Set up and deploy on-premises environments (Platform update 12)

This topic describes how to plan your deployment, set up the infrastructure, and deploy Microsoft Dynamics 365 for Finance and Operations, Enterprise edition (on-premises), Platform update 12. For details about the setup changes in Platform update 12, see What's new or changed in on-premises deployments with Platform update 12.

Important

This topic applies only to deploying on-premises environments on Platform update 12. For information about deploying to Platform update 8 or Platform update 11 installations, see Set up and deploy on-premises environments (Platform updates 8 and 11).

The Local Business Data Yammer group is now available. You can post questions or feedback you may have about the on-premises deployment there.

If you have questions or feedback about the content in this topic, please post them in the Comments section at the bottom of this page.

Finance and Operations components

The Finance and Operations application consists of three main components:

  • Application Object Server (AOS)
  • Business Intelligence (BI)
  • Financial Reporting/Management Reporter

These components depend on the following system software:

  • Microsoft Windows Server 2016 (only English OS installations are supported)

  • Microsoft SQL Server 2016 SP1, which has the following features:

    • Full-text index search is enabled.

    • SQL Server Reporting Services (SSRS) - This is deployed on BI virtual machines.

    • SQL Server Integration Services (SSIS) - This is deployed on AOS virtual machines.

      Warning

      Full Text Search must be enabled.

  • SQL Server Management Studio

  • Standalone Microsoft Azure Service Fabric

  • Microsoft Windows PowerShell 5.0 or later

  • Active Directory Federation Services (AD FS) on Windows Server 2016

  • Domain controller

    Warning

    The domain controller must be Microsoft Windows Server 2012 R2 or later and must have a domain functional level of 2012 R2 or more. For more information about domain functional levels, see the following topics:

Lifecycle Services

Finance and Operations bits are distributed through Microsoft Dynamics Lifecycle Services (LCS). Before you can deploy, you must purchase license keys through the Enterprise Agreements channel and set up an on-premises project in LCS. Deployments can be initiated only through LCS. For more information about how to set up on-premises projects in LCS, see Create an on-premises project in Lifecycle Services.

Authentication

The on-premises application works with AD FS. To interact with LCS, you must also configure Azure Active Directory (AAD). To complete the deployment and configure the LCS Local agent, you will need AAD. If you do not already have an AAD tenant, you can get one for free by using one of the options provided by AAD. For more information, see How to get an Azure Active Directory tenant.

Standalone Service Fabric

Finance and Operations uses standalone Service Fabric. For more information, see the Service Fabric documentation.

Setup of Finance and Operations will deploy a set of applications inside Service Fabric (SF). During deployment, each node in the cluster will be defined via configuration to have one of the following node types:

  • AOSNodeType - Hosts the application object server (business logic).
  • OrchestratorType - Functions as Service Fabric primary nodes, and hosts deployment- and servicing logic.
  • ReportServerType - Hosts SSRS and reporting logic.
  • MRType - Hosts management reporting logic.

Infrastructure

Finance and Operations is designed to work on a Hyper-V virtualized environment that is based on Windows Servers.

Warning

On-premises deployments of Microsoft Dynamics 365 for Finance and Operations are not supported on any public cloud infrastructure, including Azure.

The hardware configuration includes the following components:

  • Standalone Service Fabric cluster that is based on Windows Server 2016 virtual machines (VMs)
  • Microsoft SQL Server (both Clustered SQL and Always-On are supported)
  • AD FS for authentication
  • Server Message Block (SMB) version 3 file share for storage
  • Optional: Microsoft Office Server 2017

For more information, see System requirements.

Hardware layout

Plan your infrastructure and Service Fabric cluster based on the recommended sizing in Hardware sizing for on-premises environments. For more information about how to plan the Service Fabric cluster, see Plan and prepare your Service Fabric standalone cluster deployment.

The following table shows an example of a hardware layout. This example is used throughout this topic to illustrate the setup. You will need to replace the machine names and IP addresses given in the following instructions with the names and IP addresses for the machines in your environment.

Note

The Primary node of the Service Fabric cluster must have at least three nodes. In this example, OrchestratorType is designated as the Primary node type.

Machine purpose SF Node type Machine name IP address
Domain controller DAX7SQLAODC1 10.179.108.2
AD FS DAX7SQLAOADFS1 10.179.108.3
File server DAX7SQLAOFILE1 10.179.108.4
SQL Always-On cluster DAX7SQLAOSQLA01 10.179.108.5
DAX7SQLAOSQLA02 10.179.108.6
DAX7SQLAOSQLA 10.179.108.9
Client SQLAOCLIENT1 10.179.108.11
AOS 1 AOSNodeType SQLAOSF1AOS1 10.179.108.12
AOS 2 AOSNodeType SQLAOSF1AOS2 10.179.108.13
AOS 3 AOSNodeType SQLAOSF1AOS3 10.179.108.14
Orchestrator 1 OrchestratorType SQLAOSF1ORCH1 10.179.108.15
Orchestrator 2 OrchestratorType SQLAOSF1ORCH2 10.179.108.16
Orchestrator 3 OrchestratorType SQLAOSF1ORCH3 10.179.108.17
Management Reporter node MRType SQLAOSMR1 10.179.108.18
SSRS node ReportServerType SQLAOSFBIN1 10.179.108.10

Setup

Prerequisites

Before you start the setup, the following prerequisites must be in place. The setup of these prerequisites is out of scope for this document.

  • Active Directory Domain Services (AD DS) must be installed and configured in your network.
  • AD FS must be deployed.
  • SQL Server 2016 SP1 must be installed on the SSRS machines.
  • SQL Server Reporting Services 2016 must be installed in Native mode on the SSRS machines.

The following prerequisite software is installed on the VMs by the infrastructure setup scripts downloaded from LCS.

