CRM 2011 Server Setup Commonly Asked Questions

As customers are starting to plan for CRM 2011 installations and upgrades, we’ve begun to see questions regarding environment setups.  Here’s a list of the questions I’ve seen thus far:


Q: Are the CRM 2011 Report Extensions (commonly referred to as the “report connector”) an optional component?

A: All installations now require the CRM 2011 Report Extensions to be installed and configured on the SQL Reporting Server.  If it is not installed, certain features will not work properly: reporting will not function, creating new organizations, and organization imports will be blocked until the extensions are installed and configured.


Q: Do I need to install the CRM 2011 Reporting Extensions prior to installing CRM?

A: No, these should be installed after you install the CRM 2011 Server components.


Q: When installing CRM server roles on different servers (ex: install front-end and deployment components on server1 and back-end components on server2) I am not prompted to install the reporting extensions, why is this?

A: When the CRM server roles are installed separately (without first installing a CRM full-server) you’ll notice that no organizations are created by default.  Once the servers are all setup and configured, the first step to setup CRM is to launch deployment manager and create an organization.  It is at that time you will be required to input a reporting server that has the CRM 2011 Reporting Extensions installed.


Q: On CRM 4.0, as long as the report extensions were not installed, a Reporting Server (or scaled out reporting server farm) could host reports for multiple CRM installations/deployments.  How has this changed in CRM 2011?

A: In CRM 2011 the Reporting Extensions are now required, which means each Reporting server (or scaled out reporting server farm) with the report extensions installed may only host reports for a single CRM 2011 Deployment.  NOTE: The Reporting Server (or scaled out reporting server farm) can host reports for multiple tenants (organizations) in the deployment.


Q: If I were to run all CRM servers services under different service accounts how many service accounts do I need and what CRM groups should each service account belong to?

A: There are numerous configurations you could use to accomplish this, but if you were to separate everything here is a table explaining what group membership is required– I’ve also included SSRS and SQL server: 










Perf. Log 


CRM User?

Deployment Services SvcAcct




Application Service (CRMAppPool)





Async service SvcAcct





Sandbox services SvcAcct





SQL Server SvcAcct

SQL Reporting Services SvcAcct




Email router account**



Comments (40)

  1. Donna Edwards says:

    Great article, thank you!!

  2. Ian says:

    I am installing 2011 with multiple servers as a front – end and back – end layout.  What is the best practice for install sequence?

    back – end then front – end? or vice versa? Does it matter?

    thanks in advance,


  3. Sean says:

    Hi Ian – The installation sequence really doesn't matter.  If you choose to split roles you will not get a default org as part of your installation, thus all roles must first be installed (including the report connector) before you can create your first organization.  I will also warn you that out of the three server role groups, two require IIS – if you want to seperate out your IIS servers from non-IIS servers you should put the Front-end server role group and Deployment Tools server role group on the same servers and keep the back-end role group seperate.  You can also keep your deployment tools role group completely seperate if required – but just know both Front-End and Deployment Tools require IIS.  I hope that helps!


  4. Paulo says:

    Sean, thanks for the great post, it has helped me to solve a couple issues we've had.

    I just have one issue left with the deployment service. In setting up our development environment we have all of the services running off of one box pointing to a database server on a separate box.  Each service is running under a separate domain account with the privileges you have defined above. We've also given the deployment service user local admin on the DB box and sysadmin in the database instance itself.

    When I try to create an organization against the deployment service I get an error stating that the call failed a validation check. In the trace log I get this line:

    >SqlServerAgentValidator,  result: Level=Error, Description=SQLSERVERAGENT (SQLSERVERAGENT) service is not running on the server CRMSQLDEVEL.

    When I log onto the db the server agent is up and running, the only issue that I can see that might be associated with that is that we have two database instances on that server, one for crm4 and one for crm2011.

    Can you think of any other possible issues before I go and rip the crm4 instance off the server?

  5. Paulo says:

    Ok, so I removed the crm4 instance as we weren't using it and this hasn't resolved the issue, so there's definitely something else I'm missing.

  6. Sean says:

    Paulo – is the instance you're pointing deployment manager to in the SQL server selection box?  For instance, if my instance name is "CRM2011" and my servername is CRMServer, the SQL Server name to type in is: "CRMServerCRM2011".  I recently had a customer with this very same issue and this ended up being the cause.  Another potential issue is a firewall between the servers or in some cases the service isn't running.  

  7. Balaji says:

    I need to have multiple CRM sites on the same box. I mean the IIS on a win2k8 server box will have 3 Dynamics CRM 2011 sites, one for dev, qa and uat. Is that possible and if so how?

  8. Sean says:

    Balaji, this is not possible.  Your dev, qa, and UAT environments should be completely seperate environments with the exception of active directory (meaning different CRM server, SQL Server, and report server).

  9. bok says:

    Sean, is it possible to install the back-end server group onto multiple servers? If so, should they be load balanced?



