Thursday, 5 April 2012

Configure MS Dynamics CRM 2011 E-mail Router - part 1

I’ve been getting ready to take the MB2-867 exam: Microsoft Dynamics CRM 2011 Installation and Deployment for the past month or so, and this time I decided that I wanted to earn the certification rather than just pass it. So I installed and configured the E-mail router. Even though, I’ve been using MS Dynamics CRM since version 3.0, I’ve never had the need to use the e-mail router, so this was a bit of a first for me and I thought I would share it here.

I have modeled here the configuration used in our production deployment, where the users are grouped according to their geographical sites, so that there is an OU in AD for each geographical site. Thus, in this example, CRMUsers is meant to represent a single geographical office or site and is a daughter OU of CRM2011. Note, that permissions have deliberately been prevented from cascading as this is company policy here.

  •  MS Dynamics CRM 2011 fully installed (i.e. either in one server or all roles installed in various servers).
  •  MS Exchange 2010 SP1 installed, configured and working
  • Admin access to AD and Exchange.
  • Installed MAPI libraries ( on server that will run the E-mail router (Either a separate server or the MS Dynamics CRM server).
  • Installed E-mail router (no pending reboots).
  • Domain User Account that is member of Domain Users and local Administrators group in server running the E-mail router (ERSA in this case, E-mail Router Service Account).
The installation is very straight forward so I’ve decided not to discuss it here. I have concentrated on the configuration side. The following steps will describe how to configure the E-mail router:
  1. Add user ERSA to MS Dynamics CRM organization.
  2. Give ERSA user the System Administrator role.
  3. Add user ERSA to PrivUserGroup group.
  4. Change user running email router service to user ERSA.
  5. Create mailbox for user ERSA.
  6. Login to OWA or outlook to complete mailbox creation.
  7. Re-start email router service.
  8. Create CRMUSers OU in AD.
  9. Place all MS Dynamics CRM users in this OU (This is really only needed for users that will be sending emails from MS Dynamics CRM 2011).
  10. Add send as permissions for ERSA to the users inside the CRMUSers OU. 

    1. Go to CRMUsers OU | Properties | Security | Advanced | Add.
    2. Type ERSA | Check Names | Click OK.
    3. Ensure settings are as per screenshot below (If you want the permission to cascade down do not tick the check box).

  11.  From the Exchange Management Shell, create a new Management Scope:
  12. New-ManagementScope -Name:"ReportingGroup" -RecipientRestrictionFilter {MemberofGroup -eq "CN=ReportingGroup {b0c96867-26af-446c-8b7de5cd3c89a1bd},OU=CRM2011,DC=dev,DC=org"}
  13. Assign ApplicationImpersonation Role to scope:
    New-ManagementRoleAssignment -Name:"ERSA" -User:"ERSA" -Role:"ApplicationImpersonation" -CustomRecipientWriteScope:"ReportingGroup"
  14. From the E-mail router server; launch E-mail Router Configuration Wizard: 

  15. On the Configuration Profiles tab; select New to create an Incoming Profile.

    Select New to create an Outgoing Profile.

    On the Deployments tab; click New to create a New profile.

    On the Users, Queues and Forward Mailboxes; click Load Data.

    Select any user and click Test Access.

There are two important points to make about step 11: 

The ReportingGroup for each organization, will, by default, contain all users in that organization, so I thought that it was the perfect candidate for this task. Clearly, in multi-tenant situations, multiple management scopes will be needed if this approach is followed. This may or may not be acceptable. The alternative would be to create a new group and make all MS Dynamics CRM Users that need email access members of this group.

The second point is that an OU does not list its membership, so it is not possible to simply try, on step 11, "MemberofGroup -eq "OU=CRMUSers,DC=Dev,DC=org" annoyingly it is a perfectly valid Management Scope, just one that contains no members. So it will be created but will not work.

In part 2, I will show how to configure users to use the email router and the various tracking options.


  1. So do i understand correctly....a vialble alternative too step #11 would be to:

    i. Create a group CRMEmailRouterUsersGroup
    ii. Add users needing email access part of that group
    iii. New-ManagementScope -Name:"CRMEmailRouterUsersGroup" -RecipientRestrictionFilter {MemberofGroup -eq "CN=CRMEmailRouterUsersGroup,OU=CRM2011,DC=dev,DC=org"}

    iv. New-ManagementRoleAssignment -Name:"ERSA" -User:"ERSA" -Role:"ApplicationImpersonation" -CustomRecipientWriteScope:"CRMEmailRouterUsersGroup"