Node type Component Details
AOS SNAC – ODBC driver 13 https://www.microsoft.com/en-us/download/details.aspx?id=53339
AOS SNAC – ODBC driver 17 This driver is needed for upgrading to PU15 or higher: https://www.microsoft.com/en-us/download/details.aspx?id=56567
AOS The Microsoft .NET Framework version 2.0–3.5 (CLR 2.0) Windows Features: NET-Framework-Features, NET-Framework-Core, NET-HTTP-Activation, NET-Non-HTTP-Activ
AOS The Microsoft .NET Framework version 4.0–4.6 (CLR 4.0) Windows Features: NET-Framework-45-Features, NET-Framework-45-Core, NET-Framework-45-ASPNET, NET-WCF-Services45, NET-WCF-TCP-PortSharing45
AOS Internet Information Services (IIS) Windows Features: WAS, WAS-Process-Model, WAS-NET-Environment, WAS-Config-APIs, Web-Server, Web-WebServer, Web-Security, Web-Filtering, Web-App-Dev, Web-Net-Ext, Web-Mgmt-Tools, Web-Mgmt-Console
AOS SQL Server Management Studio 17.2 https://go.microsoft.com/fwlink/?linkid=854085
AOS Microsoft Visual C++ Redistributable Packages for Microsoft Visual Studio 2013 https://support.microsoft.com/en-us/help/3179560
AOS Microsoft Access Database Engine 2010 Redistributable https://www.microsoft.com/en-us/download/details.aspx?id=13255
BI .NET Framework version 2.0–3.5 (CLR 2.0) Windows features: NET-Framework-Features, NET-Framework-Core, NET-HTTP-Activation, NET-Non-HTTP-Activ
BI .NET Framework version 4.0–4.6 (CLR 4.0) Windows features: NET-Framework-45-Features, NET-Framework-45-Core, NET-Framework-45-ASPNET, NET-WCF-Services45, NET-WCF-TCP-PortSharing45
BI SQL Server Management Studio 17.2 https://go.microsoft.com/fwlink/?linkid=854085
MR .NET Framework version 2.0–3.5 (CLR 2.0) Windows features: NET-Framework-Features, NET-Framework-Core, NET-HTTP-Activation, NET-Non-HTTP-Activ
MR .NET Framework version 4.0–4.6 (CLR 4.0) Windows features: NET-Framework-45-Features, NET-Framework-45-Core, NET-Framework-45-ASPNET, NET-WCF-Services45, NET-WCF-TCP-PortSharing45
MR Visual C++ Redistributable Packages for Visual Studio 2013 https://support.microsoft.com/en-us/help/3179560

Overview

The following steps must be completed to set up the infrastructure for Finance and Operations. Reading all the steps before you begin will make it easier to plan your setup.

  1. Plan your domain name and DNS zones
  2. Plan and acquire your certificates
  3. Plan your users and service accounts
  4. Create DNS zones, and add A records
  5. Join VMs to the domain
  6. Download setup scripts from LCS
  7. Describe your configuration
  8. Configure certificates
  9. Setup VMs
  10. Set up a standalone Service Fabric cluster
  11. Configure LCS connectivity for the tenant
  12. Set up file storage
  13. Set up SQL Server
  14. Configure the databases
  15. Encrypt credentials
  16. Set up SSIS
  17. Set up SSRS
  18. Configure AD FS
  19. Configure a connector and install an on-premises local agent
  20. Tear down CredSSP, if remoting was used
  21. Deploy your Finance and Operations (on-premises) environment from LCS
  22. Connect to your Finance and Operations (on-premises) environment

1. Plan your domain name and DNS zones

We recommend that you use a publicly registered domain name for your production installation of AOS. In that way, the installation can be accessed outside the network, if outside access is required.

For example, if your company's domain is contoso.com, your zone for Finance and Operations (on-premises) might be d365ffo.onprem.contoso.com, and the host names might be as follows:

  • ax.d365ffo.onprem.contoso.com for AOS machines
  • sf.d365ffo.onprem.contoso.com for the Service Fabric cluster

2. Plan and acquire your certificates

Secure Sockets Layer (SSL) certificates are required in order to secure a Service Fabric cluster and all the applications that are deployed. For your production and sandbox workloads, we recommend that you acquire certificates from a certificate authority (CA) such as DigiCert, Comodo, Symantec, GoDaddy, or GlobalSign. If your domain is set up with Active Directory Certificate Services (AD CS), you can create the certificates through AD CS. Each certificate must contain a private key that was created for key exchange, and it must be exportable to a Personal Information Exchange (.pfx) file.

Self-signed certificates can be used only for testing purposes. For convenience, the setup scripts provided in LCS include scripts that generate and export self-signed certificates. If you are using self-signed scripts, you will be instructed to run the creation scripts in later steps. As we've mentioned, these certificates can be used for testing purposes only.

Purpose Explanation Additional requirements
SQL Server SSL certificate This certificate is used to encrypt data that is transmitted across a network between an instance of SQL Server and a client application. The domain name of the certificate should match the fully-qualified domain name (FQDN) of the SQL Server instance or listener. For example, if the SQL listener is hosted on the machine DAX7SQLAOSQLA, the certificate's DNS name is DAX7SQLAOSQLA.contoso.com.
Service Fabric Server certificate

This certificate is used to help secure the node-to-node communication between the Service Fabric nodes.

This certificate is also used as the Server certificate that is presented to the client that connects to the cluster.

You can use the SSL wild card certificate of your domain. For example, *.contoso.com. Note: The wild card certificate allows you to secure only the first level subdomain of the domain to which it is issued.

In this example, because your service fabric domain is sf.d365ffo.onprem.contoso.com, you must include this as a Subject Alternative Name (SAN) in the certificate. You will need to work with your certificate authority to acquire the additional SANs.

Service Fabric Client certificate This certificate is used by clients to view and manage the Service Fabric cluster.
Encipherment Certificate This certificate is used to encrypt sensitive information such as the SQL Server password and user account passwords.

The certificate must be created by using the provider Microsoft Enhanced Cryptographic Provider v1.0.

The certificate key usage must include Data Encipherment (10) and should not include Server authentication or Client authentication.

For more information, see Managing secrets in Service Fabric applications.

AOS SSL Certificate

This certificate is used as the Server certificate that is presented to the client for the AOS website. It's also used to enable Windows Communication Foundation (WCF)/Simple Object Access Protocol (SOAP) certificates.

You can use the same wild card certificate that you used as the Service Fabric Server certificate.

In this example, the domain name ax.d365ffo.onprem.contoso.com must be added to the Subject Alternative Name (SAN) as in the Service Fabric Server certificate.

