Install PI AF server components together

Before an AF Server installation, complete the following pre-installation tasks:

• For installations using one of the supported cloud database platforms (Microsoft Azure SQL Database, Microsoft Azure Managed Instance or Amazon RDS for SQL Server): Complete the list of prerequisite tasks for your chosen cloud service. See Pre-install tasks: Cloud database platforms. If you plan to use a user-assigned identity, be prepared to supply the application ID.

• For on-premises versions of SQL Server: Review the SQL Server considerations for PI AF SQL Server database creation in Pre-installation requirements for PI AF and SQL Server requirements for PI AF.

• Download the PI Server install kit, as described in Download the PI Server install kit.

• Important: The PI Server install kit checks if .NET 4.8 is installed, and stops the installation if it is not present. If you do not want to install .NET 4.8, you can manually deploy a PI AF SQL database without using the install kit. See Manual creation of the PI AF SQL Server database.

• For on-premises versions of SQL Server, ensure that the account used to install the PI AF database is granted sysadmin privileges if an SQL administrator is not available.

• Ensure that the required network ports are open. See List of port requirements for PI AF Server.

  Note: To ensure the PI Server install kit can successfully create the SQL database remotely during the default setup, open port 445 inbound on the SQL Server so the local AF servers Windows group can be modified. If port 445 is not open, the installer will fail after selection of the SQL Script Execution feature.

Follow these steps to install the PI AF application service and the PI AF SQL Server or cloud-managed database at the same time. During this procedure you have the following options:

• For on-premises installations: Install both the PI AF application service and the PI AF SQL Server on the local computer or execute scripts that install them remotely.

• For cloud-managed database installations: Install the PI AF application service on the local computer and install the PI AF database remotely on the chosen cloud database platform.

1. Go to the directory where you downloaded the PI Server install kit, and double-click the executable setup file to launch the installation.

   The Welcome page appears.

2. Click Next.

   The Feature Selection page appears.

3. In the Server Roles tab, select AF Server.

   A list of server roles and features to be installed is displayed in the Summary panel.

   

4. Click Next.

   The SQL Server Connection page opens.

5. Optional steps if using Microsoft Azure SQL Database or Microsoft Azure Managed Instance: Follow the steps in this table to set up the PI AF SQL database on Microsoft Azure.

   If you want to...	Take one of these actions...
   Recommended method: Use the PI Server install kit as a managed identity to run the SQL Scripts against an empty Azure AF SQL database.	Prerequisite task: Ensure that the managed identity has 'db_owner' privileges on the existing AF SQL database. If db_owner privileges have not been granted, run the following command to grant the required permissions: CREATE USER <ManagedIdentityName> FROM EXTERNAL PROVIDER; ALTER ROLE db_owner ADD MEMBER <ManagedIdentityName>; Note: The name of the system-assigned service principal is always the same name as the Azure resource it's created for. See Managed Identity Types. In the Server name text box, enter the URL address of the Azure SQL database you created on the Azure portal. Select Microsoft Entra Managed Identity from the Authentication dropdown list. Take one of the following actions: If using a user-assigned managed identity, enter the client ID in the text box. This value is a GUID. If using a system-assigned managed identity, leave the text box blank Skip to step 8. After an AF Server installation, a warning message appears that the db_owner privilege is too much and needs to be revoked. Run the following query to resolve the issue by removing the managed identity from the db_owner role: ALTER ROLE db_owner DROP MEMBER <ManagedIdentityName>;
   Use the PI Server install kit as a managed identity to run the SQL scripts and create the Azure SQL database.	Prerequisite tasks: Assign the managed identity to one of the following roles: The Microsoft Entra Admin role on the Azure SQL Database OR The dbmanager database role on the primary database In the Server name text box, enter the address of the database you created on the Microsoft Azure portal. Select Microsoft Entra Managed Identity from the Authentication dropdown list. Take one of the following actions: If using a user-assigned managed identity, enter the client ID in the User assigned identity text box. Note: The client ID is not the same as the managed identity name. If using a system-assigned managed identity, leave the User assigned identity text box blank. Skip to step 8. After the AF Server installation, a warning message will appear to indicate that the db_owner privilege is too much. Revoke the dbmanager and/or Microsoft Entra Admin role(s) from the managed identity.
   Use a non-managed identity authentication method to create the AF SQL database and run the AF SQL scripts.	On the Features Selection page, select Individual Features, then clear the checkbox next to AF SQL script execution to bypass running the scripts. After installation, make sure to complete the procedures in the Manual creation of the PI AF SQL Server database and Modify the AFService.exe.config file topics to create the AF SQL database and set the SQL connection string.

