As customers are starting to plan for CRM 2011 installations and upgrades, we’ve begun to see questions regarding environment setups. Here’s a list of the questions I’ve seen thus far:
Q: Are the CRM 2011 Report Extensions (commonly referred to as the “report connector”) an optional component?
A: All installations now require the CRM 2011 Report Extensions to be installed and configured on the SQL Reporting Server. If they are not installed, certain features will not work properly: reporting will not function, and creating new organizations and importing organizations will be blocked until the extensions are installed and configured.
Q: Do I need to install the CRM 2011 Reporting Extensions prior to installing CRM?
A: No, these should be installed after you install the CRM 2011 Server components.
Q: When installing CRM server roles on different servers (ex: install front-end and deployment components on server1 and back-end components on server2) I am not prompted to install the reporting extensions, why is this?
A: When the CRM server roles are installed separately (without first installing a CRM full-server) you’ll notice that no organizations are created by default. Once the servers are all set up and configured, the first step to set up CRM is to launch Deployment Manager and create an organization. It is at that time you will be required to input a reporting server that has the CRM 2011 Reporting Extensions installed.
Q: On CRM 4.0, as long as the report extensions were not installed, a Reporting Server (or scaled out reporting server farm) could host reports for multiple CRM installations/deployments. How has this changed in CRM 2011?
A: In CRM 2011 the Reporting Extensions are now required, which means each Reporting server (or scaled out reporting server farm) with the report extensions installed may only host reports for a single CRM 2011 Deployment. NOTE: The Reporting Server (or scaled out reporting server farm) can host reports for multiple tenants (organizations) in the deployment.
Q: If I were to run all CRM servers services under different service accounts how many service accounts do I need and what CRM groups should each service account belong to?
A: There are numerous configurations you could use to accomplish this, but if you were to separate everything, here is a table explaining what group membership is required. I’ve also included SSRS and SQL Server:
Deployment Services SvcAcct
Application Service (CRMAppPool)
Async service SvcAcct
Sandbox services SvcAcct
SQL Server SvcAcct
SQL Reporting Services SvcAcct
Email router account**
User accounts in CRM
* The performance log user group is a local group on each server and not a domain group
** Email router will run as local system
*** The Installing user should be a separate service account, but it should not be used to run any services.
IMPORTANT: If any of the service accounts are created as users in CRM, you may encounter various problems, some of which are potential security issues.
Q: I am concerned when it comes to security and want to be sure I limit my attack surface whenever possible. What Windows Server Roles and Features are required for each CRM Server role?
A: Below is a table broken down by the 8 different server roles CRM installs.
IIS Web Server Role
.NET HTTP Activation
File Server Indexing Services
NOTE: The IIS Web Server will also install the following role services:
Q: I want to split up my roles between a CRM Front-End Server and a CRM Back-End Server, but I don’t want to have a third server just for the purpose of hosting the deployment tools. Is there a best practice or preferred placement given the two choices?
A: The deployment tools can live on either server. As you see in the chart above, the IIS Windows Web Server Role is required for both the Front-End Server services as well as the Deployment tools. If you have a goal of minimizing your attack surface and want to limit your installations of IIS, the best location for the Deployment Tools role would be on the Front-End Server as all web services would be hosted on your Front-End Server and the Back-End Server would be hosting non-IIS based components.
Q: How do the CRM Front-End Server roles contact the CRM Sandbox and Async Services, and do I need to set anything up or allow for any firewall exceptions?
A: The CRM Async service is not called directly by any of the other services. The async service operates out of the AsyncOperations queue and will process records as they’re placed into the queue. However, the Sandbox service operates differently. When work is handed off to the Sandbox service, it is done over a TCP channel (port 808 by default). In the case of a synchronous plugin, the web application server will contact the sandbox service; in the case of an asynchronous plugin, the async service will contact the sandbox service. Also note: if you are A) running the sandbox service on a dedicated server (not installing the full server role) and B) running the sandbox service as a service account identity, and not as Network Service, a dedicated SPN is required in Active Directory. The SPN would be homed under the service account running the sandbox service and would look like this: MSCRMSandboxService/<SandboxServerName>. For example, if my sandbox server was named “CRMSandboxSrv01” and my sandbox service ran under CRM_Sandbox_SvcAcct, my SPN would look like MSCRMSandboxService/CrmSandboxSrv01, and the SPN would live under the CRM_Sandbox_SvcAcct user object in Active Directory.
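One way to check the SPN and the TCP channel described above, as an added example that is not part of the original post or of any CRM tooling. The server and account names are the article's example values; the single-domain search and the 3-second timeout are assumptions.

```powershell
# Added example: run on the front-end (web application) and async servers,
# the two callers of the sandbox service named in the answer above.
$SandboxServer  = 'CRMSandboxSrv01'       # sandbox server (article's example name)
$ServiceAccount = 'CRM_Sandbox_SvcAcct'   # sandbox service account (article's example name)
$Port           = 808                     # default sandbox TCP port per the article
$TimeoutMs      = 3000                    # assumption: 3-second connect timeout
$Spn            = "MSCRMSandboxService/$SandboxServer"
$Caller         = $env:COMPUTERNAME

# 1. SPN check: find every account in the current domain that carries the SPN.
#    Assumption: single-domain forest; a multi-domain forest needs a global catalog search.
$searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
[void]$searcher.PropertiesToLoad.Add('samaccountname')
$owners = @($searcher.FindAll() |
    ForEach-Object { [string]$_.Properties['samaccountname'][0] })

if ($owners.Count -eq 0) {
    Write-Warning "$Spn is not registered. Fix: setspn -S $Spn <DOMAIN>\$ServiceAccount"
} elseif ($owners.Count -gt 1) {
    Write-Warning "$Spn is duplicated on: $($owners -join ', '). Duplicate SPNs break Kerberos."
} elseif ($owners[0] -ne $ServiceAccount) {
    Write-Warning "$Spn is registered under '$($owners[0])', expected '$ServiceAccount'."
} else {
    Write-Output "OK: $Spn is registered once, under $ServiceAccount."
}

# 2. Channel check: can this server open the sandbox TCP port?
#    TcpClient is used so the check also works on older PowerShell versions.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $pending = $client.BeginConnect($SandboxServer, $Port, $null, $null)
    if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
        Write-Output "OK: TCP $Port on $SandboxServer is reachable from $Caller."
    } else {
        Write-Warning "TCP $Port on $SandboxServer is not reachable from $Caller; check the firewall exception and the sandbox service."
    }
} finally {
    $client.Close()
}
```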
Q: If I want to manage my CRM deployment via PowerShell, are there any specific recommendations or “gotchas”?
A: Currently, if you wish to manage your CRM deployment via PowerShell, the Deployment Web Services must be running as a service account identity and not as Network Service. If you run the deployment web services as Network Service, certain functions of the CRM PowerShell add-in will return a security error.
If additional questions come up feel free to leave them as comments and we’ll do our best to address them in some way, shape, or form. I hope this helps clear up the confusion around some of the more complex environment configurations and what operating system features and roles are required for various CRM Server Roles.
Thanks for reading!
Great article, thank you!!
I am installing 2011 with multiple servers as a front-end and back-end layout. What is the best practice for install sequence?
Back-end then front-end? Or vice versa? Does it matter?
thanks in advance,
Hi Ian - The installation sequence really doesn't matter. If you choose to split roles you will not get a default org as part of your installation, thus all roles must first be installed (including the report connector) before you can create your first organization. I will also warn you that out of the three server role groups, two require IIS - if you want to separate out your IIS servers from non-IIS servers you should put the Front-end server role group and Deployment Tools server role group on the same servers and keep the back-end role group separate. You can also keep your deployment tools role group completely separate if required - but just know both Front-End and Deployment Tools require IIS. I hope that helps!
Sean, thanks for the great post, it has helped me to solve a couple issues we've had.
I just have one issue left with the deployment service. In setting up our development environment we have all of the services running off of one box pointing to a database server on a separate box. Each service is running under a separate domain account with the privileges you have defined above. We've also given the deployment service user local admin on the DB box and sysadmin in the database instance itself.
When I try to create an organization against the deployment service I get an error stating that the call failed a validation check. In the trace log I get this line:
>SqlServerAgentValidator, result: Level=Error, Description=SQLSERVERAGENT (SQLSERVERAGENT) service is not running on the server CRMSQLDEVEL.
When I log onto the db the server agent is up and running, the only issue that I can see that might be associated with that is that we have two database instances on that server, one for crm4 and one for crm2011.
Can you think of any other possible issues before I go and rip the crm4 instance off the server?
Ok, so I removed the crm4 instance as we weren't using it and this hasn't resolved the issue, so there's definitely something else I'm missing.
Paulo - is the instance you're pointing deployment manager to in the SQL server selection box? For instance, if my instance name is "CRM2011" and my servername is CRMServer, the SQL Server name to type in is: "CRMServer\CRM2011". I recently had a customer with this very same issue and this ended up being the cause. Another potential issue is a firewall between the servers or in some cases the service isn't running.
I need to have multiple CRM sites on the same box. I mean the IIS on a win2k8 server box will have 3 Dynamics CRM 2011 sites, one for dev, qa and uat. Is that possible and if so how?
Balaji, this is not possible. Your dev, qa, and UAT environments should be completely separate environments with the exception of Active Directory (meaning different CRM server, SQL Server, and report server).
Sean, is it possible to install the back-end server group onto multiple servers? If so, should they be load balanced?
We're a small company working to deploy a single CRM 2011 server. I had a question about front-end and back-end servers vs IFD.
The company would like to have CRM available to external employees without VPN connectivity. Does IFD have to be configured using AD FS in order for this to work?
Mainly the employees will be using the Outlook CRM client. We had it working for about a week without IFD, but for some reason it's stopped working. The website is available, but it looks like the client is trying to connect to the internal hostname now.
Any insight to this would be very helpful.
Hi Julian -
Yes, to allow users to log in via IFD, claims must be enabled. You bring up a good point though: while IFD requires Claims, Claims does not require IFD (so you can enable claims and not enable IFD). And, in your situation you would want to deploy an instance of ADFS so that claims can be configured and IFD can be enabled. Also, be aware that you'll want to purchase a public SSL certificate.
Let me know if you have any more questions. Thanks!
Does CRM 2011 support an installation having one back-end and several front-end servers?
The front-end servers would be located in several continents. All servers are in one AD.
JJY, of course this will work, though you will face a number of problems. For example, if you use the client-side script function getServerUrl(), this will return the server URL held in the Deployment properties and can only be a single server or load-balanced URL. This alone will give you cross-domain issues.
You will be better off looking to have separate deployments and share data across them, or alternatively host all your front-end servers in the most viable location with an NLB.
As long as you have a good pipe to your office in each country, then you should have a good experience. You can use the diag.aspx tool that ships with Rollup 5 to test bandwidth and latency from your separate locations to test this.
Hey, nowadays I am using CRM SDK 5.0, I am new to CRM tech,
could anyone tell me about the CRM discovery server?
Can I install CRM 2011 front end server on a standalone server? Or do I require it to be a member of the internal domain controller?
I am planning to install CRM 2011 in the DMZ as front end along with ADFS 2. So the question is: should my CRM 2011 FE be part of the domain?