Session Authentication certificate This certificate is used by AOS to help secure a user's session information. This certificate is also the File Share certificate that will used at the time of deployment from LCS.
Data Encryption certificate This certificate is used by the AOS to encrypt sensitive information. This must be created using the provider Microsoft Enhanced RSA and AES Cryptographic Provider.
Data Signing certificate This certificate is used by AOS to encrypt sensitive information. This is separate from the Data Encryption certificate and must be created using the provider Microsoft Enhanced RSA and AES Cryptographic Provider.
Financial Reporting client certificate This certificate is used to help secure the communication between the Financial Reporting services and the AOS.
Reporting certificate This certificate is used to help secure the communication between SSRS and the AOS. Do not reuse the Financial Reporting Client certificate.
On-Premise local agent certificate

This certificate is used to help secure the communication between a local agent that is hosted on-premises and on LCS.

This certificate enables the local agent to act on behalf of your Azure AD tenant, and to communicate with LCS to orchestrate and monitor deployments.

Note: Only 1 on-premise local agent certificate is needed for a tenant.

The following is an example of a Service Fabric Server certificate combined with an AOS SSL certificate.

Subject name

CN = *.d365ffo.onprem.contoso.com

Subject alternative names

DNS Name=ax.d365ffo.onprem.contoso.com
DNS Name=sf.d365ffo.onprem.contoso.com
DNS Name=*.d365ffo.onprem.contoso.com

3. Plan your users and service accounts

You must create several user or service accounts for Finance and Operations (on-premises) to work. You must create a combination of group managed service accounts (gMSAs), domain accounts, and SQL accounts. The following table shows the user accounts, their purpose, and example names that will be used in this topic.

User account Type Purpose User name
Financial Reporting Application Service Account gMSA Contoso\svc-FRAS$
Financial Reporting Process Service Account gMSA Contoso\svc-FRPS$
Financial Reporting Click Once Designer Service Account gMSA Contoso\svc-FRCO$
AOS Service Account gMSA This user should be created for future-proofing. We plan to enable AOS to work with the gMSA in upcoming releases. By creating this user at the time of setup, you will help to ensure a seamless transition to the gMSA. Contoso\svc-AXSF$
AOS Service Account Domain account AOS uses this user in the general availability (GA) release. Contoso\AXServiceUser
AOS SQL DB Admin user SQL user Finance and Operations uses this user to authenticate with SQL*. This user will also be replaced by the gMSA user in upcoming releases. AXDBAdmin
Local Deployment Agent Service Account gMSA This account is used by the local agent to orchestrate the deployment on various nodes. Contoso\Svc-LocalAgent$

* The SQL user name and password for SQL authentication are secured because they are encrypted and stored in the file share.

4. Create DNS zones and add A records

DNS is integrated with AD DS, and lets you organize, manage, and find resources in a network. The following instructions provide steps to create a DNS forward lookup zone and A records for the AOS host name and Service Fabric cluster. In this example setup, the DNS zone name is d365ffo.onprem.contoso.com, and the A records/host names are as follows:

  • ax.d365ffo.onprem.contoso.com for AOS machines
  • sf.d365ffo.onprem.contoso.com for the Service Fabric cluster

Add a DNS zone

Use the following procedure to add a DNS zone.

  1. Sign in to the domain controller machine, select Start, and start DNS Manager by typing dnsmgmt.msc and selecting the dnsmgmt (DNS) application.
  2. Right-click the domain controller name in the console tree, and then select New Zone > Next.
  3. Select Primary Zone.
  4. Leave the Store the zone in Active Directory (available only if the DNS Server is a writeable domain controller check box selected, and then select Next.
  5. Select To all DNS Servers running on Domain Controllers in this domain: Contoso.com, and then select Next.
  6. Select Forward Lookup Zone, and then select Next.
  7. Enter the zone name for your setup, and then select Next. For example, enter d365ffo.onprem.contoso.com.
  8. Select Do not allow dynamic updates, and then select Next.
  9. Select Finish.

Set up an A record for AOS

In the new DNS zone, create one A record that is named ax.d365ffo.onprem.contoso.com for each Service Fabric cluster node of the AOSNodeType type. Don't create A records for the other node types.

  1. Find the newly created zone under the Forward Lookup Zones folder in DNS Manager.
  2. Right-click the new zone, and then select New Host.
  3. Enter the name and IP address of the Service Fabric node. (For example, enter ax as the name and enter 10.179.108.12 as the IP address.) Select Add Host.
  4. Do not select either check box.
  5. Repeat steps 1-4 for each AOS node.

Set up an A record for the orchestrator

In the new DNS zone, create an A record that is named sf.d365ffo.onprem.contoso.com for each Service Fabric cluster node of the OrchestratorType type. Don't create A records for the other node types.

  1. Right-click the new zone, and then select New Host.
  2. Enter the name and IP address of the Service Fabric node. (For example, enter sf as the name and enter 10.179.108.15 as the IP address.) Select Add Host.
  3. Do not select either check box.
  4. Repeat for each Orchestrator node.

5. Join VMs to the domain

Join each VM to the domain by completing the steps in the Join a Computer to a Domain document. Alternatively, use the following Windows PowerShell script.

$domainName = Read-Host -Prompt 'Specify domain name (ex: contoso.com)'
Add-Computer -DomainName $domainName -Credential (Get-Credential -Message 'Enter domain credential')

Important

You must restart the VMs after you join them to the domain.

6. Download setup scripts from LCS

We have provided several scripts to help improve the setup experience. Follow these steps to download the setup scripts from LCS.

Important

The scripts must be executed from a computer in the same domain that the on-premises infrastructure is in.

  1. Sign in to LCS.
  2. On the dashboard, select the Shared asset library tile.
  3. On the Model tab, in the grid, select the Dynamics 365 for Operations on-premises - Deployment scripts row.
  4. Select Versions, and then download the latest version of the zip file for the scripts.

    Note

    If you need the older version for Platform update 8 or Platform update 11, download version 1.

  5. Right-click the zip file, and then select Properties. In the dialog box, select the Unblock check box.
  6. Copy the zip file to the machine that will be used to execute the scripts.
  7. Unzip the files into a folder that is named infrastructure.

Important

Ensure all edits are made to the ConfigTemplate.xml file in this folder.

7. Describe your configuration

The infrastructure setup scripts use the following configuration files to drive the setup.

