple services can be selected for the computer.
NOTE: If selecting more than one user or computer name, click Users or
Computers.


20. Select the Microsoft Virtual System Migration service. Click OK.
NOTE: To select both services together, press Ctrl.


21. In the Delegation tab, verify that both cifs and the Microsoft Virtual System
Migration services are listed for the target server. Click Apply.


22. Review the completed service setting specifications.

23. Repeat Step 17 through Step 22 for all target (destination) servers, if applicable,
so that the constrained delegation properties look similar to the example in this
image.


Performing Live Migration to Move a VM from One Hyper-V Host to Another
The use of Live Migration to move a VM from one Hyper-V Host to another is
recommended only in situations where it is not possible to use planned failover with
the replication feature as described in Planned Failover, page 102. Planned failover
requires that a VM be shut down, whereas Live Migration is performed without
shutting down the VM, which is considered a bumpless move.

NOTICE
POTENTIAL DATA LOSS
If Replication is enabled for the VM where Live migration is to be performed,
Replication must be disabled for that VM to perform Live migration. Simultaneous
operations of Replication and Live migration cannot be performed for the same VM.
Failure to follow these instructions can result in data loss.

1. Open the Hyper-V Manager.


2. Select the server name in the left panel and then select the VM on that server that
you want to move.


3. Right-click the VM name and select Move or from the right panel select Move.

4. When the Move VM Wizard starts, on the Before You Begin screen, click Next.


5. On the Choose Move Options screen, select Move the virtual machine’s data
to a single location. Click Next.

6. On the Specify Destination Computer screen, enter the name of the destination
Hyper-V Host server or use Browse to select the destination server. Click Next.


7. On the Choose Move Options screen, select Move the virtual machine’s data
to a single location. Click Next.

8. On the Choose a New Location for Virtual Machine screen, do one of these:
• Enter the hard drive folder location (on the destination server) where the
virtual machine data must be stored.
• Select a new location for virtual machine data using Browse.
Click Next.
NOTE: This image shows an example of the location of the virtual machine
data on the destination server: X:\LiveMigration\VM97AW


9. On the Completing Move Wizard screen, verify the summary of the selections.
Click Finish.


10. The progress of the move appears on the Hyper-V Manager VM listing screen.


11. To review network utilization during the move operation, view the Ethernet
performance on the Task Manager screen.


12. If the Move Wizard displays a detected error message during the move
operation, one of these scenarios might have occurred.

a. If using the CredSSP Authentication Protocol, verify the Migration/Move
operation was initiated from the source server.

b. If using the Kerberos Authentication Protocol, confirm the additional steps for
using Kerberos to set up constrained delegation were performed. See
Additional Steps for Kerberos Authorization Protocol, page 124.
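
The conditions this chapter sets for a live migration (the same authentication protocol on both hosts, constrained delegation when Kerberos is used, and replication disabled on the VM) can be checked from PowerShell before starting the Move wizard. This is an added example, not part of the original guide; it assumes the Hyper-V and ActiveDirectory PowerShell modules are installed, and the function name, host names and VM name are hypothetical.

```powershell
# Added example (not from the guide): read-only pre-flight check for a live migration.
# Assumes the Hyper-V and ActiveDirectory modules are installed and the caller may
# query both hosts and the domain. Test-LiveMigrationReadiness is a hypothetical name.
function Test-LiveMigrationReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourceHost,
        [Parameter(Mandatory)] [string] $DestinationHost,
        [Parameter(Mandatory)] [string] $VMName
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $authType = @{}

    # 1. Live migration must be enabled on both hosts and bound to listed IP addresses.
    foreach ($name in $SourceHost, $DestinationHost) {
        $vmHost = Get-VMHost -ComputerName $name
        $authType[$name] = $vmHost.VirtualMachineMigrationAuthenticationType
        if (-not $vmHost.VirtualMachineMigrationEnabled) {
            $findings.Add("${name}: incoming and outgoing live migrations are not enabled")
        }
        if ($vmHost.UseAnyNetworkForMigration) {
            $findings.Add("${name}: any available network may carry migration traffic; the guide selects specific IP addresses")
        }
    }

    # 2. The authentication protocol must match on source and destination.
    if ($authType[$SourceHost] -ne $authType[$DestinationHost]) {
        $findings.Add("Authentication protocol mismatch: $SourceHost=$($authType[$SourceHost]), $DestinationHost=$($authType[$DestinationHost])")
    }

    # 3. Kerberos needs constrained delegation from the source host account to the
    #    cifs and Microsoft Virtual System Migration Service services of the destination.
    if ($authType[$SourceHost] -eq 'Kerberos') {
        $srcShort = $SourceHost.Split('.')[0]
        $dstShort = $DestinationHost.Split('.')[0]
        $account  = Get-ADComputer -Identity $srcShort -Properties `
            'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
        $allowed  = @($account.'msDS-AllowedToDelegateTo')

        foreach ($service in 'cifs', 'Microsoft Virtual System Migration Service') {
            # Entries are stored as service/host, by short name and by FQDN.
            $entry = $allowed | Where-Object {
                $_ -like "$service/${dstShort}" -or $_ -like "$service/${dstShort}.*"
            }
            if (-not $entry) {
                $findings.Add("${srcShort}: no delegation entry for '$service' on $dstShort")
            }
        }
        if ($account.TrustedForDelegation) {
            $findings.Add("${srcShort}: trusted for delegation to any service (unconstrained); the guide selects specified services only")
        }
        if ($account.TrustedToAuthForDelegation) {
            $findings.Add("${srcShort}: any authentication protocol is allowed; the guide selects Use Kerberos only")
        }
    }

    # 4. Replication and live migration cannot run together for the same VM.
    $vm = Get-VM -ComputerName $SourceHost -Name $VMName
    if ($vm.ReplicationMode -ne 'None') {
        $findings.Add("${VMName}: replication is enabled (mode $($vm.ReplicationMode), health $($vm.ReplicationHealth))")
    }

    [pscustomobject]@{
        SourceHost      = $SourceHost
        DestinationHost = $DestinationHost
        VMName          = $VMName
        Ready           = ($findings.Count -eq 0)
        Findings        = $findings.ToArray()
    }
}

# Placeholder names; replace with your own hosts and VM.
Test-LiveMigrationReadiness -SourceHost 'HVHOST01' -DestinationHost 'HVHOST02' -VMName 'VM01' |
    Format-List
```

The function only reads configuration. Run it again with the host names swapped if VMs are also moved in the opposite direction, because the delegation entries are stored per source host account.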


Chapter 8: Centralized Management of Virtual Machines
This chapter covers VM startup and shutdown, the state of VMs, setup of
health alerts for both physical and virtual machines, utilization of resources, and
remote reboot and re-initialization of the server.
Centralized virtual management provides these capabilities:
• Start and shut down the virtual machines using the Hyper-V Manager
• View the state of the VMs
• Set up health alerts for both physical and virtual machines
• Observe resource utilization for the physical V91 host server and the virtual
machines
• Reboot and re-initialize the server hardware remotely

Hyper-V Manager for Starting and Stopping VMs


Starting and stopping the virtual machines using Hyper-V Manager can be done in
multiple ways. Any of these procedures can either start the virtual machine to bring it
online or shut down the virtual machine to take it offline.

Starting the VM
To start a virtual machine, there are different methods:
1. Open the Hyper-V Manager.


2. Select the virtual machine you want to start.


a. Right-click to access the Main Menu and select Start.

Alternately, right-click to access the Main menu and select Connect....

b. On the VM window, click the Power icon.

Alternately, click Action and select Start.


Shutting down the VM


To shut down a virtual machine that is currently running, there are different methods:
1. Open the Hyper-V Manager.
2. Select the virtual machine you want to shut down and perform these steps:
a. Right-click to access the Main Menu and select Shutdown.

Alternately, right-click to access the Main menu and select Connect....

b. On the VM window, click On.


Alternately, click Action and select Shutdown....

State of Virtual Machines (VM)


When you select a virtual machine associated with a selected server, this information
is available for that virtual machine from the initial screen:
• Name
• Current state (on/off)
• CPU usage
• Assigned memory
• Uptime
• Status
• Replication health
• Additional checkpoint and detail information


1. Open the Hyper-V Manager and under the Hyper-V Manager in the left panel,
select the server name that you want to observe.

The Name column appears with the list of all the VMs associated with the
selected server and the State column appears indicating the current state of the
virtual machines.
Be advised that these scenarios might occur:
• If the state of the virtual machine is dormant, not active, the VM is in the
shutdown (off) state.


When you click the desired virtual machine (for example, VDHS61) to view
the details for that VM currently in the Off state, no information is
available/shown in the bottom checkpoint and detail areas.

• If the state of the virtual machine is running or active, the VM will have
information in the Checkpoint and/or Detail areas.
When you click the desired virtual machine (for example, VDRCH9) to view
the details for that VM (currently in the Running state), the bottom checkpoint
and detail panels indicate information.


2. Within the detail panel, there are folder tabs across the bottom of the screen. To
access additional information regarding the selected VM, select one or more of
these tabs:
• Summary

• Memory

• Networking

• Replication

Setup for Health Alerts for Physical V91s and Virtual Machines Running on V91s
Health Alerts for Physical V91s
These applications provide the ability to receive health alerts for the physical V91s:
• Server Manager application (single or multiple servers) local direct access or via
Remote Desktop Protocol (RDP)
• HP Home Page application (single local server only) local direct access or via
RDP
This table indicates the access type and the appropriate application to use.


Table 3 - Alert Applications and Access Types

Access Type                                            Server Manager    HP Home Page
Local Access                                           Yes               Yes
Remote Access via Server Manager (Multiple Servers)    Yes               No
Remote Access via RDP                                  Yes               Yes

The Server Manager available selections and information are shown in this image.

The HP Home Page available selections and information are shown in these images.


Health Alerts for Virtual Machines Running on V91s


These applications provide the ability to receive health alerts for the virtual machines
running on a V91:
• Hyper-V Manager on a physical V91 (single or multiple servers) with local direct
access or via Remote Desktop Protocol (RDP).
• After logging into the VM (local to V91 via the virtual machine connection or via
RDP/Thin Client).
• Server Manager is available on the host V91 server while System Manager
applications are only available on stations (VMs or physical) that have IA installed
and are connected to the FDCN network. This is documented in detail in System
Management Displays (B0193JC) and System Manager User’s Guide
(B0750AP).
The Hyper-V Manager on a physical V91 provides columns of status information for
the VM health.


Viewing Replication Health (Example)


This image shows the current state of the VDRFV8 virtual machine as running.

However, the replication health is shown with a system message in this image.

For more information about this system message, you can access the Replication
dialog box.
Right-click the VM name and select Replication > View Replication Health....


The Replication health screen appears providing detailed replication health
information.


Observing Resource Utilization on the Physical V91 Host Server
To observe the current utilization of the various resources of the physical V91 host
server, use these applications:
• Task Manager Application
• Resource Monitor Application

Task Manager Application


Within the Task Manager application, you have access to these information screens:
• Process
• Performance (access to Resource Monitor application)
• Users
• Details
• Services

Accessing the Task Manager and Information Screens


1. To access the Task Manager application from the physical host server, right-click
the Task Bar and select Task Manager.


2. On Task Manager, click More details (lower left) to access these tabs:
Processes, Performance, Users, Details, and Services.

a. The Task Manager view changes to the Detailed view. Under Processes, for
example, CPU and Memory utilization for applications and background
processes is displayed.

b. For additional column information details related to the present view,
right-click and select the additional information columns required.


For example, to display PID column information, select PID.

c. Performance provides access to performance information. In addition, the
icon at the bottom of the screen provides access to the Resource Monitor.
For more information regarding the Resource Monitor, see Resource Monitor
to Accessing the Resource Monitor, page 162.


d. Users provides access to the User information.


e. Details provides details.

f. Services shows information similar to this image.


Resource Monitor to Accessing the Resource Monitor


From the Performance screen in the Task Manager application, you have access to
the Resource Monitor application with these related screens:
• Overview
• CPU
• Memory
• Disk
• Network


1. To access the Resource Monitor application, click the icon at the bottom of the
Performance tab.
The Resource Monitor appears with the folder tabs.

This image indicates an overview of these screens: CPU, Memory, Disk and
Network. Each of these screens can be expanded for additional resource
utilization information.

• CPU shows the Processes information and can be expanded to provide
information regarding the CPU services, associated handles, and associated
modules.


• Memory provides a list of processes and physical memory information.

• Disk shows Processes with Disk Activity and can be expanded to provide Disk
Activity and Storage information.


• Network provides a list of processes with Network Activity and can be
expanded to show Network Activity, TCP Connections, and Listening Ports.


Viewing Resource Utilization of Virtual Machines


1. In the left panel, select Hyper-V Manager and select the physical V91 Server
host of the VM you want to observe.

The virtual machines associated with the physical V91 Server host appear in the
middle panel. The information regarding the selected VM is displayed in these
areas: Virtual Machines, Checkpoints, VM basic identification information.


2. To expand the view, maximize the window and look at the window marked Virtual
Machines.

The columns in this expanded view provide information about resource utilization
for each of the individual VMs. See this table and image.

Table 4 - VM Information Provided

| No. | Column | Information Provided |
|---|---|---|
| 1 | Name | Name of VM |
| 2 | State | Current State of VM: Running or Off |
| 3 | CPU Usage | % of CPU Utilization by the VM |
| 4 | Assigned Memory | Assigned RAM to the VM |
| 5 | Uptime | Time VM has been running |
| 6 | Status | Information of current operations, if any, to the VM. For example, sending or receiving replication |
| 7 | Replication Health | Current health of the replication: Normal, Not Applicable, or Any Issue |

3. If necessary, you can add or remove columns in the VM view. Select View >
Add/Remove Columns....


4. From the Add/Remove Columns screen, select the desired column(s) to add or
remove from the screen. Click OK.


Rebooting/Re-initializing Server Hardware Remotely


1. From any server on the VHN network, do one of these:
• Click Server Manager.
• Click Start and click Server Manager.


2. In the left panel, select All Servers.

3. Select the Remote Server you want to reboot.

4. Right-click the target remote server where a reboot is desired and select Restart
Server.


5. On the Server Manager dialog box, select OK. The remote server restarts.

NOTE: The WinRM Service needs to be running on both servers - the
requesting server and the remote server. See Step 6 if a detected error
occurs.

6. After resolving either of these detected issues, repeat Step 1 through Step 5
again to reboot/re-initialize the server remotely.
• If you see a detected error message that WinRM is not running, see WinRM Is
Not Running in Chapter 9: Troubleshooting for a resolution.

• The WinRM service needs to be running on BOTH servers.


Chapter 9: Troubleshooting
WinRM Is Not Running
The Server Manager display shows a detected error message indicating that
refresh/automatic refresh did not succeed because WinRM was not running and
could not be started.

To resolve this condition temporarily, perform Modifying the WinRM Service, page
173.
To resolve this condition permanently, perform Modifying the Group Policy on the
Domain, page 177.


Modifying the WinRM Service


1. On the Tools menu in Server Manager, select Services to open the Services
window.

Alternately, click Control Panel > All Control Panel Items > Administrative
Tools and then select Services.


2. If prompted, click Yes on the User Account Control dialog box.


3. Locate the service named “Windows Remote Management (WS-Management)”.


This service is shown as unavailable.

4. Right-click Windows Remote Management and select Properties.


5. In the General tab, in the Startup Type: menu, select Automatic. Click Apply.


6. Click Start to start the selected service. Then click OK.

7. Repeat each of these steps for each of the Servers to resolve the condition
(temporarily).

Modifying the Group Policy on the Domain


NOTE: The CVM configuration program provides multiple Group policy objects
and links them. Some of these policies are optional and not required for all
situations, hence they are not linked by default. These steps provide information
on how to link Virt Windows Remote Management Service enabled to the desired
OU.


1. Log on to the Domain Controller and open Group Policy Management by
performing one of these actions:
• Under Administrative Tools, select Group Policy Management.

• Select Tools on the Server Manager and then select Group Policy
Management.


2. Under Group Policy Objects, verify Virt Windows Remote Management
Service enabled 2.0 is available.

3. You can do either of these steps to correct the condition permanently:


• Link to a pre-existing Organizational Unit (OU). For example, link this policy
object to Remote Desktop Enabled Hyper-V Servers OU.
• Link to a newly created custom Organizational Unit. For example, create a
custom OU and link the policy to it.


4. If creating your own custom OU, go directly to Step 5.


Otherwise, to link to a pre-existing OU, perform these steps:
a. Under Schneider Electric, expand the OUs under SE VM Host Computers.
Under the SE VM Hyper-V Servers, right-click Remote Desktop Enabled
Hyper-V Servers to access the menu and select Link an Existing GPO....

b. When the Select GPO window opens, select Virt Windows Remote
Management Service enabled 2.0. Click OK.


c. This linked policy shows up in the Linked Group Policy Objects.

d. To change the order of the linked policy, you can click the Up/Down arrow
icons. Go directly to Step 6 to move the Server computer object to the
modified OU.


5. To create your own custom Organizational Unit and link a policy to it, review these
steps in this example:
a. Right-click SE VM Hyper-V Servers OU or wherever the new OU must be
created. Select New Organizational Unit.

b. Enter the name of the new organizational unit. Click OK.

c. When the new OU is created, right-click the name of the OU. Then select
Link an Existing GPO....


d. When the Select GPO window opens, select Virt Windows Remote
Management Service enabled 2.0. Click OK.

This linked policy shows up in Linked Group Policy Objects.


e. You can link multiple policies to this custom OU. To change the order of the
linked policy, you can click the Up/Down arrow icons.


6. After the policy link is created, you must move the Server computer object to the
modified OU. This example indicates how to move Computer objects from the SE
VM Hyper-V Servers OU to the Remote Desktop Enabled Hyper-V Servers OU.
Open Active Directory Users and Computers by performing one of these actions:
• In Administrative Tools, select Active Directory Users and Computers

• In the Tools menu on Server Manager, select Active Directory Users and
Computers.

7. In the Active Directory Users and Computers window, under Schneider
Electric expand the SE VM Host Computers and select the SE VM Hyper-V
Servers OU to view the computers currently under this OU in the right panel.


8. Select the computer you want to move and perform one of these actions:
• Drag and drop that computer to the destination OU. If, for example, you are
moving to Remote Desktop Enabled Hosts, you might see a dialog box
informing you regarding the move. Click Yes.

• Alternately, select the computer to move and right-click to access the menu.
Select Move.

In the Move window, select Schneider Electric > SE VM Host Computers
> SE VM Hyper-V Servers > Remote Desktop Enabled Hyper-V Servers
OU.


9. Verify the moved computers are under the Remote Desktop Enabled Hyper-V
Servers OU.

10. After the computers are in the correct OU, you must update the Group Policy for
these computers. Using the Administrator command prompt, run gpupdate /force
to update the group policy.


11. Check the WinRM service to verify it is running and set to automatic.
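The check in Step 11, and the temporary fix from Modifying the WinRM Service, can also be scripted across several servers. This PowerShell sketch is an added example, not part of the original guide; the server names and the function names Get-WinRMState and Repair-WinRMService are assumptions.

```powershell
# Added example. Server names are placeholders; replace them with your V91 hosts.
# Targets Windows PowerShell 5.1 (Windows Server 2016), where Get-Service and
# Set-Service accept -ComputerName and reach the Service Control Manager over
# RPC, so they still work while WinRM itself is stopped. Assumes RPC is allowed
# between the servers and that the prompt is elevated.
$Servers = @('SERVER1', 'SERVER2')

function Get-WinRMState {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        $row = [ordered]@{
            Server       = $name
            Status       = 'Unreachable'
            StartType    = 'Unknown'
            WSManReplies = $false
        }
        try {
            $svc = Get-Service -Name WinRM -ComputerName $name -ErrorAction Stop
            $row.Status    = [string]$svc.Status
            $row.StartType = [string]$svc.StartType
            # Test-WSMan proves the listener answers, not only that the
            # service is registered and marked Running.
            $row.WSManReplies = [bool](Test-WSMan -ComputerName $name -ErrorAction SilentlyContinue)
        } catch {
            Write-Warning "$name : $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

function Repair-WinRMService {
    # Same effect as Startup Type: Automatic followed by Start in the
    # Services window. This is the temporary fix; the linked Group Policy
    # object is what keeps the setting in place.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($state in Get-WinRMState -ComputerName $ComputerName) {
        if ($state.Status -eq 'Unreachable') { continue }
        if ($state.StartType -ne 'Automatic' -or $state.Status -ne 'Running') {
            Set-Service -Name WinRM -ComputerName $state.Server `
                -StartupType Automatic -Status Running
        }
    }
    # Report the state after the change so the result can be reviewed.
    Get-WinRMState -ComputerName $ComputerName
}

# Report only (Step 11): every server should show Running / Automatic / True.
Get-WinRMState -ComputerName $Servers | Format-Table -AutoSize

# Apply the temporary fix, then report:
# Repair-WinRMService -ComputerName $Servers | Format-Table -AutoSize
```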

Viewing Security Certificate Condition on the HP HomePage


1. Open the HP HomePage application. The Continue to this website option is available.
NOTE: In order for the HP System Management home page to open in
Internet Explorer, you are required to run the utility in administrator mode
(Run as Administrator) and provide the administrator credentials.
2. Select Continue to this website (not recommended). The System
Management Homepage application starts.

Pinging between V91 Servers Results in Timeout


Even when Server Manager and Hyper-V Manager continue to function fine and are
able to manage V91 Servers, pinging between V91 servers times out.

To resolve the issue, see Creating Custom Firewall Rule, page 189.


Creating Custom Firewall Rule


You must create a Custom Windows Firewall rule to allow for ping communication.
1. From the Control Panel, open the Windows Firewall (to set firewall security
options to help protect your computer from hackers and malicious software).


2. In the Windows Firewall, click Advanced settings in the left panel.


3. On User Account Control, click Yes to allow changes to this computer.

4. On the Windows Firewall with Advanced Security screen, in the left panel,
click Inbound Rules.


5. With Inbound Rules selected in the left panel and the current rules listed as
shown in this image, click New Rule... in the right panel.


6. The New Inbound Rule Wizard starts. The wizard lists the required steps in
the left panel, and each step corresponds to a screen.

7. Rule Type: Select Custom and click Next.

8. Program: Select All Programs and click Next.


9. Protocol and Ports: On the Protocol and Ports screen, expand the Protocol
type menu.


10. Select the protocol type ICMPv4 and click Next.

11. Scope: With Any IP address still selected, click Next.


12. Action: With Allow the connection selected, click Next.

13. Profile: With all the profiles selected to indicate when the rule applies, click Next.


14. Name: For the Name field, enter Allow_Ping and for the Description field enter
This custom rule allows ICMPv4 protocol communication so that Ping
command can work. Click Finish.

15. The new inbound rule appears.

16. Close the windows. The ping command is now successful.
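The wizard steps above have a direct PowerShell equivalent, shown here next to a narrower variant and an audit helper. This is an added example, not part of the original guide; the rule name Allow_Ping_Scoped, the function names, and the choice of the Virtualization host network range from Appendix B as the permitted source are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt on each V91 server.

# 1. The rule exactly as the wizard steps build it:
#    Custom, All Programs, ICMPv4, Any IP address, Allow, all profiles.
function New-AllowPingRule {
    New-NetFirewallRule -DisplayName 'Allow_Ping' `
        -Description 'This custom rule allows ICMPv4 protocol communication so that Ping command can work.' `
        -Direction Inbound -Protocol ICMPv4 -Action Allow -Profile Any
}

# 2. Narrower variant (assumption, not in the guide): only Echo Request
#    (ICMPv4 type 8), and only from the listed source subnets. The default
#    is the Virtualization host network range given in Appendix B,
#    172.20.150.1 to 172.20.150.254 with mask 255.255.255.0.
function New-ScopedPingRule {
    param([string[]]$RemoteAddress = @('172.20.150.0/24'))
    New-NetFirewallRule -DisplayName 'Allow_Ping_Scoped' `
        -Description 'Allows ICMPv4 Echo Request from the listed subnets only.' `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $RemoteAddress -Action Allow -Profile Any
}

# 3. Audit: list every enabled inbound allow rule for ICMPv4 and flag the
#    ones that accept any ICMP type or any source address.
function Get-PingRuleSummary {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            if ($port.Protocol -ne 'ICMPv4') { return }   # skip non-ICMPv4 rules
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                IcmpType      = $port.IcmpType -join ','
                RemoteAddress = $addr.RemoteAddress -join ','
                Broad         = ($port.IcmpType -contains 'Any') -or
                                ($addr.RemoteAddress -contains 'Any')
            }
        }
}

# Create one of the two rules, then review what is in effect:
# New-AllowPingRule
# New-ScopedPingRule
Get-PingRuleSummary | Format-Table -AutoSize
```

A rule created with New-AllowPingRule is reported with Broad = True, since it accepts every ICMPv4 message type from any address.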


Certificate Creation Using the OpenSSL Tool


When an error is detected such as “Unable to load number from ./serial.txt” as shown
in this image, set an initial value like “1000” in the serial file and rerun the command.
After that, OpenSSL will increment the value each time a new certificate is generated.


Appendix A: NIC Teaming in Combination with Various NIC Selections Available with V91
You can use NIC teaming with the V91 NIC selections that are available.
The NIC part numbers are listed in the model code table in Model V91 Server
Virtualization Host (HP DL380 Gen9) for Windows Server 2016 User's Guide
(B0700HE).

Scenario 1: Four RJ-45 Cu Integrated Network Interface Ports
NIC teaming is optional for this selection, that is, if desired, integrated Cu NICs 1, 2, 3
or 4 can be used to create a NIC team for Virtualization Host Network.

Figure 6 - Four RJ-45 Cu Integrated Network Onboard Ports

[Figure content: 4th Position Foxboro Control Network Ethernet Interfaces Selection 1 and 5th Position Additional Ethernet Interfaces with Second Riser Selection 1. Onboard only NICs: Four RJ-45 Cu Integrated Network Interface Ports. Slots shown: Graphics Card; On Board NICs 1, 2, 3, 4. On Board NICs are not to be used for Control Network Connections. Legend: Virtualization Host Network.]

Scenario 2: Two Single Port FDCN NICs + Four RJ-45 Cu Integrated NICs
NIC teaming is optional for this selection, that is, if desired, onboard RJ-45 Cu
Integrated NICs 1, 2, 3 or 4 can be used to create NIC teams for Host and DCS ACN
Network.

Figure 7 - Two Single Port FDCN NICs + Four RJ-45 Cu Integrated NICs


An additional NIC teaming example shows DCS ACN NIC Team with onboard RJ-45
Cu Integrated NIC 1 and 2 and Virtualization Host Network Team with onboard RJ-45
Cu Integrated NIC 3 and 4.

Figure 8 - DCS ACN NIC Team with Onboard RJ-45 Cu Integrated NIC 1 & 2 and
Virtualization Host Network Team with Onboard RJ-45 Cu Integrated NIC 3 & 4
[Figure content: 4th Position Foxboro Control Network Ethernet Interfaces selection 2 or 3 and 5th Position Additional Ethernet Interfaces with Second Riser selection 1. Two Single Port RJ-45 Cu/PCIe NICs + Four RJ-45 Cu Integrated NICs, or Two Single Port Fiber LC Multi-mode Fiber PCIe NICs + Four RJ-45 Integrated NICs. Slots shown: Graphics Card; two Single Port NICs (P0924FD or P0928JN); On Board NICs 1, 2, 3, 4 (Optional NIC Teams). On Board NICs are not to be used for Control Network Connections. Legend: Control Network, DCS ACN, Virtualization Host Network.]

Scenario 3: Two Dual Port FDCN NICs + Four RJ-45 Cu Integrated NICs
The suggested NIC teaming shown in this image is:
• DCS ACN Team with one of the ports on dual port RJ-45 PCIe NIC and one
onboard RJ-45 Cu Integrated NIC.
• Virtualization Host Network Team with one of the ports on dual port RJ-45 PCIe
NIC and one onboard RJ-45 Cu Integrated NIC.

Figure 9 - Two Dual Port Control Network NICs + Four RJ-45 Cu Integrated NICs

[Figure content: 4th Position Foxboro Control Network Ethernet Interfaces selection 4 or 5 and 5th Position Additional Ethernet Interfaces with Second Riser selection 1. Two Dual Port RJ-45 Cu/PCIe NICs + Four RJ-45 Cu Integrated NICs, or Two Dual Port Fiber LC Multi-mode Fiber PCIe NICs + Four RJ-45 Integrated NICs. Slots shown: Graphics Card; two dual port (2P) NICs (RH103AQ or RH103AS); On Board NICs 1, 2, 3, 4. On Board NICs are not to be used for Control Network Connections. Legend: Control Network, DCS ACN, Virtualization Host Network.]

Scenario 4: Two single port FDCN NICs + Two single port RJ-45 PCIe NIC + 4 RJ-45 Integrated NICs
The suggested NIC teaming shown in this image is:
• DCS ACN Team with one single port RJ-45 PCIe NIC and one on board RJ-45 Cu
Integrated NIC.


• Virtualization Host Network Team with one single port RJ-45 PCIe NIC and one
on board RJ-45 Cu Integrated NIC.
Optionally, onboard RJ-45 Cu Integrated NICs 2 and 3 can be used as additional NICs
for Virtualization Host Network Team to provide additional network bandwidth.

Figure 10 - Two Single Port Control Network NICs + Two Single Port RJ-45 PCIe
NIC + 4 RJ-45 Integrated NICs
[Figure content: 4th Position Foxboro Control Network Ethernet Interfaces selection 2 or 3 and 5th Position Additional Ethernet Interfaces with Second Riser selection 2 or 3. Two single port RJ-45 PCIe NICs + Two single port RJ-45 PCIe NIC + 4 RJ-45 Integrated NICs, or Two single port fiber LC Multi-mode Fiber PCIe NICs + two single port fiber LC Multi-mode Fiber PCIe NICs + Four RJ-45 Integrated NICs. 2nd CPU Required. Slots shown: Graphics Card; Optional slot not used; four Single Port NICs (P0924FD or P0928JN); On Board NICs 1, 2, 3, 4. On Board NICs are not to be used for Control Network Connections. Legend: Control Network, DCS ACN, Virtualization Host Network.]

Scenario 5: Two Dual Port FDCN NICs + Two Dual Port Additional NICs + 4 RJ-45 Cu Integrated NICs
The suggested NIC teaming shown in this image is:
• DCS ACN Team with one port each from the two dual port FDCN NICs (Foxboro
part no: RH103AQ or RH103AS).
• Virtualization Host Network Team with all ports on two dual port Additional NIC's
(Foxboro part no: RH103AQ or RH103AS or RH103AT).

Figure 11 - Two Dual Port Control Network NICs + Two Dual Port Additional NICs
+ 4 RJ-45 Cu Integrated NICs
[Figure content: 4th Position Foxboro Control Network Ethernet Interfaces selection 4 or 5 and 5th Position Additional Ethernet Interfaces with Second Riser selection 4, 5 or 6. Two dual port RJ-45 PCIe NICs + Two dual port RJ-45 PCIe NIC + 4 RJ-45 Integrated NICs, or Two dual port fiber LC Multi-mode Fiber PCIe NICs + two dual port fiber LC Multi-mode Fiber PCIe NICs + Four RJ-45 Integrated NICs, or Two dual port fiber LC Multi-mode Fiber PCIe NICs + two dual port fiber LC Single-mode Fiber PCIe NICs + Four RJ-45 Integrated NICs. 2nd CPU Required. Slots shown: Graphics Card; Optional slot not used; two dual port (2P) NICs (RH103AQ or RH103AS); two Additional NICs (RH103AQ or RH103AS or RH103AT); On Board NICs 1, 2, 3, 4. On Board NICs are not to be used for Control Network Connections. Legend: Control Network, DCS ACN, Virtualization Host Network.]


Appendix B: IP Address Schemes


This IP address scheme is recommended for the DCS Auxiliary Communications
Network (ACN). This scheme is only designed to provide guidance and in the case
that a similar scheme is already in use on any existing network, it should be modified
to confirm that all the IP addresses are unique and there are no address conflicts.
For a virtual machine on a V91 server virtualization host with Control Core Services
software or the Control Software:
• For a station with a Foxboro DCS IP address such as 151.128.X.Y, use
172.17.X.Y. Change only the first two octets from 151.128 to 172.17. For
example, on a station with a Foxboro DCS IP address of 151.128.152.169, its
corresponding IP address for the DCS ACN would be 172.17.152.169.
• For subnet mask, use 255.255.0.0.
For remote clients, as well as virtual machines used to provide off-Control Network
functionality, such as an off-Control Network PDC:
• Use an IP address range of 172.17.24.1 to 172.17.63.254 and for subnet mask,
use 255.255.0.0.
For the Virtualization host network:
• Use an IP address range of 172.20.150.1 to 172.20.150.254 and for subnet
mask, use 255.255.255.0.
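The mapping rule and the uniqueness requirement above can be checked before addresses are assigned. This PowerShell sketch is an added example, not part of the original guide; the function names and station names are assumptions, and every sample address except 151.128.152.169 is constructed. It flags one case the scheme leaves implicit: a station whose third octet is between 24 and 63 maps into the range reserved for remote clients.

```powershell
# Added example. Ranges come from the scheme above; station names and all
# sample addresses other than 151.128.152.169 are constructed.

function ConvertTo-IPv4Number {
    # Dotted quad -> integer, so ranges can be compared numerically.
    param([Parameter(Mandatory)][string]$Address)
    $m = [regex]::Match($Address, '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$')
    if (-not $m.Success) { throw "Not a dotted-quad IPv4 address: $Address" }
    [long]$value = 0
    foreach ($i in 1..4) {
        $octet = [int]$m.Groups[$i].Value
        if ($octet -gt 255) { throw "Octet out of range in $Address" }
        $value = $value * 256 + $octet
    }
    $value
}

function Test-InRange {
    param([string]$Address, [string]$First, [string]$Last)
    $n = ConvertTo-IPv4Number $Address
    ($n -ge (ConvertTo-IPv4Number $First)) -and ($n -le (ConvertTo-IPv4Number $Last))
}

function ConvertTo-AcnAddress {
    # 151.128.X.Y -> 172.17.X.Y: only the first two octets change.
    param([Parameter(Mandatory)][string]$DcsAddress)
    $null = ConvertTo-IPv4Number $DcsAddress      # validates the format
    $o = $DcsAddress.Split('.')
    if ($o[0] -ne '151' -or $o[1] -ne '128') {
        throw "$DcsAddress is not a 151.128.X.Y Foxboro DCS address"
    }
    "172.17.$($o[2]).$($o[3])"
}

function Test-AcnPlan {
    # Input: hashtable of station name -> Foxboro DCS address.
    # Output: one row per station with the DCS ACN address and any conflict.
    param([Parameter(Mandatory)][hashtable]$Stations)
    $seen = @{}
    foreach ($name in ($Stations.Keys | Sort-Object)) {
        $acn = ConvertTo-AcnAddress $Stations[$name]
        $issues = @()
        # Remote clients and off-Control Network VMs use 172.17.24.1 to
        # 172.17.63.254; a mapped station address must not land there.
        if (Test-InRange $acn '172.17.24.1' '172.17.63.254') {
            $issues += 'falls inside the remote-client range'
        }
        if ($seen.ContainsKey($acn)) {
            $issues += "duplicates $($seen[$acn])"
        } else {
            $seen[$acn] = $name
        }
        [pscustomobject]@{
            Station    = $name
            Dcs        = $Stations[$name]
            Acn        = $acn
            SubnetMask = '255.255.0.0'
            Issues     = $issues -join '; '
        }
    }
}

$stations = @{
    'STN001' = '151.128.152.169'   # address used in the guide's example
    'STN002' = '151.128.30.5'      # constructed: maps into 172.17.24.1-172.17.63.254
    'STN003' = '151.128.152.169'   # constructed duplicate of STN001
}
Test-AcnPlan -Stations $stations | Format-Table -AutoSize
```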


Appendix C: Certificate Creation Using the Makecert Tool
You can use the Makecert certificate creation tool to create certificates for
testing replication.
These steps allow you to create and distribute certificates for replication testing
purposes:
• Download the certificate creation tool
• Create certificates for test purposes
• Verify/view certificates
• Export certificate to VM Host Manager
• Import certificate to target Hyper-V replica servers

Download/Extract Makecert.exe from Microsoft Windows SDK for Windows 10 and .NET Framework 4
Links to Makecert.exe (Certificate Creation Tool)
Information about the MakeCert tool is available at these links:
• https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/makecert
• https://msdn.microsoft.com/en-us/library/windows/desktop/aa386968(v=vs.85).aspx
Additionally, the tool is available at these links:
• Web-based installer for “Microsoft Windows SDK for Windows 10 and .NET
Framework 4” which includes MakeCert tool is available at:
https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk
• ISO installer for “Microsoft Windows SDK for Windows 10 and .NET Framework 4
(ISO)” which includes MakeCert tool is available at:
https://www.microsoft.com/en-us/download/details.aspx?id=8442

Download Certificate Creation Tool


Downloading Microsoft Windows 10 SDK for Windows 10 and .NET Framework 4
Using the appropriate link, download the Microsoft Windows SDK for Windows 10 and
.NET Framework 4 which includes the MakeCert tool:


1. At the download screen, select the download you want.

2. After downloading the ISO file or the web installer, double-click the ISO file to
install Microsoft Windows SDK for Windows 10 and .NET Framework 4 on a
Windows computer with 64-bit operating system.

NOTICE
POTENTIAL DATA LOSS
This Microsoft Windows SDK installation should be done on any of the
Windows 10, and Windows Server 2016 operating system machines and
targeting .Net Framework version 4 and lower to version 2.0. Perform steps for
the procedure Installing Microsoft Windows SDK for Windows 10 and .NET
Framework 4, page 204 to install Microsoft Windows SDK on any of the
aforementioned operating systems. After the installation of SDK, follow the
procedure Creating Certificates Using makecert.exe, page 208 to create the
certificate on the “Required” server using “makecert.exe”.
Failure to follow these instructions can result in data loss.

Installing Microsoft Windows SDK for Windows 10 and .NET Framework 4


1. Browse to the DVD/ISO file and double-click WinSDKsetup.


2. In the Specify Location window, click Next.

3. In the Windows Kits Privacy, select No, and click Next.


4. Click Accept on License Agreement.

5. On Select the Features you Want to Install, click Install.


6. After installation, the Windows Software Development Kit window appears with
a message. Click Close.

7. After installation, locate the makecert.exe file in
C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64. This makecert.exe
file must be copied and used on the primary server where the certificates are made.

Continue to the next section Creating Certificates Using makecert.exe, page 208
to create the certificates.


Creating Certificates Using makecert.exe


1. Create a folder named MakeCert on the C:\ drive of your Primary server.
Then copy the makecert.exe tool to that MakeCert folder. This image shows the
detailed properties of the makecert file.

2. Open the command prompt with Run As Administrator. Change the path to
C:\MakeCert.


3. To create the test root certificate, run this command, which creates a self-signed
root authority certificate. The command also installs the test certificate in the root
store of the local machine and saves it as a file locally.
makecert -pe -n "CN=MyMSCRTRootCA" -ss root -sr LocalMachine -sky signature -r "MyMSCRTRootCA.cer"

NOTE: Perform Step 4 on the Primary Server only.


4. Run the following command from the primary V91 server once for each host
server in the CVM domain from an elevated command prompt, changing the
server name each time, to create the new certificate(s) signed by the test root
authority certificate.
NOTE:
• Verify that you specify the comma “,” between the number series
1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2 after the -eku token.
• The bold fields (V90DRP1S1, V90DRP1S2) should be replaced with
Primary V91 and Secondary V91 server names along with domain name.
For example, if the server name is SERVER1 and its domain is
CVMPDC.local, it should be updated with “SERVER1.CVMPDC.local”.
makecert -pe -n "CN=V90DRP1S1" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "MyMSCRTRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 V90DRP1S1.cer

makecert -pe -n "CN=V90DRP1S2" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "MyMSCRTRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 V90DRP1S2.cer


5. Perform these steps to view the certificates:


mmc > File > Add/Remove Snap in… > Certificates > Add > Computer
Account > Next > Finish > OK
a. Open Run and enter MMC and click OK.

The Console window appears.

b. From File, click Add/Remove Snap-in....

c. Select Certificates and then click Add.


d. Select Computer account and then click Next.

e. Confirm the Local computer (the computer this console is running on)
default is selected. Click Finish.


f. When the Add or Remove Snap-ins wizard returns, click OK.


6. The Personal certificate (with the machine names) and the Root certificate
(MyMSCRTRootCA) are in the highlighted folders.

7. Export the ReplicaServer certificate with the private key. From the console,
right-click the certificate associated with the replica server and select
All Tasks > Export... to access the Certificate Export Wizard.
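Before exporting, the properties that the makecert options in Step 3 and Step 4 are meant to produce can be checked from PowerShell instead of by eye in the MMC console. This read-only sketch is an added example, not part of the original guide; the function name Test-ReplicaCertificate is an assumption, and SERVER1.CVMPDC.local is the sample name from the NOTE in Step 4.

```powershell
# Added example. Read-only: inspects the LocalMachine certificate stores and
# changes nothing. Run from an elevated PowerShell prompt on the server that
# holds the certificate.

function Test-ReplicaCertificate {
    param(
        # Name given after CN= in the makecert -n option for this server.
        [Parameter(Mandatory)][string]$SubjectName,
        # Subject of the test root created in Step 3.
        [string]$RootSubject = 'CN=MyMSCRTRootCA'
    )
    # The two OIDs passed to -eku: Server and Client Authentication.
    $requiredEku = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')

    $rootPresent = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $RootSubject })

    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$SubjectName" })
    if ($certs.Count -eq 0) {
        Write-Warning "No certificate with subject CN=$SubjectName in LocalMachine\My"
        return
    }

    foreach ($cert in $certs) {
        # Collect the EKU OIDs actually present on the certificate.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        $missingEku = @($requiredEku | Where-Object { $ekus -notcontains $_ })

        # Build the chain in machine context. Revocation is not checked here;
        # this only confirms the chain ends at a trusted root.
        $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
        $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        $now = Get-Date
        $inValidity = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey       # needed for the .pfx export
            IssuedByRoot  = ($cert.Issuer -eq $RootSubject)
            RootInStore   = $rootPresent
            MissingEku    = $missingEku -join ','
            InValidity    = $inValidity
            ChainOk       = $chainOk
            ChainErrors   = $chainErrors
            Ready         = $cert.HasPrivateKey -and $rootPresent -and $chainOk -and
                            $inValidity -and ($missingEku.Count -eq 0) -and
                            ($cert.Issuer -eq $RootSubject)
        }
    }
}

# Sample name from the guide's NOTE; replace with each server's own name.
Test-ReplicaCertificate -SubjectName 'SERVER1.CVMPDC.local' | Format-List
```

The same function can be run on each Hyper-V Replica server once the root certificate and the .pfx file have been imported there.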


Exporting Certificate to VM Host Manager


1. After reviewing the Welcome screen information, click Next.


2. In the Export Private Key screen, select Yes, export the private key. Click
Next.


3. In the Export File Format screen, select Personal Information Exchange -
PKCS #12 (.PFX). Confirm the Include all certificates in the certification path,
if possible checkbox is selected. Click Next.


4. On the Security screen, select the Password: checkbox and enter the private
key password to be used and confirm the password. Click Next.


5. On the File to Export screen, click Browse... to access the C:\MakeCert to
export the private key. Select a name for the .pfx file and click Save on the Save
As screen. Click Next.


6. The Completion screen indicates the specified settings. Click Finish.

7. On the Export Success dialog box, click OK.

Importing Certificate to Target Hyper-V Replica Servers


1. Copy the C:\MakeCert folder to the target Hyper-V Replica servers in the same
respective directory location.


2. Open an administrator command prompt and navigate to C:\MakeCert. Run
this command.
certutil -addstore -f Root "MyMSCRTRootCA.cer"
Repeat Step 2 through Step 4 for each Hyper-V Replica server.

3. Import the certificates to the personal certificates as follows:


a. Open Run and enter MMC. Click OK.

b. In the User Account Control, click Yes.


The Console window appears.

c. From File, click Add/Remove Snap-in.


d. Select Certificates and then click Add.

e. Select Computer account and then click Next.


f. Confirm the Local computer (the computer this console is running on)
default is selected. Click Finish.

g. Select Certificates on the left panel and verify the Console Root certificates.
When the Add or Remove Snap-ins Wizard returns, click OK.


h. Under Certificates in the left panel, right-click Personal and select All tasks
and then Import....

i. On Certificate Import Wizard, click Next.


j. From the File to Import window, select Browse... to locate the MakeCert
folder.


k. Click All Files in the file list. Select the private key (.pfx file) and click Open.

l. With the File path/name to import shown under File name:, click Next.

m. On the Private Key Protection screen, enter the password for the private
key. Then click Next.


n. On the Certificate Store screen, select Place all certificates in the
following store. Use Browse... to select the Personal store. Click Next.


o. The Completion screen indicates the specified settings. After verification,
click Finish.

p. On the Import Success dialog box, click OK.

4. Create this registry key on both the Primary and the Replica servers using the
Administrator command prompt:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f


5. Verify that the created Root Certificate such as MyMSCRTRootCA is present
under the “Trusted Root Certification Authority” in the certificate store MMC. See
of this section to open the MMC.

6. Perform the certutil Validation. For more information, see certutil Validation, page
88.


Appendix D: Certificate Creation Using the OpenSSL Tool
Create Certifications Using OpenSSL
The OpenSSL tool must be installed on the system in order to create the required
configuration and batch files necessary to create the root certificate authority and the
client certificates.

Download OpenSSL Installation Files


• OpenSSL installation files can be downloaded for Windows x64 machines.

Installing OpenSSL Setups


1. Double-click this executable file: Win64OpenSSL-<latest version>.exe
NOTE: The executable file used should be the latest available from the
website. At the time of testing, version 1_0_2o was used.
2. On the Welcome to the OpenSSL (64-bit) Setup Wizard, click Next to continue
the installation.


3. Select I accept the agreement on the License Agreement screen. Click Next.

4. Confirm the default destination location is selected and click Next.


5. Click Next to select the Start Menu folder.

6. Confirm The Windows system directory is selected. Click Next.


7. On the Ready to Install screen, click Install to install OpenSSL on your
computer.

8. Click Finish to complete the OpenSSL installation.


Modify Environment Variable Path to OpenSSL Executable from Any Path
Environment variables can be created using System Properties as shown in this
image.
Modify the environment variable path to add C:\OpenSSL-Win64\bin to execute
openssl.exe from any path.

Creating Configuration Files for Use with OpenSSL


Configuration files are needed to create the two types of OpenSSL certificates:
• Root certification authority certificate (root certificate) which is the main certificate
and is common for all the servers
• Device certificates (Server Certificates) which are the certificates for individual
Host Servers
Configuration files (<File Name>.Conf extension) are needed for each certificate.
NOTE: It is necessary to create these empty text files: index.txt and serial.txt.
Root Certificate - one possible example configuration file/parameters needed for the
Root certificate is shown here and in the image:
"
[ ca ]
default_ca =
[ req ]
commonName = MyOSSLRootCA
default_bits = 2048
default_days = 3650
default_md = sha1
encrypt_key = no
extendedKeyUsage = serverAuth, clientAuth
prompt = no
distinguished_name = root_ca_distinguished_name
[ root_ca_distinguished_name ]
commonName = MyOSSLRootCA
[ device_cert_extensions ]
extendedKeyUsage = serverAuth, clientAuth
[ device_cert_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
"
This image shows one example root certificate configuration file/parameters. The
highlighted sections must be reviewed.

Device Certificate - one possible example configuration file/ parameters needed for
the Device certificate is as shown here and in the image.
NOTE: For each Hyper-V Host Server, you need a separate configuration file.
"
[ ca ]
default_ca = root_ca
[ root_ca ]
copy_extensions = copy
private_key = OSSLRootCA.key
certificate = OSSLRootCA.crt
new_certs_dir = .
database = ./index.txt
default_md = sha1
policy = device_cert_policy
serial = ./serial.txt
default_days = 3600
x509_extensions = device_cert_extensions
[ req ]
commonName = DEVS12CVMHVHS1.CVMPDC.Local
default_bits = 2048
default_days = 3600
default_md = sha1
encrypt_key = no
extendedKeyUsage = serverAuth, clientAuth
prompt = no
distinguished_name = device_cert_distinguished_name
x509_extensions = device_cert_extensions
[ device_cert_distinguished_name ]
commonName = DEVS12CVMHVHS1.CVMPDC.Local
[ device_cert_extensions ]
extendedKeyUsage = serverAuth, clientAuth
[ device_cert_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
"


Creating Batch Script Files


In addition to configuration files, batch files simplify certificate creation.
Root Certificate - one possible example batch file/ parameters needed for the Root
certificate is shown here and in the image:
"
@echo off
echo Creating OSSL Root certificate.
set OPENSSL_CONF=.\OSSL_Root.cnf
openssl genrsa -out OSSLRootCA.key 2048 -des3
openssl req -x509 -new -nodes -key OSSLRootCA.key -days 1024 -out OSSLRootCA.crt
"


Device Certificate - one possible example batch file/ parameters needed for the
Device certificate is shown here and in the image:
NOTE: S12CVMHVHS1.CVMPDC.Local and S12CVMHVHS2.CVMPDC.Local
are the machine names used for example only.

@echo off
echo Creating Server 1 OSSL device certificate.
set OPENSSL_CONF=.\Server_1_OSSL_device.cnf
openssl genrsa -out S12CVMHVHS1.CVMPDC.Local_OSSL_device.key 2048
openssl req -new -key S12CVMHVHS1.CVMPDC.Local_OSSL_device.key -out S12CVMHVHS1.CVMPDC.Local_OSSL_device.csr
openssl ca -key S12CVMHVHS1.CVMPDC.Local_OSSL_device.key -in S12CVMHVHS1.CVMPDC.Local_OSSL_device.csr
RENAME *.pem S12CVMHVHS1.CVMPDC.Local_OSSL_device.crt
openssl pkcs12 -export -in S12CVMHVHS1.CVMPDC.Local_OSSL_device.crt -inkey S12CVMHVHS1.CVMPDC.Local_OSSL_device.key -name "OSSL S12CVMHVHS1.CVMPDC.Local Cert" -out S12CVMHVHS1.CVMPDC.Local_OSSL_device.pfx -rand 1.rnd -passout pass:Passw0rd

To simplify certificate creation, a common top level batch file can also be created
which calls the Root certificate batch file and then all Device certificate batch files. An
example of such a batch file is shown here and in the image.
"
@echo off
echo Create OSSL root certificate.
call .\Make_OSSL_root_cert.bat
echo Create Server 1 OSSL device certificate.
call .\Make_Server_1_OSSL_device_cert.bat
echo Create Server 2 OSSL device certificate.
call .\Make_Server_2_OSSL_device_cert.bat
"


Creation of Root CA (Certificate Authority) and Client Certificates
After completing the configuration and batch script files, you can now create the Root
and Client certificates using this process.

Creating the Root CA


1. Open the command prompt with Run As Administrator.
2. Using the CD command, navigate to the configuration files folder where the Root
CA and Client configuration files were created.

3. Run the Make_OSSL_Root_Cert.bat script.

After the batch script execution is successful, you can see the RootCA.key and
the RootCA.CRT files in the configuration files folder.

Creating and Signing Certificates


1. Open the command prompt with Run As Administrator.
2. Navigate to the Top Level Bat file script using the CD command.


3. Run the Top Level Batch file script. See these images for the procedure.

4. When you press Enter to execute the batch file command, a Yes / No prompt
appears. Enter Y and press Enter. This must be repeated once for each client
certificate.


5. After you begin certificate creation and the script executes successfully, you can
see the ‘.pfx’ files.

NOTE: Each .pfx file should have the Key icon if the certificate is successfully
created. If the Key icon does not exist, you must rerun the script after
resolving the issues.

If a detected error message such as “Unable to load number from ./serial.txt”
appears, see Certificate Creation Using the OpenSSL Tool, page 198 for
information on how to resolve it.

Installing Certificates on Clients


With everything in place, you are ready to install the certificates for the Hyper-V
Servers.


• Using the Certificates Management console, install the Root CA into the Hyper-V
server's Trusted Root Certificate Authorities folder and install the client certificate
in the Personal Certificates folder.

Create the Registry Key


• Using Administrator: Command Prompt, enter this command:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
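
One way to check the result of the certificate import steps in Appendix C and of the "Installing Certificates on Clients" and "Create the Registry Key" steps above, as an added PowerShell example that is not part of the guide. `$RootName`, `$HostFqdn` and the helper `Add-Result` are assumptions introduced here, as is the expectation that the host certificate's common name is the host's fully qualified name (as in the example device configuration file).

```powershell
# Added example, not part of the guide. Run as a script in an elevated PowerShell
# session on each Hyper-V host. $RootName and $HostFqdn are assumptions: set them to
# the root CA name and the host name used when the certificates were created.
param(
    [string]$RootName = 'MyMSCRTRootCA',   # MyOSSLRootCA for the OpenSSL procedure
    [string]$HostFqdn = [System.Net.Dns]::GetHostEntry('').HostName
)

$serverAuth = '1.3.6.1.5.5.7.3.1'   # EKU OID for Server Authentication
$clientAuth = '1.3.6.1.5.5.7.3.2'   # EKU OID for Client Authentication
$results    = New-Object System.Collections.Generic.List[object]

function Add-Result {
    param([string]$Check, [bool]$Pass, [string]$Detail = '')
    $script:results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. The root CA certificate must be in the machine's Trusted Root store.
$roots = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $RootName })
Add-Result 'Root CA in LocalMachine\Root' ($roots.Count -gt 0) "found: $($roots.Count)"

# 2. The host certificate must be in the machine's Personal store.
$hostCerts = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $HostFqdn })
Add-Result "Certificate for $HostFqdn in LocalMachine\My" ($hostCerts.Count -gt 0) "found: $($hostCerts.Count)"

foreach ($cert in $hostCerts) {
    $id  = $cert.Thumbprint.Substring(0, 8)
    $now = Get-Date

    # A .pfx import that lost the private key leaves a certificate that cannot be used.
    Add-Result "[$id] private key present" $cert.HasPrivateKey

    $valid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    Add-Result "[$id] within validity period" $valid "expires $($cert.NotAfter)"

    $issuer = $cert.GetNameInfo('SimpleName', $true)
    $alg    = $cert.SignatureAlgorithm.FriendlyName
    Add-Result "[$id] issued by $RootName" ($issuer -eq $RootName) "issuer: $issuer, signed with $alg"

    # Both usages appear in extendedKeyUsage in the example configuration files.
    $eku = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    $ekuOk = ($eku -contains $serverAuth) -and ($eku -contains $clientAuth)
    Add-Result "[$id] EKU has serverAuth and clientAuth" $ekuOk ($eku -join ', ')

    # Revocation is not checked here, matching the DisableCertRevocationCheck value
    # that the procedure sets for replication.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built  = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Add-Result "[$id] chains to a trusted root" $built $status
}

# 3. Registry value created in the last step of the procedure.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
$reg = Get-ItemProperty -Path $key -Name DisableCertRevocationCheck -ErrorAction SilentlyContinue
$val = if ($reg) { $reg.DisableCertRevocationCheck } else { $null }
Add-Result 'DisableCertRevocationCheck = 1' ($val -eq 1) "value: $val"

$results | Format-Table -AutoSize -Wrap
```

Any row with Pass = False points at the step to repeat; the Detail column also shows the signature algorithm so that certificates signed with SHA-1 (the `default_md` in the example configuration files) are visible for review.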


Appendix E: Network Drive Access


To protect the V91 host from network-related vulnerabilities, access to
untrusted network devices such as network file servers has been restricted. Where
access to those network drives is required, perform these steps. They let you access
network drives when CVM policies do not allow the V91 to connect to them.

Editing CVM PDC Settings


1. On the CVM PDC, log in as the domain administrator such as VMDomainAdmin.
2. Right-click Windows and select Run.
3. Enter gpmc.msc and click OK.
4. In the User Access Control dialog box, click Yes. The Group Policy Management
editor appears.
5. Expand [Forest] > Domains > [Domain Name] > Group Policy Objects node.
6. To edit the Virt Hyper-V Merged Baseline 2.0 GPO:
a. Right-click the Virt Hyper-V Merged Baseline 2.0 GPO and select Edit….


The Group Policy Management Editor for this GPO appears.


b. Navigate to Computer Configuration > Policies > Windows Settings >
Security Settings > Local Policies > Security Options node.

c. In the right pane, double-click the Microsoft network client: Digitally sign
communication (Always) setting and select Disabled. Click OK.
d. Close the Group Policy Management Editor.
7. To edit the SE Server 2016 Member Server Security Compliance v1.0 GPO:
a. Right-click the SE Server 2016 Member Server Security Compliance 1.0
GPO and select Edit....

The Group Policy Management Editor for this GPO appears.


b. Navigate to Computer Configuration > Policies > Administrative
Templates > Network > Lanman Workstation node.


c. In the right pane, double-click the Enable insecure guest logons setting,
and select Enabled. Click OK.
d. Close the Group Policy Management Editor.

Updating Policy Settings on V91 Host


1. Log on to the V91 host where the network access is needed as VMHostAdmin or
VMDomainAdmin.
2. Right-click Windows, select Command Prompt (Admin), and enter the
VMHostAdmin credentials.
3. Enter gpupdate /force and press Enter. At this time, the network drive should be
accessible.
NOTE: After using the network drive, we strongly recommend resetting these
two settings to their original values to bring the V91 security back to the
original state. These are the factory settings:
a. Computer Configuration > Policies > Windows Settings > Security
Settings > Local Policies > Security Options
Microsoft network client: Digitally sign communication (Always) - Enabled
b. Computer Configuration > Administrative Templates > Network >
Lanman Workstation
Enable insecure guest logons - Disabled
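
A read-only check that the V91 host is back at the two factory values after the network drive has been used, as an added PowerShell example that is not part of the guide. The registry paths and value names are the ones these two policies write to on Windows; the function name `Get-PolicyState` is hypothetical.

```powershell
# Added example, not part of the guide. Run in an elevated PowerShell session on the
# V91 host after the GPOs have been reset and gpupdate /force has completed.
# Expected values are the factory settings listed in the note above.
$expected = @(
    [pscustomobject]@{
        Policy = 'Microsoft network client: Digitally sign communication (Always)'
        Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
        Name   = 'RequireSecuritySignature'
        Value  = 1      # Enabled
    },
    [pscustomobject]@{
        Policy = 'Enable insecure guest logons'
        Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
        Name   = 'AllowInsecureGuestAuth'
        Value  = 0      # Disabled
    }
)

function Get-PolicyState {
    param([Parameter(Mandatory)]$Setting)
    $item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
    # A missing value means the GPO did not write the setting, so it is reported
    # as a mismatch instead of being assumed to be the factory state.
    $current = if ($item) { $item.($Setting.Name) } else { $null }
    [pscustomobject]@{
        Policy   = $Setting.Policy
        Expected = $Setting.Value
        Current  = if ($null -eq $current) { '<not set>' } else { $current }
        Factory  = ($null -ne $current) -and ($current -eq $Setting.Value)
    }
}

$state = $expected | ForEach-Object { Get-PolicyState -Setting $_ }
$state | Format-Table -AutoSize -Wrap

# Connections negotiated under the relaxed settings may still be open; list them
# for review.
$open = @(Get-SmbConnection -ErrorAction SilentlyContinue)
if ($open.Count -gt 0) {
    $open | Select-Object ServerName, ShareName, UserName, Dialect | Format-Table -AutoSize
}

if (@($state | Where-Object { -not $_.Factory }).Count -gt 0) {
    Write-Warning 'V91 host is not back at the factory SMB client settings.'
}
```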


Appendix F: Performance Counters


To keep the V91 host more secure, the Performance Counters feature is unavailable
on V91 hosts by default. Where this feature is required, follow this procedure to
enable it.

Editing CVM PDC Settings


1. On the CVM PDC, log on as the domain administrator such as VMDomainAdmin.
2. Right-click Windows and select Run.
3. Enter gpmc.msc and click OK.
4. In the User Access Control dialog box, click Yes to open the Group Policy
Management Editor.
5. Expand [Forest] > Domains > [Domain Name] > Group Policy Objects node.


6. Right-click the Virt Hyper-V Security Services 2.0 GPO and select Edit….

The Group Policy Management Editor for this GPO appears.


7. Navigate to Computer Configuration > Policies > Windows Settings >
Security Settings > System Services node.


8. In the right pane, right-click the Performance Logs & Alerts setting and select
Manual. Click OK.
9. Close the Group Policy Management Editor.

Monitoring Performance Counters on the V91 Host


1. Log on to the V91 host for which the performance counters are to be monitored
as VMHostAdmin user.
2. Right-click the Windows menu, select Command Prompt (Admin), and enter
the VMHostAdmin credentials.
3. Enter gpupdate /force and press Enter.
4. At this point, the Performance Counters can be run from the Server Manager or
the Performance Monitor application.


Appendix G: Enabling Remote Desktop Services


You can perform these steps to enable the Remote Desktop (RDP) on CVM PDC:
NOTE: To perform these operations, you must be a part of the Domain Admins
group.
1. Click Windows and select Windows Administrative tools > Active Directory
Users and Computers. You might need to scroll down to see this menu
selection.

2. Select Domain Controllers OU and then select the PDC computer.


3. Right-click the PDC computer and click Properties. The Properties dialog box
appears.

4. Click Member of and then click Add. The Select Groups dialog box appears.


5. Under the Enter the Object Names to Select field, enter RDP and click Check
Names.

6. Click OK.


7. The Domain Controller Properties window appears. Click OK and click OK
again.

8. Click OK to close the window.


9. Open Command Prompt as Administrator and enter Gpupdate /force.

10. Click Start > Run. Enter services.msc and then click OK.


11. Verify that the status of Remote Desktop Services is “Running”.

12. Confirm that the status of Remote Desktop Configuration is “Running”.

NOTE: If the services are Disabled, change Startup Type to Manual and
start the services.
13. Now configure the Remote desktop connection from the client or host, and log in
as VMDomainAdmin user.


Appendix H: Creating VMHostAdmin Users in the Active Directory
You can create VMHostAdmin Users in the Active Directory.
You must perform these steps to create a VMHostAdmin user account in the Active
Directory on the PDC VM:
1. Click the Windows icon key and select Windows Administrative tools > Active
Directory Users and Computers. You might need to scroll down to see this
menu selection.


2. Under Schneider Electric \ SE VM Host Accounts, right-click SE VM Host
Users, and select New > User.

3. The New Object - User dialog box appears. Enter the First name, Full name,
and User logon name (for example, VMHostuser).
NOTE: All three values you enter must be identical. See this image for an
example.

4. Click Next.


5. In the New Object User window, enter a password and confirm the new
password. Clear the User Must Change Password at Next Logon checkbox.
Verify that the User Cannot Change Password, Password Never Expires, and
Account is Disabled checkboxes are also cleared. Click Next.

6. Click Finish to create the object.


7. Right-click the new username in the Active Directory Users and Computers
dialog box to open the Properties dialog box.


8. Click Member Of and then click Add.

9. Under the Enter the Object Name to Select field, enter VMHost and click
Check Names.


10. Click OK to close the Select Groups dialog box.

11. The newly created user is now added to the VMHostAdmins group. Click OK to
close the Properties dialog box.


Glossary
A
AD: Active Domain

C
CAL: Client Access License

Centralized Virtualization Management (CVM): Provides the ability to monitor and
maintain virtual machines on multiple V91 Virtualization Host servers from a single
console seat or a remote location.

COA: Certificate of Authenticity

Control Core Services (CCS): Core software environment, formerly known as “I/A
(Intelligent Automation) Series software”.

Control Editors (CE): Control software engineering and configuration tools built on
the ArchestrA® Integrated Development Environment in Foxboro DCS. Formerly
known as “FCS Configuration Tools”, “InFusion Engineering Environment”, and “IEE”.

Control HMI (CHMI): The collection of windows and related configuration files that
make up the HMI as viewed within InTouch software in Foxboro DCS. Formerly
known as the “FCS InTouch Application”.

Control Network: A switch network that facilitates communications among Foxboro
DCS workstations/servers and other stations. Formerly known as “The MESH Control
Network”.

Control Software (CS): Packages built on the ArchestrA Integrated Development
Environment (IDE) that provide expanded functionality to the Foxboro DCS Control
Core Services. Formerly known as “Foxboro Control Software”.

CredSSP: Credential Security Support Provider

D
DCS ACN: DCS Auxiliary Communications Network. 1Gb network that cannot share
any of the same network hardware (switches) with the control network. Foxboro DCS
control communication cannot occur over the DCS ACN.

DCS: Distributed Control System. Overall term used to refer to a control system in
which the safety control components are distributed, with each component controlled
by one or more controllers.

DSRM: Directory Services Remote Mode

F
FDCN: Foxboro DCS Control Network

G
Gb: Gigabit

GB: Gigabyte

GPO: Group Policy Object


H
HTTP: HyperText Transfer Protocol

HTTPS: Hypertext Transfer Protocol Secure

Hyper-V Host Domain: Foxboro DCS Hyper-V Host Domain (for example,
FEHVHOST), a dedicated Server 2016-based client for V91 servers only.

I
ISO: the International Organization for Standardization (ISO), a worldwide federation
of national standards bodies (ISO members) that promulgates standards affecting
international commerce and communications.

L
LGPO: Local Group Policy Object

N
NIC: Network Interface Card

O
OU: Organizational Unit

P
PDC: Primary Domain Controller

Physical Machine/Physical Station: A traditional workstation (example: H92) or
server (example: H90).

POSE: Physical Operating System Environment

R
RDP: Remote Desktop Protocol. Provides remote display and input capabilities over
network connections for Windows-based applications running on a server.

RDS CAL: Remote Desktop Services Client Access License

RDS: Remote Desktop Services. Provides functionality similar to a terminal-based,
centralized host, or mainframe environment in which multiple terminals connect to a
host computer. Formerly known as “Terminal Services”.

Remote Client: Either:
• A thin client
• Computer using Microsoft Remote Desktop Services (formerly known as
Terminal Services) Client to establish a remote session connection to a remote
server

Remote Server: A virtual machine running on a V91 Server Virtualization Host or an
H90 server (physical machine) running Microsoft Windows Server 2016 Standard
Remote Desktop Services (formerly known as Terminal Services).

S
SDC: Secondary Domain Controller


System Definition (SysDef): A system configurator.

System Manager (SM): Current user interface for equipment status and change
actions.

T
TCP/IP: Transport Control Protocol/Internet Protocol, the global standard
communication protocol for the Internet. Can also be used for private networks such
as corporate intranets and distributed control systems.

TCP/IP is a routable protocol, which means that all messages contain not only the
address of the destination station, but the address of a destination network. This
allows TCP/IP messages to be sent to multiple networks in an organization or around
the world, hence its use in the Internet.

TC: Thin Client. A physical hardware terminal with a compact form factor which
operates software via a remote session to a remote server.

V
V91: Model V91 Server Virtualization Host. The only hardware supported by Schneider
Electric for Control Core Services and/or the Control Software virtual machines. V91
hardware is described in Model V91 Virtualization Host Server (HP DL380 Gen10) for
Windows Server 2016 User’s Guide (B0700HQ).

VHD: Virtual Hard Disk

VHN: Virtual Host Network

VM: Virtual Machine. A virtualized station running a supported Windows Server
operating system.

VOSE: Virtual Operating System Environment




Schneider Electric Systems USA, Inc.
70 Mechanic Street
Foxboro, Massachusetts 02035–2040
United States of America

Global Customer Support: https://pasupport.schneider-electric.com

As standards, specifications, and design change from time to time,
please ask for confirmation of the information given in this publication.

© 2018–2022 Schneider Electric. All rights reserved.

