Microsoft Dynamics NAV 2009 introduces a new three-tier RoleTailored architecture that improves the security, scalability, and flexibility of Microsoft Dynamics NAV. For details, see RoleTailored Architecture. In this walkthrough, you will install the new architecture in a production environment on three computers:
Computer | Installed operating system and software | Tier |
---|---|---|
NAVSQL | Server computer running Windows Server 2008 or Windows Server 2003, and Microsoft SQL Server 2008 or SQL Server 2005 | Database tier |
NAVSERV | Server computer running Windows Server 2008 or Windows Server 2003 and Microsoft Dynamics NAV Server | Server (middle) tier |
NAVCLIENT | Client computer running Windows Vista | Client tier |
The key characteristic of this walkthrough is that the client, Microsoft Dynamics NAV Server, and SQL Server are installed on separate computers. In a production environment, you may have multiple computers running SQL Server, multiple computers running Microsoft Dynamics NAV Server, and multiple computers running the RoleTailored client. But as long as you do not install multiple Microsoft Dynamics NAV tiers on the same computer, the procedures and issues presented in this walkthrough are relevant.
For information about the steps involved in installing both Microsoft Dynamics NAV Server and SQL Server on a single computer, see Walkthrough: Installing the Three Tiers On Two Computers.
Note |
---|
The content in this walkthrough only applies to Microsoft Dynamics NAV 2009 SP1. For Microsoft Dynamics NAV 2009 content, see Developer and IT Pro Help for Microsoft Dynamics NAV 2009. |
Note |
---|
If after completing this walkthrough you find that your implementation is not working as expected, try using the Best Practices Analyzer for Microsoft Dynamics NAV 2009. Install this diagnostic tool on your Microsoft Dynamics NAV Server computer to identify configuration issues that might be preventing your three-tier deployment of Microsoft Dynamics NAV from working correctly. A PartnerSource login is required. |
Domain User Account vs. Network Service
In this walkthrough, both the SQL Server service and the Microsoft Dynamics NAV Server service use a single domain user account. Using domain user accounts is not a requirement for three-tier-on-three-computer configurations (see the following note for the reason). It is also not a requirement that both the SQL Server service and the Microsoft Dynamics NAV Server service use the same domain user account. Using one domain user account for both services is practical, however, so that is what this walkthrough describes.
In the three-tiers-on-two-computers walkthrough (Walkthrough: Installing the Three Tiers On Two Computers), the SQL Server service uses a domain user account, but the Microsoft Dynamics NAV Server service uses the default account, which is the Network Service account.
Security Note |
---|
You can use the Network Service account for the Microsoft Dynamics NAV Server service, which is how Setup installs Microsoft Dynamics NAV Server. This alternative is considered less secure because the Network Service account is a shared account that can be used by other unrelated network services. Any users who have rights to this account have rights to all services that are running on this account. Running the Microsoft Dynamics NAV Server service under a dedicated domain user account is more secure but does require additional work by a domain administrator. For more information, see Configuring for a Domain User Account. |
About This Walkthrough
After completing this walkthrough, you will have a functioning three-tier installation on three computers. The installation uses the Microsoft Dynamics NAV Demo database, containing the CRONUS International Ltd. demo company.
This walkthrough illustrates the following tasks:
- Installing the Microsoft Dynamics NAV database components.
- Installing Microsoft Dynamics NAV Server.
- Configuring for a domain user account.
- Enabling the Object Change Listener.
- Giving the domain user account permissions for the server folder.
- Installing the RoleTailored client.
- Setting up delegation.
Prerequisites
To complete this walkthrough, you need three computers that are configured as described in the introduction.
For information on installing Microsoft SQL Server, see Installation Considerations for Microsoft SQL Server. (Specific SQL Server configuration issues are, however, covered at the appropriate location in the walkthrough.)
For more information about configuring these computers according to Microsoft Dynamics NAV 2009 security best practices, see the Microsoft Dynamics NAV 2009 Security Hardening Guide.
You must also have the setspn command-line tool installed on your server. In Windows Server 2008, the setspn tool is included if you have installed the Active Directory Domain Services server role. In Windows Server 2003, you must download the Windows Server 2003 Service Pack 2 32-bit Support Tools to get the setspn tool.
Story
A system implementer wants to install Microsoft Dynamics NAV 2009 to take advantage of the new three-tier architecture. She has already installed SQL Server on one server computer and will install the Microsoft Dynamics NAV database components and the sample database on that same server computer. She will then install Microsoft Dynamics NAV Server on a separate server computer. Finally, she will install the RoleTailored client on a Windows Vista client computer.
Installing the Microsoft Dynamics NAV Database Components
Run Microsoft Dynamics NAV 2009 Setup and select the Database Components option to configure SQL Server to work with Microsoft Dynamics NAV 2009. This option also installs the Microsoft Dynamics NAV demo database, which contains the CRONUS International Ltd. company.
To install the Microsoft Dynamics NAV database components and the demo database
- Insert the Microsoft Dynamics NAV 2009 DVD in the drive of NAVSQL, which is the server where SQL Server is already installed.
- On the startup page, under Install, click Microsoft Dynamics NAV.
- On the Welcome page, click Next.
- To accept the license terms, click I accept.
- On the Microsoft Dynamics NAV 2009 Installer page, click Choose an installation option.
- On the Choose an installation option page, click Database Components.
  The demo database is included as part of this option.
- On the Specify parameters page, click Install.
- After the installation is complete, click Close to exit Setup.
Installing Microsoft Dynamics NAV Server
The next step is to install Microsoft Dynamics NAV Server on NAVSERV, which is the second server computer. This is a different server computer from the one where you installed SQL Server and the Microsoft Dynamics NAV database components.
To install Microsoft Dynamics NAV Server
- Insert the Microsoft Dynamics NAV DVD into the drive of NAVSERV.
- On the startup page, under Install, click Microsoft Dynamics NAV.
- On the Welcome page, click Next.
- To accept the license terms, click I accept.
- On the Microsoft Dynamics NAV 2009 Installer page, click Choose an installation option.
- On the Choose an installation option page, click Server.
- On the Specify parameters page, click Server to open the Installation Parameters pane.
- In the SQL Server field, type NAVSQL, which is the name of the computer running SQL Server.
- In the SQL Database field, type Demo Database NAV (6-0).
  This is the Microsoft Dynamics NAV demo database, which contains the CRONUS International, Ltd., demonstration company.
- Click Apply to save the Microsoft Dynamics NAV Server settings.
- Click Install to start installing software.
- After the installation is complete, click Close to exit Setup.
Configuring for a Domain User Account
The procedures in this section are necessary only when the logon for Microsoft Dynamics NAV Server is a domain user account instead of the Network Service account. You can only perform these actions if you have domain administrator privileges.
The steps that are involved in creating a domain user account by using the Active Directory Users and Computers utility (dsa.msc) are part of the Active Directory documentation, which is included in the Windows Server documentation.
Raising the Domain Functional Level
After you create the domain user account, you must verify that the domain functional level of your domain is at least Windows Server 2003 level.
Caution |
---|
Do not raise the domain functional level if you have or will have any Microsoft Windows NT 4.0 or earlier domain controllers. As soon as the domain functional level is raised to Windows 2000 native or Windows Server 2003, it cannot be changed back to a Windows 2000 mixed domain. |
To determine if the functional level of your domain is at least Windows Server 2003 level and to raise it if it is not, follow these steps:
- Choose Run from the Start menu in Windows, type dsa.msc, and then press ENTER.
  This opens the Active Directory Users and Computers utility. This utility is part of Windows Server 2003 or Windows Server 2008.
- Right-click the domain where Microsoft Dynamics NAV is installed, and then click Raise Domain Functional Level.
  If the level is at least Windows Server 2003, then you can close the utility. Otherwise, continue to the final step.
- Under Select an available domain functional level, click Windows Server 2003, and then click Raise.
Change the Logon Account for the Microsoft Dynamics NAV Server Service and the SQL Server Service
Change the logon account for the Microsoft Dynamics NAV Server service and the SQL Server service to use your domain user account. For information about how to configure Windows Services, see How to: Configure Windows Services.
Note |
---|
As described in How to: Configure Windows Services, you should use different tools to configure the respective services: use the Services tool from Windows Control Panel for the Microsoft Dynamics NAV Server service, and use the SQL Server Configuration Manager tool for the SQL Server service. This ensures that the permissions required for the SQL Server service account are granted. |
Enabling the Object Change Listener
The Object Change Listener (OCL) component of Microsoft Dynamics NAV Server monitors the database for changes that are made to application objects, such as adding a new field to a page. If OCL cannot start because of permissions errors, then you cannot connect clients to the server. When you try to start the RoleTailored client, you see the following message:
Cannot connect the Change Listener to SQL Server.
For more information, see Enabling the Object Change Listener.
To enable and assign minimum permissions for the Object Change Listener
- Open SQL Server Management Studio, and then connect to your SQL Server instance.
- On the File menu, point to New, and then click Query with Current Connection.
- Type the following SQL statements.

  ```sql
  USE master;
  CREATE LOGIN [ReplaceWithNAVServerAccount] FROM WINDOWS;
  GO
  ```

- Highlight the lines that you typed, and then on the Query menu, click Execute.
- Type these lines after the existing lines.

  ```sql
  USE [ReplaceWithYourDatabaseName];
  CREATE USER [ReplaceWithNAVServerAccount] FOR LOGIN [ReplaceWithNAVServerAccount];
  GO
  ```

- Highlight the lines that you just typed, and then on the Query menu, click Execute.
- Type these lines after the existing lines.

  ```sql
  -- CREATE SCHEMA must be the only statement in its batch.
  CREATE SCHEMA [$ndo$navlistener] AUTHORIZATION [ReplaceWithNAVServerAccount];
  GO
  ```

- Highlight the lines that you just typed, and then on the Query menu, click Execute.
  You may see an error stating that the schema in question already exists. You can ignore this error.
- Type these lines after the existing lines.

  ```sql
  ALTER USER [ReplaceWithNAVServerAccount] WITH DEFAULT_SCHEMA = [$ndo$navlistener];
  GRANT SELECT ON [Object Tracking] TO [ReplaceWithNAVServerAccount];
  GO
  ```

- Highlight the lines that you just typed, and then on the Query menu, click Execute.
  Note: The Object Tracking table name may be in a language other than English. If it is, replace "Object Tracking" with the actual table name from your database.
- Save your query to keep a record of these actions.
  You can use these commands again when you create a new database or change the account that you use to run Microsoft Dynamics NAV Server.
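The following PowerShell script is an added example; it is not part of the walkthrough or of the product. It runs the same four batches through sqlcmd.exe, but with existence checks so that it can be re-run safely when you create a new database or change the service account, and it fails loudly instead of silently granting nothing when the Object Tracking table has a localized name. The server and database names are the walkthrough's; the account name and the table name are placeholders you must replace, and the script assumes sqlcmd.exe is on the path and that you run it as a SQL Server sysadmin.

```powershell
# Added example (not from the walkthrough): grants the Object Change Listener its
# minimum permissions in one re-runnable script. Replace the placeholders before running.
$SqlServer      = 'NAVSQL'                   # SQL Server computer, from the walkthrough
$Database       = 'Demo Database NAV (6-0)'  # demo database, from the walkthrough
$ServiceAccount = 'yourDomain\yourUser'      # placeholder: logon account of the NAV Server service
$TrackingTable  = 'Object Tracking'          # placeholder: use the localized name if yours differs

# Quote identifiers and string literals for T-SQL so a name containing ] or ' cannot break out.
function ConvertTo-SqlIdentifier([string]$Name) { '[' + $Name.Replace(']', ']]') + ']' }
function ConvertTo-SqlLiteral([string]$Value)  { "N'" + $Value.Replace("'", "''") + "'" }

$acctId   = ConvertTo-SqlIdentifier $ServiceAccount
$acctLit  = ConvertTo-SqlLiteral    $ServiceAccount
$dbId     = ConvertTo-SqlIdentifier $Database
$tableId  = ConvertTo-SqlIdentifier $TrackingTable
$tableLit = ConvertTo-SqlLiteral    $TrackingTable

# Single-quoted here-string: PowerShell leaves $ndo$navlistener and the {TOKENS} untouched;
# the tokens are substituted with the quoted values below.
$template = @'
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = {ACCT_LIT})
    CREATE LOGIN {ACCT_ID} FROM WINDOWS;
GO
USE {DB_ID};
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = {ACCT_LIT})
    CREATE USER {ACCT_ID} FOR LOGIN {ACCT_ID};
GO
-- CREATE SCHEMA must be alone in its batch, so it is wrapped in EXEC. Creating it only
-- when it is missing avoids the "schema already exists" error the walkthrough says to ignore.
IF NOT EXISTS (SELECT 1 FROM sys.schemas WHERE name = N'$ndo$navlistener')
    EXEC (N'CREATE SCHEMA [$ndo$navlistener] AUTHORIZATION {ACCT_ID};');
GO
ALTER USER {ACCT_ID} WITH DEFAULT_SCHEMA = [$ndo$navlistener];
-- A wrong table name (for example, a localized database) must stop the script, not leave
-- the listener without SELECT and the client with the "Cannot connect the Change Listener" error.
IF OBJECT_ID({TABLE_LIT}) IS NULL
    RAISERROR (N'Object Tracking table not found; set $TrackingTable to the localized name.', 16, 1);
ELSE
    GRANT SELECT ON {TABLE_ID} TO {ACCT_ID};
GO
'@

$tsql = $template
$tokens = @{ '{ACCT_ID}' = $acctId; '{ACCT_LIT}' = $acctLit; '{DB_ID}' = $dbId;
             '{TABLE_ID}' = $tableId; '{TABLE_LIT}' = $tableLit }
foreach ($pair in $tokens.GetEnumerator()) { $tsql = $tsql.Replace($pair.Key, $pair.Value) }

# sqlcmd -E uses Windows authentication; -b makes a failed batch return a nonzero exit code.
$scriptFile = [System.IO.Path]::GetTempFileName()
try {
    Set-Content -Path $scriptFile -Value $tsql -Encoding UTF8
    & sqlcmd.exe -S $SqlServer -E -b -i $scriptFile
    if ($LASTEXITCODE -ne 0) {
        throw "sqlcmd returned exit code $LASTEXITCODE; the permissions were not fully applied."
    }
    Write-Host "Object Change Listener permissions applied for $ServiceAccount on $Database."
} finally {
    Remove-Item $scriptFile -ErrorAction SilentlyContinue
}
```

Keeping the script under version control gives you the record the last step asks for, and because every step is guarded by an existence check, re-running it after a database restore or an account change only applies what is missing.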
Giving the Domain User Account Permissions for the Server Folder
The next step is to give the domain user account full permissions for the Microsoft Dynamics NAV Server folder on the computer where you installed Microsoft Dynamics NAV Server.
To grant the domain user account permissions on the Microsoft Dynamics NAV Server folder
- In Windows Explorer, navigate to the Microsoft Dynamics NAV Server folder on the computer where you have installed Microsoft Dynamics NAV Server. On Windows Server 2003, the default location is:
  Documents and Settings\All Users\Application Data\Microsoft\Microsoft Dynamics NAV\60
  On Windows Server 2008 or Windows Vista, the default location is:
  ProgramData\Microsoft\Microsoft Dynamics NAV\60\
- Right-click the Service folder, and then click Properties to open the Service Properties dialog box.
- Click the Security tab.
- Select the domain user account from the list in the top half of the dialog box, and then, in the Permissions for section in the bottom half, select Allow next to the Full Control permission.
  This grants the domain user account full control of the folder.
- Select the NETWORK SERVICE account in the top half, and then clear the Allow field next to the Full Control permission in the bottom half.
  This revokes permissions on the folder for the Network Service account. No account other than your domain user account should have access to the server folder.
- Click OK to close the Service Properties dialog box.
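The following PowerShell script is an added example, not part of the walkthrough or the product, for checking on NAVSERV that the two preceding sections had the intended effect: the Microsoft Dynamics NAV Server service runs as the domain user account, and the Service folder grants that account full control while NETWORK SERVICE and other broad principals have no access. The account name is the walkthrough's placeholder; the Windows service name MicrosoftDynamicsNavServer is an assumption (confirm it with Get-Service), and the folder path is derived from the two default locations listed above.

```powershell
# Added example (not from the walkthrough): audits the service logon account and the
# Service folder ACL on the Microsoft Dynamics NAV Server computer.
$ServiceAccount = 'yourDomain\yourUser'         # placeholder, as in the walkthrough
$ServiceName    = 'MicrosoftDynamicsNavServer'  # assumed service name; confirm with Get-Service
# CommonApplicationData resolves to ...\All Users\Application Data on Windows Server 2003 and
# to ProgramData on Windows Server 2008, the two default locations the walkthrough lists.
$ServiceFolder  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
                            'Microsoft\Microsoft Dynamics NAV\60\Service'
# Principals that should not appear on the folder at all
$BroadPrincipals = @('NT AUTHORITY\NETWORK SERVICE', 'BUILTIN\Users', 'Everyone',
                     'NT AUTHORITY\Authenticated Users')

$problems = @()

# 1. The service must run under the dedicated domain account, not Network Service.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) {
    $problems += "Service '$ServiceName' was not found; check the name with Get-Service."
} elseif ($svc.StartName -ne $ServiceAccount) {
    $problems += "Service runs as '$($svc.StartName)'; expected '$ServiceAccount'."
}

# 2. The folder ACL: full control for the domain account, nothing for broad principals.
if (-not (Test-Path -Path $ServiceFolder)) { throw "Folder not found: $ServiceFolder" }
$acl   = Get-Acl -Path $ServiceFolder
$allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
$full  = [System.Security.AccessControl.FileSystemRights]::FullControl

$own = @($allow | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and (($_.FileSystemRights -band $full) -eq $full)
})
if ($own.Count -eq 0) { $problems += "$ServiceAccount does not have Full Control on $ServiceFolder." }

foreach ($ace in $allow) {
    if ($BroadPrincipals -contains $ace.IdentityReference.Value) {
        # An inherited entry cannot be cleared in the Security tab; inheritance on the
        # folder has to be broken first, so report where the entry comes from.
        $source = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        $problems += "$($ace.IdentityReference.Value) still has $($ace.FileSystemRights) ($source)."
    }
}

if ($problems.Count -eq 0) {
    Write-Host "OK: $ServiceName runs as $ServiceAccount and only that account has full control of $ServiceFolder."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it after changing the logon account and the folder permissions; a NETWORK SERVICE entry reported as inherited means the entry came from the parent folder and the Security tab step above did not actually remove it.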
Installing the RoleTailored Client
The third and final tier is the client tier. The first task is to install the RoleTailored client on a workstation computer.
To install the RoleTailored client
- Insert the Microsoft Dynamics NAV DVD into the drive of NAVCLIENT, which is your Microsoft Dynamics NAV client computer.
- On the startup page, under Install, click Microsoft Dynamics NAV.
- On the Welcome page, click Next.
- To accept the license terms, click I accept.
- On the Microsoft Dynamics NAV 2009 Installer page, click Choose an installation option.
- On the Choose an installation option page, click Client to install the RoleTailored client.
- On the Specify parameters page, click RoleTailored client to configure the component.
- In the Installation Parameters dialog box, type NAVSERV, which is the name of the computer running Microsoft Dynamics NAV Server, in the Server Name field.
  You should fully qualify the domain name in this field (in the form YourServer.YourDomain.YourCompany.com).
- Click Apply, and then click Apply on the Specify parameters page to start installing software.
- After installation is complete, click Close to exit.
Setting Up Delegation
When the RoleTailored client, Microsoft Dynamics NAV Server, and SQL Server are installed on separate computers, the client interacts with the database through an intermediate computer, which is running Microsoft Dynamics NAV Server. The server is performing actions on the client's behalf. This process is known as impersonation.
Delegation is when a front-end service forwards the client’s request to a back-end service so that the back-end service can also impersonate the client. Complete the procedures in this section to set up delegation on your Microsoft Dynamics NAV installation. For more information on delegation, see How To: Set Up Delegation.
Create Service Principal Names
The first step in setting up delegation is to create service principal names (SPNs). To make delegation more secure, Active Directory uses Kerberos to authenticate services. An SPN is the name by which a client uniquely identifies an instance of a service, using the account under which the service runs. You must create one SPN for the Microsoft Dynamics NAV Server service and one SPN for the SQL Server service to make delegation work.
To create service principal names
- Open an elevated command prompt. To do this, click Start, and then in the search window, type Command Prompt. Right-click Command Prompt, and then click Run as administrator.
- At the command prompt, create an SPN for the Microsoft Dynamics NAV Server service. The syntax is:

  ```cmd
  setspn -A InstanceName/FullyQualifiedDomainNameOfServer:Port Domain\User
  ```

  Using NAVSERV, which is the computer running Microsoft Dynamics NAV Server, and DynamicsNAV, which is the default instance name for Microsoft Dynamics NAV Server, the actual command has the following format:

  ```cmd
  setspn -A DynamicsNAV/NAVSERV.yourDomain.yourCompany.com:7046 yourDomain\yourUser
  ```

  Replace "yourDomain," "yourCompany," and "yourUser" with the appropriate values.
- Create an SPN for the SQL Server service. This service runs on the NAVSQL computer with a default instance name of MSSQLSvc. Type the following command:

  ```cmd
  setspn -A MSSQLSvc/NAVSQL.yourDomain.yourCompany.com:1433 yourDomain\yourUser
  ```

  Again, replace "yourDomain," "yourCompany," and "yourUser" with the appropriate values.
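The following PowerShell script is an added example, not part of the walkthrough or the product. It registers the two SPNs above only when they are missing and refuses to add one that another account already holds, because a duplicate SPN leaves the domain controller unable to issue a ticket for the service, so Kerberos fails and delegation cannot work. The SPN and account values are the walkthrough's placeholders. The -Q and -X options assume the setspn.exe shipped with Windows Server 2008; the Windows Server 2003 Support Tools version may not have them.

```powershell
# Added example (not from the walkthrough): registers the required SPNs idempotently and
# checks the forest for duplicates before and after. Run from an elevated prompt as a
# domain administrator, as the walkthrough's setspn steps require.
$ServiceAccount = 'yourDomain\yourUser'   # placeholder, as in the walkthrough
$RequiredSpns = @(
    'DynamicsNAV/NAVSERV.yourDomain.yourCompany.com:7046',  # Microsoft Dynamics NAV Server
    'MSSQLSvc/NAVSQL.yourDomain.yourCompany.com:1433'       # SQL Server
)

function Get-AccountSpns([string]$Account) {
    # "setspn -L" lists the SPNs on an account, one per indented line after a header line.
    & setspn.exe -L $Account 2>&1 |
        Where-Object { $_ -match '^\s+\S' } |
        ForEach-Object { $_.ToString().Trim() }
}

function Get-SpnOwners([string]$Spn) {
    # "setspn -Q" searches the forest for the SPN and prints the DN of every object holding it.
    & setspn.exe -Q $Spn 2>&1 |
        Where-Object { $_ -match '^CN=' } |
        ForEach-Object { $_.ToString().Trim() }
}

$existing = @(Get-AccountSpns $ServiceAccount)
foreach ($spn in $RequiredSpns) {
    if ($existing -contains $spn) {
        Write-Host "OK       $spn is already registered on $ServiceAccount"
        continue
    }
    $owners = @(Get-SpnOwners $spn)
    if ($owners.Count -gt 0) {
        # Adding it here would create a duplicate; the existing registration must be fixed first.
        Write-Warning "CONFLICT $spn is already held by: $($owners -join '; '). Not adding it."
        continue
    }
    & setspn.exe -A $spn $ServiceAccount | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Host "ADDED    $spn -> $ServiceAccount" }
    else { Write-Warning "FAILED   setspn -A returned exit code $LASTEXITCODE for $spn" }
}

# Forest-wide duplicate report: anything other than "found 0 group of duplicate SPNs" needs attention.
& setspn.exe -X
```

If the SQL Server service was installed under a different account at some point, the MSSQLSvc SPN is often still registered on that account or on the NAVSQL computer object; the CONFLICT line tells you where, so you can remove it there before registering it on the domain user account.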
Delegating Access to the SQL Server Service
Configuring delegation means explicitly configuring the Microsoft Dynamics NAV Server service on NAVSERV to delegate its access to the database server on behalf of the RoleTailored client. To make the access more secure, you specify delegation to a specific service on a specific server. In this walkthrough, you specify delegation on the SQL Server database service (MSSQLSERVER). This is known as constrained delegation.
You must run the following procedure on a computer where the Active Directory Users and Computers utility (dsa.msc) is available.
To delegate access to the SQL Server service
- Click Start, and then click Run.
- In the Open field, type dsa.msc.
  This opens the Active Directory Users and Computers utility.
- Right-click the node for the domain where you have installed Microsoft Dynamics NAV, and then click Find.
- In the Find Users, Contacts, and Groups dialog box, type the name of the domain user in the Name field, and then press ENTER.
- In the Search results area, right-click the domain user, and then click Properties.
- On the Delegation tab, click Trust this user for delegation to specified services only, and then click Use Kerberos only.
  There is also the option to not restrict authentication to Kerberos, although the environment is not as secure when you are less restrictive. Your decision must be reflected in the value that you assign to the AllowNtlm setting in the RoleTailored client configuration file (ClientUserSettings.config). For details, see Configuring the RoleTailored Client.
- Click Add to open the Add Services dialog box.
- Click Users or Computers, and then specify the domain user.
- In the list of services for the domain user, click MSSQLSvc, which is the SQL Server service.
- Click OK to close the Add Services dialog box. Continue clicking OK to close all open dialog boxes.
Delegation from the domain user to the SQL Server service on a separate computer is now enabled.
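The following PowerShell script is an added example, not part of the walkthrough or the product. It reads the service account's delegation settings directly from Active Directory and checks the three things the Delegation tab procedure above is meant to produce: delegation is constrained rather than "any service", it is Kerberos only rather than "any authentication protocol", and the only target is the SQL Server service on NAVSQL. It uses System.DirectoryServices, so it needs no extra module; the account name and SPN are the walkthrough's placeholders.

```powershell
# Added example (not from the walkthrough): verifies constrained, Kerberos-only delegation
# for the Microsoft Dynamics NAV Server service account.
$SamAccountName = 'yourUser'                                          # placeholder
$ExpectedTarget = 'MSSQLSvc/NAVSQL.yourDomain.yourCompany.com:1433'   # SQL Server SPN from the walkthrough

# userAccountControl bits behind the Delegation tab choices
$TRUSTED_FOR_DELEGATION         = 0x00080000  # "Trust this user for delegation to any service" (unconstrained)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # "Use any authentication protocol" (protocol transition)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('userAccountControl', 'msDS-AllowedToDelegateTo'))
$result = $searcher.FindOne()
if ($null -eq $result) { throw "Account '$SamAccountName' was not found in the current domain." }

$uac      = [int]$result.Properties['useraccountcontrol'][0]
$targets  = @($result.Properties['msds-allowedtodelegateto'] | ForEach-Object { [string]$_ })
$problems = @()

# 1. Delegation must be constrained: the "any service" flag must be clear.
if ($uac -band $TRUSTED_FOR_DELEGATION) {
    $problems += 'Unconstrained delegation is enabled; the account could impersonate users to any service.'
}
# 2. Kerberos only: protocol transition must be off, matching AllowNtlm=false on the client.
if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
    $problems += '"Use any authentication protocol" is selected; the walkthrough uses Kerberos only.'
}
# 3. The SQL Server service on NAVSQL must be a target, and nothing else should be.
if (-not ($targets -contains $ExpectedTarget)) {
    $problems += "Constrained delegation target '$ExpectedTarget' is missing."
}
$extra = @($targets | Where-Object { $_ -notlike 'MSSQLSvc/NAVSQL*' })
if ($extra.Count -gt 0) {
    $problems += "Unexpected delegation targets: $($extra -join ', ')"
}

if ($problems.Count -eq 0) {
    Write-Host "OK: $SamAccountName delegates only to $ExpectedTarget, using Kerberos only."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The Add Services dialog box may register more than one MSSQLSvc name for NAVSQL (for example, the host name with and without the port); the check treats those as expected and flags only targets on other services or computers.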
Establishing a Connection
The configuration is now complete. You should be able to start the RoleTailored client and see it connect to the CRONUS International Ltd. demo database immediately.
If you cannot connect the RoleTailored client to Microsoft Dynamics NAV Server after completing this procedure, the problem may be that Microsoft Dynamics NAV Server is not able to connect to SQL Server. For more information, see Troubleshooting SQL Server Connection Problems.
Next Steps
You have now installed all Microsoft Dynamics NAV software. When you start the RoleTailored client, it connects to Microsoft Dynamics NAV Server and to CRONUS International Ltd., which is the fictional company that is associated with the demo database.
The next steps are to upload your license, create users, and integrate them into the Microsoft Dynamics NAV security system. For more information, see How to: Activate the License File and Security in the RoleTailored Environment.
© 2010 Microsoft Corporation. All rights reserved.