  • infrastructure\ConfigTemplate.xml
  • infrastructure\D365FO-OP\NodeTopologyDefintion.xml
  • infrastructure\D365FO-OP\DatabaseTopologyDefintion.xml

Note

Configuration files must be updated based on your environment for the setup scripts to work correctly. Be sure to update these files with the proper computer names, IP addresses, service accounts, and domain based on your setup.

infrastructure\ConfigTemplate.xml describes:

  • Service Accounts that are needed for the application to operate

  • Certificates necessary for securing communications

  • Database configuration

  • Service Fabric cluster configuration

    Important

    Make sure that there are three fault domains for OrchestratorType when you configure Service Fabric cluster. Make sure that no more than one type of node is deployed in a single machine when you configure Service Fabric cluster.

For each Service Fabric node type, infrastructure\D365FO-OP\NodeTopologyDefinition.xml describes:

  • The mapping between each node type and the application, domain and service accounts, and certificates.
  • Whether to enable the UAC.
  • Prerequisites for Windows features and system software.
  • Whether strong name validation should be enabled.
  • List of firewall ports to be opened.

For each database, infrastructure\D365FO-OP\DatabaseTopologyDefinition.xml describes:

  • The database settings.
  • The mappings between users and roles.

Create gMSA and domain user accounts

  1. Navigate to the machine that has the unzipped infrastructure scripts in the infrastructure folder.

  2. Copy the infrastructure folder to the domain controller machine.

  3. Start Windows PowerShell in elevated mode, change the directory to the infrastructure folder, and run the following commands.

    Important

    The following script doesn't create a domain user AxServiceUser for you. You must create it yourself.

    Import-Module .\D365FO-OP\D365FO-OP.psd1
    New-D365FOGMSAAccounts -ConfigurationFilePath .\ConfigTemplate.xml
    
  4. Add the AOS Service Accounts, Contoso\svc-AXSF$ and Contoso\AXServiceUser to the local administrators group for all AOS machines. For more information, see Add a member to local group.

  5. If you must make changes to accounts or machines, update the ConfigTemplate.xml file in the original infrastructure folder, copy it to this machine and then run the following script.

    Update-D365FOGMSAAccounts -ConfigurationFilePath .\ConfigTemplate.xml
    

8. Configure certificates

  1. Navigate to the machine that has the infrastructure folder.

  2. If you must generate self-signed certificates, run the following command. The script will create the certificates, put them in the CurrentUser\My certificate store on the machine, and update the thumbprints in the XML file.

    # Create self-signed certs
    .\New-SelfSignedCertificates.ps1 -ConfigurationFilePath .\ConfigTemplate.xml
    

    If you must reuse any certificates and therefore don't have to generate certificates for them, set the generateSelfSignedCert tag to false.

  3. If you're using SSL certificates that were already generated, skip the Certificate generation and update the thumbprints in the configTemplate.xml file. The certificates need to be installed in the CurrentUser\My store and their private keys must be exportable.

Warning

Because of a leading not-printable special character, which is difficult to determine when present, the cert manager should not be used to copy thumbprints. If the not-printable special character is present, you will get the error, X509 certificate not valid. To retrieve the thumbprints, see results from PowerShell commands or run the following commands in PowerShell.

dir cert:\CurrentUser\My
dir cert:\LocalMachine\My
dir cert:\LocalMachine\Root
  1. Specify a semi-colon separated list of users or groups in the ProtectTo tag for each certificate. Only Active directory users and groups specified in the ProtectTo tag will have permissions to import the certificates that are exported using the scripts. Passwords are not supported by the script to protect the exported certificates

  2. Export the certificates into .pfx files.

    # Exports Pfx files into a directory VMs\<VMName>, all the certs will be written to infrastructure\Certs folder.
    .\Export-PfxFiles.ps1 -ConfigurationFilePath .\ConfigTemplate.xml
    

9. Setup VMs

  1. Export the scripts that must be run on each VM.

    # Exports the script files to be execute on each VM into a directory VMs\<VMName>.
    .\Export-Scripts.ps1 -ConfigurationFilePath .\ConfigTemplate.xml
    
  2. Download the following Microsoft Windows Installers (MSIs) into a file share that is accessible by all VMs.

Component Download link
SNAC – ODBC driver 13 https://www.microsoft.com/en-us/download/details.aspx?id=53339
SNAC – ODBC driver 17 https://www.microsoft.com/en-us/download/details.aspx?id=56567
Microsoft SQL Server Management Studio 17.5 https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms
Microsoft Visual C++ Redistributable Packages for Microsoft Visual Studio 2013 https://support.microsoft.com/en-us/help/3179560
Microsoft Access Database Engine 2010 Redistributable https://www.microsoft.com/en-us/download/details.aspx?id=13255

Follow these steps for each VM, or use remoting from a single machine

Note

The following section requires execution on multiple VMs. This process can be eased by using the supplied remoting scripts, which provide the option of running the necessary scripts from a single machine, such as the same machine used to execute .\Export-Scripts.ps1. The remoting scripts, when available, are declared after a "# If Remoting" comment in the PowerShell sections. When the remoting scripts are used, you may not need to execute the remaining scripts in a section, please see the section text for cases such as that. Remoting uses WinRM and requires CredSSP to be enabled in certain cases. The enabling and disabling of CredSSP is handled by the remoting module on a per-execution basis. Keeping CredSSP enabled when it is not in use is not advised, as it introduces security risks in the shape of credential theft. See the Tear down CredSSP section when you are finished setting up.

  1. Copy the contents of each infrastructure\VMs<VMName> folder into the corresponding VM (if remoting scripts are used, they will automatically copy the content to the target VMs), and then run the following scripts as an Administrator.

    # Install pre-req software on the VMs.
    
    # If Remoting, execute
    # .\Configure-PreReqs-AllVMs.ps1 -MSIFilePath <share folder path of the MSIs> -ConfigurationFilePath .\ConfigTemplate.xml
    
    .\Configure-PreReqs.ps1 -MSIFilePath <path of the MSIs>
    

    Important

    1. Each time you are prompted, restart the machine. Make sure that you rerun the .\Configure-PreReqs.ps1 script after each restart until all of the prerequisites are installed. In the case of remoting, rerun the AllVMs script when all of the machines are back online.
    2. When you use the remoting script, ensure that the current user has access to the share folder of MSIs.
    3. When you use the remoting script, ensure no user is accessing the AOSNoteType, MRType, and ReportServerType type machines. Otherwise, the remoting script will fail to restart the computer because of the users being logged on to the computer.
  2. Run the following scripts, if they exist, to complete the VM setup.

