Configuring certificates for D365 On-premises installation

If you are generating certificates using PowerShell script, and you are looking to generate certificate with more than 1 years of validity period, you may want to modify PowerShell script named as New-SelfSignedCertificates.ps1. This is located under infrastructure folder of LCS Scripts that you downloaded initially.

To do this, you can add one line of code in the given PS script. It will be around line 117 as following.

$commandArgs["NotAfter"] = (Get-Date).AddYears(5).ToString('dd-MM-yyyy')

Add this line just above the FriendlyName Parameter.

Please remember to change two values as per need

1. Number of years such as I am giving 5 in my example i.e. add 5 years in today's date. You can add here any value of your need. Also you can add days or months etc. instead of adding Years.
2. Keep date format as per need. I am not in USA so I wouldn’t keep Month before the day.

Once you are done with the changes, just save these and you should be ready to execute the PS Script, resulting in certificates with your needed expiry date.

Please note that you may want to grab certificates form a well-approved vendor as specified by Microsoft for your production system.

https://community.dynamics.com/365/financeandoperations/b/microsoftdynamicsaxextensions/archive/2018/01/26/configuring-certificates-for-d365-on-perm-installation

Unable to remove the service fabric due to there are 2 primary nodes.

Config validation: There should be exactly one NodeType marked as primary. Currently there are Best Practices Analyzer determined evironment has an issue. Please see additional BPA log output RemoveCluster Exception: System.Fabric.FabricValidationException: Cluster Setup cancelled due to analyzer. Inspect details in DeploymentTrace

Error at Publish-ADFSApplicationGroup.ps1 when publish ADFS

Error at Publish-ADFSApplicationGroup.ps1

Failed at step 18. Configure ADFS:

https://docs.microsoft.com/en-us/dynamics365/unified-operations/dev-itpro/deployment/setup-deploy-on-premises-pu12#configureadfs

There is only 2 applications have been installed in the Application Group:

Grant-AdfsApplicationPermission : MSIS7628: Scope names should be a valid Scope Description name in AD FS configuration.
At \\dc\Share\InfrastructureScripts-367323\D365FO-OP-ADFSAppliationGrouppsm1: 204 char:5

Solution: 

In ADFS Management
ADFS >> Service >> Scope Descriptions >> Add new
allAtClaims >> OK

Delete Application and publish it again.

Error at .\Add-CertToServicePrincipal.ps1 : Update to existing credential with KeyId 'xxx' is not allowed.

Error at .\Add-CertToServicePrincipal.ps1 -CertificateThumprint ...


New-AzureRmADSpCredential : Update to existing credential with KeyId 'xxx' is not allowed.
At \

Solution:

Remove-AzureRmADSpCredential -ServicePrincipalName "00000015-0000-0000-c000-000000000000" -KeyId xxx

Error at Test-D365CFOConfiguration.ps1 on AOS1: Regkeys haven't been added

Error at Test-D365CFOConfiguration.ps1 on AOS1:

Stop-D365FOServies: The following services still need to be stopped/disabled: [WAS], [W3SVC]
At \\dc\Share\InfrastructureScripts-367323\VMs\aos1\Configure-PreReqs.ps1:236 char:2
.
.
.
Register0D365FOStrongName : The following RegKeys haven't been added in order to disable strong name verification: [HKLM:\SOFTWARE\Microsoft\StrongName\Verification\*,a7cf325ee2c8a9ff]

SOLUTION:
.\Configure-PreReqs.ps1 -MSIFilePath \\DC\share\Tools
Then restart the VM >> TestConfiguration again.

Removing AzureCredential keeps looping

For some reason, you might have more than 1 Credentials.

Error: When you tried to Remove Credential A, system will return an error saying that cannot update the Credential B. Then if you try to remove Credential B, another error says Cannot Remove

Message: Update to existing credential with KeyId 'xxx' is not allowed.



Solution: This script will remove your all current certificates from a particular Service Principal

Remove-AzureRmADSpCredential -ServicePrincipalName "00000015-0000-0000-c000-000000000000"

https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/remove-azurermadspcredential?view=azurermps-6.13.0

Deployment failed due to FinancialReporting Issue

Message: Module FinancialReporting failed

Detail:

System.InvalidOperationException: An error was encountered. Details may be found in the deployment logs at 'C:\ProgramData\Microsoft Dynamics ERP\Management Reporter\Logs' System.ServiceModel.FaultException 1 [Microsoft.Dynamics.Performance.Common.Contract.Reporting.ServiceFault]: (Faul Detail is equal to Microsoft.Dynamics.Performance.Common.Contract.Reporting.ServiceFault). at Microsoft.Dynamics.Performance.Deployment.FinancialReportingDeployer.Program.Main(String[]args) at System.AppDomain._nExecuteAssembly(RuntimeAssembly assembly, String[] args) at System.AppDomain.ExecuteAssembly(String assemblyFile, String[] args) at System.AppDomain.ExecuteAssembly(String  assemblyFile, String[] args) at SetupCore.SetupManager.LaunchProcessInAppDomain(String startupExe, String workingDir, StringcurrentFolder, String[] moduleArgs) at SetupCore.Setupmanager.<>c_DisplayClass12_1.<InvokeModules>b__6()

ErrorCode: 0

MemberName: ErrorPrettify

SourceFile E:\Work\131\s\Source\LocalAgentEvents\LocalAgentEventSource.cs 

SourceLineNumber: 79

Solution

Check the FinancialReporting database if there are reports not checked out: 

  

select * from reporting.ControlReport where CheckedOutTo is not null 

If the query returns something then we can run those scripts for FinancialReporting: 

update Reporting.ControlReport 

set CheckedOutTo = null 

update Reporting.ControlRowMaster 

set CheckedOutTo = null 

update Reporting.ControlColumnMaster 

set CheckedOutTo = null 

update Reporting.ControlTreeMaster 
set CheckedOutTo = null