다음을 통해 공유


Microsoft Dynamics CRM 2011 – Installation & Design

logo_dynamicscrm_2011 Over the past couple of months I had to spend some time learning about Microsoft Dynamics CRM 2011 Infrastructure and components, and I have brought together this article which will hopefully help out other people who are looking at implementing this product from Microsoft within there organization. I am by far not a Microsoft Dynamics CRM expert and I have written this blog post from memory and have added some screen shots that i took along the way and so I would recommend that you also view the Technical Literature that I may refer to through-out this post. If you do see something that i may have missed, it would be appreciated if you could send me a message and I will update the post accordingly.

This article will cover the following:

  • Dynamics CRM 2011 Infrastructure Components
  • Active Directory Federation Services
  • SSL Certificates
  • Errors found along the way, and how to fix them!

I am going to create a video for a much simpler deployment of Dynamics CRM, Single Server which will hopefully help further. This post is written with High Availability taken into account and I couldn’t take a snap shot of all the steps i took to complete this.

To start off I thought I would show you the following Visio drawing that i have put together for the purpose of this article:

Dynamics_CRM_2011_Topology

In this environment we have the following:

  • 2x Dynamics CRM 2011 Front End Servers located in the DMZ Network
  • 2x Dynamics CRM 2011 Front End Servers located In the Server Network
  • 2x Dynamics CRM 2011 Back End Servers located in the Server Network
  • 1x Email Router located in the Server Network
  • 3x SQL 2012 Database Servers located in the Server Network (One in DR Site)
  • 1x SQL Reporting Services Server
  • Active Directory Federation Services Proxy Server located in the DMZ Network
  • 2x Active Directory Federation Services Server located in the Server Network
  • 2x Domain Controllers

The Following Service Accounts should be created with the lowest security permissions. and they must be a member of the Performance Log Security Group on the Local Server:

  • Application Service - This service runs the Microsoft Dynamics CRM web application that is used to connect users to CRM data.
  • Deployment Web Service - Manages the deployment by using the methods described in the Microsoft Dynamics CRM 2011 Deployment Software Development Kit, such as create an organization or remove a Deployment Administrator role from a user.
  • Sandbox Processing Service - Enables an isolated environment to allow for the execution of custom code, such as plug-ins. This isolated environment reduces the possibility of custom code affecting the operation of the organizations in the Microsoft Dynamics CRM deployment.
  • Asynchronous Processing Service - Processes queued asynchronous events, such as bulk Email or data import

SQL Server 2012 Configuration:

I am not going to cover the Full SQL Server Configuration in this article, you can find out further information in the articles i will mention below but I just wanted to point out some best practices:

  • Lock pages in memory security policy setting for the SQL Service Account
  • Perform volume maintenance tasks security policy setting for the SQL Service Account
  • Optimize for ad-hoc workloads SQL Server Setting
  • Trace flag 1222 Enabled

I used SQL Server 2012 Always On Availability group to manage the failover of the Dynamics CRM 2011 SQL Server databases. In your deployment you should see the following databases:

  1. ORGNAME_MSCRM
  2. MSCRM_CONFIG

Create & Configuration AlwaysOn Availability Group: https://technet.microsoft.com/en-us/library/ff878265.aspx

You will need to ensure that you have a reporting services instance setup, and the Dynamics CRM 2011 Reporting Extensions Installed and from experience of when i did this due to pre-requisites clashing between Dynamics CRM 2011 Reporting Extensions and SQL 2012 I had to install SQL Server Reporting Services onto a Standalone Server.

Dynamics CRM 2011 Back End Server Installation:

  1. Accept the License Agreement
  2. Install the Required Components
  3. Choose Installation Directory
  4. Select Back End Server Roles
  5. Specify the name of the Server where you want to install the Dynamics CRM Databases *1
  6. Select the Organizational Unit where the Microsoft Dynamics Security Groups are created
  7. Specify the Service Accounts as per the above (Sandbox Processing Service / Asynchronous Processing Service)
  8. Check for Updates
  9. and then click on Install

Further information about installing these roles can be found in this MSDN Article

*1 – If you are using SQL 2012 Availability Groups, The CRM Installation will not allow you to use the AG Listener Name, Use the Primary SQL Server name and then make the changes mentioned in the final part of this article.