    # If Remoting, only execute
    # .\Complete-PreReqs-AllVMs.ps1 -ConfigurationFilePath .\ConfigTemplate.xml
    
    .\Add-GMSAOnVM.ps1
    .\Import-PfxFiles.ps1
    .\Set-CertificateAcls.ps1
    
  3. Run the following script to validate the VM setup.

    # If Remoting, execute
    # .\Test-D365FOConfiguration-AllVMs.ps1 -ConfigurationFilePath .\ConfigTemplate.xml
    
    .\Test-D365FOConfiguration.ps1 
    

Important

If remoting was used, be sure to execute the clean up steps when the setup is complete. See the 20. Tear down CredSSP section.

10. Set up a standalone Service Fabric cluster

  1. Download the Service Fabric standalone installation package onto one of your Service Fabric nodes. After the zip file is downloaded, unblock it by right-clicking the zip file and then selecting Properties. In the dialog box, select the Unblock check box in the lower right.

  2. Copy the zip file to one of the nodes in the Service Fabric cluster, and unzip it. Ensure the infrastructure folder has access to this folder.

  3. Navigate to the infrastructure folder and execute the following command to generate the Service Fabric ClusterConfig.json file.

    .\New-SFClusterConfig.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -TemplateConfig <ServiceFabricStandaloneInstallerPath>\ClusterConfig.X509.MultiMachine.json
    
  4. Additional modifications to your cluster configuration may be necessary based on your environment. For more information, see, Step 1B: Create a multi-machine cluster, Secure a standalone cluster on Windows using X.509 certificates, and Create a standalone cluster running on Windows Server.

  5. Copy the generated ClusterConfig.json file to the <ServiceFabricStandaloneInstallerPath>.

  6. Navigate to the <ServiceFabricStandaloneInstallerPath> in Windows PowerShell by using elevated privileges. Run the following command to test ClusterConfig.

    .\TestConfiguration.ps1 -ClusterConfigFilePath .\clusterConfig.json
    
  7. If the test is successful, run the following command to deploy the cluster.

    .\CreateServiceFabricCluster.ps1 -ClusterConfigFilePath .\ClusterConfig.json
    
  8. After the cluster is created, open the Service Fabric explorer on any client machine to validate the installation.

    1. Install the Service Fabric client certificate in CurrentUser\My if it isn't already installed.
    2. Go to IE settings > Compatibility Mode, and clear the Display Intranet sites in compatibility mode check box.
    3. Go to https://sf.d365ffo.onprem.contoso.com:19080, where sf.d365ffo.onprem.contoso.com is the host name of the Service Fabric cluster that is specified in the zone. If DNS name resolution isn't configured, use the IP address of the machine.
    4. Select the client certificate. The Service Fabric explorer page appears.
    5. Verify that all nodes are appear as green.

    Important

    If your client machine is a server machine like Windows Server 2016, you must turn off the IE Enhanced Security Configuration when you access the Service Fabric explorer page. If any antivirus software is installed, ensure you set exclusion following the guidance in the Service Fabric documentation.

11. Configure LCS connectivity for the tenant

Deployment and servicing of Finance and Operations is orchestrated through LCS by using an on-premises local agent. To establish connectivity from LCS to the Finance and Operations tenant, you must configure a certificate that enables the local agent to act on behalf on your Azure AD tenant (for example, Contoso.onmicrosoft.com).

Use the on-premises agent certificate that you acquired from a certificate authority or the self-signed certificate that you generated by using scripts.

The on-premises agent certificate can be reused across multiple sandbox and production environments per tenant.

Only user accounts that have the Global Administrator directory role can add certificates to authorize LCS. By default, the person who signs up for Microsoft Office 365 for your organization is the global administrator for the directory.

Important

You must configure the certificate exactly one time per tenant. All on-premises environments can use the same certificate to connect with LCS. If you run this in a server machine like Windows Server 2016, you must turn off the IE Enhanced Security Configuration temporarily. If you don't, the Azure login window content will be blocked.

  1. Download and install the latest version of Azure PowerShell on a client machine. For more information, see Install and configure Azure PowerShell.
  2. Sign in to the customer's Azure portal to verify that you have the Global Administrator directory role.
  3. Run the following script from the Infrastructure folder.
    .\Add-CertToServicePrincipal.ps1 -CertificateThumbprint <OnPremLocalAgent Certificate Thumbprint>
    

12. Set up file storage

You must set up the following SMB 3.0 file shares:

  • A file share that stores user documents that are uploaded to AOS (for example, \\DAX7SQLAOFILE1\aos-storage).

  • A file share that stores the latest build and configuration files to orchestrate the deployment (for example, \\DAX7SQLAOFILE1\agent).

    Warning

    Keep this file share path as short as possible to avoid exceeding the maximum path length on the files that will be put in the share.

For information about how to enable SMB 3.0, see SMB Security Enhancements.

Important

  • Secure dialect negotiation can't detect or prevent downgrades from SMB 2.0 or 3.0 to SMB 1.0. Therefore, we strongly recommend that you disable the SMB 1.0 server. By disabling the SMB 1.0 server, you can take advantage of the full capabilities of SMB encryption.
  • To help ensure that your data is protected while it's at rest in your environment, BitLocker Drive Encryption must be enabled on every machine. For information about how to enable BitLocker, see BitLocker: How to deploy on Windows Server 2012 and later.
  1. On the file share machine, run the following command.

    Install-WindowsFeature -Name FS-FileServer -IncludeAllSubFeature -IncludeManagementTools
    
  2. Follow these steps to set up the \\DAX7SQLAOFILE1\aos-storage file share:

    1. In Server Manager, select File and Storage Services > Shares.

    2. Select Tasks > New Share to create a new share. Name the share aos-storage.

    3. Leave Allow caching of share selected.

    4. Check Encrypt data access.

    5. Grant Modify permissions for every machine in the Service Fabric cluster except OrchestratorType.

    6. Grant Modify permissions for the user AOS domain user (contoso\AXServiceUser) and the gMSA user (contoso\svc-AXSF$).

      Note

      You may need to enable Computers under Object Types to add machines or enable Service Accounts under Object Types to add service accounts.

