D365FO On premise. Опыт установки (взято с Linked In)

[sukhanchik]

Выделено в отдельную тему из темы D365FO on-premises - опыт установки

В соседней ветке дали замечательную ссылку (эта первая ссылка подобного плана со скриншотами), за что большое спасибо участнику raz.

Цитата:

Сообщение от raz

https://www.linkedin.com/pulse/how-i...finance-singh/

К сожалению, далеко не все провайдеры дают доступ к Linked In, поэтому я решил перенести эту статью на форум. Выделил я именно эту статью, поэтому обсуждение собственного опыта установки D365 on-premise можно продолжать в исходной ветке, а обсуждение этой статьи можно вести и здесь.

Сам я шаги не проходил, корректность статьи не проверял - только перенес текст и картинки для возможности обсуждения. Так что любые замечания по установке приветствуются в комментариях. Замечания по корректности переноса статьи также приветствуются

Цель переноса статьи - в будущем дать дорожку (или хотя бы направление) тем, кто будет проходить процедуру установки D365 on-premise

[sukhanchik]

How I Successfully Installed Dynamics 365 On Premise Finance and Operations

Dynamics 365 On Premise installation in a Step by Step Process which includes the Hardware Setup, Software Installations, LCS Connectivity and SQL Installations and Configurations. The Steps Provided below are based on Microsoft with more in details for everyone can Install Perspective
Hardware Layout:
The Below provided Hardware specification is for Optimum performance in the Production Environment.

Step 1: Plan your domain name and DNS zones
To Create or Plan your Domain .In the Server Domain go to àAdministrative ToolsàSelect Active Directory Domains and Trusts .Create a New Domain name as Local


Based on the Domain,Now plan the DNS Zones for ax and SF,In our example,it is

• Ax.local.com
• Sf.local.com

Step 2 :Plan your users and service accounts
Now the users has to be created in the Domain Machines based on the Purpose of the users to the applied applications


Step 3 :Create DNS zones and add A records
To Create the Dns Zones and A Records to browse the AOS Application and Service Fabric Clusture
As Planned in the Step 1 we need to Create the A records for ax.local.com and Sf.local.com

ADD DNS ZONE:

1. Sign in to the domain controller machine , select Start, and start DNS Manager by typing dnsmgmt.msc and selecting the dnsmgmt (DNS) application.
2. Right-click the domain controller name in the console tree, and then select New Zone > Next.
3. Select Primary Zone.
4. Leave the Store the zone in Active Directory (available only if the DNS Server is a writeable domain controller check box selected, and then select Next.
5. Select To all DNS Servers running on Domain Controllers in this domain: Local.com, and then select Next.
6. Select Forward Lookup Zone, and then select Next.
7. Enter the zone name for your setup, and then select Next. For example, enter local.com.
8. Select Do not allow dynamic updates, and then select Next.
9. Select Finish.

Set up an A record for AOS
In the new DNS zone, create one A record that is named ax.local.com for eachService Fabric cluster node of the AOSNodeType type. Don't create A records for the other node types.

1. Find the newly created zone under the Forward Lookup Zones folder in DNS Manager.
2. Right-click the new zone, and then select New Host.
3. Enter the name and IP address of the Service Fabric node. .
4. Do not select either check box.

The same Procedure should be follow for remaining ax and SF
ax.local.com for 192.154.138.03
ax.local.com for 192.154.138.03
sf.local.com for 192.154.138.04
sf.local.com for 192.154.138.05
sf.local.com for 192.154.138.06

Step 4:Join VMs to the domain

1. On the Start screen, type Control Panel, and then press ENTER.
2. Navigate to System and Security, and then click System.
3. Under Computer name, domain, and workgroup settings, click Change settings.
4. On the Computer Name tab, click Change.
5. Under Member of, click Domain, type the name of the domain that this computer will join, and then click OK.
6. Click OK, and then restart the Server.

Step 5 Download setup scripts from LCS

1. Sign in to LCS.
2. On the dashboard, select the Shared asset library tile.
3. On the Model tab, in the grid, select the Dynamics 365 for Operations on-premises - Deployment scripts row.
4. Select Versions, and then download the latest version of the zip file for the scripts.

The Download will get a File with a Name Infrastructure Folder.

1. Right-click the zip file, and then select Properties. In the dialog box, select the Unblock check box.
2. Copy the zip file to the machine that will be used to execute the scripts.
3. Unzip the files into a folder that is named infrastructure.

Step 6: Config Template file configuration:
Once the Infrastructure Folder is download, Copy the File in the C Drive.

