CRM 2013: Install CRM Server and Reporting Extensions With Minimum Permissions and Without Internet

How do we install CRM 2013 Server where the server has no internet access and CRM must be installed with the minimum set of permissions possible? Rather painfully but it can be done! To find out, read on…

Pre-Requisites for CRM 2013 Server Install

While there are many guides on how to install CRM 2013 on a variation of Windows Server OSes/SQL Server setups, some guides commonly assume that you have access to (1) a domain administrator account for the installation and (2) the internet. Although it is much easier to do an install with both available, I have come across scenarios where neither was available for the installation on the customer site.

Hence, the purpose of this (very long!) blog post is not to document all the possible ways one can do an on-premise installation of CRM 2013, but to show what you may need to do if you are installing CRM server with the minimum permissions (no cheating using the domain administrator account, folks!) and without internet in one of the more common (non-enterprise) infrastructure setups: one CRM server (a VM in my case) and CRM databases and reports to be installed on another VM with SQL 2012 and SSRS 2012.

As always, the more time spent understanding both the requirements from the Microsoft Dynamics CRM 2013 Implementation Guide (at time of writing, V6.0.1) and the customer’s infrastructure setup, generally the easier and smoother the installation will go.

As always, the key to a successful installation is preparation!

Simple Infrastructure Setup

Let’s take a simple infrastructure example. Assume the following from a customer:

  • VM name: CRM2013Min: This is a new Windows Server 2012 installed ready for CRM 2013 (full deployment)
  • VM name: SQL2012Min: This is a new Windows Server 2012 VM with SQL2012 and reporting service already installed
  • Both VMs have no internet access
  • Both VMs are joined to a test domain e.g. “TSEDOM” so I can log on to both VMs using e.g. a “TSEDOM” domain administrator account
  • Customer requirement for the CRM server install is that CRM server should be installed as full deployment with minimum permissions. This includes the installation account used for CRM!
  • No AD group policies and firewall rules have been implemented in this setup (since all customers are different, let’s keep this discussion simple)

Notice I haven’t included any hardware information required by CRM 2013 and SQL 2012 and Windows Server 2012. Please go check out the pre-requisites from Microsoft for all 3 products.

AD Organisational Unit (OU), Installation Account and Service Accounts For CRM

CRM requires an organisational unit (OU) in the Active Directory that the server is joined to. During the CRM installation, the installation will create groups used by CRM to access SQL and SSRS etc.

A full deployment of CRM server requires 1 installation account and 6 service accounts for the 6 CRM services listed below (to understand what each service does, please refer to the implementation guide). Since this post is about installing CRM with “minimum” permissions, here is a list of extra permissions you must manually grant to each of the 6 (least-privileged) service accounts as well as the permissions for the installation account. Again, many of the requirements below come straight from the Planning Guide in the CRM 2013 Implementation Guide (version 6.0.1 at time of writing).

CRM Installation Account

  • Must be a domain user
  • Once installation is completed, a CRM system administrator account will be created for this Installation User.
  • Be a member of the Administrators group on (1) the local computer where CRM installation setup is running, and (2) the local computer where the instance of SQL Server is located.
  • Have “sysadmin” membership on the SQL Server instance and SSRS. I normally do this by first adding this installation account as a new SQL “login”, granting it the “sysadmin” server role and ensuring it has rights to connect to this database engine.
  • Have organisation and security group creation permission in AD. To have permissions to create AD security groups for a specific OU only, log on to the domain controller and open “Active Directory Users and Computers”. Choose “Delegate Control” for the CRM OU and add the CRM installation account here. Select to delegate the following permissions:
    • Read all user information,
    • Create, delete and Manage Groups,
    • Modify the membership of a group

  • Ensure this installation account has “Content Manager role” at the root level, and “System Administrator Role” at the site-wide level in SSRS. To do this, run IE as an administrator and browse to the SSRS reports URL.
  • To endow the CRM installation account with SSRS “System Administrator Role”, go to “Site Settings” > Security. Add the account via the “New Role Assignment” button.
  • To grant CRM installation account the SSRS “Content Manager Role” at the root level, go to “Folder Settings” on the “Home” page, grant the CRM Installation Account the “Content Manager Role” via the “New Role Assignment” button.

For the below 6 CRM service accounts, each service account must satisfy the following:

  • Must be a domain user
  • Cannot use these AD user credentials to set up a CRM user account
  • Password for this account should never expire
  • Cannot be a Managed Service Account (available in Windows Server 2008 R2 and Windows Server 2012). CRM does not support the running of CRM services by Managed Service Accounts. To find out more about Managed Service Accounts (also called Virtual Accounts, see here)

In addition from the CRM 2013 Implementation Guide (version 6.0.1 at time of writing), each of the CRM service accounts must also satisfy:

Application Service Account (used to run CRMAppPool IIS Application Pool Identity)

  • Member of Performance Log Users group on CRM server
  • If you change service account credentials after CRM installation, you might need to set the following:
    • Folder read and write permission on the “Program Files\Microsoft Dynamics CRM\Trace” folder and the  “Program Files\Microsoft Dynamics CRM\CRMWeb” folder, and user account %AppData% folder on the local computer
    • Read and write permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSCRMSandboxService subkeys in the Windows registry
    • CRM_WPG group membership. This group is used for IIS worker processes, which is granted during CRM Server installation
    • This service account may need an SPN for the URL used to access the website associated with it.

Deployment Web Service Account (used to run CRMDeploymentServiceAppPool application pool identity)

  • Must be granted the “Logon as service” permission in Local Security Policy
  • Local administrator group membership on the computer where the Deployment Web Service is running (for this simple infrastructure setup, this is the VM named “CRM2013Min”)
  • Local administrator group membership on the computer where SQL Server is running (i.e. VM named “SQL2012Min”)
  • “Sysadmin” permission on SQL Server instance
  • In addition, if you change service account credentials after CRM installation, you might need to set the following:
    • Folder read and write permission on the “Program Files\Microsoft Dynamics CRM\Trace” folder and the  “Program Files\Microsoft Dynamics CRM\CRMWeb” folder, and user account %AppData% folder on the local computer
    • Read and write permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSCRMSandboxService subkeys in the Windows registry
    • PrivUserGroup and SQLAccessGroup membership, which are created and membership granted by default during CRM Server installation
    • CRM_WPG group membership. This group is used for IIS worker processes, which is granted during CRM Server installation
    • This service account may need an SPN for the URL used to access the website associated with it.

Sandbox Processing Service Account

  • Must be granted the “Logon as service” permission in Local Security Policy
  • In addition, if you change service account credentials after CRM installation, you might need to set the following:
    • Folder read and write permission on the “Program Files\Microsoft Dynamics CRM\Trace” folder, and user account %AppData% folder on the local computer
    • Read permission to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM subkey in Windows registry
    • This service account may need an SPN for the URL used to access the website associated with it.

VSS Writer Service Account

  • Must be granted “Logon as service” permission in the Local Security Policy
  • In addition, if you change service account credentials after CRM installation, you might need to set the following:
    • Read permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM
    • PrivUserGroup and SQLAccessGroup AD membership, which are created and membership granted by default during CRM Server installation

Asynchronous Processing Service (and Maintenance) Account

  • Performance Log Users membership
  • Must be granted “Logon as service” permission in the Local Security Policy
  • In addition, if you change service account credentials after CRM installation, you might need to set the following:
    • PrivUserGroup and SQLAccessGroup AD membership, which are created and membership granted by default during CRM Server installation
    • Folder read and write permission on the “Program Files\Microsoft Dynamics CRM\Trace” folder, and user account %AppData% folder on the local computer
    • Read and write permission to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSCRMSandboxService subkeys in the Windows registry
    • This service account may need an SPN for the URL used to access the website associated with it.

Monitoring Service Account

  • Must be granted “Logon as service” permission in the Local Security Policy
  • In addition, if you change service account credentials after CRM installation, you might need to set the following:
    • Read permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM
    • SQLAccessGroup membership, which is created and membership granted by default during CRM Server installation
    • This service account may need an SPN for the URL used to access the website that is associated with it.

Let’s assume that the customer created one installation account e.g. “TSEDOM\CRM13MinInstallAdmin” and one (least privileged) service account to be used for all 6 CRM services e.g. “TSEDOM\CRM13MinCrmService”. Note that Microsoft recommends service accounts to not be shared, but for the purpose of this post, one service account is enough.
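To confirm that a service account holds the “Logon as service” grant listed above and no other user rights directly, the local security policy can be exported and parsed. The script below is an added example, not part of the original post; the function names, the sample export and the SID ending in -1105 are constructed for illustration.

```powershell
# Added example (not from the original post): list the user rights a CRM service
# account holds directly, from a "secedit /export" file. Rights that reach the
# account only through group membership are not detected by this check.
function Get-AccountUserRights {
    param(
        [string[]] $InfLines,                            # lines of the exported .inf
        [Parameter(Mandatory = $true)] [string] $Sid,    # account SID, S-1-5-21-...
        [string] $Name = ''                              # optional DOMAIN\user form
    )
    $inRights = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Only the [Privilege Rights] section maps rights to their holders.
            $inRights = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inRights -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $right   = $Matches[1]
            # Holders are comma separated; SIDs carry a leading '*'.
            $holders = @($Matches[2] -split ',' |
                         ForEach-Object { $_.Trim().TrimStart('*') } |
                         Where-Object { $_ })
            if ($holders -contains $Sid -or ($Name -and $holders -contains $Name)) {
                $right
            }
        }
    }
}

function Test-CrmServiceAccountRights {
    param([string[]] $InfLines, [string] $Sid, [string] $Name = '')
    $held = @(Get-AccountUserRights -InfLines $InfLines -Sid $Sid -Name $Name)
    [pscustomobject]@{
        Account           = $Name
        HasLogonAsService = ($held -contains 'SeServiceLogonRight')
        # Rights other than the "Logon as service" grant; review each one.
        OtherDirectRights = @($held | Where-Object { $_ -ne 'SeServiceLogonRight' })
    }
}

# Constructed sample export; the SID ending in -1105 stands in for
# TSEDOM\CRM13MinCrmService. On the server, produce the real file from an
# elevated prompt with:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
# and resolve the account SID with:
#   (New-Object System.Security.Principal.NTAccount('TSEDOM\CRM13MinCrmService')).Translate(
#       [System.Security.Principal.SecurityIdentifier]).Value
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-559
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split '\r?\n'

Test-CrmServiceAccountRights -InfLines $sampleInf `
    -Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105' `
    -Name 'TSEDOM\CRM13MinCrmService'
```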

The customer created the accounts in the CRM OU called “CRM2013Min” in the Active Directory and granted the accounts the relevant permissions as above.

SQL Server Checks

Prior to installing CRM on the CRM server, I do the following preliminary checks on the SQL/SSRS server (straight from the Planning Guide in the CRM 2013 Implementation Guide, V6.0.1 at time of writing):

For SQL/SSRS Server:

  • SQL Server 2012 installed on this server is x64. CRM 2013 does not support x32 installation.
  • Windows Authentication for SQL Server is a pre-requisite for CRM; it is best to install SQL Server using Windows Authentication.
  • SQL Server Agent Service must be installed and running, and configured to auto start on SQL Server
  • SQL Server full-text indexing must be installed and running on SQL Server
  • The service account SQL Server uses to log on to the network must be either a domain user (recommended) or 1 of the built-in system accounts supported by SQL Server (Network Service, Local Service, or Local System). CRM installation will fail if SQL Server service account is the local administrator.
  • SQL Server service must be started and configured to auto start when server starts
  • SQL Server Reporting Services service must be started and configured to auto start when server starts
  • CRM Server setup requires at least 1 network protocol to be enabled to authenticate by using SQL Server. By default, TCP/IP protocol is enabled when you install SQL Server. You can see these network protocols in SQL Server Configuration Manager.

In addition:

  • Check that the SQL Server Reporting Service is NOT running as “NT Service\ReportServer” (the account from a default SQL installation). CRM does not support the use of this account to run the reporting service. If it is, change it to the “Local System” account via the Reporting Service Configuration Manager.

Also, I recommend doing the following prior to the CRM installation. Log on to the SQL Server as the CRM installation domain user account and check:

  • Can this user access the SQL Server instance that will host the CRM databases via SQL Management Studio?
  • Can this user access the Reports and ReportServer URLs given by the Reporting Service Configuration Manager (run IE as administrator)?

If yes to both, you’re almost ready to install CRM on the CRM server! If not, go back to the sections before and make sure you grant the installation user all the necessary permissions on SQL and SSRS server!
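The service-state items in the SQL/SSRS checklist above can be checked in one pass instead of by eye. This is an added example, not part of the original post; the function name is hypothetical, the service names assume a default SQL Server 2012 instance, and the sample data and the account “TSEDOM\SqlSvc” are constructed.

```powershell
# Added example (not from the original post). Service names assume a default
# SQL Server 2012 instance; named instances use different service names.
function Test-CrmSqlPrereq {
    param(
        # Objects exposing Name, State, StartMode and StartName, such as the
        # output of: Get-CimInstance Win32_Service
        [Parameter(Mandatory = $true)] [object[]] $Services
    )
    # NeedAuto follows the post: auto start is required for the engine, the
    # Agent and SSRS; full-text only has to be installed and running.
    $expected = @(
        @{ Name = 'MSSQLSERVER';     Label = 'SQL Server';         NeedAuto = $true  }
        @{ Name = 'SQLSERVERAGENT';  Label = 'SQL Server Agent';   NeedAuto = $true  }
        @{ Name = 'MSSQLFDLauncher'; Label = 'Full-text indexing'; NeedAuto = $false }
        @{ Name = 'ReportServer';    Label = 'Reporting Services'; NeedAuto = $true  }
    )
    foreach ($e in $expected) {
        $svc = $Services | Where-Object { $_.Name -eq $e.Name } | Select-Object -First 1
        $problems = @()
        $account  = $null
        if (-not $svc) {
            $problems += 'not installed'
        } else {
            $account = $svc.StartName
            if ($svc.State -ne 'Running') { $problems += "state is $($svc.State)" }
            if ($e.NeedAuto -and $svc.StartMode -ne 'Auto') {
                $problems += "start mode is $($svc.StartMode)"
            }
            if ($e.Name -eq 'ReportServer' -and $account -like 'NT Service\ReportServer*') {
                $problems += 'runs as NT Service\ReportServer, which CRM does not support'
            }
            # Approximation: only catches a local account literally named Administrator.
            if ($e.Name -eq 'MSSQLSERVER' -and $account -match '^\.\\Administrator$') {
                $problems += 'runs as the local administrator'
            }
        }
        [pscustomobject]@{
            Service  = $e.Label
            Account  = $account
            Ok       = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

# Constructed sample: a default install where SSRS still uses its virtual
# account and the Agent is stopped and set to manual start.
$sample = @(
    [pscustomobject]@{ Name = 'MSSQLSERVER';     State = 'Running'; StartMode = 'Auto';   StartName = 'TSEDOM\SqlSvc' }
    [pscustomobject]@{ Name = 'SQLSERVERAGENT';  State = 'Stopped'; StartMode = 'Manual'; StartName = 'TSEDOM\SqlSvc' }
    [pscustomobject]@{ Name = 'MSSQLFDLauncher'; State = 'Running'; StartMode = 'Manual'; StartName = 'NT Service\MSSQLFDLauncher' }
    [pscustomobject]@{ Name = 'ReportServer';    State = 'Running'; StartMode = 'Auto';   StartName = 'NT Service\ReportServer' }
)
Test-CrmSqlPrereq -Services $sample | Format-Table -AutoSize

# On SQL2012Min itself:
#   Test-CrmSqlPrereq -Services (Get-CimInstance Win32_Service) | Format-Table -AutoSize
```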

CRM Server Checks

Prior to installing CRM on the server with Windows Server 2012 as the OS, you’ll need to install the following server roles:

  • Application Server Role
  • Files and Storage Services
  • Web Server (IIS)

With the following features to be installed:

  • .NET Framework 3.5 Features
  • .NET Framework 4.5 Features
  • Windows Identity Foundation 3.5
  • Windows PowerShell
  • Windows Search Service

And the following Application Server Role Services:

  • .NET Framework 4.5
  • Web Server (IIS) Support

Further, I recommend logging on to the CRM Server as the CRM installation domain user account and checking again:

  • Can this user access the Reports and ReportServer URLs given by the Reporting Service Configuration Manager (run IE as administrator)? If you can access the URLs on SQL Server but not on CRM Server, check your firewall!

CRM 2013 Server Setup Files

If you have downloaded the CRM 2013 Server setup file “crm2013-Server-ENU-amd64.exe” from the Microsoft download site (when writing this, the CRM server version is 06.00.0000.0809), beware that there are pre-requisite install files that are missing from this package which the installation setup will attempt to download from the internet for you. However, in the scenario where you don’t have internet you will have to download the files yourself before you install CRM.

For detailed instructions, see this MSDN blog post: Install CRM 2013 Without Internet. If you follow the instructions, you should end up with the following folder/file structure, where “Server” folder contains the CRM Server installation file you unpacked from “crm2013-Server-ENU-amd64.exe”.

Copy the entire set of folders to the CRM and SQL Servers.

Install CRM 2013 Server With Minimum Permissions

Log on to the CRM server as the installation account you set up earlier (in my case, “TSEDOM\crm13mininstalladmin”) and run Setup.exe in the Server folder as administrator.

Go into the “Server” folder containing your CRM Server installation files and run the file “SetupServer.exe” as administrator. This will start the CRM installation wizard.

When the wizard starts up, choose the option “Do not get update” for the installation files as we have no internet connection. Continue to next screen.

Enter your CRM server license and accept the license agreement and continue to next screen.

At this point, if CRM Server is missing one or more CRM pre-requisites, the following error will be shown (with no internet connection) and you must exit out of the install wizard, fix the problem, and try again:

“Download of one or more missing prerequisite components failed. Ensure your internet connection is working, then try again”.

The important point to note is that you can have a look at the generated log for more detail.

Hopefully you won’t see the above error and will instead be presented with a screen showing a list of pre-requisite components to be installed. Note that because we have no internet connection, the installation will start from the extra files we downloaded in the “Redist” directory. If you do have an internet connection, click install to allow CRM to download the components directly from Microsoft and install them. Once finished, hit “Next” for the next screen to begin the CRM Server installation.

The next screen asks for the “CRM Installation Location”, which you can usually leave as the default, e.g. “C:\Program Files\Microsoft Dynamics CRM”. Proceed to the next screen.

For a full deployment of CRM 2013 server, choose all the CRM server roles to install.

The next screen asks about deployment options. This is where we specify our SQL Server for this full deployment.

The Organizational Unit screen asks for the location of the Organizational Unit (OU) you created earlier. You should be able to find this OU by browsing through the AD structure.

The next screen asks for your 6 CRM Service Accounts. Enter them in “domain\username” format and hit “Next”.

The next screen asks for the website information. Typically the easiest way is to allow CRM to create a “NEW” website with port 5555. That is, CRM will be on URL http://<servername>:5555. But if you would like to use a particular URL with SSL say, you really should go and create this website FIRST in IIS before installing CRM (ideal opportunity to sort out your SSL certificates if you’re using HTTPS binding!). This is because it is not easy to change the URL used once CRM is installed.

For this simple scenario, I shall allow CRM to create a new website for me.

The Email Router screen asks for your Email Router server name. If you plan to install the CRM Email Router and you know which server it will be installed on, provide this server name here. Otherwise, leave it blank and click “Next”.

The next screen is the organization setting screen. You must supply the name of the CRM organization (e.g. “CRM2013Vanilla”). Once it’s installed, you can’t change the name so be careful!

The next screen is about supplying the Report Server URL. If you have granted the above minimum permissions to the CRM installation user account and have checked that you can access this ReportServer URL from the CRM Server as this user, you should have no problem with this screen and can proceed to the next.

On the “Microsoft Update Preference” screen, since we have no internet connection, choose “I do not want to use Microsoft update”.

The next screen is a system check. This is the “make or break” screen because this screen will flag up any missing permissions or connectivity issues. Notice that it flagged 3 warnings (which you should definitely fix for a production environment!).

The first 2 warnings are expected because I took a shortcut in this simple scenario and created only 1 CRM service account for all 6 CRM services. You shouldn’t do this for a production environment!

The third warning is to notify you that you should copy out your CRM encryption key and store it in a safe place. If you don’t know what the fuss is all about here, see an earlier post on CRM 2013 and SQL encryption.

For now, we can safely ignore the 3 warnings and proceed with the install.

Leave both CRM and SQL servers alone while CRM is installing…. (time for a cup of tea!)

Eventually, if you see the following screen, CRM server installation is completed. Yey!

If you look back at the OU group for this CRM deployment in Active Directory, you will see that the installation has actually created 4 new security groups within this OU. This is why the CRM installation user requires permission to create/modify objects in this OU (as mentioned in Section “AD Organisational Unit (OU), Installation Account and Service Accounts For CRM”). For more information about what each security group does, refer to the Installation Guide of the CRM 2013 Implementation Guide.

Looking at SQL Server Management Studio, you will see 2 new databases created by the installation: “MSCRM_Config” and “<organisationname>_MSCRM”.

Install CRM 2013 Reporting Extensions With Minimum Permissions

Once CRM 2013 Server is installed, you should be able to browse to CRM with a supported browser as the CRM installation user. This user will be the first CRM user granted with the CRM system administrator security role.

If you plan to run reports in CRM, you will now need to install the CRM 2013 Reporting Extensions (also called the “SRS Connector”) on the server where SSRS is installed. In my simple infrastructure example here, Reporting Extensions needs to be installed on my SQL Server VM (e.g. SQL2012Min). If you don’t, you will see an empty “Reports” tab in CRM.

Log on to SQL Server as the CRM installation account. Go to the CRM installation file directory and browse to the “Server” folder and its “SrsDataConnector” subfolder. Run the setup file called “SetupSrsDataConnector” as administrator to start the installation wizard.

When the wizard starts up, choose the option “Do not get update” for the installation files as we have no internet connection. Continue to next screen.

Accept the license agreement and the next screen again will show any pre-requisite components not already installed on the server where Reporting Service is running. Again, because there is no internet, the installation wizard will look for the missing components’ installation file in the “Redist” directory we prepared earlier.

The next screen asks you to specify the Configuration database server database instance where SSRS is installed. For this simple scenario, it is on the SQL Server named “SQL2012Min”.

The next screen asks for SSRS Instance Name. My install has a default instance so the wizard picked up “MSSQLSERVER” automatically.

For “Microsoft Update Preference”, again due to lack of internet connection, I chose “I don’t want to use Microsoft Update”.

The next screen asks you to check the Installation directory. By default, the reporting extensions will be installed in the following location: “C:\Program Files\Microsoft Dynamics CRM Reporting Extensions”.

System Checks is the next step and hopefully you’ll see no warnings or errors. Leave the wizard alone to complete the installation.

Once the wizard completes the reporting extensions installation, browse back to CRM “Reports” and you should now see all the default reports just installed.

If you browse to the SSRS Reports URL, you will see the same list of reports installed under “Home > SharedReports”.

This means you have now successfully completed the installation of CRM 2013 Server and Reporting Extensions!

Phew!

10 thoughts on “CRM 2013: Install CRM Server and Reporting Extensions With Minimum Permissions and Without Internet”

  1. Hi – great article. Where you say “The next screen asks you to specify the Configuration database server where SSRS is installed” I think you mean “The next screen asks you to specify the database instance where the Dynamics Configuration DB is installed”?

  2. Hi,

    Thanks for the detailed guide. One question regarding MDAC for CRM 2013

    According to Microsoft CRM 2013 planning guide, one of the software component prerequisite is Windows Data Access Components (MDAC) 6.0. I’m installing CRM 2013 on Windows Server 2012 R2, and when I run the Component Checker Tool (http://support.microsoft.com/kb/301202) to check the MDAC version, it does not detect MDAC version. Yet, I’m still able to install and run CRM 2013. So I would like to clarify if it really is a necessary component.

    Thanks for your help!

  3. Thanks for this post! I have an error “ActiveDirectoryRightsValidator.Failure.Groups PrivReportingGroup”. I installed CRM 2013 with existing groups with an XML config file. The account I am using to install CRM is the member of the group PrivReportingGroup. Please help.

    Thanks in advance.

    Bob

  4. Hi Priscilla,

    Great article. Thanks for the detailed guide. I have an error after CRM 2015 installation. When I click accounts or users I get a generic error. I didn’t find any solutions. Please help.

    Thanks,

    Gokhan