  3. Follow these steps to set up the \\DAX7SQLAOFILE1\agent file share:

    1. In Server Manager, select File and Storage Services > Shares.
    2. Select Tasks > New Share to create a new share. Name the share agent.
    3. Grant Full-Control permissions to the gMSA user for the local deployment agent (contoso\svc-LocalAgent$).

13. Set up SQL Server

  1. Install SQL Server 2016 SP1 with high availability. (Unless you're deploying in a sandbox environment, where one instance of SQL Server is sufficient. You may want to install SQL Server with high availability in sandbox environments to test high-availability scenarios.)

    Important

    You must enable the SQL Server and Windows Authentication mode.

    You can install SQL Server with high availability either as SQL clusters that include a Storage Area Network (SAN) or in an Always-On configuration. Verify that the Database Engine, SSRS, Full-Text Search, and Management Tools are already installed.

    Note

    Make sure that Always-On is set up as described in Select Initial Data Synchronization Page (Always On Availability Group Wizards), and follow the instructions in To Prepare Secondary Databases Manually.

  2. Run the SQL service as a domain user.

  3. Get an SSL certificate from a certificate authority to configure Finance and Operations. For testing purposes, you can create and use a self-signed certificate. You will need to replace the computer name and domain name in the following example.

    Self-signed certificate for a Clustered SQL instance

    New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -DnsName "DAX7SQLAOSQLA.contoso.com" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -Subject "DAX7SQLAOSQLA.contoso.com"
    

    Self-signed certificate for an Always-On SQL instance

    If setting up testing certificates for Always-On, you can use the following remoting script, which will perform the same as the following manual script and steps 4., 5., and 6..

    .\Create-SQLTestCert-AllVMs.ps1 -ConfigurationFilePath .\ConfigTemplate.xml `
        -SqlMachineNames DAX7SQLAOSQLA01, DAX7SQLAOSQLA02 `
        -SqlListenerName dax7sqlaosqla
    

    Manual creation of test certificates.

    # https://www.derekseaman.com/2014/11/sql-2014-alwayson-ag-pt-13-ssl.html
    
    # Manually create certificate for each SQL Node (i.e. 2 nodes = 2 certificates)
    # Run script on each node
    $computerName = $env:COMPUTERNAME.ToLower()
    $domain = $env:USERDNSDOMAIN.ToLower()
    $listenerName = 'dax7sqlaosqla'
    $cert = New-SelfSignedCertificate -Subject "$computerName.$domain" -DnsName "$listenerName.$domain", $listenerName, $computerName -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    
  4. Use the certificate(s) to configure SSL on SQL Server. Follow the steps in How to enable SSL encryption for an instance of SQL Server by using Microsoft Management Console.

  5. For each node of the SQL cluster, follow these steps. Make sure that you make the changes on the non-active node, and that you fail over to it after changes are made.

    1. Import the certificate into LocalMachine\My, unless you are setting up Always-On, in which case the certificate already exists on the node.
    2. Grant certificate permissions to the service account that is used to run the SQL service. In Microsoft Management Console (MMC), right-click the certificate (certlm.msc), and then select Tasks > Manage Private Keys.
    3. Add the certificate thumbprint to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.x\MSSQLServer\SuperSocketNetLib\Certificate. For example, with SQL Server 2016 SP1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQLServer\SuperSocketNetLib\Certificate
      1. From the start menu, type regedit, then select regedit to open the registry editor.
      2. Navigate to the certificate, right-click Modify, then replace the value with the certificate thumbprint.
    4. In Microsoft SQL Server Configuration Manager, set ForceEncryption to Yes.
      1. In SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for [server instance], and then select Properties.
      2. In the Protocols for [instance name] Properties dialog box, on the Certificate tab, select the desired certificate from the drop-down menu for the Certificate box, and then click OK.
      3. On the Flags tab, in the ForceEncryption box, select Yes, and then click OK
      4. Restart the SQL Server service.
  6. Export the public key of the certificate (the .cer file), and install it in the trusted root of each Service Fabric node.

Important

If remoting was used, be sure to execute the clean up steps when the setup is complete. See the 20. Tear down CredSSP section for more information.

14. Configure the databases

  1. Sign in to LCS.

  2. On the dashboard, select the Shared asset library tile.

  3. On the Model tab, select the demo data for the release that you want and download the zip file.

Release Demo data
On-premises General Availability (GA) release Dynamics 365 for Operations on-premises - Demo data
On-premises Platform Update 11 Nov 2017 release Dynamics 365 for Operations on-premises, Enterprise edition - Update 11 Demo data
On-premises Platform Update 12 Mar 2018 release Dynamics 365 for Operations on-premises, Enterprise edition - Update 12 Demo data
  1. The zip file contains empty and demo data .bak files. Select the .bak file, based on your requirements. For example, if you require demo data, download the AxBootstrapDB_Demodata.bak file.

  2. Ensure the database section in the infrastructure\ConfigTempate.xml is configured correctly with the following:

    1. The database name.
    2. The db file and log settings. The db settings should not be lower than the defaults specified.
    3. The path to the backup file downloaded from LCS Shared Asset library. The default name for the Finance and Operations database is AXDB.

    Warning

    • The user running the SQL service and the user running the scripts should have READ access on the folder or share where the backup file is located.

    • If a database with the same name exists, the database will be reused.

  3. Copy the infrastructure folder to the SQL Server machine and navigate to it in a PowerShell window with elevate privileges.

Configure the OrchestratorData database

  1. Execute the following script.

    .\Initialize-Database.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ComponentName Orchestrator
    

    The script will do the following:

    • Create an empty database named OrchestratorData. This database is used by the on-premises local agent to orchestrate deployments.
    • Grant the local agent gMSA (svc-LocalAgent$) db_owner permissions on the database.

Configure the Finance and Operations database

  1. Execute the following scripts.

    .\Initialize-Database.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ComponentName AOS
    .\Configure-Database.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ComponentName AOS
    

    The Initialize-Database.ps1 script will do the following:

    1. Restore the database from the specified backup file.

    2. Create a new user that has SQL authentication enabled (axdbadmin).

    3. Map users to database roles based on the following table for AXDB.

      User Type Database role
      svc-AXSF$ gMSA db_owner
      svc-LocalAgent$ gMSA db_owner
      svc-FRPS$ gMSA db_owner
      svc-FRAS$ gMSA db_owner
      axdbadmin SqlUser db_owner
    4. Map users to database roles based on the following table for TempDB.