  10. Julian says:

    We're a small company working to deploy a single CRM 2011 server.  I had a question about front-end and back-end servers vs IFD.

    The company would like ot have CRM available to external employees without VPN connectivity.  Does IFD have to be configured using AD FS in order for this to work?

    Mainly the employees will be using the Outlook CRM client.  We had it working for about a week without IFD, but for some reason it's stopped working.  The website is available, but it looks like the client is trying to connect to the internal hostname now.

    Any insight to this would be very helpful.

  11. Hi Julian –

    Yes to allow users to login via IFD claims must be enabled.  You bring up a good point though, while IFD requires Claims, Claims does not require IFD (so you can enable claims and not enable IFD).  And, in your situation you would want to deploy an instance of ADFS so that claims can be configured and IFD can be enabled.  Also, be aware that you'll want to purchase a public SSL certificate.

    Let me know if you have any more questions. Thanks!

  12. JJY says:

    Does CRM 2011 support an installation having one back-end and several front-end servers?

    The front-end servers would be located in several continents. All servers are in one AD.

  13. Rhett Clinton says:

    JJY, Of course this wll work though you will face a number of problems, for example if you use the client side script function get ServerUrl(), this will return the server url held in the Deployment properties and can only be a single server or load balanced url. This alone will give you cross domain issues.

    You will be better off looking to have seperate deployments and share data across them or alternatively host all your Front end servers in the most viable location with a NLB.

    As long as you have a good pipe to your office in each country then it you should have a good experience, You can use the diag.aspx tool that ships with Rollup 5 to test bandwidth and latency from your seperate locations to test this.



  14. Manish says:

    hey, now a days i am using crm sdk 5.0, i am new to crm tech,

    could anyone tell me about the crm discovery server?

  15. Savio says:

    Can i install CRM 2011 front end server on standalaone server ?or do i require to be memnber of internal domain controller?

    I am planning to install CRM 2011 in DMZ as front end along with ADFS 2 .So question is do my CRM 2011 FE should be part of domain?

  16. @Savio – I'd recommend taking a look at the CRM implementation guide for the details, but all CRM servers and server roles (including SQL & SSRS) must all be on the same domain, including the front end servers.  

    Thanks for reading!


  17. Ravi says:

    Sean, where do i find some more info about IIS role service.

    Actually i want to know more about IIS settings related to CRM 2011 just like URL Rewrite etc.

  18. Hi Ravi,

    I don't have any specifics on how we're using URL re-write nor are there any settings that are exposed for that, but I can tell you that we have recently covered some IIS Settings that will probably interest you.  Check out a recent posting on Kerb auth:  Specifically, take a look at the IIS settings under item #3 and #3.1.  Additionally check out our article on wcf compression for CRM:



  19. gianni says:

    Hi Sean

    can I install two different frontend, one for the IFD and the other for internal use?

  20. Hi Gianni, IFD is a deployment wide setting and the CRM servers will respond as configured no matter which organization, in this case.  Keep in mind that IFD does allow for an 'internal' address configuration so users authenticate with ADFS (your STS) using their browser/corporate credentials thus avoiding the STS sign in page if they’re on your network.  If they're on the internet, they would see the STS sign in page and only after providing credential would they pass through to CRM.  Does that help?

  21. Tao Zhang says:

    Sean, I've got a question on sandbox service, essentially the same question bok asked but had no answer

    "the Sandbox service operates differently.  When work is handed off to the Sandbox service it is done so over a TCP channel (port 808 by default). In the case of a synchronous plugin, the web application server will contact the sandbox service;"

    We've looked up and down through many documents about setting up multiple back end servers that are running the sandbox service. Nothing suggests it will need load balancing. We even engaged with Microsoft Consulting and they simply quoting the same documents we've been reading. You information is the most specific info we have in this area. Can you explain how multiple server nodes running the same sandbox service work without load balancing? When requests are sent over the TCP channel 808, how are they distributed across multiple servers?

  22. Hi Tao, check out my Kerberos blog in the comments where I explained how it works with a little more depth.  Let me know if you still have any questions. Here is the URL:…/kerberos-in-load-balanced-environments.aspx



  23. Javed Jamali says:

    I need to install CRM 2011 using ADFS. I have only server for eveything (CRM 2011+ SQLServer 2008 +ADFS 2.0)having Windows Server 2008 Standered Oerating system. I have installed SQL Server 2008 R2. Now how should I proceed?

    Do i need to install CRM 2001 first & the configure ADFS or need to set up ADFS then install CRM 2011? When should i install CRM Deployment Manager?

    I have got a lot data on How to configure but I need to get it ready before that.

    Thanks in advancs.

  24. Hi Javed, thanks for your comment & question!  It just so happens, Kim, from the below videos is now on our team and we do have some information around ADFS configuration.  As far as order of operations, ADFS can be setup before or after CRM is setup & configured.  Basically CRM will be initially configured as AD authentication first, then once ADFS is ready or you're ready to use ADFS then you would approach the configuration.  Here are the videos currently published which should answer your questions:

    End to end config video:

    Further Detailed config videos:

    1. Implementing Claims and IFD: Part 1:

    2. pt2: install & config ADFS:

    3. pt3: Config CRM Server for ADFS:

    4. pt4: Config IFD:

    5. pt5: Enable claims for external domains:

    6. pt6: Troubleshooting:

    Thx for reading!


