CRM 2011 RC now allows us to specify service accounts during the setup process. You can specify the service account for the Application Service, Deployment Web Service, Sandbox Service and Asynchronous Service to run as. In a single server environment, you can just use NETWORK SERVICES for the installation. However if you are installing CRM in an enterprise multi server environment, the recommendation is to have a specify service accounts each of the services. For best practices and instructions on how to install CRM in a multi server environment, please refer to the CRM 2011 Implementation Guide.
I would like to share our setup experience with the community just in case you run into a similar situation. During our setup, we didn’t receive all green checks from the System Check wizard. We had several warnings related the Microsoft Dynamics CRM Server User Input so I dig into the warnings with Michael from the Product Group. Thanks for his help, he resolved for us.
The reason that we got the warnings is because the admin is using the installing user account for the service accounts. What happens is when the first organization is created, the installing user is created as the first user in the organization. Since there is a user in the organization with the same credential as the service accounts for the asynchronous service, application service and the sandbox service, all the sudden the “SYSTEM” user is now subject to the same constraints as an actual user which means that the user must be enabled, need a user role and etc…, otherwise the system will stop functioning. A lot of bad things could happen. For example, some grids in CRM are populated with data that is retrieved as SYSTEM, when data is retrieved as SYSTEM, it is retrieve in GMT format. However if the Application Service is running under a service account which is also an user in CRM, when retrieving data the data will return with the users time zone setting instead of GMT. There are more bad things could happen…
If it’s for a non-production environment, you may ignore the warnings and proceed with your installation. But for production environment, this will cause problems later on. The recommendation is to use a different service account for each of those services. However if you preferred not to manage extra service accounts, you may use a same service account for Application Service, Deployment Web Service, Sandbox Processing Service, Asynchronous Process Service as long as the installing account is different than the service account for the services.
If you decided to use a different service account for each of the services, just create the service accounts in your AD. you don’t have to grant any permissions to the accounts, the installation process will take care of the permissions for you! For your reference, here’s a list of accounts and permissions that we used for our installation.
|Account||Application Service Account||Reporting Service Account||Async Service Account||Sandbox Service Account||Installer|
|CRM Server||none||none||none||none||Local Admin|
|SQL Server||none||none||none||none||Local Admin, SQL Admin|
|Reporting Server||none||none||none||none||Local Admin|
If you are running into an error telling you that “This account doesn’t have Performance Counter Permissions”, you need to follow the steps below to resolve the problem.
- Open Server Manager.
- Go to Configuration > Local Users and Groups > Groups.
- Add the service accounts to the Performance Log Users group.
- Install CRM with again.
Anyway, Thanks to Richard and Felix for discovering the problems for me and thanks to Richard for doing the installation for us!