Dynamics CRM 2011 Front End Server Installation:

Once you have prepared your Front End Servers go ahead and Launch the Dynamics CRM 2011 Installation, and perform the following steps

  1. Accept the License Agreement
  2. Install the Required Components
  3. Choose Installation Directory
  4. Select Front End Server & Deployment Administration Server Roles
  5. Select the Organization Unit where the Microsoft Dynamics Security Groups are created
  6. Specify the Service Accounts per the above (Application Service / Deployment Web Service)
  7. Create a New Website, and use the default port 5555
  8. You can specify the email router server name at this stage if you have installed the components, if not then you can configure this at a later date.
  9. System Checks will now be completed to ensure everything is okay
  10. and then Click on Install

Further information about installing these roles can be found in this MSDN Article

Creating the Dynamics CRM Organization:

On  your Front End Server you will remember that we installed the Deployment Administration Server Role, This will allow you to launch the CRM Deployment Manager on your Front End Server, Go ahead and do this.

Right Click on Organizations, and then select New Organization and Completed the Wizard accordingly. *2

*2 – Ensure that the Organization Name is appropriately used, as this will become a sub-domain at a later date.

Active Directory Federation Services Configuration:

The following steps will guide you through the process to configure Active Directory Federation Services on your Servers, If you have already done this then scroll down to setting up Claims Based Authentication & Internet Facing Deployment options. I am using Windows Server 2008 R2 for the purpose of this article, if you are using Windows Server 2012 or 2012 R2 then you can install the ADFS Role using Server Manager.

Install AD FS Primary Server

  • Download AD FS 2.0 from: https://www.microsoft.com/en-us/download/details.aspx?id=10909
  • The AD FS Installation will install the AD FS Pre-Reqs (Windows Powershell, .NET Framework 3.5 SP1, Internet Information Services (IIS) & Windows Identity Foundation.
  • Generate SSL Certificate for adfs.domain.tld
  • Submit Request to Public CA (GoDaddy)
  • Import CA Response to complete certificate request
  • Export Certificate & Private Key for Backup & Other Servers
  • Launch AD FS Management Snap-In
  • Launch AD FS 2.0 Configuration Wizard
  • Create a New Federation Service
  • Select Single Server or Farm
  • Enter Federation Server Name
  • Service Account Credentials
  • Launch Active Directory Users and Computers
  • Create a New AD Account to be used as AD FS Service Account (General User, No Special Permissions)
  • Complete ADFS Installation

 

Add Secondary Server to ADFS Farm

  • Import SSL Certificate *PFX* into Local Certificate Store
  • Download AD FS 2.0 from: https://www.microsoft.com/en-us/download/details.aspx?id=10909
  • Launch AD FS Snap-In once installation of ADFS is complete
  • Launch AD FS 2.0 Configuration Wizard
  • Connect to Existing Farm
  • Type in Server Address of Primary ADFS Server
  • Type in Service Account Details for ADFS
  • Complete ADFS Configuration

Add an AD FS Proxy Server

  • Import SSL Certificate *PFX* into Local Certificate Store
  • Download AD FS 2.0 from: https://www.microsoft.com/en-us/download/details.aspx?id=10909
  • Select Federation Server Proxy
  • Launch AD FS Snap-In once installation of ADFS is complete
  • Launch AD FS 2.0 Configuration Wizard
  • Enter Federation Service Name (Test Connection)
  • Type in the Service Account Details for AD FS
  • Complete AD FS Configuration

Once you have completed the AD FS Configuration, You need to Export your AD FS Signing Certificate as this will need to be added to your CRM Front End Servers. To do this do the following:

  1. Launch AD FS Management Console
  2. Expand Service > Certificates
  3. Double Click on Signing Certificate, and then Select the Details Tab
  4. Click on Copy to File, Select Next and Leave the settings as they are and save it in a location that you can access later.

Import SSL Certificates onto CRM Front End Servers

  1. Click Start > Run > Type MMC
  2. File > Add / Remove Snap In, and then select Certificates Click Add
  3. Manage Certificates for Local Computer
  4. Import the Wildcard SSL Certificate into the ‘Personal’ Store
  5. Import the ADFS Signing Certificate into the ‘Trusted Root Certificate Authority’ Store

Claims Based Authentication & Internet Facing Deployments

Once you have setup your Active Directory Federation Services Servers, You will now need to make some changes to the Dynamics CRM 2011 Organization.

  1. Launch Microsoft Dynamics CRM 2011 Deployment Manager
  2. Right Click on ‘Microsoft Dynamics CRM’ and Select Properties and then Click on the Web Address Tab. Change Binding Type to HTTPS and click ok
  3. From the Overview Page, Select ‘Configure Claims Based Authentication’ and then click on Next
  4. Type on your Federation Metadata URL https://adfs.domain.co.uk/FederationMetadata/2007-06/FederationMetadata.xml and Click Next,
  5. Select the uploaded SSL Certificate (It is recommended that you use a Wildcard SSL Certificate)
  6. Click Next, the Wizard will now run some system checks, these should come back ok and then click on Next and then Click on Apply

That is Claims Based Authentication now configured, so we can now go ahead and configure iFD.

