Saturday, November 5, 2011

Installing CRM2011 with precreated AD Groups

Last few weeks, I was working on CRM4.0 to CRM2011 upgrade.  I am doing few blogs to share my experience.  My upgrade involved moving the CRM sever and SQL server to a new severs. SSRS server was installed on the same as new SQL Server.  
I am not doing a step by step installation in this blog. I will be discussing the useful tips and solutions to some of the errors/problems I encounter.  Here are the main steps
1.    Install the CRM2011
2.    Install reporting extension(SSRS Connector) and Report Authoring Extension(Bids extensions)
3.    Backup 4.0 organization databases and restore them on  new SQL Server
4.    Import the organizations into CRM2011 using deployment manager
5.    Install/configure Email router
6.    Testing and fixing the issues.

The installation involved deploying the CRM Server on procreated AD groups.

Install the CRM2011

Installation Account Permissions

The user who is installing Microsoft Dynamics CRM should be a part of Local Administrator group on Microsoft Dynamics CRM server and on SQL Server. For more detail have a look at
The deployment user should also have sysadmin permission on the SQL Server Instance to import the organization (otherwise you will get error message)

Create the AD Groups

Create the following security groups in Active Directory:
•    PrivUserGroup
•    PrivReportingGroup
•    ReportingGroup
•    SQLAccessGroup

Important•    You don’t need to create UserGroup for CRM2011.
•    Use naming conventions for creating the groups for e.g.  OrgEnvironmentNameOfTheGroup (ABCDevPrivUserGroup).
•    Need to know more about permissions on these group, click here

Create configuration xml file for precreated groups

Here is sample of the config file

        <Groups AutoGroupManagementOff="true">
               <PrivUserGroup>CN=PrivUserGroup,OU=Company Name,OU=Company Name,DC=<domain>,DC=<domain_extension></PrivUserGroup>
             <SQLAccessGroup>CN=SQLAccessGroup,OU=Company Name,OU=Company Name, DC=<domain>,DC=<domain_extension></SQLAccessGroup>
                    <ReportingGroup>CN=ReportingGroup,OU=Company Name,OU=Company Name, DC=<domain>,DC=<domain_extension></ReportingGroup>
    <PrivReportingGroup>CN=PrivReportingGroup,OU=Company Name,OU=Company Name, DC=<domain>,DC=<domain_extension></PrivReportingGroup>

Now you need to change highlighted parts of the file to suit your system. If you like to know more about the structure chek the Microsoft article mentioned above in the post.

The easiest way to get the proper CN,OUs,DCs without making any mistakes use the dsquery command. Open the command prompt and Run
            dsquery group -name adgroupprefix* Change adgroupprefix with starting characters of your group
For e.g dsquery group -name ABCDev*


It will display all the information you need to fill the config file.
Just copy that and replace highlighted area in the config file above.
Save the file as config.xml.

Run CRM2011 Install

  • Open the cmd prompt and navigate the crm media  to folder containing ServerSetup.exe.
  • Run ServerSetup.exe /config C:\config.xml
  • Follow the installation wizard instructions.

Install reporting extension (SSRS Connector) and Report Authoring Extension (Bids extensions)

Reporting extension (SSRS Connector)

The deployment needs local administrator permissions to install reporting extension (SSRS Connector). The installation adds the Microsoft SQL Server Reporting Services “service account” for the associated instance of SQL Server to the PrivReportingGroup security group.
Important Reporting extensions must be installed to publish the reports and to import the organization.

Report Authoring Extension

(Bids extensions) is required to write fetchxml based reports.

Second part is coming soon........


  1. I was going thru your blog.
    And i found article.
    So you mean to say if i will rename the groups like "ABC_PrivUserGroup" instead of PrivUserGroup, it shoud work?
    Could you please let me know?
    Also if the groups are present already in the AD for any other purpose, can i create another set of groups?
    Also , if you will see, the groups are binded with some GUIDs, what does this do? and if we will create new groups, do we need to assign GUIDs?

    Waiting for your quick response.

  2. Nice blog. when we add new user to CRM 2011 (installed by pre created AD groups) do we need to add them manually to the reporting group or CRM will take care of it?

    1. Hello Amreek, any update on above question?

    2. if the "AutoGroupManagementOff" is set to true then you have to add the users manually otherwise you don't have to.

  3. If the purpose of doing this is to share one set of AD groups amongst multiple CRM installations, then there is a problem. If you disable a CRM user in one CRM installation, AD group members will be modified, affecting all CRM installations. There will then be a disconnect between the AD group members and the CRM user status in the other CRM installations.