Just to make sure, which version of PI Coresight do you have?
PI Coresight 2014 can support high availability at the Coresight server level, so it is possible to point two Coresight servers to the same SQL database. It's recommended to use a network load balancer if two Coresight servers are used in production, but for a migration, it should be fine to go without it. I believe Coresight 2013 also supports application server HA-like features but isn't in the official documentation.
Regarding Kerberos, it will depend on the application pool identities used by the new Coresight server. If the new server uses the same domain accounts (and not Network Service for example), then AD settings should already be in place but you may need to create a SPN to tie the app pool account to the new machine.
Another consideration for PI Coresight 2014 is that the PI Web API and Indexed Search Crawler will be installed on the new machine as well. If the new PI Web API runs as the default NT Service\piwebapi account, then Kerberos delegation needs to be enabled for the machine in AD. Let us know what version you have though so we can provide further details regarding the security configuration.
Thanks, Barry. We are running Coresight 2013 with the patch (OSIsoft.PISystemSearch version 184.108.40.206). We plan to migrate to 2014 soon, though, because we need the ability to do Asset parameter switching. (Coresight 2013 does not support this.)
We are basically trying to free up space/performance on the existing server and move Coresight off to a separate server. It IS set to the Network Service account presently, but we do have another account with full access to AF.
Thanks for the info. Assuming that Network Service will be used for the new Coresight server, then here are the things to check:
- Configure SQL access for the new machine. A SQL login will need to be created and that login should be mapped to the "DVService" user mapping in the Coresight SQL DB. You can set this via SSMS>Security>Logins>%new server name%>Right-click Properties>User Mapping>. Then, in the Coresight DB entry, set the "User" column to DVService.
- Configure AF Server access for the new machine account. See AF Object Security for details.
- Configure PI Server access via mappings (if Kerberos will be used).
- Trust machine for delegation in Active Directory.
- Depending on if "Kernel-mode authentication" is enabled in IIS (default) and/or if custom HTTP bindings are used, then SPN's may need to be created. Assuming the defaults (Kernel-mode enabled, website accessed via http://servername:80), then no SPN needs to be created. If you need to create one, you can use "setspn -s HTTP/servername domain\servername$" and "setspn -s HTTP/domain.servername.com domain\servername$"
Many of these steps will be similar if a custom account is used as well. Please don't hesitate to open a call with Technical Support if you need further details on any of these steps as the Kerberos part can be a bit tricky!