Monday 18 March 2013

Dynamics CRM 2011 recover deleted Active Directory user accounts

Sometimes user accounts in CRM get out of sync with Active Directory. This can be caused by:
  • An AD account being deleted and re-created
  • AD restores
  • Anything else that changes the objectGUID in AD
The most common cause is accounts deleted in Active Directory. For example, a person who previously used CRM returns to the same company: the CRM account had been disabled, the AD admins had deleted the AD account, and they now create a new account with the same details in AD. If you try to enable the user account in CRM, you will get an error because CRM can't find the same AD GUID:

External Error - No such Object on Server

If you haven't disabled the account, you don't need the instructions below: simply change the username field to a random test account and save, then change it back to the user account you want to configure and save again. This updates the user GUID and the AD SID in CRM. However, if you have disabled the account, you need to follow the steps below.

Building the LDAP Query
The process is simple: find the new objectGUID and objectSID in AD with an LDAP query, then update the CRM database manually.

You can use any LDAP tool. I find the LDP tool simple to use, and it is available on Windows 2008 R2 servers.

Search for ldp in the Windows search box, or type ldp at the command prompt and press Enter.

1. With the tool open, go to the Connection menu, select Connect and type the LDAP/DC server name.

2. Once connected, you need to bind the session to a user account so that the search runs under that user's context. Go to the menu Connection > Bind.

3. I've used the currently logged-on user, but you can specify any account you want.

4. When you bind the session to an account, you should get a success message like the one below:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='NULL'; Pwd=; domain = 'NULL'}
Authenticated as: 'DOMAIN\your_account'.

5. Now that you are connected, go to Browse > Search.

6. In the Search window, type the Base DN (Distinguished Name), which is the location of the account in AD, and select the scope Base. Most importantly, select the attributes you want to view. In this case you only need:

objectGUID
objectSID

7. Click Run; the results show the account's new GUID and SID.
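
The same lookup as steps 1 to 7, scripted with System.DirectoryServices so it can be repeated for several accounts. This is an added example, not part of the original post; the account name 'jsmith' and the all-zero GUID are placeholders, and the function name Get-AdAccountIdentity is made up for illustration.

```powershell
# Added example (not from the original post): scripted version of the LDP lookup.
function Get-AdAccountIdentity {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        # Optional LDAP path, e.g. 'LDAP://dc01.example.local' (placeholder); default is the current domain
        [string]$LdapPath
    )

    if ($LdapPath) { $root = New-Object System.DirectoryServices.DirectoryEntry $LdapPath }
    else           { $root = New-Object System.DirectoryServices.DirectoryEntry }

    # Escape RFC 4515 special characters so the account name cannot alter the LDAP filter
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher $root
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $searcher.SearchScope = 'Subtree'
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'objectGUID', 'objectSid'))

    # Refuse to continue unless exactly one account matches
    $results = @($searcher.FindAll())
    if ($results.Count -ne 1) {
        throw "Expected exactly one match for '$SamAccountName', found $($results.Count)."
    }

    # Both attributes come back as byte arrays; convert them to the string forms LDP displays
    $props     = $results[0].Properties
    $guidBytes = [byte[]]$props['objectguid'][0]
    $sidBytes  = [byte[]]$props['objectsid'][0]
    $guid = New-Object System.Guid (,$guidBytes)
    $sid  = New-Object System.Security.Principal.SecurityIdentifier ($sidBytes, 0)

    New-Object PSObject -Property @{
        DistinguishedName = [string]$props['distinguishedname'][0]
        ObjectGuid        = $guid.ToString()
        ObjectSid         = $sid.Value
    }
}

$ad = Get-AdAccountIdentity -SamAccountName 'jsmith'   # placeholder account name
$ad | Format-List

# Placeholder: paste the ActiveDirectoryGuid value that CRM currently stores for this user
$crmGuid = [Guid]'00000000-0000-0000-0000-000000000000'
if ($crmGuid -ne [Guid]$ad.ObjectGuid) {
    Write-Warning "CRM holds $crmGuid but AD now reports $($ad.ObjectGuid): the AD object was re-created."
}
```

The ObjectSid value is printed so it can be checked by eye against the AuthInfo column returned by the CRM query.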

Compare the results with CRM
Compare these values with the ones in the CRM database:


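-- Returns the AD GUID stored in the organization database and the
-- authentication info stored in MSCRM_CONFIG for one CRM user.
-- Run it against the organization database.
select DISTINCT sub.fullname, sub.ActiveDirectoryGuid, sua.AuthInfo, sua.UserId
from SystemUserBase sub
inner join MSCRM_CONFIG.dbo.SystemUserOrganizations suo ON
        suo.CrmUserId = sub.SystemUserID
inner join MSCRM_CONFIG.dbo.SystemUserAuthentication sua ON
        sua.UserId = suo.UserId
-- Replace with the domain logon of the CRM user
where sub.DomainName = 'domain\username'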

Update CRM database
In the screenshots above, we can see that the information in CRM matches what is in AD. If the AD object changes (e.g. the account is deleted and re-created), the GUID and SID in the LDAP results will be different. Using the results from the LDAP query, update the CRM database manually:

Conclusion
The above process applies to most scenarios where an account has had its objectGUID and objectSID changed in AD and CRM has become out of sync with AD. If you didn't disable the account, you are in a better position: simply change the domain username to a dummy account and revert it back. But once an account is disabled you can't enable it again, and in that case you can use the above process to recover the CRM account.

Hope this helps and please leave your feedback.

Wednesday 6 March 2013

Dynamics CRM 2011 Multiple organizations Asynchronous Service Optimization

In a multi-tenant environment where organisations are used as a way of isolating data (e.g. sales team vs IT staff), the Asynchronous service will not balance workload evenly across organisations. If one organisation generates more workflows than the others, it is likely to have an impact on the other organisations' asynchronous jobs, e.g. workflows or data imports taking longer to execute.

The below diagram illustrates the Asynchronous service workload on this scenario:




In the above diagram, the bottleneck is the Sales Organization, which takes 59% of the Asynchronous processing time and delays the execution of the IT staff Organization's workflows.

To avoid this type of bottleneck, we can limit the number of system jobs the Async service picks up per organization by setting AsyncSelectMaxItems with the following PowerShell commands:

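# Load the CRM deployment cmdlets
Add-PSSnapin Microsoft.Crm.PowerShell
# Setting name and value: the Async service picks up at most 100 system jobs per organization
$itemSetting = New-Object 'System.Collections.Generic.KeyValuePair[String,Object]'("AsyncSelectMaxItems",100)
# Deployment-level configuration entity that carries the setting
$configEntity = New-Object "Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity"
$configEntity.LogicalName = "Deployment"
$configEntity.Attributes = New-Object "Microsoft.Xrm.Sdk.Deployment.AttributeCollection"
$configEntity.Attributes.Add($itemSetting)
# Apply the setting to the deployment
Set-CrmAdvancedSetting -Entity $configEntity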

The following diagram illustrates how the asynchronous service would balance the system jobs per organization: