14.11.2011, 06:19
Gareth Tucker: Installing a 2-server CRM 2011 with Service Accounts and Minimum Permissions
Source: http://gtcrm.wordpress.com/2011/11/1...m-permissions/
==============
Recently for a proof of concept I needed to supply a CRM installation installed to Microsoft’s best practices – i.e. a 2 server environment, SSL (HTTPS) and each service running under a separate service account. Here are some notes on what was required to make this work.
If you miss some of these steps, the common symptoms are:
- Can only access CRM directly on the CRM server
- CRM Reports don’t work
- Outlook Client does not Configure
- Authentication prompts appear as you try to access CRM
Environment: VirtualBox
- Machine 1 = Domain Controller and SQL Server,
- Machine 2 = CRM Server
Steps:
- Install Windows Server 2008 R2 64-bit on both Machines, create C and D drive partitions (install all application software on the D drive)
- Promote Machine 1 to be a Domain Controller
- Create service accounts for SQL Server and SSRS
- Install SQL and SSRS on Machine 1
- Add Machine 2 to the domain
- Create an installer account: crmadmin
- Create service accounts: crmservice, crmdeploy, crmemail, crmasync, crmsandbox
- Grant minimum permissions per the CRM Implementation Guide’s instructions
- Log on as the installer account and install CRM Server on Machine 2
- Test CRM access over HTTP via Internet Explorer on Machine 2
- Install CRM SSRS Data Connector on Machine 1
- Install latest rollup packs for CRM Server and SSRS Data Connector
- Create a self-signed certificate on Machine 2 (in IIS)
- Go into CRM Deployment Manager, go to Servers, disable the CRM Server
- Go to IIS and edit the Bindings for the CRM Web Site, enable HTTPS, disable HTTP
- Back in CRM Deployment Manager, right-click on “Microsoft Dynamics CRM” and select Properties, then on the Web Address tab select HTTPS and enter the URLs
- Re-enable the CRM server in Deployment Manager
- Test CRM access over HTTPS via Internet Explorer on Machine 2
- Create an SPN for the CRM service account (the identity running the CRM app pool), e.g. setspn -A HTTP/VBOXCRM gtdomain\crmservice (the SPN prefix should always be HTTP even when HTTPS is enabled, and the computer name should be in capitals)
- In Active Directory Users and Computers grant the Trust for Delegation permission to the CRM service account and the CRM server Computer Name (you need to use Run As Administrator in order for the Delegation tab to appear when editing the properties of the Computer account)
- Shut down Machine 2, reboot Machine 1, restart Machine 2
- Test CRM access over HTTPS via Internet Explorer on Machines 1 and 2
- Test CRM Reports on Machines 1 and 2
- Test the CRM Async Service by creating and triggering a simple workflow
- Test the Deployment Service by creating a second CRM Organisation
- Install the CRM Email Router and its Rollup Pack, configure and test
- On Machine 1, install Outlook and then the CRM Outlook Client and its Rollup Pack, configure and test
Done
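A post-install check for the SPN, delegation and minimum-permission steps above, as an added example that is not part of the original post. It uses the account and SPN names from the post; treating VBOXCRM as the CRM server's computer name and auditing Domain Admins membership are assumptions.

```powershell
# Added example, not from the original post. Run on the domain controller (Machine 1).
# Names come from the post; VBOXCRM as the computer name is an assumption.
Import-Module ActiveDirectory

$spn             = 'HTTP/VBOXCRM'
$appPoolAccount  = 'crmservice'
$crmComputer     = 'VBOXCRM'
$serviceAccounts = 'crmservice','crmdeploy','crmemail','crmasync','crmsandbox'

function New-Check($Name, $Passed, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; Passed = [bool]$Passed; Detail = $Detail }
}

$results = @()

# 1. The SPN must be held by exactly one object, and that object must be the app pool
#    identity. A missing or duplicated SPN breaks Kerberos and shows up as login prompts.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
            ForEach-Object { $_.sAMAccountName })
$results += New-Check "SPN $spn registered once, on $appPoolAccount" `
    (($owners.Count -eq 1) -and ($owners[0] -eq $appPoolAccount)) `
    ('owners: ' + ($owners -join ', '))

# 2. Delegation on the service account and the CRM computer account. Reports whether it is
#    unconstrained (any service) or limited to the SPNs in msDS-AllowedToDelegateTo.
$props   = 'TrustedForDelegation','msDS-AllowedToDelegateTo'
$targets = @((Get-ADUser $appPoolAccount -Properties $props),
             (Get-ADComputer $crmComputer -Properties $props))
foreach ($t in $targets) {
    $allowed = $t.'msDS-AllowedToDelegateTo' -join ', '
    $detail  = if ($t.TrustedForDelegation) { 'unconstrained (any service)' }
               elseif ($allowed) { "constrained to: $allowed" } else { 'not configured' }
    $results += New-Check "$($t.SamAccountName) trusted for delegation" `
        ($t.TrustedForDelegation -or $allowed) $detail
}

# 3. Minimum permissions: none of the CRM service accounts should sit in Domain Admins
#    (assumed sanity check; the Implementation Guide remains the reference for exact rights).
$admins = @(Get-ADGroupMember 'Domain Admins' -Recursive | ForEach-Object { $_.SamAccountName })
foreach ($acct in $serviceAccounts) {
    $results += New-Check "$acct is not a Domain Admin" (-not ($admins -contains $acct)) ''
}

$results | Select-Object Check, Passed, Detail | Format-Table -AutoSize -Wrap
```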