1. Update the Domain Name without .Com,.ae etc
2. Update the users for the each purpose with your domain Name

1. In the Second Session update the Certificate Subject Name and add the administrators group for the Domain
2. Update the same for all the Certificates

1. Update the VM Name and the IP Address of the VM
2. It is very Important to have Fault Domain and Update domain Identical

Step 7: Service Accounts and User account Mapping:
Execute the scripts from the Script Folder.Navigate to the Infrastructure Folder and Run the script with powershell administrator Privileages



Script:
Run the below script to import users
Import-Module .\D365FO-OP\D365FO-OP.psd1
New-D365FOGMSAAccounts -ConfigurationFilePath .\ConfigTemplate.xml

[sukhanchik]

Step 8: Administrator Group addition in VM
Add Local\svc-AXSF$ and Local\AXServiceUser users to the administrator group in each and Every VM
To add to the administrators group follow the below steps
Local\svc-AXSF$ and Local\AXServiceUser


Select Local Users and Group


Click Add to Group to Administrator Group


If you must make changes to accounts or machines, update the ConfigTemplate.xml file in the original infrastructure folder, copy it to this machine and then run the following script.
Update-D365FOGMSAAccounts -ConfigurationFilePath .\ConfigTemplate.xml

Step 9: Self Signed Certificate creations

1. Navigate to the machine that has the infrastructure folder.
2. Run the Below comment to create the Self Signed Certificate:
   .\New-SelfSignedCertificates.ps1 -ConfigurationFilePath .\ConfigTemplate.xml
3. Once the Certificate is created the certificate should be downloaded by running the below script:
   .\Export-PfxFiles.ps1 -ConfigurationFilePath .\ConfigTemplate.xml

Step 10: Setting up the VMs
In order to Setup the VMS for the Service Fabric Cluster Creation, Run the below scripts:
.\Export-Scripts.ps1 -ConfigurationFilePath .\ConfigTemplate.xml


The Script exports VM Machine Folder which has the script which has to Copied to each machine separately

Step 11: Prerequsities Installation:

1. Download the following Microsoft Windows Installers (MSIs) into a file share that is accessible by all VMs.
2. Create a Folder with MSI and Copy all the Requsities Software Folder
   • SNAC – ODBC driver -https://www.microsoft.com/en-us/down....aspx?id=53339
   • Microsoft SQL Server Management Studio 17.5-https://docs.microsoft.com/en-us/sql...nt-studio-ssms
   • Microsoft Visual C++ Redistributable Packages for Microsoft Visual Studio 2013-https://support.microsoft.com/en-us/help/3179560
   • Microsoft Access Database Engine 2010 Redistributable-https://www.microsoft.com/en-us/down....aspx?id=13255
3. Copy the Infrastructure from Folder from Domain Machine to all the Machine VM C folder:
   .\Configure-PreReqs.ps1 -MSIFilePath <path of the MSIs>.
   Replace the Path of the MSI with the Folder path C:\MSI
4. Restart all the VMS after installing the Prerequsities
5. Run the Below Scripts in all VM to set the VM for Service Fabric Cluster.
6. Navigate to C:\InfrastructureScripts-131311\VMs\AOS1 and execute the below comment
   .\Add-GMSAOnVM.ps1
   .\Import-PfxFiles.ps1
   .\Set-CertificateAcls.ps1
7. Once the Powershell Scripts are executed successfully, run the Below script to test whether all the prerequsities are correctly installed and Configured
   
   The script should complete successfully to proceed to the next step.

Step 12 :Set up a standalone Service Fabric cluster

1. Download the Service Fabric standalone installation package onto orch1 Machine. After the zip file is downloaded, unblock it by right-clicking the zip file and then selecting Properties. In the dialog box, select the Unblock check box in the lower right.
2. Unzip the Files to the C:\ Folder
3. Navigate to the infrastructure folder and execute the following command to generate the Service Fabric ClusterConfig.json file.
   .\New-SFClusterConfig.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -TemplateConfig <ServiceFabricStandaloneInstallerPath>\ClusterConfig.X509.MultiMachine.json
4. Copy the generated Clusterconfig.json from the infrastructure folder to the Servicefabric installation extracted Package Folder
5. Now Navigate to the Service fabric and copy the clusterconfig.json file
   
   
6. Navigate to the <ServiceFabricStandaloneInstallerPath> in Windows PowerShell by using elevated privileges. Run the following command to test ClusterConfig.
   .\TestConfiguration.ps1 -ClusterConfigFilePath .\clusterConfig.json
7. Once the test Configuration is successfully executed ,Run the below command to create the Service Fabric Clusture.
   .\CreateServiceFabricCluster.ps1 -ClusterConfigFilePath .\ClusterConfig.json
   
