As customers are starting to plan for CRM 2011 installations and upgrades, we’ve begun to see questions regarding environment setups. Here’s a list of the questions I’ve seen thus far:
Q: Are the CRM 2011 Report Extensions (commonly referred to as the “report connector”) an optional component?
A: All installations now require the CRM 2011 Report Extensions to be installed and configured on the SQL Reporting Server. If they are not installed, certain features will not work properly: reporting will not function, and creating new organizations and importing organizations will be blocked until the extensions are installed and configured.
Q: Do I need to install the CRM 2011 Reporting Extensions prior to installing CRM?
A: No, these should be installed after you install the CRM 2011 Server components.
Q: When installing CRM server roles on different servers (ex: install front-end and deployment components on server1 and back-end components on server2) I am not prompted to install the reporting extensions, why is this?
A: When the CRM server roles are installed separately (without first installing a CRM full-server) you’ll notice that no organizations are created by default. Once the servers are all set up and configured, the first step to set up CRM is to launch Deployment Manager and create an organization. It is at that time you will be required to input a reporting server that has the CRM 2011 Reporting Extensions installed.
Q: On CRM 4.0, as long as the report extensions were not installed, a Reporting Server (or scaled out reporting server farm) could host reports for multiple CRM installations/deployments. How has this changed in CRM 2011?
A: In CRM 2011 the Reporting Extensions are now required, which means each Reporting server (or scaled out reporting server farm) with the report extensions installed may only host reports for a single CRM 2011 Deployment. NOTE: The Reporting Server (or scaled out reporting server farm) can host reports for multiple tenants (organizations) in the deployment.
Q: If I were to run all CRM server services under different service accounts, how many service accounts do I need and what CRM groups should each service account belong to?
A: There are numerous configurations you could use to accomplish this, but if you were to separate everything, here is a table explaining what group membership is required. I’ve also included SSRS and SQL Server:
Deployment Services SvcAcct
Application Service (CRMAppPool)
Async service SvcAcct
Sandbox services SvcAcct
SQL Server SvcAcct
SQL Reporting Services SvcAcct
Email router account**
User accounts in CRM
* The performance log user group is a local group on each server and not a domain group
** Email router will run as local system
*** The Installing user should be a separate service account, but it should not be used to run any services.
IMPORTANT: If any of the service accounts are created as users in CRM, you may encounter various problems, some of which are potential security issues.
Q: I am concerned when it comes to security and want to be sure I limit my attack surface whenever possible. What Windows Server Roles and Features are required for each CRM Server role?
A: Below is a table broken down by the 8 different server roles CRM installs.
IIS Web Server Role
.NET HTTP Activation
File Server Indexing Services
NOTE: The IIS Web Server will also install the following role services:
Q: If I want to split up my roles between a CRM Front-End Server and a CRM Back-End Server, but I don’t want to have a third server just for the purpose of hosting the deployment tools, is there a best practice or preferred placement given the two choices?
A: The deployment tools can live on either server. As you see in the chart above, the IIS Windows Web Server Role is required for both the Front-End Server services as well as the Deployment tools. If you have a goal of minimizing your attack surface and want to limit your installations of IIS, the best location for the Deployment Tools role would be on the Front-End Server as all web services would be hosted on your Front-End Server and the Back-End Server would be hosting non-IIS based components.
Q: How do the CRM Front-End Server roles contact the CRM Sandbox and Async services, and do I need to set anything up or allow for any firewall exceptions?
A: The CRM Async service is not called directly by any of the other services. The Async service operates out of the AsyncOperations queue and will process records as they’re placed into the queue. However, the Sandbox service operates differently. When work is handed off to the Sandbox service it is done so over a TCP channel (port 808 by default). In the case of a synchronous plugin, the web application server will contact the Sandbox service; in the case of an asynchronous plugin, the Async service will contact the Sandbox service. Also note: if you are A) running the Sandbox service on a dedicated server (not installing the full server role) and B) running the Sandbox service as a service account identity, and not as Network Service, a dedicated SPN is required in Active Directory. The SPN would be homed under the service account running the Sandbox service and would look like this: MSCRMSandboxService/<SandboxServerName>. For example: if my sandbox server was named “CRMSandboxSrv01” and my Sandbox service ran under CRM_Sandbox_SvcAcct, my SPN would look like: MSCRMSandboxService/CrmSandboxSrv01 and the SPN would live under the CRM_Sandbox_SvcAcct user object in Active Directory.
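The SPN and port requirements in the answer above can be checked from a front-end or async server. The PowerShell below is an added example, not part of the original post or of the CRM tooling; CONTOSO is a placeholder domain, and the server and account names are the ones used in the answer's example.

```powershell
# Added example (not from the original post). Run from a CRM front-end or async server.
# Assumptions: CONTOSO is a placeholder domain; the server and account names are the
# ones used in the answer's example; 808 is the default sandbox port it mentions.
$SandboxServer  = 'CrmSandboxSrv01'
$ServiceAccount = 'CONTOSO\CRM_Sandbox_SvcAcct'
$Spn            = "MSCRMSandboxService/$SandboxServer"
$Port           = 808

# 1. Find every account in the current domain that holds the SPN.
$searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
$holders  = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })
$expected = $ServiceAccount.Split('\')[1]

if ($holders.Count -eq 0) {
    Write-Warning "$Spn is not registered. Register it with: setspn -S $Spn $ServiceAccount"
} elseif ($holders.Count -gt 1) {
    # A duplicate SPN breaks Kerberos ticket requests for the service.
    Write-Warning "Duplicate SPN $Spn on: $($holders -join ', '). Leave it on one account only."
} elseif ($holders[0] -ine $expected) {
    Write-Warning "$Spn is registered to $($holders[0]), expected $expected."
} else {
    Write-Output "OK: $Spn is registered to $expected."
}

# 2. Confirm the sandbox TCP channel is reachable through any firewall in between.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $pending = $client.BeginConnect($SandboxServer, $Port, $null, $null)
    if ($pending.AsyncWaitHandle.WaitOne(3000) -and $client.Connected) {
        Write-Output "OK: TCP $Port on $SandboxServer is reachable."
    } else {
        Write-Warning "TCP $Port on $SandboxServer is not reachable; check the firewall exception."
    }
} finally {
    $client.Close()
}
```

`setspn -S` checks for an existing registration before adding the SPN, which avoids creating the duplicate case the script warns about.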
Q: If I want to manage my CRM deployment via PowerShell, are there any specific recommendations or “gotchas”?
A: Currently, if you wish to manage your CRM deployment via PowerShell, the Deployment Web Services must be running as a service account identity and not as Network Service. If you run the deployment web services as Network Service, certain functions of the CRM PowerShell add-in will return a security error.
If additional questions come up feel free to leave them as comments and we’ll do our best to address them in some way, shape, or form. I hope this helps clear up the confusion around some of the more complex environment configurations and what operating system features and roles are required for various CRM Server Roles.
Thanks for reading!
@Savio - I'd recommend taking a look at the CRM implementation guide for the details, but all CRM servers and server roles (including SQL & SSRS) must all be on the same domain, including the front end servers.
Sean, where do I find some more info about the IIS role services?
Actually I want to know more about IIS settings related to CRM 2011, just like URL Rewrite etc.
I don't have any specifics on how we're using URL re-write nor are there any settings that are exposed for that, but I can tell you that we have recently covered some IIS Settings that will probably interest you. Check out a recent posting on Kerb auth: http://bit.ly/QOEvLF Specifically, take a look at the IIS settings under item #3 and #3.1. Additionally check out our article on wcf compression for CRM: http://aka.ms/may2aj
Can I install two different frontends, one for the IFD and the other for internal use?
Hi Gianni, IFD is a deployment wide setting and the CRM servers will respond as configured no matter which organization, in this case. Keep in mind that IFD does allow for an 'internal' address configuration so users authenticate with ADFS (your STS) using their browser/corporate credentials thus avoiding the STS sign in page if they’re on your network. If they're on the internet, they would see the STS sign in page and only after providing credentials would they pass through to CRM. Does that help?
Sean, I've got a question on sandbox service, essentially the same question bok asked but had no answer
"the Sandbox service operates differently. When work is handed off to the Sandbox service it is done so over a TCP channel (port 808 by default). In the case of a synchronous plugin, the web application server will contact the sandbox service;"
We've looked up and down through many documents about setting up multiple back end servers that are running the sandbox service. Nothing suggests it will need load balancing. We even engaged with Microsoft Consulting and they were simply quoting the same documents we've been reading. Your information is the most specific info we have in this area. Can you explain how multiple server nodes running the same sandbox service work without load balancing? When requests are sent over the TCP channel 808, how are they distributed across multiple servers?
Hi Tao, check out my Kerberos blog in the comments where I explained how it works with a little more depth. Let me know if you still have any questions. Here is the URL: blogs.msdn.com/.../kerberos-in-load-balanced-environments.aspx
I need to install CRM 2011 using ADFS. I have only one server for everything (CRM 2011 + SQL Server 2008 + ADFS 2.0) having the Windows Server 2008 Standard operating system. I have installed SQL Server 2008 R2. Now how should I proceed?
Do I need to install CRM 2001 first & then configure ADFS, or do I need to set up ADFS then install CRM 2011? When should I install CRM Deployment Manager?
I have got a lot of data on how to configure but I need to get it ready before that.
Thanks in advance.
Hi Javed, thanks for your comment & question! It just so happens, Kim, from the below videos is now on our team and we do have some information around ADFS configuration. As far as order of operations, ADFS can be set up before or after CRM is set up & configured. Basically CRM will be initially configured as AD authentication first, then once ADFS is ready or you're ready to use ADFS then you would approach the configuration. Here are the videos currently published which should answer your questions:
End to end config video: www.youtube.com/watch
Further Detailed config videos:
1. Implementing Claims and IFD: Part 1: www.youtube.com/watch
2. pt2: install & config ADFS: www.youtube.com/watch
3. pt3: Config CRM Server for ADFS: www.youtube.com/watch
4. pt4: Config IFD: www.youtube.com/watch
5. pt5: Enable claims for external domains: www.youtube.com/watch
6. pt6: Troubleshooting: www.youtube.com/watch
Thx for reading!
Can I add multiple organisations on a single Dynamics CRM Server?
@Kapil - yes CRM is multi-tenant.
Sean, good article. We are currently dealing with some issues and want to move the Async services and the Email Router to separate servers. Is this possible and how do we configure them?
We have CRM 2011; Sql Server 2012 SP1
Thanks Bill! It's absolutely possible, just run the installation on the new servers and install only the async service role. Additionally, on the servers you no longer wish to have async installed to, run Add/Remove Programs, then uncheck the async service role from the configuration wizard. And as far as email, uninstall the router from the source server, and re-install it to the new server.
I hope that helps!
I'm trying to automate the deployment of our test servers and was hoping to silently run the CRM 2011 (or 2013) install. The problem is, part of our process is to always check for updates to the setup files. Using <Patch update="true"></Patch> seems to only work if you already have the updated MSP downloaded to a shared or local drive. Is this the case? Or is there a way to have the install silently check online for updates to the setup files?
@ConfigXML - I suspect you may already have this figured out :) but make sure the node is exactly: <Patch update="true"></Patch> with no spaces or characters in between the brackets.