Install and run System diagnostics
Important
This content is archived and is not being updated. For the latest documentation, see Microsoft Dynamics 365 product documentation. For the latest release plans, see Dynamics 365 and Microsoft Power Platform release plans.
In Microsoft Dynamics Lifecycle Services, System diagnostics includes an on-premises component that must be installed before you can use the service to discover Microsoft Dynamics AX environments and collect data.
Install the System diagnostics on-premises component
To install the System diagnostics on-premises component, the following are required:
- A service account with specific permissions on the local computer and the Microsoft Dynamics AX business database.
- An X509 certificate. You can either use an existing certificate, or have the installer create one for you. Each X509 certificate is associated with a single project. Diagnostics from an environment can be uploaded to only one project.
- Microsoft .NET 4.5 or 4.5.1
Configure the service account for System diagnostics
This section describes the permissions that are required for the service account that the Lifecycle Services Diagnostic Service (LCSDiagFXService.exe) runs as.
The service account must be a domain account that is a user in Microsoft Dynamics AX and a member of the BusinessConnector role. We strongly recommend that, if possible, the account be the same account used for the .NET Business Connector proxy. For more information, see Specify the .NET Business Connector proxy account and Assign users to security roles.
Note
If you reuse the .NET Business Connector proxy account, you must still add it as a member of the BusinessConnector role.
The service account must have read access to specific registry keys in the HKEY_LOCAL_MACHINE hive on all of the computers that run AOS instances and host Microsoft Dynamics AX business databases, so that the Lifecycle Services Diagnostic Service can discover environments and collect data.
The service account must be a member of the Event Log Readers local group on each server in the environment, so that the Lifecycle Services Diagnostic Service can read the Windows event logs.
The service account must have read access to the Microsoft Dynamics AX business database (db_datareader), and must have VIEW SERVER STATE permission for the SQL Server instance, so that Lifecycle Services Diagnostic Service can run default dynamic management views in SQL Server.
Configure read permissions to the registry
On each server in your environment that hosts an AOS instance or Microsoft Dynamics AX SQL Server business database, you must grant read access to a registry key in the HKEY_LOCAL_MACHINE hive to the service account for the System diagnostics.
Caution
The following procedure includes editing the Windows Registry. Editing the registry incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that problems resulting from incorrectly editing the registry can be solved. You should make a backup copy of the registry files (System.dat and User.dat) before you edit the registry.
To grant access to collect data from the Windows registry on the server that hosts the SQL Server business database:
- Click Start, click Run, type regedit, and then press Enter.
- Expand HKEY_LOCAL_MACHINE, navigate to the subkey System\CurrentControlSet\Control\PriorityControl, right-click it and select Permissions.
- Add the user that you want to associate with the Lifecycle Services Diagnostic Service.
- Select the user that you added, and then allow read permissions.
- Click Advanced Security Settings, and then ensure that the permissions are inherited by the child objects.
To grant access to collect data from the Windows registry on a server that hosts one or more AOS instances:
- Click Start, click Run, type regedit, and press Enter.
- Expand HKEY_LOCAL_MACHINE, navigate to the subkey System\CurrentControlSet\Services\Dynamics Server\6.0, right-click it and select Permissions.
- Add the user that you want to associate with the Lifecycle Services Diagnostic Service.
- Select the user that you added, and then allow read permissions.
- Click Advanced Security Settings, and then ensure that the permissions are inherited by the child objects.
- Repeat for all AOS instances in each environment that you want to collect data from.
Important
As you are configuring rights in the registry, do not reduce account privileges that already exist. For more information about Advanced security settings, see Windows Server 2012 Access Control and Authorization Overview and Windows Server 2008 R2 Advanced Security Settings Properties Page - Permissions Tab.
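The two registry procedures above can also be scripted from an elevated PowerShell session. This is an added example, not part of the original documentation. It adds an inherited read-only entry without touching existing entries, then lists what the account holds on each key so that unexpected write rights stand out. The account name is a hypothetical placeholder.

```powershell
# Added example, not part of the original documentation.
# $Account is a hypothetical service account name; replace it with your own.
$Account = 'CONTOSO\svc-lcsdiag'

# Keys named in the procedures above. A server normally has only the key that
# matches its role (SQL Server host or AOS host), so missing keys are skipped.
$Keys = @(
    'HKLM:\System\CurrentControlSet\Control\PriorityControl',
    'HKLM:\System\CurrentControlSet\Services\Dynamics Server\6.0'
)

function Grant-RegistryRead {
    param([string]$Path, [string]$Account)
    # ReadKey + ContainerInherit corresponds to "Read" on this key and its subkeys.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)   # adds to the ACL; existing entries are not removed
    Set-Acl -Path $Path -AclObject $acl
}

function Get-RegistryAccess {
    param([string]$Path, [string]$Account)
    # Every entry the account holds on the key, explicit or inherited.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object @{ n = 'Key'; e = { $Path } }, RegistryRights,
                      AccessControlType, InheritanceFlags, IsInherited
}

foreach ($key in $Keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Warning "Skipped (not present on this server): $key"
        continue
    }
    Grant-RegistryRead -Path $key -Account $Account
    Get-RegistryAccess -Path $key -Account $Account
}
```

The output should show only ReadKey with AccessControlType Allow for the service account; anything broader was granted elsewhere and is worth reviewing.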
Edit the Group Policy on the AOS
You must make the services of the AOS remotely accessible in Group Policy.
- On the computer running the AOS instance, click Start > Run, type gpedit.msc, and then press Enter.
- In the left pane, expand Computer Configuration > Windows settings > Security settings > Local policies > Security options.
- In the right pane, double-click Network access: Remotely accessible registry paths and sub-paths.
- If the following paths are not in the list, add them to the end of the list and then click OK.
- System\CurrentControlSet\Control\PriorityControl
- System\CurrentControlSet\services\Dynamics Server\6.0
Configure Windows event log and WMI permissions
The service account must be able to read the Windows event logs on each server in the environment, and must be able to monitor remote Windows Management Instrumentation connections. For more information, see Add a member to a local group.
- On each server in the environment, add the service account to the Event Log Readers local group, the Distributed COM Users local group and the Performance Monitor Users local group.
Secure the remote Windows Management Instrumentation connections
On each server in your environment that hosts an AOS instance or Microsoft Dynamics AX SQL Server business database, ensure that you secure the remote Windows Management Instrumentation (WMI) connection.
Click Start > Run, type DCOMCNFG, and then click OK.
In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
In the My Computer Properties dialog box, click the COM Security tab.
Under Launch and Activation Permissions, click Edit Limits.
In the Launch Permission dialog box, follow these steps if your name or your group does not appear in the Groups or user names list:
- In the Launch Permission dialog box, click Add.
- In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type Distributed COM Users, click Check Names, and then click OK.
- Click Add.
- In the Enter the object names to select box, type Performance Monitor Users, click Check Names, and then click OK.
- Select Allow for each of the permissions (Local Launch, Remote Launch, Local Activation, Remote Activation) for each of these groups, and then click OK.
Apply the WMI control security settings to all namespaces:
- Click Start > Run, type wmimgmt.msc, and then click OK.
- Right-click WMI Control (Local), and then click Properties.
- On the Security tab, click Root, click Security, and then click Add.
- Under Enter the object names to select, type Distributed COM Users, click Check Names, and then click OK.
- Click Advanced.
- Select Distributed COM Users and then click Edit.
- Select This namespace and subnamespaces.
- Select Allow for the following permissions: Execute Methods, Enable Account, and Remote Enable, and then click OK.
Repeat step 6 for the Performance Monitor Users group, and then close all windows.
For more information, see Securing a Remote WMI Connection.
Configure SQL Server permissions
The service account must be able to read the data in the Microsoft Dynamics AX business database and must have access to the default dynamic management views in SQL Server.
- Add the service account as a login to the SQL Server instance where the Microsoft Dynamics AX business database is installed. For information about how to perform this step, see Create a Login.
- Add the account as a user of the business database. For information about how to perform this step, see How to: Create a Database User.
- Add the service account to the db_datareader role in the business database. For information about how to perform this step, see Join a Role.
- Grant the service account the VIEW SERVER STATE permission in the SQL Server instance.
- In SQL Server Management Studio, expand Databases, right-click the Microsoft Dynamics AX database, and then click Properties.
- Click Permissions, and then click View server permissions.
- In the Logins or Roles list, click the user to whom you want to grant the permission.
- In the Explicit permissions for user list, select the Grant check box next to View server state permission.
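The SQL Server steps above can be applied and then checked in one pass. This is an added example, not part of the original documentation. It runs the grants as the current Windows user, then reads back what the account actually holds, including whether it is a sysadmin, which would be far more than this service needs. The account, instance and database names are hypothetical placeholders, and the database user is assumed to be named after the login.

```powershell
# Added example, not part of the original documentation.
# $Account, $Instance and $Database are hypothetical placeholders.
$Account  = 'CONTOSO\svc-lcsdiag'
$Instance = 'SQL01'
$Database = 'MicrosoftDynamicsAX'

# Object names cannot be SQL parameters in DDL, so reject characters that could
# break out of the [bracketed] and N'quoted' names before building the batch.
foreach ($name in $Account, $Database) {
    if ($name -match "[\[\]';]") { throw "Unsafe character in name: $name" }
}

$grantSql = @"
USE [master];   -- server-level permissions are granted from master
IF SUSER_ID(N'$Account') IS NULL
    CREATE LOGIN [$Account] FROM WINDOWS;
GRANT VIEW SERVER STATE TO [$Account];
USE [$Database];
IF DATABASE_PRINCIPAL_ID(N'$Account') IS NULL
    CREATE USER [$Account] FOR LOGIN [$Account];
EXEC sp_addrolemember N'db_datareader', N'$Account';
"@

# Parameterized read-back; runs in the business database selected by the batch above.
$checkSql = @'
SELECT
  (SELECT COUNT(*) FROM sys.server_permissions
    WHERE grantee_principal_id = SUSER_ID(@login)
      AND permission_name = N'VIEW SERVER STATE'
      AND state IN ('G', 'W'))                              AS ViewServerStateGrants,
  (SELECT COUNT(*) FROM sys.database_role_members
    WHERE role_principal_id = DATABASE_PRINCIPAL_ID(N'db_datareader')
      AND member_principal_id = DATABASE_PRINCIPAL_ID(@login)) AS DataReaderMemberships,
  IS_SRVROLEMEMBER('sysadmin', @login)                      AS IsSysadmin;
'@

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$Instance;Database=master;Integrated Security=SSPI")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $grantSql
    [void]$cmd.ExecuteNonQuery()
    $cmd.CommandText = $checkSql
    [void]$cmd.Parameters.AddWithValue('@login', $Account)
    $table = New-Object System.Data.DataTable
    $table.Load($cmd.ExecuteReader())
    $table.Rows | Select-Object ViewServerStateGrants, DataReaderMemberships, IsSysadmin
} finally { $conn.Dispose() }
```

The expected result is 1, 1 and 0: one VIEW SERVER STATE grant, one db_datareader membership, and no sysadmin membership.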
Verify that the .NET Business connector service is running in the environment
The Business Connector service must be running on the host where the Lifecycle Services Diagnostic Service is installed. If more than one environment is to be discovered, the .NET Business Connector proxy account must be the same for each server that is running a Microsoft Dynamics AX Application Object Server (AOS) instance. For more information, see Install the .NET Business Connector.
Install the Microsoft Dynamics Lifecycle Services System diagnostics
To install the on-premises component of System diagnostics, you must be a member of the Administrator group on the local computer.
Open a project and click the System diagnostics tile.
On the Admin page, download the compressed installer (LCSDiagFX_x64.zip).
Extract the installer to a computer that is running a Microsoft Dynamics AX client. The computer must have network access to all other servers in the environment, and must be running the .NET Business Connector if you are using the .NET Business Connector proxy account as a service account.
Important
In a production environment, we recommend that you install the on-premises component on a computer that is running only a client, not on computers that are also running an AOS instance or a SQL Server instance.
Run Setup.exe.
Note
Do not run the .msi file directly.
Accept the license terms.
If you have an existing local X509 certificate, on the Select the certificate type page, click Use existing. If you do not have an X509 certificate, perform the following steps:
- On the Select the certificate type page, click Create new.
- Enter a prefix to be used in the certificate name.
- Click Next to create the certificate.
- Verify that the new certificate has been created in the specified location.
Return to the System diagnostics page, browse to the location of the certificate, and click Upload.
Return to the Upload the new certificate page of the Microsoft Dynamics Lifecycle Services Diagnostic Service Setup Wizard, select Certificate file has been uploaded, and click Next.
On the Select private certificate page, the name of the certificate is displayed. Click Next.
On the Specify service account page, enter the service account and password, and then click Next.
On the Change destination folder page, enter the location where you want to store the logs that were collected by the System diagnostics, and then click Next.
Click OK to install and start the System diagnostics, and then click Finish.
Two executable programs are installed: LCSDiagFXDiscovery.exe and LCSDiagFXCollector.exe.
Discover environments
- Click Start, and then click Microsoft Dynamics AX Lifecycle Services Diagnostic Service Discovery.
- In the Environment Discovery window, enter a name for the environment, the fully-qualified name of the SQL Server instance and database, and then click Discover.
- At the bottom of the window, click the Test permissions button.
- On the Change destination folder page, enter the location where you want to store the logs that were collected by the System diagnostics, and then click Next.
Collect data
You can collect data on demand from the Environment Discovery window. We recommend that you schedule a job to collect data regularly. Data collection typically takes between 5 and 15 minutes. Errors that are encountered during data collection are logged in the Windows Application event log, as well as in a log file in the location that you specified during installation.
- To run an initial data collection in the Environment Discovery window, click Collect now. We recommend that you run an initial collection immediately after discovering an environment for the first time.
- To generate a collection command that you can use to schedule collection jobs, click Generate collection command.
- Copy the generated command to the clipboard.
- Schedule the command to run by using a scheduling engine, such as Windows Task Scheduler. For more information about using Task Scheduler, see Schedule a task.
Use the same X509 certificate for all environments
- The first time, let Setup generate the certificate as usual.
- Run MMC (Microsoft Management Console) as an administrator.
- Click File > Add or Remove Snap-ins.
- Double-click the Certificates item, select Computer account, and then click Next > Finish > OK.
- Expand Certificates (Local Computer) > Personal > Certificates.
- Right-click the certificate that was generated in the first step, click All Tasks > Export > Next, and then select "Yes, export the private key".
- Leave the default values in the *.pfx export settings.
- In the security step, use a domain account or a password to secure the exported file.
- Export the file in the remaining steps.
- Copy the exported file to the new environment, click it, and select Install PFX.
- Select Local Machine.
- Click Next, and on the following screen make sure that Mark this key as exportable is selected. Click Next, and then click Finish.
- When you run the Lifecycle Services System diagnostics setup on the new environment, choose to use an existing certificate.
- The certificate that was generated in the first step should appear in the client certificates lookup. Select it and continue as usual.
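The export and import steps above have a PowerShell equivalent that uses the PKI cmdlets Export-PfxCertificate and Import-PfxCertificate. This is an added example, not part of the original documentation. It confirms that the certificate installed on the new environment is the one that was exported, and deletes the transfer file afterwards because it contains the private key. The thumbprint and file path are placeholders, and the function names are hypothetical.

```powershell
# Added example, not part of the original documentation.
# The thumbprint and path are placeholders; use the values from your own system.
$Thumbprint = '<THUMBPRINT-OF-SETUP-GENERATED-CERTIFICATE>'
$PfxPath    = 'C:\Temp\lcsdiag.pfx'

function Export-DiagCertificate {
    param([string]$Thumbprint, [string]$PfxPath, [securestring]$Password)
    # Local Computer > Personal store, as in the MMC steps above.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key to export.' }
    # -Password protects the file; -ProtectTo is the domain-account alternative.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    $cert.Thumbprint
}

function Import-DiagCertificate {
    param([string]$PfxPath, [securestring]$Password, [string]$ExpectedThumbprint)
    # -Exportable matches "Mark this key as exportable" in the import wizard.
    $cert = Import-PfxCertificate -FilePath $PfxPath -Password $Password `
        -CertStoreLocation 'Cert:\LocalMachine\My' -Exportable
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Imported $($cert.Thumbprint), expected $ExpectedThumbprint."
    }
    if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key.' }
    Remove-Item -Path $PfxPath   # the PFX holds the private key; do not leave copies behind
    $cert
}

# On the first environment (elevated session):
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-DiagCertificate -Thumbprint $Thumbprint -PfxPath $PfxPath -Password $pfxPassword

# On the new environment, after copying the file (elevated session):
# Import-DiagCertificate -PfxPath $PfxPath -Password $pfxPassword -ExpectedThumbprint $Thumbprint
```

Remove the copy of the PFX file on the first environment as well once the import has succeeded.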