   

Step 13 : Service Fabric cluster Accessibility
After the cluster is created, open the Service Fabric explorer on any client machine to validate the installation.
a. Install the Service Fabric client certificate in CurrentUser\My if it isn't already installed.
b. Go to IE settings > Compatibility Mode, and clear the Display Intranet sites in compatibility mode check box.
c. Go to https://sf.local.com:19080, where sf.local.com is the host name of the Service Fabric cluster that is specified in the zone. If DNS name resolution isn't configured, use the IP address of the machine.
d. Select the client certificate. The Service Fabric explorer page appears.
e. Verify that all nodes are appear as green.

Step 14 : LCS Connectivity for the Tenant

1. Run the below comment to Install AzureRm Module for the LCS connection
   Import-Module AzureRM
   Connect-AzureRmAccount
2. Sign in to the customer's Azure portal to verify that you have the Global Administrator directory role.
3. .\Add-CertToServicePrincipal.ps1 -CertificateThumbprint <OnPremLocalAgent Certificate Thumbprint>
4. Copy the Onpremlocalagent certificate from config template file.

Sometimes the LCS connectivity fails with an error Service Principal not found. This is because I do not have the Microsoft Dynamics ERP application in my Azure Directory. You can activate the trial version for Dynamics 365 for Operations here: Dynamics 365 for Operations Partner Trial.
You need to click on the top right on W ant To add this To existing subscription? - Sign In.

Step 15 : Set Up File Storage
The Purpose of File Storage machine is to download the Installation File from LCS and Store the file in the Share Location to execute.Ideally the Fileshare can be done in the AOS 1 Machine
On the file share machine, run the following command.
Install-WindowsFeature -Name FS-FileServer -IncludeAllSubFeature -IncludeManagementTools.

AOS Storage
a. In Server Manager, select File and Storage Services > Shares.
b. Select Tasks > New Share to create a new share. Name the share aos-storage.
c. Leave Allow caching of share selected.
d. Check Encrypt data access.
e. Grant Modify permissions for every machine in the Service Fabric cluster except OrchestratorType.
f. Grant Modify permissions for the user AOS domain user (Local\AXServiceUser) and the gMSA user (Local\svc-AXSF$).

Agent
a. In Server Manager, select File and Storage Services > Shares.
b. Select Tasks > New Share to create a new share. Name the share agent.
c. Grant Full-Control permissions to the gMSA user for the local deployment agent (Local\svc-LocalAgent$).


Step 16 : Set Up SQL Server.

1. Install SQL Server 2016 SP1 with high availability. (Unless you're deploying in a sandbox environment, where one instance of SQL Server is sufficient. You may want to install SQL Server with high availability in sandbox environments to test high-availability scenarios.)
2. SQL Server Version should be SQL Server 2016 SP1 or SP2 and other versions will not support and we have tested with 2017 version also which didn’t support for our deployment
3. SQL Server should be installed in Cluster Always-On SQL instance for the Performance
4. Run the SQL service as a domain user.

Self-signed certificate for a Single SQL instance
New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -DnsName "SQL1.Local.com" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -Subject "SQL1.Local.com"

Self-signed certificate for an Always-On SQL instance
.\Create-SQLTestCert-AllVMs.ps1 -ConfigurationFilePath .\ConfigTemplate.xml `
-SqlMachineNames SQL1, SQL2 `
-SqlListenerName SQL.LSNR

STEP 17: Enabling SSL Encryption for SQL
Refer the below link for SSL Encryption for SQL
https://support.microsoft.com/en-us/...er-by-using-mi

STEP 18: SQL Configurations
For each node of the SQL cluster, follow these steps. Make sure that you make the changes on the non-active node, and that you fail over to it after changes are made.

1. Import the certificate into LocalMachine\My, unless you are setting up Always-On, in which case the certificate already exists on the node.
2. Grant certificate permissions to the service account that is used to run the SQL service. In Microsoft Management Console (MMC), right-click the certificate (certlm.msc), and then select Tasks > Manage Private Keys
3. Add the certificate thumbprint to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.x\MSSQLServer\SuperSocketNetLib\Certificate.
   For example, with SQL Server 2016 SP1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQLServer\SuperSocketNetLib\Certificate
4. From the start menu, type regedit, then select regedit to open the registry editor. Navigate to the certificate, right-click Modify, then replace the value with the certificate thumbprint.
5. In Microsoft SQL Server Configuration Manager, set ForceEncryption to Yes.
6. SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for [server instance], and then select Properties.
7. In the Protocols for [instance name] Properties dialog box, on the Certificate tab, select the desired certificate from the drop-down menu for the Certificate box, and then click OK.
8. On the Flags tab, in the ForceEncryption box, select Yes, and then click OK
9. Restart the SQL Server service.
10. Export the public key of the certificate (the .cer file), and install it in the trusted root of each Service Fabric node.

