We have a PI system with two Data Archive servers in a collective in Domain A and redundant Interface servers in Domain B. There is no trust between the two domains. Does this mean that we have to consider the Interface servers as they where in a Workgroup instead of a domain?
The Data Archive servers are running Windows Server 2008 R2 SP1 and the Interface servers are running Windows Server 2012 R2.
The Data Archive is version 2016 R2.
In domain A we have administrator accounts (AD accounts) mapped to a PI_ADMIN Identity and service accounts (AD ccounts) mapped for running Interfaces and Buffer subsystem in that domain and they are mapped to a PI Identity PI_INTERFACES_RW.
In Domain B we also have administrator accounts (AD accounts) and they are supposed to be used for configureing the ICU. We also have a service account (AD account) to run the Intercaes and Buffer Subsystem.
We want to avoid using PI Trusts to be able to send data from Interface servers to DA servers. This can be done by using the PI API 2016 and Windows Integrated Security, but we have some questions though we have tried to read and understand the articles AL00309, KB00354 and KB01457:
Which extra local accounts (if any) should be created on Interface servers and/or DA servers and to?
Can Windows Credential be used and how should it be configured?
The questions goes for both administration using the ICU and running Interfaces and Buffer subsystem as services.
If we use PI API 2016 on the Interface servers, how wil it affect the Data Archve servers? Right now some of the Interfaces delivering data to th DA servers are still using trusts