[sukhanchik]

Step 8: Administrator Group addition in VM
Add Local\svc-AXSF$ and Local\AXServiceUser users to the administrator group in each and Every VM
To add to the administrators group follow the below steps
Local\svc-AXSF$ and Local\AXServiceUser


Select Local Users and Group


Click Add to Group to Administrator Group


If you must make changes to accounts or machines, update the ConfigTemplate.xml file in the original infrastructure folder, copy it to this machine and then run the following script.
Update-D365FOGMSAAccounts -ConfigurationFilePath .\ConfigTemplate.xml

Step 9: Self Signed Certificate creations

1. Navigate to the machine that has the infrastructure folder.
2. Run the Below comment to create the Self Signed Certificate:
   .\New-SelfSignedCertificates.ps1 -ConfigurationFilePath .\ConfigTemplate.xml
3. Once the Certificate is created the certificate should be downloaded by running the below script:
   .\Export-PfxFiles.ps1 -ConfigurationFilePath .\ConfigTemplate.xml

Step 10: Setting up the VMs
In order to Setup the VMS for the Service Fabric Cluster Creation, Run the below scripts:
.\Export-Scripts.ps1 -ConfigurationFilePath .\ConfigTemplate.xml


The Script exports VM Machine Folder which has the script which has to Copied to each machine separately

Step 11: Prerequsities Installation:

1. Download the following Microsoft Windows Installers (MSIs) into a file share that is accessible by all VMs.
2. Create a Folder with MSI and Copy all the Requsities Software Folder
   • SNAC – ODBC driver -https://www.microsoft.com/en-us/down....aspx?id=53339
   • Microsoft SQL Server Management Studio 17.5-https://docs.microsoft.com/en-us/sql...nt-studio-ssms
   • Microsoft Visual C++ Redistributable Packages for Microsoft Visual Studio 2013-https://support.microsoft.com/en-us/help/3179560
   • Microsoft Access Database Engine 2010 Redistributable-https://www.microsoft.com/en-us/down....aspx?id=13255
3. Copy the Infrastructure from Folder from Domain Machine to all the Machine VM C folder:
   .\Configure-PreReqs.ps1 -MSIFilePath <path of the MSIs>.
   Replace the Path of the MSI with the Folder path C:\MSI
4. Restart all the VMS after installing the Prerequsities
5. Run the Below Scripts in all VM to set the VM for Service Fabric Cluster.
6. Navigate to C:\InfrastructureScripts-131311\VMs\AOS1 and execute the below comment
   .\Add-GMSAOnVM.ps1
   .\Import-PfxFiles.ps1
   .\Set-CertificateAcls.ps1
7. Once the Powershell Scripts are executed successfully, run the Below script to test whether all the prerequsities are correctly installed and Configured
   
   The script should complete successfully to proceed to the next step.

Step 12 :Set up a standalone Service Fabric cluster

1. Download the Service Fabric standalone installation package onto orch1 Machine. After the zip file is downloaded, unblock it by right-clicking the zip file and then selecting Properties. In the dialog box, select the Unblock check box in the lower right.
2. Unzip the Files to the C:\ Folder
3. Navigate to the infrastructure folder and execute the following command to generate the Service Fabric ClusterConfig.json file.
   .\New-SFClusterConfig.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -TemplateConfig <ServiceFabricStandaloneInstallerPath>\ClusterConfig.X509.MultiMachine.json
4. Copy the generated Clusterconfig.json from the infrastructure folder to the Servicefabric installation extracted Package Folder
5. Now Navigate to the Service fabric and copy the clusterconfig.json file
   
   
6. Navigate to the <ServiceFabricStandaloneInstallerPath> in Windows PowerShell by using elevated privileges. Run the following command to test ClusterConfig.
   .\TestConfiguration.ps1 -ClusterConfigFilePath .\clusterConfig.json
7. Once the test Configuration is successfully executed ,Run the below command to create the Service Fabric Clusture.
   .\CreateServiceFabricCluster.ps1 -ClusterConfigFilePath .\ClusterConfig.json
   
   

Step 13 : Service Fabric cluster Accessibility
After the cluster is created, open the Service Fabric explorer on any client machine to validate the installation.
a. Install the Service Fabric client certificate in CurrentUser\My if it isn't already installed.
b. Go to IE settings > Compatibility Mode, and clear the Display Intranet sites in compatibility mode check box.
c. Go to https://sf.local.com:19080, where sf.local.com is the host name of the Service Fabric cluster that is specified in the zone. If DNS name resolution isn't configured, use the IP address of the machine.
d. Select the client certificate. The Service Fabric explorer page appears.
e. Verify that all nodes are appear as green.

Step 14 : LCS Connectivity for the Tenant

1. Run the below comment to Install AzureRm Module for the LCS connection
   Import-Module AzureRM
   Connect-AzureRmAccount
2. Sign in to the customer's Azure portal to verify that you have the Global Administrator directory role.
3. .\Add-CertToServicePrincipal.ps1 -CertificateThumbprint <OnPremLocalAgent Certificate Thumbprint>
4. Copy the Onpremlocalagent certificate from config template file.

Sometimes the LCS connectivity fails with an error Service Principal not found. This is because I do not have the Microsoft Dynamics ERP application in my Azure Directory. You can activate the trial version for Dynamics 365 for Operations here: Dynamics 365 for Operations Partner Trial.
You need to click on the top right on W ant To add this To existing subscription? - Sign In.