  1. From the Overview Page, Select ‘Configure Internet Facing Deployment’
  2. Click Next, and Enter the domains for the server roles
    1. Web Application Service Domain = DOMAIN.CO.UK
    2. Organization Web Service Domain = DOMAIN.CO.UK
    3. Discovery Web Service Domain = DEV.DOMAIN.CO.UK
  3. Click Next, Enter External Domain which I chose to be AUTH.DOMAIN.CO.UK
  4. Click Next, The wizard will now run some system checks, these should come back ok and then click on Apply.

It is recommended to launch IIS and check that the SSL Certificate has been bind to your CRM Website Instance.

IIS_Config

Configure Relying Party Trust – ADFS

  1. Launch the ADFS Management Console
  2. Expand Trust Relationships, and click on Relying Party Trusts
  3. Add Relying Party Trust, Click on Start and then type in the Federation Metadata URL: https://AUTH.DOMAIN.CO.UK/FederationMetadata/2007-06/FederationMetadata.xml
  4. Click Next, Enter a Display Name
  5. Click Next, Permit All Users
  6. Click Next, and then Finish

You will notice that under the Identifiers Tab, You will need to ensure that all of those records point to your CRM Published Public IP Address. The one that people always forget about is the Organization DNS Entry. This is pre-fixed on to your domain. All Organizations that you create within Dynamics CRM 2011 will each have their own pre-fix which is why it is recommended to use a Wildcard SSL Certificate for the Front End Web Servers.

Once you have created the Relying Party Trust, You need to setup some Claims as follows:

  • Pass Through UPN
  • Pass Through Primary SID
  • Transform Windows Account Name to Name

Edit_Claim_Rules

 

DNS Records

Ensure you have the following DNS Records Created in Public DNS

Domain Name IP Address
ORG.DOMAIN.CO.UK CRM Published IP Address
AUTH.DOMAIN.CO.UK CRM Published IP Address
DEV.DOMAIN.CO.UK CRM Published IP Address
ADFS.DOMAIN.CO.UK ADFS Published IP Address

Once you have completed all of these steps, you should now have a Dynamics CRM 2011 Installation that is accessible via the Internet & Local Network.

Dynamics_CRM_2011

Errors – Points to Remember

SSL Certificate Private Key Security

It is important to remember that you need to provide the Application Service Account FULL Access to your SSL Certificates Private Key, I found this out and after much digging came across the solution. You will find that not much comes up with the error that you are given around the internet and so it’s something to always try and remember. You will notice a symptom of when logging into Dynamics CRM will be prompted with a BASIC Authentication Window when the browser contacts AUTH.DOMAIN.CO.UK which will keep failing to authenticate.

Open up certificates using the MMC, Browse to Personal Store and Right Click on your Wildcard SSL Certificate > All Tasks > Manage Private Keys. Add your Application Service User Account to the security list and give it Full Control.

private_key

Unable to use SQL Always On Availability Group Listener Name During Dynamics CRM 2011 Installation

Due to your AG Listener Name not matching an SQL Server Host Name for obvious reasons, this causes the Dynamics CRM Setup Wizard to fail and so you are forced to point it to your primary SQL Server host name, of course we would want to change this and so you will need to edit the following registry string on the Front End Servers.

  1. Launch REGEDIT
  2. Browse to the following key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftMSCRM
  3. Edit the String Called ‘configdb’
      1. Data Source =<INSERT_AG_Listener_Name>; Initial Catalog=MSCRM_CONFIG;Connection Timeout=60;Integrated Security=SSPI

Change Dynamics CRM Organization Name

Say for instance, you used the wrong name for your Organization and now your left with a Public DNS Record that you would rather not use as it contains a Organization Name that you do not want to be publically seen and so you want to change the Organization Name. It’s not quite so simple! :-) You need to do the following:

  1. From CRM Deployment Manager
    1. Disable the organization.
    2. Select Edit Organization and change the Display name to <NewName>.
    3. Delete the organization.
  2. From SQL Server Management Studio
    1. To prevent the database being locked, take the organization database offline (Tasks –> Take offline) then bring it back online (Tasks –> Bring online).
    2. Rename the database to the new name
      1. NEWORG_MSCRM.
  3. From CRM Deployment Manager
    1. Choose import organization and select the newly renamed database. Follow the wizard and your done!

If you are using an Always On Availability Group, The Rename will fail and so you will need to take the servers out of the AG, Rename the Database and then Re-Configure AlwaysOn Availability Groups.

If you have any questions regarding this post, or would like to provide any feedback both good or bad please be sure to contact me.

Many Thanks,

James.