Wednesday, July 26, 2017

Microsoft Dynamics 365 for Finance and Operations, Enterprise edition (on-premises) - Installation PART 1

Hi Guys

As you know, Microsoft released D365FO Local Business Data, aka On-Premise release.
Here is the link: Set up and deploy on-premises environments

I played around and I found the first issues.

During the creation of the group managed service accounts (gMSAs) through the PowerShell scripts ("Create gMSAs" section), you may get the following error: "Key not found".

In this case you have to create a "KDS root key" using the following commands:

1- Add-KdsRootKey -EffectiveImmediately
2- Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10));
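
Before creating a key, it is worth seeing what the domain already has. The following PowerShell is an added example, not part of the original post or of the LCS scripts: it lists the existing KDS root keys and flags a recently created, backdated key in a domain with more than one domain controller, where the key may not have replicated to every DC yet. The function name Get-KdsRootKeyReport and its parameters are assumptions of this example; the cmdlets come from the Kds and ActiveDirectory modules.

```powershell
#Requires -Modules ActiveDirectory, Kds
# Added example. Run elevated on a domain controller (or a host with the
# RSAT AD tools) with Domain Admin / Enterprise Admin rights.

function Get-KdsRootKeyReport {
    [CmdletBinding()]
    param(
        # Assumption: 10 hours, the interval that AddHours(-10) offsets.
        [int]$WindowHours = 10
    )

    $now     = Get-Date
    $dcCount = @(Get-ADDomainController -Filter *).Count
    $keys    = @(Get-KdsRootKey)

    if ($keys.Count -eq 0) {
        Write-Warning 'No KDS root key found; gMSA creation will fail until one exists.'
        return
    }

    foreach ($key in $keys) {
        # Backdated: effective time set at least an hour before the key was created.
        $backdated = ($key.CreationTime - $key.EffectiveTime).TotalHours -ge 1
        # Recent: created less than $WindowHours ago.
        $recent    = $key.CreationTime.AddHours($WindowHours) -gt $now

        [pscustomobject]@{
            KeyId           = $key.KeyId
            CreationTime    = $key.CreationTime
            EffectiveTime   = $key.EffectiveTime
            FormatValid     = Test-KdsRootKey -KeyId $key.KeyId
            Backdated       = $backdated
            DomainDCs       = $dcCount
            # A backdated key is usable at once on the DC that created it;
            # other DCs can only use it after AD replication has delivered it.
            ReplicationRisk = ($backdated -and $recent -and ($dcCount -gt 1))
        }
    }
}

Get-KdsRootKeyReport | Format-List
```

If ReplicationRisk is True, confirm AD replication has completed before the gMSA hosts try to retrieve their passwords.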

During the ClusterConfig.json file generation, you may get the following error: “Failed to Download Cluster Configuration Template”.

In this case you have to download the Service Fabric standalone installation package and copy the "ClusterConfig.X509.MultiMachine.json" file into the LCS InfrastructureScripts folder.
Then run the .\New-SFClusterConfig.ps1 -InputXml .\ConfigTemplate.xml command again.

Finally, I test the ClusterConfig file through the command .\TestConfiguration.ps1 -ClusterConfigFilePath .\clusterConfig.json

The next step is to deploy the cluster!

Till soon!


emiliano incalza said...

Hi Denis,
I'm trying to install Dyn365Fin&Op On Premise.
During the gMSA creation stage, the generated PowerShell script returns the following error:

New-ADServiceAccount -name svcLocalAgent$ -DnsHostName svcLocalAgent.d365fo.onprem.dyn365dc.local -ServicePrincipalNames http/svcLocalAgent.d365fo.onprem.dyn365dc.local -PrincipalsAllowedToRetrieveManagedPassword orch1$,orch2$,orch3$

'PrincipalsAllowedToRetrieveManagedPassword'. Motivo: 'Impossibile trovare un oggetto con identità: 'orch1$' in 'DC=DYN365DC,DC=local'.'.

Do you have any ideas?
Another question: must Service Fabric already be present before the gMSA creation stage?


Denis Macchinetti said...

Hi Emiliano

Check whether the Orchestrator servers are connected to a 2016 Domain Controller and whether they exist, using Active Directory Users & Computers, in your case dyn365dc.

Lastly, you have to create the gMSA accounts before the AppFabric installation.

emiliano incalza said...

Thanks Denis.
I'm trying AllInOneServer Installation...
I did not see the VM list name in the Get-NewGMSAInDomainScript.ps1 file.

We changed the VM name and now the error is the same as in your post: "key is not found".

Now we will try to apply your suggestion.


Ford Wilkinson said...

Thanks for the json download fix. I am now running into another issue. It is saying "ConvertFrom-Json : Invalid JSON primitive: ." I have tried using the stock configuration.xml (along with my edited one) and am getting the same thing. Any thoughts?

Ford Wilkinson said...

I didn't use the right .json template..

Denis Macchinetti said...

Glad to know.

esponja said...

I am stuck here in the installation OnPrem
LCS connector is in "validation in progress"

I have the following error on the Orchestrator 1

• failed to set security settings to { provider=SSL protection=EncryptAndSign store='LocalMachine/My' findValue='FindByThumbprint:dfca768caff267ec185db90d11f1a04cb8eda8ed' remoteCertThumbprints='dfca768caff267ec185db90d11f1a04cb8eda8ed' certChainFlags=40000000 clientRoleEnabled=false claimBasedClientAuthEnabled=false }: 2148074253

• Unable to acquire ssl credentials: 0x8009030d

• failed to send message GetLSNReply to node a139d1fc66eebba48f4f606996b9aadb:131463321771071291 with error FABRIC_E_TIMEOUT

The customer has been responsible for generating the certificate so I don’t know how to check what is wrong.
Any guidance ?

Mohamed Nowsath said...

Hi Denis,

I am able to install MonitoringAgent but am receiving an error while installing LocalAgent.
When I explore the Service Fabric cluster, I receive this:
"Error event: SourceId='System.FM', Property='State'.
Partition is in quorum loss.
fabric:/LocalAgent/BridgeService 2 2 ed3ec57b-5d5c-42a0-bf70-3537d51eb82b
P/S RD Orch_152 Down 131487523340358114
S/P RD Orch_148 Up 131487523495424570
(Showing 2 out of 2 replicas. Total available replicas: 1.)"

When I configured the Service Fabric cluster with 1 Orchestrator, I was able to install the Local Agent successfully, but received an error in Service Fabric Explorer related to Bridge Servicing and other services in Local Agent.

In the end, configuring the Service Fabric cluster with 1 or with 2/3 Orchestrators ends up with a Local Agent installation error related to Bridge Servicing.

I will be grateful for any help you can provide.


Denis Macchinetti said...

Hi Esponja

Review the "Configure certificates" and "Setup VMs" sections.
Also, review the Client, Server and Tenant service principal certificates filled in through the LCS Configure agent tab.
Run the PowerShell command below in order to check the certificates installed on the Orchestrator nodes and compare them with LCS.
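
An added example, not the command from the comment above and not part of the LCS scripts: the status 2148074253 in the reported error is 0x8009030D in hexadecimal, the same code as the "Unable to acquire ssl credentials" line, so a first check on each Orchestrator node is whether the certificate with that thumbprint is present in LocalMachine\My with a private key and valid dates. The function name Test-NodeCertificate is hypothetical; the thumbprint is the one quoted in the error.

```powershell
# Added example. Run elevated on each Orchestrator node.
function Test-NodeCertificate {
    [CmdletBinding()]
    param(
        # Thumbprints as entered in LCS / ClusterConfig.json.
        [Parameter(Mandatory)]
        [string[]]$Thumbprint
    )

    $now   = Get-Date
    $store = Get-ChildItem -Path Cert:\LocalMachine\My

    foreach ($raw in $Thumbprint) {
        # Thumbprints copied from the certificate dialog can carry spaces or an
        # invisible leading character; keep hex digits only before comparing.
        $clean = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        $cert  = $store | Where-Object { $_.Thumbprint -eq $clean } |
                 Select-Object -First 1

        $installed = [bool]$cert
        $hasKey    = $installed -and $cert.HasPrivateKey
        $inDate    = $installed -and ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        $subject   = $null
        $notAfter  = $null
        if ($installed) {
            $subject  = $cert.Subject
            $notAfter = $cert.NotAfter
        }

        [pscustomobject]@{
            Thumbprint    = $clean
            HadExtraChars = ($raw.Length -ne $clean.Length)
            Installed     = $installed
            Subject       = $subject
            # Only shows that a key is associated; whether the service account
            # can read it depends on the key ACL (the Set-CertificateAcls.ps1 step).
            HasPrivateKey = $hasKey
            NotAfter      = $notAfter
            WithinValidity = $inDate
        }
    }
}

Test-NodeCertificate -Thumbprint 'dfca768caff267ec185db90d11f1a04cb8eda8ed' | Format-List
```

Run it on every node and compare the Thumbprint column with the values entered in LCS; a row with HadExtraChars set to True means the pasted value contained non-hex characters.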

Denis Macchinetti said...

Hi Nowsath

The AppFabric Cluster must have at least 3 Orch Nodes.
It's a requirement because the Orch is the Primary Type Node.

Lastly, go through the Orchestrator where you raised the installation and check the Logs:
1- Event Viewer\Applications and Services Logs\Microsoft\Dynamics\AX-LocalAgent\Operational

2- ...\AX-SetupInfrastructureEvents\Operational

3- Event Viewer\Applications and Services Logs\Microsoft-Service Fabric\Admin and Operational

K@shif N@zir said...

Hi Denis, is it mandatory to use SQL Server Always-On availability groups and an SSL certificate for SQL, or can we use a single SQL Server with an SSL certificate?
Also, in my case our customer has only one license for AOS; I believe we can use one AOS by updating the config.xml file?

Need your prompt response please as I am starting deployment today. Have you been able to complete the deployment?

Denis Macchinetti said...


For a Sandbox env a single SQL Server box is enough.
About the AOS, yes. You can start with 1 AOS and update the Config file as well.

Lastly, yes, I finalized the installation a few days ago.


K@shif N@zir said...

Thanks for your prompt response. Just one more thing: if a single SQL Server box is to be used, I believe we can skip the SSL certificate portion of SQL. Please correct me if I am wrong.

Have you prepared any step-by-step document for installation? If yes, can you please share?

Denis Macchinetti said...


About certificates and the installation guide, follow the Microsoft link.

In the next weeks I will publish a new post about the installation process.


K@shif N@zir said...

Hi Denis

I am getting this error while running .\Test-D365FOConfiguration.ps1, although .\Set-CertificateAcls.ps1 ran successfully. Given below is the error:

"Unable to find access rules for certificate axdataenciphermentcert for user Domain\AXServiceUser"

The same error is occurring on all machines on different certificates, wherever this script is trying to give permission to AXServices and svc-axsf$. If I check it from the mmc console, Read rights are there, and I have also given both these users full rights, but the issue is the same.

Can you please @ your earliest

K@shif N@zir said...

Hi Denis,

Is there any way to check the deployment log, as my Sandbox deployment is giving a message that it has failed, although LCS agent communication is successful? Also I can see multiple files and folders created in \\Share\agent.

Your prompt response will be much appreciated.

Denis Macchinetti said...


Did you try to check the Event Viewer\Dynamics AX Logs?

K@shif N@zir said...

I can see a long list of folders under Dynamics Logs in Event Viewer of AOS Server but all are without any logs. Is there any other way to troubleshoot ?

K@shif N@zir said...

Getting this error now on Service Fabric Portal:

Replica had multiple failures inAOS_204 API call: IStatelessServiceInstance.Open(); Error = System.ComponentModel.Win32Exception (-2147467259)
The requested operation requires elevation
at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
at Microsoft.Dynamics.AXService.Database.Synchronizer.SyncDB()
at Microsoft.Dynamics.AXService.Database.Synchronizer.Synchronize()
at Microsoft.Dynamics.AXService.AXService.<>c__DisplayClass9_1.<.ctor>b__0()
at Microsoft.PowerApps.Runtime.Common.LatencyRecorder.RecordLatencyEvent(ILogger logger, String eventName, Action action, IDictionary`2 additionalProperties, IDictionary`2 additionalMetrics)
at Microsoft.Dynamics.AXService.AXService..ctor(StatelessServiceContext context, ILogger logger)
at Microsoft.Dynamics.AXService.Program.<>c.b__0_0(StatelessServiceContext context)

emiliano incalza said...

Getting this error now on LocalAgent (BridgeService):

Message Unexpected error in orchestrator service
Detail System.Data.Entity.Core.EntityException: The underlying provider failed on Open. ---> System.Data.SqlClient.SqlException: Login failed for user 'MYLOCALDOMAIN\svc-LocalAgent$'

Anonymous said...

Hello, I have an error at step 11 where I get the following error:

- in powershell: "Application fabric:/Agent-Monitoring is not OK after 5 minutes..."

- in event viewer: multiple warning showing "Error:FABRIC_E_FILE_NOT_FOUND"

- in Service Fabric Explorer: "Partition is below target replica or instance count...."

Yazeed Al-Faqeeh said...

Hi Denis Macchinetti

Can I contact you?

Please contact me using this mail if you are OK with that:


rajeev said...

Hi Denis,

How to get all these certificates:
1) Secure Sockets Layer (SSL) certificates
2) SQL Server SSL Certificate
3) Service Fabric Server certificate
4) Service Fabric Client certificate
5) Encipherment Certificate
6) AOS SSL Certificate
7) Session Authentication Certificate
8) Data Encryption and Data Signing Certificate
9) Financial Reporting Client Certificate
10) Reporting Certificate
11) On-Premise local agent certificate

In test, if I need to generate them, do I need to generate all certificates in each VM?

rajeev said...

For Step 3 - Plan user and service accounts

Group Managed Service Accounts(gMSAs)
Domain\svc-FRAS$ (Financial Reporting Application Service Account)
Domain\svc-FRPS$ (Financial Reporting Process Service Account)
Domain\svc-FRCO$ ( Financial Reporting Click Once Designer Service Account)
Domain\svc-AXSF$ (AOS Service Account)
Domain\Svc-LocalAgent$ (Local Deployment Agent Service Account)
Domain Accounts
Domain\AXServiceUser (AOS Service Account)
SQL Accounts
AXDBAdmin (AOS SQL DB Admin user)

Can I create them as an administrator or do I have to run a script? Is the $ sign mandatory for creating users?

rajeev said...

Hi Denis,

I have created 11 VMs:
AOS 1 -
AOS 2 -
AOS 3 -
Orchestrator 1 -
Orchestrator 2 -
Orchestrator 3 -
Management Reporter 1 -
Management Reporter 2 -
2 for SQL Server

While creating the hosts for the AOS and Orchestrator types it asks for the AOSNodeType IP address and the OrchestratorNodeType IP address. Which IP address should I provide? Please help; I have given the VM IPs and names above.

All these VMs are created on a virtual host using VMware.
Will this work for a D365 on-premise installation?

Does D365 on premise support VMware hosted environments?

Can I create a Service Fabric cluster on this?

rajeev said...

Step 4) When I am creating the A record after DNS:
Set up an A record for AOS
In the new DNS zone, create one A record that is named for each Service Fabric cluster node of the AOSNodeType type
Don't create A records for the other node types.
1. Right-click the new zone, and then select New Host.
2. Enter the name and IP address of the Service Fabric node.
(For example, enter  as the IP address.) Then select Add Host.
Which IP address should I enter? Of which virtual machine?
What is a Service Fabric cluster node of the AOSNodeType type?

rajeev said...

Steps 6- Download script from lcs:

Please provide sample configtemplate.xml so that i can understand

Ensure all edits are made to the ConfigTemplate.xml in this folder.

Configuration Needs to be done.
VM List
Node Type
Database Backup File
Security User

Anonymous said...

In your example, have 3 entry with same name, it will work as round robins. - - -
It’s same on orchestrator node, -, -, -