      User Type Database role
      svc-AXSF$ gMSA db_datareader, db_datawriter, db_ddladmin
      axdbadmin SqlUser db_datareader, db_datawriter, db_ddladmin

    The Configure-Database.ps1 script will do the following:

    1. Set READ_COMMITTED_SNAPSHOT ON
    2. Set ALLOW_SNAPSHOT_ISOLATION ON
    3. Set the specified database file and log settings
    4. GRANT VIEW SERVER STATE TO axdbadmin
    5. GRANT VIEW SERVER STATE TO [contoso\svc-AXSF$]
  2. Run the following command to reset the database users.

    .\Reset-DatabaseUsers.ps1 -DatabaseServer '<FQDN of the SQL server>' -DatabaseName '<AX database name>'
    

Configure the Financial Reporting database

  1. Execute the following script.

    .\Initialize-Database.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ComponentName MR
    

    The script will do the following:

    1. Create an empty database named FinancialReporting.

    2. Map the users to database roles based on the following table.

      User Type Database role
      svc-LocalAgent$ gMSA db_owner
      svc-FRPS$ gMSA db_owner
      svc-FRAS$ gMSA db_owner

15. Encrypt credentials

  1. On any client machine, install the encipherment certificate in the LocalMachine\My certificate store.

  2. Grant the current user read access to the private key of this certificate.

  3. Create the Credentials.json file, as shown here.

    {
        "AosPrincipal": {
            "AccountPassword": "<encryptedDomainUserPassword>"
        },
        "AosSqlAuth": {
            "SqlUser": "<encryptedSqlUser>",
            "SqlPwd": "<encryptedSqlPassword>"
        }
    }
    
    • AccountPassword is the encrypted domain user password for the AOS domain user (contoso\axserviceuser).
    • SqlUser is the encrypted SQL user (axdbadmin) that has access to the Finance and Operations database (AXDB), and SqlPassword is the encrypted SQL password.
  4. Copy the .json file to the SMB file share, \\AX7SQLAOFILE1\agent\Credentials\Credentials.json.

  5. Update the Credentials.json file with encrypted values.

    # Service fabric API to encrypt text and copy it to the clipboard.
    Invoke-ServiceFabricEncryptText -Text '<textToEncrypt>' -CertThumbprint '<DataEncipherment Thumbprint>' -CertStore -StoreLocation LocalMachine -StoreName My | Set-Clipboard
    

    Important

    Before you can invoke Invoke-ServiceFabricEncryptText, you need to install Microsoft Azure Service Fabric SDK. If you encounter the following error, "Invoke-ServiceFabricEncryptText is not recognized command" after you install the Azure Service Fabric SDK, restart the computer and retry.

16. Set up SSIS

To enable Data management and Integration workloads, SSIS must be installed on each of the AOS virtual machines. Complete the following steps on each AOS virtual machine.

  1. Verify that the machine has access to the SSIS installation and open the SSIS Setup Wizard.
  2. In the Feature Selection window, in the Features pane, select the Integration Services and SQL Client Connectivity SDK check boxes.
  3. Complete the setup and verify that the installation was successful.

For more information, see Install integration services.

17. Set up SSRS

  1. Before you begin, make sure that the prerequisites that are listed at the beginning of this topic are installed.
  2. Follow the steps in Configure SQL Server Reporting Services for an on-premises deployment.

    Important

    You must install then database engine when you install SSRS.

18. Configure AD FS

Before you can complete this procedure, AD FS must be deployed on Windows Server 2016. For information about how to deploy AD FS, see Deployment Guide Windows Server 2016 and 2012 R2 AD FS Deployment Guide.

Finance and Operations requires additional configuration beyond the default out-of-box configuration of AD FS. For the following steps, Windows PowerShell runs on a machine where the AD FS role service is installed. The user account must have enough permissions to administer AD FS. For example, the user must have a domain administrator account.

  1. Configure the AD FS identifier so that it matches the AD FS token issuer.

    $adfsProperties = Get-AdfsProperties
    Set-AdfsProperties -Identifier $adfsProperties.IdTokenIssuer
    
  2. You should disable Windows Integrated Authentication (WIA) for intranet authentication connections, unless you've configured AD FS for mixed environments. For more information about how to configure WIA so that it can be used with AD FS, see Configure browsers to use Windows Integrated Authentication (WIA) with AD FS.

    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider FormsAuthentication, MicrosoftPassportAuthentication
    
  3. For sign-in, the user's email address must be an acceptable authentication input.

    Add-Type -AssemblyName System.Net
    $fqdn = ([System.Net.Dns]::GetHostEntry('localhost').HostName).ToLower()
    $domainName = $fqdn.Substring($fqdn.IndexOf('.')+1)
    Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID mail -LookupForests $domainName
    

In order for AD FS to trust Finance and Operations for the exchange of authentication, various application entries must be registered in AD FS under an AD FS application group. To speed up the setup process and help reduce errors, you can use the following script for registration. Copy the Publish-ADFSApplicationGroup.ps1 script and D365FO-OP directory to a machine where the AD FS role service is installed. Then run the script by using a user account that has enough permissions to administer AD FS. (For example, use an administrator account.)

For more information about how to use the script, see the documentation that is listed in the script. Make a note of the client IDs that are specified in the output, because you will need this information in LCS in a later step. Should you lose the client IDs, log in to the machine which has AD FS installed, open Server Manager > Tools > AD FS Management > Application Groups > Microsoft Dynamics 365 for Operations On-premises and find the client IDs under the native applications.

# Host URL is your DNS record\host name for accessing the AOS
.\Publish-ADFSApplicationGroup.ps1 -HostUrl 'https://ax.d365ffo.onprem.contoso.com'

Application group properties

Finally, make sure that you can access the AD FS OpenID Configuration URL on a Service Fabric node of the AOSNodeType type. To perform this check, try to open https://<adfs-dns-name>/adfs/.well-known/openid-configuration in a web browser. If you receive a message that states that the site isn't secure, you haven't added your AD FS SSL certificate to the Trusted Root Certification Authorities store. This step is described in the AD FS deployment guide, and if you are using remoting, you can use the following script to install the certificate on all nodes in the Service Fabric cluster:

# If remoting, execute
.\Install-ADFSCert-AllVMs.ps1 -ConfigurationFilePath .\ConfigTemplate.xml

If you successfully access the URL, a JavaScript Object Notation (JSON) file is returned that contains your AD FS configuration, and you will see that your AD FS URL is trusted.

