The title is not very CRMish, is it? Well, I am sure my peers who are deeply involved in the infrastructure side of Microsoft Dynamics CRM 4.0 will disagree, especially the ones managing a large enterprise client or a public sector client. These customers usually have very stringent policies that govern the IT infrastructure. They typically include:

  • Minimal access to domain controllers or database servers
  • A very restrictive application installation process
  • No automatic changes to the domain (such as objects created by an installer) during installation processes
  • Specific naming conventions for directory objects such as Active Directory security groups

One of the steps during CRM installation is the creation of five security groups in the CRM Organizational Unit (OU) in Active Directory. The default names that Setup gives these groups are as follows:

  • PrivUserGroup
  • SQLAccessGroup
  • ReportingGroup
  • PrivReportingGroup
  • UserGroup

Post-installation, CRM administrative tasks include creating users within CRM. When a user is created in CRM, the default group management automatically adds the new user to the UserGroup and ReportingGroup security groups that the install process created. This requires a certain level of privilege on the domain (the right to modify group membership). As discussed at the beginning, many organizations do not allow such access to the domain, and they also enforce naming conventions for security groups. This creates the need for a process that allows CRM to be installed with minimum rights and with pre-created, custom-named security groups. This post provides those details. While some of this information is available in the well-written Implementation Guide released by our Product Group, each customer is unique and the guide does not cover this specific scenario in detail.

The following needs to be done ahead of the CRM installation:

  • Creation of an Organizational Unit (OU) within Active Directory
  • Creation of the five custom-named security groups within this OU (they must be security groups, not distribution groups)
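
As an added example (not from the original post or the CRM product documentation), here is a PowerShell script the directory team could run to create the OU hierarchy and the five custom-named groups, using the sample names that appear in the configuration file later in this post. It assumes the ActiveDirectory module (RSAT) is available and that the account running it has create rights on the application OU only; the domain name and the Global group scope are assumptions to adjust to your forest design.

```powershell
# Added example: pre-create the CRM OU and the five custom-named security groups.
# Names match the sample Config_precreate.xml later in this post; the domain and
# the group scope are assumptions.
Import-Module ActiveDirectory

$DomainDn = 'DC=contoso,DC=com'
$AppOu    = 'crmapp'   # Application OU, directly under the domain
$CrmOu    = 'CRMOU'    # Company Name OU, nested under the application OU

# CRM role (the element name Setup expects) -> custom group name
$Groups = @{
    PrivUserGroup      = 'CRMPrivUserGroup'
    SQLAccessGroup     = 'CRMSQLAccessGroup'
    UserGroup          = 'CRMUserGroup'
    ReportingGroup     = 'CRMReportingGroup'
    PrivReportingGroup = 'CRMPrivReportingGroup'
}

function Ensure-Ou {
    # Create the OU if it does not exist; return its DN either way.
    param([string]$Name, [string]$ParentDn)
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $ParentDn -SearchScope OneLevel
    if (-not $ou) {
        $ou = New-ADOrganizationalUnit -Name $Name -Path $ParentDn `
                  -ProtectedFromAccidentalDeletion $true -PassThru
    }
    return $ou.DistinguishedName
}

function Ensure-SecurityGroup {
    # Create a security group (never a distribution group) directly under the given OU.
    param([string]$Name, [string]$Path)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path -SearchScope OneLevel
    if (-not $g) {
        # Global scope is an assumption: use Universal if members will come from other domains.
        $g = New-ADGroup -Name $Name -SamAccountName $Name -GroupCategory Security `
                         -GroupScope Global -Path $Path -PassThru
    }
    elseif ($g.GroupCategory -ne 'Security') {
        throw "$Name exists but is a distribution group; CRM requires a security group."
    }
    return $g
}

$appOuDn = Ensure-Ou -Name $AppOu -ParentDn $DomainDn
$crmOuDn = Ensure-Ou -Name $CrmOu -ParentDn $appOuDn

# Hand this table to the CRM installer: the DNs go verbatim into the config file.
$rows = foreach ($role in $Groups.Keys) {
    $g = Ensure-SecurityGroup -Name $Groups[$role] -Path $crmOuDn
    [pscustomobject]@{ Role = $role; Group = $g.Name; DistinguishedName = $g.DistinguishedName }
}
$rows | Format-Table -AutoSize
```

The script is safe to re-run: it only creates what is missing and refuses to reuse a distribution group, which is the mistake most likely to surface later as a Setup failure.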

Now we are all set to proceed with the installation tasks.

  1. Add the user account of the user who is installing Microsoft Dynamics CRM as a member of the local Administrators group. You must complete this step on the computer that is running the Microsoft Dynamics CRM server and on the computer that is running SQL Server.
  2. If SQL Server Reporting Services (SSRS) is installed on a server other than the server on which you added permissions in step 1, you must add the Content Manager role at the root level for the installing user account, and the System Administrator role at the site-wide level for the installing user account. To do this, follow these steps on the Reporting Services server:

      • Start Internet Explorer and open the Report Manager site: http://srsserver/reports (srsserver is the name of the Reporting Services server).
      • On the Properties tab, click New Role Assignment. In the Group or user name box, type the user name of the user who is installing Microsoft Dynamics CRM, select the Content Manager check box, and then click OK.
      • Click Site Settings.
      • Under Security, click Configure site-wide security, and then click New Role Assignment.
      • In the Group or user name text box, type the user name of the user who is installing Microsoft Dynamics CRM, select the System Administrator check box, and then click OK.

  3. To use the pre-created Active Directory security groups, create an XML configuration file for Microsoft Dynamics CRM Server Setup that uses the syntax in the following example, and modify the values as appropriate. The list that follows the sample code describes each value. In the sample the file is named Config_precreate.xml, the domain is contoso.com, the application OU is crmapp and the company OU is CRMOU; substitute the actual names that you use. The Active Directory hierarchy is as follows:

      • root domain (contoso.com)
          • Application OU (crmapp)
              • Company Name OU (CRMOU), which holds the five groups

Sample Code

<CRMSetup>
  <Server>
    <Groups AutoGroupManagementOff="true">
      <PrivUserGroup>CN=CRMPrivUserGroup,OU=CRMOU,OU=crmapp,DC=contoso,DC=com</PrivUserGroup>
      <SQLAccessGroup>CN=CRMSQLAccessGroup,OU=CRMOU,OU=crmapp,DC=contoso,DC=com</SQLAccessGroup>
      <UserGroup>CN=CRMUserGroup,OU=CRMOU,OU=crmapp,DC=contoso,DC=com</UserGroup>
      <ReportingGroup>CN=CRMReportingGroup,OU=CRMOU,OU=crmapp,DC=contoso,DC=com</ReportingGroup>
      <PrivReportingGroup>CN=CRMPrivReportingGroup,OU=CRMOU,OU=crmapp,DC=contoso,DC=com</PrivReportingGroup>
    </Groups>
  </Server>
</CRMSetup>

Each value is the group's distinguished name (DN), written most specific component first: the group (CN=), then the company OU, then the application OU above it, then the domain components (DC=). AutoGroupManagementOff="true" tells Setup that the groups already exist and that it must neither create them nor manage their membership. The element names are fixed; replace the values as follows:

  • PrivUserGroup: the DN of the security group that plays the PrivUserGroup role (CRMPrivUserGroup in the sample)
  • SQLAccessGroup: the DN of the SQLAccessGroup security group
  • UserGroup: the DN of the UserGroup security group
  • ReportingGroup: the DN of the ReportingGroup security group
  • PrivReportingGroup: the DN of the PrivReportingGroup security group (a separate group from ReportingGroup)
  • OU= components: the OU path from the company OU up to the domain (OU=CRMOU,OU=crmapp in the sample)
  • DC= components: the domain name split into its parts (DC=contoso,DC=com for contoso.com)

Copy each DN from the group's distinguishedName attribute in Active Directory rather than typing it; a DN that does not match the object's actual location makes Setup fail.
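
To avoid hand-typing distinguished names, the following PowerShell (an added example, not part of the original post) resolves each custom group in Active Directory, checks that it really is a security group, and writes Config_precreate.xml with the element names Setup expects. It assumes the ActiveDirectory module, the sample OU and group names, and an output path of C:\Config_precreate.xml.

```powershell
# Added example: generate Config_precreate.xml from the groups as they exist in AD.
# Assumptions: ActiveDirectory module present; OU, group names and output path
# are the sample values from this post.
Import-Module ActiveDirectory

$CrmOuDn = 'OU=CRMOU,OU=crmapp,DC=contoso,DC=com'   # Company Name OU that holds the groups
$OutFile = 'C:\Config_precreate.xml'

# Element names are fixed by Setup; the values are your custom group names.
$GroupMap = [ordered]@{
    PrivUserGroup      = 'CRMPrivUserGroup'
    SQLAccessGroup     = 'CRMSQLAccessGroup'
    UserGroup          = 'CRMUserGroup'
    ReportingGroup     = 'CRMReportingGroup'
    PrivReportingGroup = 'CRMPrivReportingGroup'
}

function Resolve-CrmGroupDn {
    # Look the group up directly under the CRM OU and return its DN; fail loudly so a
    # typo is caught here rather than by Setup half way through the installation.
    param([string]$Role, [string]$Name, [string]$SearchBase)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $SearchBase -SearchScope OneLevel
    if (-not $g) { throw "$Role : group '$Name' was not found directly under $SearchBase" }
    if ($g.GroupCategory -ne 'Security') { throw "$Role : '$Name' is a distribution group, not a security group" }
    return $g.DistinguishedName
}

function New-CrmPrecreateConfig {
    param([string]$Path, [System.Collections.IDictionary]$Groups, [string]$SearchBase)

    # Resolve everything first so a bad group name leaves no half-written file behind.
    $resolved = [ordered]@{}
    foreach ($role in $Groups.Keys) {
        $resolved[$role] = Resolve-CrmGroupDn -Role $role -Name $Groups[$role] -SearchBase $SearchBase
    }

    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $settings.OmitXmlDeclaration = $true   # keep the file in the exact shape of the sample above
    $w = [System.Xml.XmlWriter]::Create($Path, $settings)
    try {
        $w.WriteStartElement('CRMSetup')
        $w.WriteStartElement('Server')
        $w.WriteStartElement('Groups')
        # true = the groups already exist; Setup must neither create them nor manage membership
        $w.WriteAttributeString('AutoGroupManagementOff', 'true')
        foreach ($role in $resolved.Keys) { $w.WriteElementString($role, $resolved[$role]) }
        $w.WriteEndElement()   # Groups
        $w.WriteEndElement()   # Server
        $w.WriteEndElement()   # CRMSetup
    }
    finally { $w.Close() }
}

New-CrmPrecreateConfig -Path $OutFile -Groups $GroupMap -SearchBase $CrmOuDn
Get-Content -Path $OutFile   # review before running ServerSetup.exe /config
```

Because the DNs are read back from the directory, the file reflects wherever the directory team actually placed the groups, which matters when the OU hierarchy in production differs from the one in the design document.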

  4. Run the Microsoft Dynamics CRM server installation with the configuration file. To do this, click Start, click Run, type <CRM installation media drive>:\ServerSetup.exe /config C:\Config_precreate.xml in the Open box, and then click OK.
  5. Add the appropriate user accounts and computer accounts as members of the following groups. Because AutoGroupManagementOff="true" tells Setup that these groups are not managed by CRM, CRM will not populate them during installation or when CRM users are created later: every membership below, and every future CRM user's membership of UserGroup and ReportingGroup, has to be added by someone with rights on the OU.

      • PrivUserGroup
          • The account that the CRMAppPool application pool uses
          • The account that the ASP.NET process model uses
          • The user account that runs the Microsoft Dynamics CRM installation
          • The computer account of the server on which the Microsoft Dynamics CRM-Exchange E-mail Router will be installed
      • ReportingGroup
          • All Microsoft Dynamics CRM user accounts (this includes the user who is installing Microsoft Dynamics CRM)
      • UserGroup
          • All Microsoft Dynamics CRM user accounts (this includes the user who is installing Microsoft Dynamics CRM)
      • SQLAccessGroup
          • The account that the CRMAppPool application pool uses
          • The account that the ASP.NET process model uses
      • PrivReportingGroup
          • The computer account of the server on which the Microsoft Dynamics CRM Data Connector for Microsoft SQL Server Reporting Services will be installed

SQLAccessGroup is granted direct access to the CRM databases, so it must contain only the service identities listed above, never end users; users reach the data through the application, and reporting users get the filtered views through ReportingGroup.
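
The memberships above, as an added PowerShell example (not from the original post) that adds what is missing, verifies the result, and covers the ongoing task of adding new CRM users by hand. It assumes the ActiveDirectory module and the sample group names; the server names (CRMAPP01, CRMMAIL01, CRMSSRS01), the service account svc-crmapppool and the installing user crm-installer are placeholders to replace.

```powershell
# Added example: populate the pre-created groups and verify the result.
# Assumptions: ActiveDirectory module present; group names are the sample
# values; server names, the service account and the installing user are
# placeholders to replace. Run as an account with write-members rights on the OU.
Import-Module ActiveDirectory

$CrmServer   = 'CRMAPP01'        # server running CRM (web server / CRMAppPool)
$RouterHost  = 'CRMMAIL01'       # server that will run the CRM-Exchange E-mail Router
$SsrsHost    = 'CRMSSRS01'       # server that will run the Data Connector for SSRS
$AppPoolUser = 'svc-crmapppool'  # set to $null if CRMAppPool runs as NetworkService or LocalSystem
$Installer   = 'crm-installer'   # user who runs ServerSetup.exe

function Get-AppPoolPrincipal {
    # A configurable identity is a domain user; the built-in identities reach AD
    # and SQL as the computer account (domainname\computername$).
    param([string]$Account, [string]$Computer)
    if ($Account) { return Get-ADUser -Identity $Account }
    return Get-ADComputer -Identity $Computer
}

function Add-MissingMembers {
    # Add only principals that are not members yet, so the script can be re-run safely.
    param([string]$Group, [object[]]$Principals)
    $existing = @(Get-ADGroupMember -Identity $Group | ForEach-Object { $_.DistinguishedName })
    $missing  = @($Principals | Where-Object { $existing -notcontains $_.DistinguishedName })
    if ($missing.Count -gt 0) { Add-ADGroupMember -Identity $Group -Members $missing }
}

function Test-CrmGroupMembership {
    # One row per expected member; Present = False is what to hand back to the directory team.
    param([System.Collections.IDictionary]$Expected)
    foreach ($group in $Expected.Keys) {
        $have = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.DistinguishedName })
        foreach ($p in $Expected[$group]) {
            [pscustomobject]@{
                Group   = $group
                Member  = $p.SamAccountName
                Present = ($have -contains $p.DistinguishedName)
            }
        }
    }
}

function Add-CrmUser {
    # Because AutoGroupManagementOff="true", CRM will not do this when a user is
    # created in the application: every new CRM user needs both memberships.
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName
    Add-MissingMembers -Group 'CRMUserGroup'      -Principals @($u)
    Add-MissingMembers -Group 'CRMReportingGroup' -Principals @($u)
}

$appPool   = Get-AppPoolPrincipal -Account $AppPoolUser -Computer $CrmServer
$installer = Get-ADUser -Identity $Installer

# If machine.config names a specific ASP.NET processModel account, add it to
# CRMPrivUserGroup and CRMSQLAccessGroup as well.
$Expected = [ordered]@{
    CRMPrivUserGroup      = @($appPool, $installer, (Get-ADComputer -Identity $RouterHost))
    CRMSQLAccessGroup     = @($appPool)   # service identities only: this group has direct DB access
    CRMUserGroup          = @($installer)
    CRMReportingGroup     = @($installer)
    CRMPrivReportingGroup = @((Get-ADComputer -Identity $SsrsHost))
}

foreach ($group in $Expected.Keys) { Add-MissingMembers -Group $group -Principals $Expected[$group] }
Test-CrmGroupMembership -Expected $Expected | Format-Table -AutoSize
```

Keep the $Expected table under change control: it is the list an auditor will ask for, and re-running Test-CrmGroupMembership against it is the quickest way to spot a member that a later clean-up removed.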

  6. To verify which account the CRMAppPool application pool uses, follow these steps on the computer that is running the Microsoft Dynamics CRM server:

      • Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
      • Expand the computer name, and then expand Application Pools.
      • Right-click CRMAppPool, click Properties, and then click the Identity tab. The NetworkService account and the LocalSystem account both present themselves on the network as the computer account, "domainname\computername$". Therefore, if the pool uses NetworkService or LocalSystem, add "domainname\computername$" to the security group. If the Configurable option is selected, add the user account shown in the text box instead.

  7. To verify the account that the ASP.NET process model uses, follow these steps on the Microsoft Dynamics CRM server:

      • In Windows Explorer, open the following folder: C:\WINNT\Microsoft.NET\Framework\v1.1.4322\CONFIG
      • Right-click Machine.config, click Open With, and then click Notepad. Locate the <processModel> element inside <system.web>; its userName attribute is the account that the ASP.NET process model uses. The SYSTEM account and the computer account are both represented on the network by "domainname\computername$", so if userName is SYSTEM, add "domainname\computername$" to the security group. If a specific user name is set in Machine.config, add that user account to the security group.
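
Steps 6 and 7 can be scripted on the CRM server so that the two identities are read rather than eyeballed. The following is an added example, not from the original post: it queries the IIS 6 metabase through WMI for the CRMAppPool identity, reads the processModel userName from machine.config, and prints the account name to add to the groups. It assumes IIS 6 with its WMI provider (root\MicrosoftIISv2), the v1.1 machine.config path used in this post, and a domain named CONTOSO; the identity-type codes are the IIS 6 values.

```powershell
# Added example: determine, on the CRM server, the accounts that steps 6 and 7
# refer to and print the name to add to the security groups. Assumptions: IIS 6
# with its WMI provider (root\MicrosoftIISv2), the v1.1 machine.config path used
# in this post, and the domain name CONTOSO. Identity-type codes are IIS 6 values:
# 0 LocalSystem, 1 LocalService, 2 NetworkService, 3 a configurable account.

$Domain        = 'CONTOSO'
$Computer      = $env:COMPUTERNAME
$MachineConfig = 'C:\WINNT\Microsoft.NET\Framework\v1.1.4322\CONFIG\machine.config'

function Get-ComputerAccountName {
    # NetworkService, LocalSystem and SYSTEM all appear on the network as this account.
    '{0}\{1}$' -f $Domain, $Computer
}

function Get-CrmAppPoolAccount {
    param([string]$PoolName = 'CRMAppPool')
    $pool = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPoolSetting |
            Where-Object { $_.Name -eq "W3SVC/AppPools/$PoolName" }
    if (-not $pool) { throw "Application pool '$PoolName' not found in the IIS metabase" }
    switch ([int]$pool.AppPoolIdentityType) {
        3       { return $pool.WAMUserName }         # Configurable: the account shown on the Identity tab
        1       { throw "$PoolName runs as LocalService, which has no network identity and cannot be a group member" }
        default { return Get-ComputerAccountName }   # 0 LocalSystem, 2 NetworkService
    }
}

function Get-AspNetProcessModelAccount {
    param([string]$Path)
    [xml]$cfg = Get-Content -Path $Path
    $pm = $cfg.configuration.'system.web'.processModel
    if (-not $pm) { throw "No <processModel> element found in $Path" }
    switch ($pm.userName) {
        'SYSTEM'  { return Get-ComputerAccountName }   # runs as the computer account on the network
        'machine' { return "$Computer\ASPNET" }        # v1.1 default: local ASPNET account (only honoured in IIS 5.0 isolation mode)
        default   { return $pm.userName }              # an explicit account: add it exactly as written
    }
}

[pscustomobject]@{
    CRMAppPoolIdentity = Get-CrmAppPoolAccount
    AspNetProcessModel = Get-AspNetProcessModelAccount -Path $MachineConfig
} | Format-List
```

The LocalService case is deliberately an error: that identity authenticates anonymously on the network, so a pool running as LocalService could never satisfy the SQLAccessGroup membership check, and the symptom would otherwise appear much later as a database login failure.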

These are the simple steps that need to be followed for a successful installation of CRM in an environment with strict server administration policies and custom-named, pre-created security groups. As I mentioned at the beginning, this information is available but scattered; my intent is to bring all the necessary steps together for this kind of scenario.