STEP 19: Creation of Databases
1. Sign in to LCS.
2. On the dashboard, select the Shared asset library tile.
3. On the Model tab, select the demo data for the release that you want and download the zip file.
4. The zip file contains empty and demo data .bak files. Select the .bak file, based on your requirements. For example, if you require demo data, download the AxBootstrapDB_Demodata.bak file.

5.Once the File is downloaded ,Copy the database on a separate folder in the SQL Machine.
6.Update the Config template file with the file Location of the downloaded Bak file

Copy the infrastructure folder to the SQL Server machine and navigate to it in a PowerShell window with elevate privileges.

Step20: Configure the OrchestratorData database
Execute the following script.
.\Initialize-Database.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ComponentName Orchestrator
This Scripts creates the Orchestrator database for the Purpose of deploying all the applications in the Server Fabric

Main Purpose of Orchestrator Database

• Create an empty database named OrchestratorData. This database is used by the on-premises local agent to orchestrate deployments.
• Grant the local agent gMSA (svc-LocalAgent$) db_owner permissions on the database.

Step21: Configure the Finance and Operations database
Execute the Following Script
.\Initialize-Database.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ComponentName AOS
.\Configure-Database.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ComponentName AOS

The Initialize-Database.ps1 script will do the following:
a. Restore the database from the specified backup file.
b. Create a new user that has SQL authentication enabled (axdbadmin).
c. Map users to database roles based on the following table for AXDB.

d. Map users to database roles based on the following table for TempDB.


The Configure-Database.ps1 script will do the following:
a. Set READ_COMMITTED_SNAPSHOT ON
b. Set ALLOW_SNAPSHOT_ISOLATION ON
c. Set the specified database file and log settings
d. GRANT VIEW SERVER STATE TO axdbadmin
e. GRANT VIEW SERVER STATE TO [Local\svc-AXSF$]

Run the following command to reset the database users.
.\Reset-DatabaseUsers.ps1 -DatabaseServer SQL.LSNR.Local -DatabaseName AXDB

[sukhanchik]

Step 22: Configure the Financial Reporting database
Execute the following Script
.\Initialize-Database.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ComponentName MR
The script will do the following:
a. Create an empty database named FinancialReporting.
b. Map the users to database roles based on the following table.


Step 23: Encrypt Credentials:
On any client machine, install the encipherment certificate in the LocalMachine\My certificate store.


Grant the current user read access to the private key of this certificate.

Create the Credentials.json file, as shown here.
{
"AosPrincipal": {
"AccountPassword": "Dynamo@123"
},
"AosSqlAuth": {
"SqlUser": "axdbadmin",
"SqlPwd": "Dynamo@123"
}
}
Dynamo@123 is the encrypted domain user password for the AOS domain user (local\axserviceuser).
SqlUser is the encrypted SQL user (axdbadmin) that has access to the Finance and Operations database (AXDB), and Dynamo@123 is the encrypted SQL password.
Copy the .json file to the SMB file share, \\AOS1\agent\Credentials\Credentials.json.
Why this accounts and Password has to be encrypted? While deploying the Application from LCS ,the script checks the encrypted Passwords and Users.If this step is not executed Properly,the deployment will fail.
Install Install the Microsoft Azure Service Fabric SDK before executing script
Execute the below script to get encrypted Values.The Script has to executed 3 times to get the Value

For AccountPassword
Invoke-ServiceFabricEncryptText -Text Dynamo@123 -CertThumbprint 9A5A0A92E7C62CA65FF14E6F9C9ECE9F6B76FA1A -CertStore -StoreLocation LocalMachine -StoreName My | Set-Clipboard

Execute the Script and open a notepad and ctrl+V to paste the encrypted Value

For SQL USER
Invoke-ServiceFabricEncryptText -Text axdbadmin -CertThumbprint 9A5A0A92E7C62CA65FF14E6F9C9ECE9F6B76FA1A -CertStore -StoreLocation LocalMachine -StoreName My | Set-Clipboard

Execute the Script and open a notepad and ctrl+V to paste the encrypted Value

For SQLPassword
Invoke-ServiceFabricEncryptText -Text Dynamo@123 -CertThumbprint 9A5A0A92E7C62CA65FF14E6F9C9ECE9F6B76FA1A -CertStore -StoreLocation LocalMachine -StoreName My | Set-Clipboard

Execute the Script and open a notepad and ctrl+V to paste the encrypted Value
Now Update the 3 encrypted values in the Credentials.Json file


Step 24:Setup SSIS
To enable Data management and Integration workloads, SSIS must be installed on each of the AOS virtual machines. Complete the following steps on each AOS virtual machine.

1. Verify that the machine has access to the SSIS installation and open the SSIS Setup Wizard.
2. In the Feature Selection window, in the Features pane, select the Integration Services and SQL Client Connectivity SDK check boxes.
3. Complete the setup and verify that the installation was successful.

Step 25:Setup SSRS
To Setup the SSRS Machine refer the MS Document below
https://docs.microsoft.com/en-us/dyn...rs-on-premises

Step26 :Configure ADFS

• Open the ADFS Server and add the ADFS feature addition from Server Manger Roles and Features
• Configure the AD FS identifier so that it matches the AD FS token issuer.
  Execute the Below code in Adfs machine in Powershell
  $adfsProperties = Get-AdfsProperties
  Set-AdfsProperties -Identifier $adfsProperties.IdTokenIssuer
  Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider FormsAuthentication, MicrosoftPassportAuthentication

For sign-in, the user's email address must be an acceptable authentication input.

Add-Type -AssemblyName System.Net
$fqdn = ([System.Net.Dns]::GetHostEntry('localhost').HostName).ToLower()
$domainName = $fqdn.Substring($fqdn.IndexOf('.')+1)
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID mail -LookupForests $domainName

Once after the ADFS necessary scripts are executed ,Application group script should be execute
.\Publish-ADFSApplicationGroup.ps1 -HostUrl https://ax.Local.com

Now after successfully deployed the ADFS ,access the url in AOStype node
https://adfs.local.com/adfs/.well-kn...-configuration

This step is highly important to complete is successfully since the Dynamics on premise user access page opens based on the ADFS redirection Configuration.
You successfully access the URL, a JavaScript Object Notation (JSON) file is returned that contains your AD FS configuration, and you will see that your AD FS URL is trusted.

Step 27: Configure a connector and install an on-premises local agent
Sign in to LCS, and open the on-premises implementation project.
Select the Project Setting Tab


Create a On Premise Connector and Edit the Configuration Details

Download the Agent Installer and Verify that the zip file is unblocked. Right-click the file, and then select Properties. In the dialog box, select Unblock.
Unzip the agent installer on one of the Service Fabric nodes of the OrchestratorType type.

Enter the Configuration Details

Execute the below script to get the configurations details
.\Get-AgentConfiguration.ps1 -ConfigurationFilePath .\ConfigTemplate.xml



Download the Configuration file and copy the file to the local agent folder

In a Command Prompt window, run the following command by navigating to the folder that contains the agent installer.
The user who runs this command must have db_owner permissions on the OrchestratorData database.
LocalAgentCLI.exe Install C:\InfrastructureScripts\Local\LocalAgent-163366\LocalAgent-163366\localagent-config.json

After the Local agent is successfully executed ,which will create 2 applications in Service Fabric

On the Validate setup tab, select Message agent to test for LCS connectivity to your local agent. When a connection is successfully established, the page will resemble the following illustration.

[sukhanchik]

Step 28:Actual Ax/Dynamics 365 FO Environment deployment starts here




.\Get-DeploymentSettings.ps1 -ConfigurationFilePath .\ConfigTemplate.xml

Click the Advanced Settings










Huff Successfully installed OMG Goosebumps after seeing this Screen

[KiselevSA]

Постарался свести все шаги в один документ с мелкими корректировками стилей, орфографии и пунктуации (сильно не бейте, читаю с трудом и перевожу и того хуже )
Из-за ограничений на размер пришлось выложи на яндекс - https://yadi.sk/i/XCdKNPZehGi2zg

[sukhanchik]

А еще можно эту страничку с AxForum сохранить в Internet Explorer, как mht-файл. Получается неплохая альтернатива документу в Word

[user_ax]

Очень и очень полезно получилось. Благодарю вас, sukhanchik за проделанную работу!
Ещё бы найти информацию сродни этой чтобы было более понятно как добавлять\удалять ноды для уже установленного приложения.
Ну и как плюсом - апгрейд с более ранней версии до более поздней, 10.0.16, например