You've now completed the setup of the infrastructure. The following sections describe how to navigate to LCS to set up your connector and deploy your Finance and Operations environment.

19. Configure a connector and install an on-premises local agent

  1. Sign in to LCS, and open the on-premises implementation project.

  2. On the hamburger menu, select Project settings.

    Project settings command

  3. Select On-premises connectors.

  4. Select Add to create a new connector.

  5. On the Setup host infrastructure tab, download the agent installer.

    Download agent installer button on the Setup host infrastructure tab

  6. Verify that the zip file is unblocked. Right-click the file, and then select Properties. In the dialog box, select Unblock.

  7. Unzip the agent installer on one of the Service Fabric nodes of the OrchestratorType type.

  8. On the Configure agent tab, enter the configuration settings. Execute the following script on any machine with access to it and the configuration file, to get the needed values.

    .\Get-AgentConfiguration.ps1 -ConfigurationFilePath .\ConfigTemplate.xml
    
  9. Save the configuration, and then select Download configurations to download the localagent-config.json configuration file.

    Download configurations button on the Configure agent tab

  10. Copy the localagent-config.json file to the machine where the agent installer package is located.

  11. In a Command Prompt window, run the following command by navigating to the folder that contains the agent installer.

    LocalAgentCLI.exe Install <path of config.json>
    

    Note

    The user who runs this command must have db_owner permissions on the OrchestratorData database.

  12. After the local agent is successfully installed, navigate back to your on-premises connector in LCS.

  13. On the Validate setup tab, select Message agent to test for LCS connectivity to your local agent. When a connection is successfully established, the page will resemble the following illustration.

    Validate the agent

20. Tear down CredSSP, if remoting was used

If any of the remoting scripts were used during setup, be sure to execute the following script when there are breaks in the setup process, or the setup has finished.

.\Disable-CredSSP-AllVMs.ps1 -ConfigurationFilePath .\ConfigTemplate.xml

If the previous remoting PowerShell window was accidentally closed and CredSSP was left enabled, the script will disable it on all the machines specified in the configuration file.

21. Deploy your Finance and Operations (on-premises) environment from LCS

  1. In LCS, navigate to your on-premises project, go to Environment > Sandbox, and then select Configure. Execute the following script on the primary domain controller VM, which must have access to ADFS and the DNS server settings, to get the needed values.

    .\Get-DeploymentSettings.ps1 -ConfigurationFilePath .\ConfigTemplate.xml
    
  2. For new deployments, select your environment topology, and then complete the wizard to start your deployment.

Deploy

  1. If you have an existing Platform update 8 or Platform update 11 deployment:
  2. LCS will assemble the Service Fabric application packages for your environment during the preparation phase. It then sends a message to the local agent to start deployment. You will notice the Preparing status as below.

Preparing

Click Full details to take you to the environment details page, as shown below.

Details_Preparing

  1. The local agent will now pick up the deployment request, start the deployment, and communicate back to LCS when the environment is ready. When deployment starts, the status will change to Deploying, as shown.

Deploying

Details_Deploying

If the deployment fails, the Reconfigure button will become available for your environment in LCS, as shown below. Fix the underlying issue, click Reconfigure, update any configuration changes, and click Deploy to retry the deployment.

Failed

See the Reconfigure your environment topic for details about how to reconfigure. The following graphic shows a successful deployment. Deployed

22. Connect to your Finance and Operations (on-premises) environment

In your browser, navigate to https://[yourD365FOdomain]/namespaces/AXSF, where yourD365FOdomain is the domain name that you defined in the Plan your domain name and DNS zones section of this topic.

Known issues

Error "Key does not exist" when running the New-D365FOGMSAAccounts cmdlet

If this is your first time creating and generating group Managed Service Account passwords in your domain, you need to first create the Key Distribution Services KDS Root Key. For more information, see Create the Key Distribution Services KDS Root Key.

Error "The WinRM client cannot process the request" when running the remoting script Configure-Prereqs-AllVms cmdlet

You need to follow the instructions in the error message to enable the computer policy Allow delegation fresh credentials in all machines of Service Fabirc cluster.

Error "Not process argument transformation on parameter 'Test'. Cannot convert value "System.String" to type "System.Management.Automation.SwitchParameter" when running the Config-Prereqs-AllVms cmdlet

To work around this error, remove "-Test:$Test" in line 56 of Config-Prereqs-AllVms.ps1, which is found under the Infrastructure folder.

Error "Not process argument transformation on parameter 'Test'. Cannot convert value "System.String" to type "System.Management.Automation.SwitchParameter" when running the Complete-Prereqs-AllVms cmdlet

To work around this error, remove "-Test:$Test" in line 56, 61 and 66 of Complete-Prereqs-AllVms.ps1 which is found under the Infrastructure folder.

Error "Install-WindowsFeature: The request to add or remove features on the specified server failed" when running Configure-Prereqs on MRType and ReportServerTyoe servers

.NET Framework 3.5 is required in MRType and ReportServerType servers. By default however, .NET Framework 3.5 source files aren't included in your Windows Server 2016 installation. To work around this error, install it and specify the source files using the source option when you manually add new features by server manager.

Error "MSIS7628: Scope names should be a valid Scope description name in AD FS configuration" when running the Publish-ADFSApplicationGroup cmdlet

This error occurs because of an OpenID scope allatclaims that is required by the D365FO-OP-ADFSApplicationGroup, but it might be missing in some Windows Server 2016 installation. To work around this error, add the scope description allatclaims through AD FS Management\Service\Scope Descriptions.

Error "ADMIN0077: Access control policy does not exist: Permit everyone" when running the Publish-ADFSApplicationGroup cmdlet

When your AD FS is installed with a non-English version of Windows Server 2016, the permit everyone access control policy is created with your local language. Invoke the cmdlet by specifying AccessControlPolicyName parameter as: .\Publish-ADFSApplicationGroup.ps1 -HostUrl 'https://ax.d365ffo.onprem.contoso.com' -AccessControlPolicyName ''.

Additional resources