In our previous part we installed our Domain Controller, which is without doubt one of the most vital servers within the server environment we are setting up.

This post will mainly focus on setting up the Active Directory Accounts which will be used throughout the other upcoming parts.

So let’s get started.

Planning security groups, user accounts and service accounts

Like every installation and configuration, it is essential to have an overview of what you would like to accomplish before implementing it, and the same rule applies here. Below is an overview of the required security groups, user accounts and service accounts.

Security Groups

  • BizTalk Application Users
  • BizTalk Isolated Host Users
  • BizTalk Server Administrators
  • BizTalk Server B2B Operators
  • BizTalk Server Operators
  • BizTalk Bam Portal Users
  • SSO Administrators
  • SSO Affiliate Administrators
  • IIS_IUSRS

Service Accounts

  • srvc-bts-trusted [Service account used to run the BizTalk Isolated host instance (HTTP/SOAP)]
  • srvc-bts-untrusted [Service account used to run the BizTalk In-Process host instance (BTNTSVC)]
  • srvc-bts-sso [Service account used to run the Enterprise Single Sign-On Service, which accesses the SSO database]
  • srvc-bts-rule-engine [Service account used to run the Rule Engine Update Service, which receives policy deployment/undeployment notifications from the Rule Engine database]
  • srvc-bts-bam-ns [Service account used to run BAM Notification Services, which accesses the BAM databases]
  • srvc-bts-bam-ap [Application pool account for BAMAppPool which hosts BAM Portal Web site]
  • srvc-sql-agent
  • srvc-sql-engine
  • srvc-sql-analysis
  • srvc-sql-reporting
  • srvc-sql-integration

User Accounts

  • usr-bts-install
  • usr-bts-bam
  • usr-bts-admin
  • usr-bts-operator
  • usr-bts-b2b-operator
  • usr-bts-sso-admin
  • usr-bts-sso-affiliate

Accounts – Security Group mapping

BizTalk Application Users

Contains service accounts for the BizTalk In-Process host instance in the host that the BizTalk Host Group is designated for.

Accounts
  • srvc-bts-untrusted

BizTalk Isolated Host Users

Contains service accounts for the BizTalk Isolated host instance in the host that the Isolated BizTalk Host Group is designated for.

Accounts
  • srvc-bts-trusted

BizTalk Server Administrators

Contains users/groups that need to be able to configure and administer BizTalk Server.

Accounts
  • Domain Admin
  • usr-bts-admin

BizTalk Server B2B Operators

Contains users/groups that will perform all party management operations.

Accounts
  • Domain Admin
  • usr-bts-b2b-operator

BizTalk Server Operators

Contains user/groups that will monitor solutions.

Accounts
  • Domain Admin
  • usr-bts-operator

BizTalk Bam Portal Users

The Everyone group is used for this role by default.

Accounts
  • Domain Users

SSO Administrators

Contains service accounts for Enterprise Single Sign-On service.

Contains users/groups that need to be able to configure and administer BizTalk Server and SSO service.

Contains accounts used to run BizTalk Configuration Manager when configuring SSO master secret server.

Accounts
  • Domain Admin
  • srvc-bts-sso
  • usr-bts-sso-admin

SSO Affiliate Administrators

Contains accounts used for BizTalk Server Administrators.

Accounts
  • Domain Admin
  • usr-bts-sso-affiliate

IIS_IUSRS

This built-in group has access to all the necessary file and system resources so that an account, when added to this group, can seamlessly act as an application pool identity.

Accounts
  • srvc-bts-trusted
  • srvc-bts-bam
  • srvc-bts-bam-ap

Adding security groups, user accounts and service accounts

Now that we have a clear overview of all the required security groups, user accounts and service accounts, it's time to actually add them to our Active Directory.

Fire up your Domain Controller server, and in Server Manager open "Roles" –> "Active Directory Users and Computers" and click on your domain.

Setting up BizTalk Organizational Unit

Add a new Organizational Unit named "BizTalk"; do this by right-clicking your domain –> "New" –> "Organizational Unit".

Enter the name of the new Organizational Unit object, make sure "Protect container from accidental deletion" is checked and press "OK".

Select the just created "BizTalk" Organizational Unit and add a new group; do this by right-clicking your "BizTalk" Organizational Unit –> "New" –> "Group".

Enter the name of the group, ensure the "Group scope" is "Global" and the "Group type" is "Security". Once done, press "OK".

Now add the following security groups by repeating the two previous steps:

  • BizTalk Isolated Host Users
  • BizTalk Server Administrators
  • BizTalk Server B2B Operators
  • BizTalk Server Operators
  • BizTalk Bam Portal Users
  • SSO Administrators
  • SSO Affiliate Administrators

You should end up with the following groups within your "BizTalk" Organizational Unit.

Now select the just created "BizTalk" Organizational Unit and add two new Organizational Units named:

  • Service Accounts
  • User Accounts

Do this by right-clicking your "BizTalk" Organizational Unit –> "New" –> "Organizational Unit" and filling out the required details (make sure "Protect container from accidental deletion" is checked). You should end up with the following two new Organizational Units within the "BizTalk" Organizational Unit.

Now select the just created "Service Accounts" Organizational Unit and add the following users:

  • srvc-bts-trusted
  • srvc-bts-untrusted
  • srvc-bts-sso
  • srvc-bts-rule-engine
  • srvc-bts-bam
  • srvc-bts-bam-ns
  • srvc-bts-bam-ap

Repeat the following steps for each new user listed above. Do this by right-clicking your "Service Accounts" Organizational Unit –> "New" –> "User".

Fill out the "First name", "Full name" and "User logon name" and press "Next".

Assign a password, uncheck "User must change password at next logon", then check "User cannot change password" and "Password never expires". Once done, press "Next" and "Finish".

Eventually you should end up with the following users within your "Service Accounts" Organizational Unit.

Now select the "User Accounts" Organizational Unit and add the following users:

  • usr-bts-install
  • usr-bts-admin
  • usr-bts-operator
  • usr-bts-b2b-operator
  • usr-bts-sso-admin
  • usr-bts-sso-affiliate

Repeat the following steps for each new user listed above. Do this by right-clicking your "User Accounts" Organizational Unit –> "New" –> "User".

Fill out the "First name", "Full name" and "User logon name" and press "Next".

Assign a password, uncheck "User must change password at next logon", then check "User cannot change password" and "Password never expires". Once done, press "Next" and "Finish".

Eventually you should end up with the following users within your "User Accounts" Organizational Unit.

Setting up Sql Server Organizational Unit

Now it's time to set up the SQL Server Organizational Unit; this is done exactly the same way as described in "Setting up BizTalk Organizational Unit". Below I will summarize what to create.

Add a new Organizational Unit named "Sql Server".

Within the "Sql Server" Organizational Unit, add a new Organizational Unit named "Service Accounts".

Add the following user accounts to the "Service Accounts" Organizational Unit:

  • srvc-sql-agent
  • srvc-sql-engine
  • srvc-sql-analysis
  • srvc-sql-reporting
  • srvc-sql-integration

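The OU, group and account creation from the steps above can also be scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the original post; it assumes it runs on the Domain Controller as a domain admin with the RSAT ActiveDirectory module installed, reads the domain DN from Get-ADDomain, and uses the same names and password options as the wizard steps.

```powershell
# Added example, not code from the original post: scripts the OU, group and
# account creation described above. Assumes the ActiveDirectory RSAT module is
# present and the script runs as a domain admin; $DomainDN is read from the domain.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$DomainDN = $domain.DistinguishedName

# OUs, each protected from accidental deletion as in the GUI steps
$ous = @(
    @{ Name = 'BizTalk';          Path = $DomainDN },
    @{ Name = 'Service Accounts'; Path = "OU=BizTalk,$DomainDN" },
    @{ Name = 'User Accounts';    Path = "OU=BizTalk,$DomainDN" },
    @{ Name = 'Sql Server';       Path = $DomainDN },
    @{ Name = 'Service Accounts'; Path = "OU=Sql Server,$DomainDN" }
)
foreach ($ou in $ous) {
    New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
}

# Global security groups in the BizTalk OU (IIS_IUSRS is built in, so it is not created)
$groups = 'BizTalk Application Users', 'BizTalk Isolated Host Users', 'BizTalk Server Administrators',
          'BizTalk Server B2B Operators', 'BizTalk Server Operators', 'BizTalk Bam Portal Users',
          'SSO Administrators', 'SSO Affiliate Administrators'
foreach ($g in $groups) {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path "OU=BizTalk,$DomainDN"
}

# One account with the password options from the "New User" wizard; the password is
# prompted per account so it never ends up in the script file or the shell history
function New-BtsAccount {
    param([string]$Name, [string]$Path)
    $pw = Read-Host -Prompt "Password for $Name" -AsSecureString
    New-ADUser -Name $Name -SamAccountName $Name -GivenName $Name `
        -UserPrincipalName "$Name@$($domain.DNSRoot)" -Path $Path `
        -AccountPassword $pw -Enabled $true `
        -ChangePasswordAtLogon $false -CannotChangePassword $true -PasswordNeverExpires $true
}

$btsSvc = 'srvc-bts-trusted', 'srvc-bts-untrusted', 'srvc-bts-sso', 'srvc-bts-rule-engine',
          'srvc-bts-bam', 'srvc-bts-bam-ns', 'srvc-bts-bam-ap'
$btsUsr = 'usr-bts-install', 'usr-bts-admin', 'usr-bts-operator', 'usr-bts-b2b-operator',
          'usr-bts-sso-admin', 'usr-bts-sso-affiliate'
$sqlSvc = 'srvc-sql-agent', 'srvc-sql-engine', 'srvc-sql-analysis', 'srvc-sql-reporting', 'srvc-sql-integration'

$btsSvc | ForEach-Object { New-BtsAccount -Name $_ -Path "OU=Service Accounts,OU=BizTalk,$DomainDN" }
$btsUsr | ForEach-Object { New-BtsAccount -Name $_ -Path "OU=User Accounts,OU=BizTalk,$DomainDN" }
$sqlSvc | ForEach-Object { New-BtsAccount -Name $_ -Path "OU=Service Accounts,OU=Sql Server,$DomainDN" }
```

All three New-AD* cmdlets support -WhatIf, so the script can be dry-run before it touches the domain.
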
Adding users to designated security groups

Well, we are almost there. The next thing on our list is to assign the created users to the correct security groups. For this you will need to open your previously created "BizTalk" Organizational Unit.

Further instructions on how to achieve this are listed below, sorted by security group.

Group: BizTalk Application Users

Right-click the "BizTalk Application Users" group and select "Properties", select the "Members" tab and then press "Add…".

Now select “Advanced…”

Ensure that your location is set to your domain, and in the "Common Queries" section enter "srvc-bts" in the "Name starts with" textbox and select "Find Now".

Select the "srvc-bts-untrusted" account and press "OK", then press "OK" in the two remaining dialogs to close them.

Group: BizTalk Isolated Host Users

Repeat the steps as mentioned in “Group: BizTalk Application Users”, but this time you will select the “srvc-bts-trusted” account.

Group: BizTalk Server Administrators

Repeat the steps as mentioned in "Group: BizTalk Application Users", but this time select the following accounts (note: leave the Common Queries filter blank, so that you see all accounts):

  • "Domain Admins" (group)
  • usr-bts-admin (user account)

Group: BizTalk Server B2B Operators

Repeat the steps as mentioned in "Group: BizTalk Application Users", but this time select the following accounts (note: leave the Common Queries filter blank, so that you see all accounts):

  • "Domain Admins" (group)
  • usr-bts-b2b-operator (user account)

Group: BizTalk Server Operators

Repeat the steps as mentioned in "Group: BizTalk Application Users", but this time select the following accounts (note: leave the Common Queries filter blank, so that you see all accounts):

  • "Domain Admins" (group)
  • usr-bts-operator (user account)

Group: BizTalk Bam Portal Users

Repeat the steps as mentioned in "Group: BizTalk Application Users", but this time select the following account (note: leave the Common Queries filter blank, so that you see all accounts):

  • "Domain Users" (group)

Group: SSO Administrators

Repeat the steps as mentioned in "Group: BizTalk Application Users", but this time select the following accounts (note: leave the Common Queries filter blank, so that you see all accounts):

  • "Domain Admins" (group)
  • srvc-bts-sso (service account)
  • usr-bts-sso-admin (user account)

Group: SSO Affiliate Administrators

Repeat the steps as mentioned in "Group: BizTalk Application Users", but this time select the following accounts (note: leave the Common Queries filter blank, so that you see all accounts):

  • "Domain Admins" (group)
  • usr-bts-sso-affiliate (user account)

Group: IIS_IUSRS

Open up the "Builtin" Organizational Unit and double-click the "IIS_IUSRS" group.

Select the "Members" tab and press "Add…".

Add the following accounts (note: leave the Common Queries filter blank, so that you see all accounts):

  • "Domain Admins" (group)
  • "BizTalk Isolated Host Users" (group)
  • srvc-bts-bam (service account)
  • srvc-bts-bam-ap (service account)

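The group memberships from the sections above can be applied in one go with the ActiveDirectory module. This is an added example, not code from the original post; it assumes the groups and accounts already exist in the domain (for instance after the GUI steps above) and that it runs as a domain admin.

```powershell
# Added example, not code from the original post: assigns the memberships listed
# above and then prints each group with its resolved members for review.
# Assumes the groups and accounts already exist and the ActiveDirectory module is present.
Import-Module ActiveDirectory

# Group -> members, exactly as in the post (IIS_IUSRS is the Builtin group)
$membership = @{
    'BizTalk Application Users'     = @('srvc-bts-untrusted')
    'BizTalk Isolated Host Users'   = @('srvc-bts-trusted')
    'BizTalk Server Administrators' = @('Domain Admins', 'usr-bts-admin')
    'BizTalk Server B2B Operators'  = @('Domain Admins', 'usr-bts-b2b-operator')
    'BizTalk Server Operators'      = @('Domain Admins', 'usr-bts-operator')
    'BizTalk Bam Portal Users'      = @('Domain Users')
    'SSO Administrators'            = @('Domain Admins', 'srvc-bts-sso', 'usr-bts-sso-admin')
    'SSO Affiliate Administrators'  = @('Domain Admins', 'usr-bts-sso-affiliate')
    'IIS_IUSRS'                     = @('Domain Admins', 'BizTalk Isolated Host Users',
                                        'srvc-bts-bam', 'srvc-bts-bam-ap')
}

foreach ($group in $membership.Keys) {
    foreach ($member in $membership[$group]) {
        # Look the principal up by sAMAccountName first so a typo is reported
        # instead of aborting the loop halfway through
        if (Get-ADObject -Filter "sAMAccountName -eq '$member'") {
            Add-ADGroupMember -Identity $group -Members $member
        } else {
            Write-Warning "'$member' not found in the domain; skipped for '$group'"
        }
    }
}

# Verification: one line per group with the members AD actually reports
foreach ($group in $membership.Keys) {
    $actual = (Get-ADGroupMember -Identity $group |
               Select-Object -ExpandProperty SamAccountName) -join ', '
    '{0,-30} {1}' -f $group, $actual
}
```

Re-running the verification loop later is a cheap check for membership drift, since BizTalk Server Administrators and SSO Administrators are high-privilege groups.
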
Closing Note

This sums up part 3, SQL & BizTalk Active Directory Accounts. In part 4 we will make the necessary preparations for the SQL and BizTalk failover cluster setups, which will include:

  • Installing the required Roles and Features
  • Setting up the File Server and assigning storage to the SQL & BizTalk Clusters.

Until next time

Cheers

René