  25. Kapil says:

    Can i add multiple organisation on single Dynamic CRM Server?

  26. @Kapil – yes CRM is multi-tenant.

  27. Bill Soranno says:

    Sean, good article. We are currently dealing with some issues and want to move the Asysnc services and the Email Router to separate servers. It this possible and how do we configure them.

    We have CRM 2011; Sql Server 2012 SP1

  28. Thanks Bill!  It's absolutely possible, just run the installation on the new servers and install only the async service role.  Additionally, on the servers you no longer wish to have async installed to and run add remove programs, then uncheck the async service role from the configuration wizard.  And as far as email, uninstall the router from the source server, and re-install it to the new server.

    I hope that helps!


  29. Config XML - Patch Update says:

    I'm tying to automate the deployment of our test servers and was hoping to silently run the CRM 2011 (or 2013) install. The problem is, part of our process is to always check for updates to the setup files. Using <Patch update="true"></Patch> seems to only work if you already have the updated MSP downloaded to a shared or local drive. Is this the case? Or is there a way to have the install silently check online for updates to the setup files?

  30. @ConfigXML – I suspect you may already have this figured out 🙂 but make sure the node is exactly: <Patch update="true"></Patch> with not spaces or characters in between the brackets.



  31. Ali says:

    While installing CRM trial instance in the precheck list page. I am getting the following error have given all the permissions mentioned in the planning guide but still the setup fails.

    In the event vierwer I have seen two audit failures :

    Please advise accordingly:

    14:38:03|  Error| Check AspNetServiceAccountCanMonitorPerfCountersValidator : Failure: Logon failure: unknown user name or bad password.

    14:38:03|  Error| Check AsyncServiceAccountCanMonitorPerfCountersValidator : Failure: Logon failure: unknown user name or bad password.

  32. Ali says:

    While installing CRM trial instance in the precheck list page. I am getting the following error have given all the permissions mentioned in the planning guide but still the setup fails.

    In the event vierwer I have seen two audit failures :

    Please advise accordingly:

    14:38:03|  Error| Check AspNetServiceAccountCanMonitorPerfCountersValidator : Failure: Logon failure: unknown user name or bad password.

    14:38:03|  Error| Check AsyncServiceAccountCanMonitorPerfCountersValidator : Failure: Logon failure: unknown user name or bad password.

  33. @Ali – make sure your installing user (running the installation) is a local admin.  Also be sure both the website account as well as the async account are members of the local perf log users group on the CRM Server.  

  34. CVerrier says:

    We run CR< 2011, and I'm installing an evaluation CRM 2013 system on it's own server.  Is there any issue specifying the existing AD OU for the CRM System Groups?

  35. Shawn Dieken says:

    @CVerrier – No, that's not an issue to have 2011 and 2013 AD security groups in the same OU.  It's preferred to have a sub OU just to keep things clean, but it's not required.  You may want to save this link for if you ever need to identify and clean up groups later.…/how-to-find-which-active-directory-security-groups-belong-to-your-crm-deployment.aspx



  36. CVerrier says:

    Many thanks – that's great reassurance.

  37. Ram says:

    HI Sean,

    Thank You.

    We are trying to deploy CRM 2015 IFD version.   From what I understood Front End servers need to be in DMZ network so that CRM instance can be accessed through mobile apps and remaining back end and SQL will be on the internal network of the company.  But from your comments I understand all servers need be on same domain.  Does that mean for IFD all servers need to be in DMZ network?



  38. Yashwant Vishwakarma | says:

    Hi Sean,

    I am facing the issue with deployment manager when trying to create new organisation entry. It is giving error " SQL server is unavailable. Below is the brief of my problem:

    Earlier application & CRM database was on same server & it was working perfectly fine.

    But when we migrated the Database on another server, application was able to connect to database.

    but we are not able to add new entry in organiser. When we are trying this it was saying that "SQL Server is unavailable." ( But SQL Server is running fine.)

    Note: Firewall is turned off

    There is no network issue

    SQL Services are running fine

    Any help on this would be appreciable.

    Thanks in advance

  39. Hi Yashwant,

    This could be a permissions issue of the user creating the organization database.  Try opening up the ODBC manager on the server you're running from and make sure you can connect via TCP and Named pipes.  Also, the user creating this should be a sysadmin on SQL. This is something our support team can also help with, feel free to open a case if this is a time sensitive issue as well. Thanks for reading!


  40. Ali says:

    Hi Sean,

    Is it possible to install MS CRM Reporting Extensions to be installed on a ssrs web farm (two nodes). Because official documentation doesn't cover that topic.

    Appreciate if you can provide the high level steps to setup the same.


Skip to main content