Step 15 : Set Up File Storage
The Purpose of File Storage machine is to download the Installation File from LCS and Store the file in the Share Location to execute.Ideally the Fileshare can be done in the AOS 1 Machine
On the file share machine, run the following command.
Install-WindowsFeature -Name FS-FileServer -IncludeAllSubFeature -IncludeManagementTools.

AOS Storage
a. In Server Manager, select File and Storage Services > Shares.
b. Select Tasks > New Share to create a new share. Name the share aos-storage.
c. Leave Allow caching of share selected.
d. Check Encrypt data access.
e. Grant Modify permissions for every machine in the Service Fabric cluster except OrchestratorType.
f. Grant Modify permissions for the user AOS domain user (Local\AXServiceUser) and the gMSA user (Local\svc-AXSF$).

Agent
a. In Server Manager, select File and Storage Services > Shares.
b. Select Tasks > New Share to create a new share. Name the share agent.
c. Grant Full-Control permissions to the gMSA user for the local deployment agent (Local\svc-LocalAgent$).


Step 16 : Set Up SQL Server.

1. Install SQL Server 2016 SP1 with high availability. (Unless you're deploying in a sandbox environment, where one instance of SQL Server is sufficient. You may want to install SQL Server with high availability in sandbox environments to test high-availability scenarios.)
2. SQL Server Version should be SQL Server 2016 SP1 or SP2 and other versions will not support and we have tested with 2017 version also which didn’t support for our deployment
3. SQL Server should be installed in Cluster Always-On SQL instance for the Performance
4. Run the SQL service as a domain user.

Self-signed certificate for a Single SQL instance
New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -DnsName "SQL1.Local.com" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -Subject "SQL1.Local.com"

Self-signed certificate for an Always-On SQL instance
.\Create-SQLTestCert-AllVMs.ps1 -ConfigurationFilePath .\ConfigTemplate.xml `
-SqlMachineNames SQL1, SQL2 `
-SqlListenerName SQL.LSNR

STEP 17: Enabling SSL Encryption for SQL
Refer the below link for SSL Encryption for SQL
https://support.microsoft.com/en-us/...er-by-using-mi

STEP 18: SQL Configurations
For each node of the SQL cluster, follow these steps. Make sure that you make the changes on the non-active node, and that you fail over to it after changes are made.

1. Import the certificate into LocalMachine\My, unless you are setting up Always-On, in which case the certificate already exists on the node.
2. Grant certificate permissions to the service account that is used to run the SQL service. In Microsoft Management Console (MMC), right-click the certificate (certlm.msc), and then select Tasks > Manage Private Keys
3. Add the certificate thumbprint to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.x\MSSQLServer\SuperSocketNetLib\Certificate.
   For example, with SQL Server 2016 SP1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQLServer\SuperSocketNetLib\Certificate
4. From the start menu, type regedit, then select regedit to open the registry editor. Navigate to the certificate, right-click Modify, then replace the value with the certificate thumbprint.
5. In Microsoft SQL Server Configuration Manager, set ForceEncryption to Yes.
6. SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for [server instance], and then select Properties.
7. In the Protocols for [instance name] Properties dialog box, on the Certificate tab, select the desired certificate from the drop-down menu for the Certificate box, and then click OK.
8. On the Flags tab, in the ForceEncryption box, select Yes, and then click OK
9. Restart the SQL Server service.
10. Export the public key of the certificate (the .cer file), and install it in the trusted root of each Service Fabric node.

STEP 19: Creation of Databases
1. Sign in to LCS.
2. On the dashboard, select the Shared asset library tile.
3. On the Model tab, select the demo data for the release that you want and download the zip file.
4. The zip file contains empty and demo data .bak files. Select the .bak file, based on your requirements. For example, if you require demo data, download the AxBootstrapDB_Demodata.bak file.

5.Once the File is downloaded ,Copy the database on a separate folder in the SQL Machine.
6.Update the Config template file with the file Location of the downloaded Bak file

Copy the infrastructure folder to the SQL Server machine and navigate to it in a PowerShell window with elevate privileges.

Step20: Configure the OrchestratorData database
Execute the following script.
.\Initialize-Database.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ComponentName Orchestrator
This Scripts creates the Orchestrator database for the Purpose of deploying all the applications in the Server Fabric

Main Purpose of Orchestrator Database

• Create an empty database named OrchestratorData. This database is used by the on-premises local agent to orchestrate deployments.
• Grant the local agent gMSA (svc-LocalAgent$) db_owner permissions on the database.

Step21: Configure the Finance and Operations database
Execute the Following Script
.\Initialize-Database.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ComponentName AOS
.\Configure-Database.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ComponentName AOS

The Initialize-Database.ps1 script will do the following:
a. Restore the database from the specified backup file.
b. Create a new user that has SQL authentication enabled (axdbadmin).
c. Map users to database roles based on the following table for AXDB.

d. Map users to database roles based on the following table for TempDB.


The Configure-Database.ps1 script will do the following:
a. Set READ_COMMITTED_SNAPSHOT ON
b. Set ALLOW_SNAPSHOT_ISOLATION ON
c. Set the specified database file and log settings
d. GRANT VIEW SERVER STATE TO axdbadmin
e. GRANT VIEW SERVER STATE TO [Local\svc-AXSF$]

Run the following command to reset the database users.
.\Reset-DatabaseUsers.ps1 -DatabaseServer SQL.LSNR.Local -DatabaseName AXDB