Tuesday 1 July 2014

Change CRM Application Pool Identity


Server Inventory:

2 Web Servers (CRM 2011): web01.testdomain.local and web02.testdomain.local

1 App Server + Backend Server (CRM 2011): app01.testdomain.local

1 SQL Server: sql01.testdomain.local

1 AD Server with DC: ad01.testdomain.local
 
Organization Name: testorg

App pool identity of the CRM application: testdomain\crmapppool1
Task: Change the CRM app pool identity from testdomain\crmapppool1 to testdomain\crmapppool2 with least privilege.
 
Steps:

AD Level:
1. Check that the testdomain\crmapppool2 account is present in AD.
2. Set the password to “never expire” (as per the organization's service account policy).
3. Add the testdomain\crmapppool2 account to the following AD groups in the CRM OU:
   * PrivUserGroup
   * SQLAccessGroup
CRM Web Server Level:
1. Grant this domain account Read access on the following registry subkey on the web01.testdomain.local and web02.testdomain.local servers:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM
2. Grant the testdomain\crmapppool2 account read and write permission on the Trace folder (by default located under \Program Files\Microsoft Dynamics CRM) on the web01.testdomain.local and web02.testdomain.local servers.
3. Add the testdomain\crmapppool2 account as a member of the following local groups on the web01.testdomain.local and web02.testdomain.local servers:
   * CRM_WPG
   * IIS_Users
 
CRM App Server and Backend Server Level:
No action required.
CRM SQL Server Level:
No action required. SQL-level permissions are handled by the AD group mentioned in section “AD Level”, point 3, so no separate database access needs to be granted to the new app pool account.
Next Steps:
* Permissions and access levels have now been set up for the new app pool account, so the app pool identity can be changed.
* Log in to the web servers web01.testdomain.local and web02.testdomain.local one by one, open IIS, and change the app pool identity of the CRM application to the new account testdomain\crmapppool2.
* Once you switch to the new identity, the testdomain\crmapppool2 account is automatically added to the local security policy right “Log on as a service” on the web servers. If you get an error, log in to the web server with admin access, open the local security policy (run secpol.msc from Run) and add the testdomain\crmapppool2 account under “Log on as a service”.
* Activity completed. Try to access the http://mscrminternal.testdomain.com/testorg application.
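The web-server steps above (registry read ACL, Trace folder Modify ACL, local group membership, and the IIS identity switch) as one PowerShell script, added here as an example and not part of the original post or of the CRM product. It assumes the CRM application pool is named "CRMAppPool" and that CRM is installed in the default location; adjust both values for your servers and run it elevated on each web server.

```powershell
# Added example, not from the original post. Run elevated on web01 and web02.
$account  = 'testdomain\crmapppool2'
$poolName = 'CRMAppPool'   # assumption: name of the CRM application pool
$traceDir = 'C:\Program Files\Microsoft Dynamics CRM\Trace'   # assumption: default install path
$regKey   = 'HKLM:\SOFTWARE\Microsoft\MSCRM'

# 1. Read-only access on the MSCRM subkey (least privilege: ReadKey, no write rights).
$regAcl  = Get-Acl -Path $regKey
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $account, 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $regKey -AclObject $regAcl

# 2. Read + write (Modify) on the Trace folder only, not on the whole CRM install tree.
$dirAcl  = Get-Acl -Path $traceDir
$dirRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$dirAcl.AddAccessRule($dirRule)
Set-Acl -Path $traceDir -AclObject $dirAcl

# 3. Local group membership via ADSI (works on older servers without the LocalAccounts module).
foreach ($group in 'CRM_WPG', 'IIS_Users') {
    $localGroup = [ADSI]"WinNT://$env:COMPUTERNAME/$group,group"
    $localGroup.Add('WinNT://testdomain/crmapppool2,user')
}

# 4. Switch the app pool to the new identity. identityType 3 = SpecificUser.
Import-Module WebAdministration
$cred = Get-Credential $account     # prompts for the service account password
Set-ItemProperty -Path "IIS:\AppPools\$poolName" -Name processModel -Value @{
    userName     = $account
    password     = $cred.GetNetworkCredential().Password
    identityType = 3
}
Restart-WebAppPool -Name $poolName

# 5. Verify: the pool should now report identityType 3 and the new user name.
Get-ItemProperty -Path "IIS:\AppPools\$poolName" -Name processModel |
    Select-Object identityType, userName
```

If step 4 fails with a logon-right error, grant “Log on as a service” to the account in secpol.msc as described above and rerun only the Set-ItemProperty and Restart-WebAppPool lines.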
Thanks; please put your comments if you are facing any difficulties.