Darren Liu's Blog

Archive for the ‘Installation’ Category

Manually Apply CRM Update Rollup to Single Tenant


In an enterprise CRM project, you might run into a large number of tenants in an environment, since multiple teams are working on the project. Not all of the teams want the patch applied to their tenant, for many reasons. My customer asked me if there’s a way for them to apply the CRM Update Rollup to a single tenant instead of all tenants in an environment. I was thinking there’s got to be a way since CRM Online applies the patches at the tenant level, so I reached out to my colleagues in PG and Premier, and sure enough, there’s a way to do it.

By default, when you install a CRM Update Rollup, it automatically applies the update to all of the tenants (including database updates). If you want to disable the automatic database update, execute the following PowerShell script.

# Load the CRM deployment cmdlets
Add-PSSnapin Microsoft.Crm.PowerShell

# Setting name and value: 0 turns off automatic database updates
$itemSetting = New-Object 'System.Collections.Generic.KeyValuePair[String,Object]'("AutomaticallyInstallDatabaseUpdates", 0)

# Build a configuration entity for the deployment-wide settings
$configEntity = New-Object "Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity"
$configEntity.LogicalName = "Deployment"
$configEntity.Attributes = New-Object "Microsoft.Xrm.Sdk.Deployment.AttributeCollection"
$configEntity.Attributes.Add($itemSetting)

# Write the setting to the deployment
Set-CrmAdvancedSetting -Entity $configEntity

After the script is executed, you can go to Deployment Manager and apply the patch to the database at the tenant level. To clarify: you are still installing the update rollup bits on the servers; the script above only disables the automatic updates to the CRM databases. All tenants will get the new UR bits; there is no way around it, but the bits are backward compatible, so they will work with the older database schema.

I hope this will help you in your CRM project!


Written by darrenliu

03/26/2014 at 3:48 am

Microsoft Dynamics CRM 2013 Best Practice Analyzer


Microsoft released the Microsoft Dynamics CRM 2013 Best Practices Analyzer today. This is a diagnostic tool that gathers information about Microsoft Dynamics CRM 2013 server roles and offers recommendations.

The Microsoft Dynamics CRM 2013 Best Practices Analyzer is a diagnostic tool that performs the following functions:

  • Gathers information about the CRM 2013 server roles that are installed on that server.
  • Determines if the configurations are set according to the recommended best practices.
  • Reports on all configurations, indicating settings that differ from recommendations.
  • Indicates potential problems in the CRM 2013 features installed.
  • Recommends solutions to potential problems.

You may download the CRM 2013 Best Practice Analyzer from the Microsoft download center.

This diagnostic tool requires Microsoft Baseline Configuration Analyzer 2.0. Microsoft Baseline Configuration Analyzer 2.0 (MBCA 2.0) can help you maintain optimal system configuration by analyzing the configurations of your computers against a predefined set of best practices and reporting the results of the analyses. You may download the Baseline Configuration Analyzer 2.0 from the Microsoft download center as well.

The tool is pretty easy to install and use. I installed and ran the tool in less than 5 minutes on my Azure lab. Sample output below.

[Screenshots: sample output]

Written by darrenliu

11/19/2013 at 9:54 pm

Installing CRM Using SQL Server DNS Alias


In most enterprise Dynamics CRM projects, the customer would like to install CRM using the SQL Server DNS alias instead of the server name. One of the reasons is that they need to support their Disaster Recovery (DR) strategy.

CRM does not allow you to use the alias because the Environment Diagnosis Wizard (EDW) does not have the ability to check for a SQL DNS alias; it therefore does not let you move to the next step, even though the configuration is supported.

You have two options to solve this problem.

  • Option #1: Install CRM using the actual SQL server name.  After the installation is completed, modify the database connection string in the MSCRM registry and the MSCRM_CONFIG database.
  • Option #2: Add the IgnoreChecks key to the MSCRM ([HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM]) registry to bypass the EDW check and continue with the installation.  Make sure that you set the DWORD value to “1”. If you are going with this option, please make sure all of your other checks have passed before adding the IgnoreChecks key.

Hope this helps!

Written by darrenliu

04/10/2012 at 1:55 am

Posted in CRM, Installation, SQL


SQL Server DNS Alias


The customer wants to set up DNS for SQL Server because it’s part of their Disaster Recovery (DR) plan.  I learned something from the folks in our team and Grant G from the PFE team on how to do it. Posting the steps here just in case I need to do it next time.

To set up a DNS alias for a SQL Server or SQL cluster, first make sure the DNS alias is in place and the SPN is set up correctly.  Once the prerequisites are set up, follow the steps below:

1. Execute the following query.

select @@servername

2. Once you’ve verified the server name, execute the following SQL query.

sp_dropserver 'servername'
go
sp_addserver 'aliasname\instancename', 'local'
go

3. After you execute the above query, stop and start the SQL server.

4. Execute the following query again to make sure SQL Server is set up correctly.

select @@servername

The steps above assume that SQL Server is listening on the default port of 1433.  To configure SQL Server to listen on a different port, please see the following article on MSDN.

How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager)

Written by darrenliu

04/03/2012 at 2:36 am

Minimum Permissions Required for Dynamics CRM 2011 Setup, Services, and Components


I have been asked to figure out the minimum permissions required to install CRM 2011.  I dug around and I didn’t realize the product group had already put the information in the Implementation Guide (IG).  I found the article below in the CRM 2011 IG; just in case you are looking for it, here you go.

————————————————————-

Microsoft Dynamics CRM is designed so that its components can run under separate identities. By specifying a domain user account that is granted only the permissions necessary to enable a particular component to function, you help secure the system and reduce the likelihood of exploitation.

This topic describes the minimum permissions that are required by the user account for Microsoft Dynamics CRM services and components.

Microsoft Dynamics CRM Server Setup

The user account used to run Microsoft Dynamics CRM Server Setup that includes the creation of databases requires the following minimum permissions:

  • Be a member of the Active Directory Domain Users group. By default, Active Directory Users and Computers adds new users to the Domain Users group.
  • Be a member of the Administrators group on the local computer where Setup is running.
  • Have Local Program Files folder read and write permission.
  • Be a member of the Administrators group on the local computer where the instance of SQL Server is located that will be used to store the Microsoft Dynamics CRM databases.
  • Have sysadmin membership on the instance of SQL Server that will be used to store the Microsoft Dynamics CRM databases.
  • Have organization and security group creation permission in Active Directory directory service. Alternatively, you can use a Setup XML configuration file to install Microsoft Dynamics CRM Server 2011 when security groups have already been created. For more information see Use the Command Prompt to Install Microsoft Dynamics CRM.
  • If Microsoft SQL Server Reporting Services is installed on a different server, you must add the Content Manager role at the root level for the installing user account. You must also add the System Administrator role at the site-wide level for the installing user account.

Services and CRMAppPool IIS application pool identity permissions

The user account that is used for the Microsoft Dynamics CRM services and IIS application pools require the following permissions:

Important
Microsoft Dynamics CRM services and application pool identity accounts must not be configured as a Microsoft Dynamics CRM user. Doing so can cause authentication issues and unexpected behavior in the application for all Microsoft Dynamics CRM users.

Managed service accounts, introduced in Windows Server 2008 R2, are not supported for running Microsoft Dynamics CRM services.

Microsoft Dynamics CRM Sandbox Processing Service

  • Domain User membership.
  • That account must be granted the Logon as service permission in the Local Security Policy.
  • Folder read and write permission on the \Trace, by default located under \Program Files\Microsoft Dynamics CRM\Trace, and user account %AppData% folders on the local computer.
  • Read permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM subkey in the Windows Registry.
  • The service account may need an SPN for the URL used to access the Web site that is associated with it. To set the SPN for the Sandbox Processing Service account, run the following command at a command prompt on the computer where the service is running.

    SETSPN -a MSCRMSandboxService/<ComputerName> <service account>

Microsoft Dynamics CRM Asynchronous Processing Service and Microsoft Dynamics CRM Asynchronous Processing Service (maintenance) services

  • Domain User membership.
  • Performance Log Users membership.
  • That account must be granted the Logon as service permission in the Local Security Policy.
  • Folder read and write permission on the Trace folder, by default located under \Program Files\Microsoft Dynamics CRM\, and user account %AppData% folder on the local computer.
  • Read and write permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSCRMSandboxService subkeys in the Windows Registry.
  • The service account may need an SPN for the URL used to access the Web site that is associated with it.

Deployment Web Service (CRMDeploymentServiceAppPool Application Pool identity)

  • Domain User membership
  • That account must be granted the Logon as service permission in the Local Security Policy.
  • Local administrator group membership on the computer where the Deployment Web Service is running.
  • Local administrator group membership on the computer where SQL Server is running.
  • Sysadmin permission on the instance of SQL Server to be used for the configuration and organization databases.
  • Folder read and write permission on the Trace and CRMWeb folders, by default located under \Program Files\Microsoft Dynamics CRM\, and user account %AppData% folder on the local computer.
  • Read and write permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSCRMSandboxService subkeys in the Windows Registry.
  • CRM_WPG group membership. This group is used for IIS worker processes. The group is created and the membership is added during Microsoft Dynamics CRM Server Setup.
  • The service account may need an SPN for the URL used to access the Web site that is associated with it.

Application Service (CRMAppPool IIS Application Pool identity)

  • Member of the Active Directory Domain Users group.
  • Member of the Active Directory Performance Log Users group.
  • Administrators local group membership on the computer where SQL Server is running.
  • Administrators local group membership on the computer where the Microsoft Dynamics CRM Web site is installed.
  • Folder read and write permission on the Trace and CRMWeb folders, by default located under \Program Files\Microsoft Dynamics CRM\, and user account %AppData% folder on the local computer.
  • Read and write permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSCRMSandboxService subkeys in the Windows Registry.
  • CRM_WPG group membership. This group is used for IIS worker processes. The group is created and the membership is added during Microsoft Dynamics CRM Server Setup.
  • The service account may need an SPN for the URL used to access the Web site that is associated with it.

IIS Application Pool identities running under Kernel-Mode authentication and SPNs

By default, Internet Information Services (IIS) 7.0 and later versions Web sites are configured to use Kernel-Mode authentication. When you run the Microsoft Dynamics CRM Web site by using Kernel-Mode authentication, you may not need to configure additional Service Principal Names (SPNs) for the Microsoft Dynamics CRM Application Pool identities.

To determine whether your IIS deployment requires SPNs, see Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5.

Written by darrenliu

04/27/2011 at 5:52 pm

Posted in CRM, Installation, Permission


New! CRM 2011 Installation–Specify Service Accounts


CRM 2011 RC now allows us to specify service accounts during the setup process.  You can specify the service account for the Application Service, Deployment Web Service, Sandbox Service and Asynchronous Service to run as.  In a single server environment, you can just use NETWORK SERVICE for the installation.  However, if you are installing CRM in an enterprise multi-server environment, the recommendation is to have a specific service account for each of the services.  For best practices and instructions on how to install CRM in a multi-server environment, please refer to the CRM 2011 Implementation Guide.


I would like to share our setup experience with the community just in case you run into a similar situation.  During our setup, we didn’t receive all green checks from the System Check wizard.  We had several warnings related to the Microsoft Dynamics CRM Server User Input, so I dug into the warnings with Michael from the Product Group.  Thanks for his help; he resolved it for us.


Problem

We got the warnings because the admin was using the installing user account for the service accounts.  When the first organization is created, the installing user is created as the first user in the organization.  Since there is then a user in the organization with the same credentials as the service accounts for the asynchronous service, application service and sandbox service, all of a sudden the “SYSTEM” user is subject to the same constraints as an actual user: the user must be enabled, needs a user role, and so on; otherwise the system will stop functioning.  A lot of bad things could happen.  For example, some grids in CRM are populated with data that is retrieved as SYSTEM, and data retrieved as SYSTEM is returned in GMT format. However, if the Application Service is running under a service account that is also a user in CRM, the data is returned with the user’s time zone setting instead of GMT.  More bad things could happen…

Solution

If it’s for a non-production environment, you may ignore the warnings and proceed with your installation.  But in a production environment, this will cause problems later on.  The recommendation is to use a different service account for each of those services.  However, if you prefer not to manage extra service accounts, you may use the same service account for the Application Service, Deployment Web Service, Sandbox Processing Service and Asynchronous Processing Service, as long as the installing account is different from the service account for the services.

If you decide to use a different service account for each of the services, just create the service accounts in your AD. You don’t have to grant any permissions to the accounts; the installation process will take care of the permissions for you!  For your reference, here’s a list of accounts and permissions that we used for our installation.

| Account | Application Service Account | Reporting Service Account | Async Service Account | Sandbox Service Account | Installer |
|---|---|---|---|---|---|
| CRM Server | none | none | none | none | Local Admin |
| SQL Server | none | none | none | none | Local Admin, SQL Admin |
| Reporting Server | none | none | none | none | Local Admin |
| AD | none | none | none | none | Group Admin |

Gotchas

If you are running into an error telling you that “This account doesn’t have Performance Counter Permissions”, you need to follow the steps below to resolve the problem.

  1. Open Server Manager.
  2. Go to Configuration > Local Users and Groups > Groups.
  3. Add the service accounts to the Performance Log Users group.
  4. Install CRM again.
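
The checks from this post and from the minimum-permissions list above can be scripted. The following is an added example, not code from the original post or from Microsoft: the function name `Test-CrmServiceIdentity`, the `CONTOSO` accounts and the `MSCRM%` service-name filter in the comments are assumptions for illustration.

```powershell
# Added example: compare CRM service identities with the guidance in these posts.
function Test-CrmServiceIdentity {
    param(
        [object[]]$Services,      # objects exposing DisplayName and StartName
        [string]$InstallAccount,  # account that ran CRM Server Setup
        [string[]]$LocalAdmins,   # members of the local Administrators group
        [string[]]$PerfLogUsers   # members of the local Performance Log Users group
    )
    foreach ($svc in $Services) {
        $id = $svc.StartName
        $findings = @()
        # The installing user becomes the first CRM user, so a service sharing
        # that identity is treated as a regular user instead of SYSTEM.
        if ($id -eq $InstallAccount) {
            $findings += 'runs as the installing account'
        }
        # The Sandbox and Asynchronous lists do not ask for local Administrators.
        if ($svc.DisplayName -match 'Sandbox|Asynchronous' -and $LocalAdmins -contains $id) {
            $findings += 'is a local Administrator (not in the minimum list)'
        }
        # The Asynchronous services need Performance Log Users membership.
        if ($svc.DisplayName -match 'Asynchronous' -and $PerfLogUsers -notcontains $id) {
            $findings += 'is missing Performance Log Users membership'
        }
        [pscustomobject]@{
            Service  = $svc.DisplayName
            Identity = $id
            Findings = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Constructed sample data; the CONTOSO accounts are hypothetical.
# On a live server (Windows PowerShell 5.1 or later) collect the inputs with:
#   $services = Get-CimInstance Win32_Service -Filter "Name LIKE 'MSCRM%'"
#   $admins   = (Get-LocalGroupMember -Group 'Administrators').Name
#   $perf     = (Get-LocalGroupMember -Group 'Performance Log Users').Name
$services = @(
    [pscustomobject]@{ DisplayName = 'Microsoft Dynamics CRM Sandbox Processing Service'
                       StartName   = 'CONTOSO\svc-crm-sandbox' }
    [pscustomobject]@{ DisplayName = 'Microsoft Dynamics CRM Asynchronous Processing Service'
                       StartName   = 'CONTOSO\crm-install' }
)
Test-CrmServiceIdentity -Services $services -InstallAccount 'CONTOSO\crm-install' `
    -LocalAdmins @('CONTOSO\crm-install') -PerfLogUsers @('CONTOSO\svc-crm-sandbox') |
    Format-List
```

The comparison only sees direct members of each local group, so an account that reaches Administrators through a nested domain group has to be resolved separately.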

Anyway, thanks to Richard and Felix for discovering the problems for me, and thanks to Richard for doing the installation for us!

Written by darrenliu

02/03/2011 at 2:51 am

Posted in CRM, Installation