6. Optional steps if using Amazon RDS for SQL Server: Provide information about the Amazon RDS database where the PI AF SQL database will be created.

   1. In the Server name text box, enter the URL address of the Amazon RDS database you created on the AWS portal.

   2. Select Windows Authentication from the Authentication dropdown list, then skip to step 8.

7. Optional for on-prem versions of SQL Server: Provide information about your on-prem version of SQL Server to create the PI AF SQL database. Skip this step and go to step 8 if you are using one of the supported cloud database platforms.

   If you want to...	Take one of these actions...
   Choose the default instance or a named instance of SQL Server on the local computer.	Accept the default instance shown in the list under SQL Server Connection. Select a different named instance from the list under SQL Server Connection. Provide identifying information for SQL Server using one of the following formats: Server Name Server Name\Named Instance .\Named Instance Providing a named instance is not necessary if you are specifying the default SQL Server instance.
   Specify SQL Server or a named instance of SQL Server on a remote computer.	Provide identifying information for SQL Server using this format: Server Name[\Named Instance] Providing a named instance is not necessary if you are specifying the default SQL Server instance.
   Specify SQL Express on the local computer.	Provide identifying information for SQL Server using one of the following formats: Server Name\SQLEXPRESS .\SQLEXPRESS
   Specify SQL Express on a remote computer.	Provide identifying information for SQL Server using this format: Server Name\SQLEXPRESS

8. On the SQL Server Connection page, ensure that both AF SQL database scripts and AF SQL script execution are selected. The installation will install the AF SQL scripts on the local computer, and then execute the scripts either locally or against a remote computer to create the PI AF SQL Server database.

   Note: The Validate connection to SQL Server and version of the AF SQL database option is only available if AF SQL script execution is selected.

9. Click Next to proceed with the setup.

   A check is performed to see if your user account has the required permissions on the SQL Server and if a PI AF SQL Server database already exists. See SQL Server roles and permissions for PI AF.

10. Optional: If the installation detects an existing PI AF SQL Server database, the SQL Server Rules window appears. The installation will prompt you with an option to back up the existing PI AF SQL Server database and then execute the AF SQL scripts to create the new PI AF SQL Server database.

11. Click Next to proceed with the setup.

    The Certificates Selection page opens.

12. Take one of the following actions:

    • To enable TLS certificates encryption for OIDC, ensure that the Configure certificate for TLS Encryption option is selected.

    Note: If you installed and configured the AVEVA Identity Manager using the PCS for the PI System setup kit and opted to use the PCS-generated certificate, the PCS certificate’s SSL Certificate thumbprint will be selected automatically after selecting Configure certificate for TLS Encryption. This selection configures automatic certificate rotation for AF server. See Certificate management - AVEVA Identity Manager.

    • If you do not plan to use TLS, deselect Configure certificate for TLS Encryption and go to step 15.

      

13. Optional if using TLS encryption: Click Select to choose a new certificate.

    The Select Certificate dialog opens. Any certificate that is already installed and meets certificate requirements will be detected and displayed.

14. Optional if using TLS encryption: Select OK.

    The SSL Certificate thumbprint is displayed in the TLS Certificate section. The TLS certificate thumbprint is required for encryption.

    Important: You can update the AF server's certificate thumbprint used for TLS encryption after installation by using the the AFdiag utility and the /CertificateThumbprint parameter. See AFDiag utility parameters.

15. Select Next.

    The Service Accounts window appears.

16. Specify the service account for the PI AF Application Service:

    Note: Ensure that the accounts you enter match the accounts that were added to the AFServers group and AFQueryEngines group earlier.

17. Click Next to proceed with the setup.

    The Summary page opens with a list of selected features and version numbers selected for the installation.

    Note: Select Save command line to file... to save your AF Server installation selections to a text file that can be used for a silent installation.

18. Click Install to continue with the installation.

    The Installation Progress page opens and then the Complete page opens after installation has completed.

    Note: If you cancel the installation before it is complete, the PI AF cloud SQL database or PI AF SQL Server database might have already been created and you will need to remove the database manually.

19. Take one of the following actions:

    • If you did not select to enable TLS certificates, click Close to exit the setup.

    • If you enabled TLS certificates encryption, ensure the OpenID Connect Authentication requires configuration option is selected and then select Yes to restart now or No to restart later.

    • To bypass running the OpenID Connect Configurator utility, deselect the OpenID Connect Authentication requires configuration option, then select Yes or No.

      See Register PI Server components with the AVEVA Identity Manager if you selected the "Configure certificate for TLS Encryption" option and want to use OIDC for claims-based authentication.

20. Optional step if using Amazon RDS: Follow the instructions in Post-install steps for Amazon RDS.

21. Restart AF server after installation.