Microsoft KB Archive/870577

= You may experience timeouts or slow performance, you may see that the SecurityDescriptor field values are much longer than 1,000 characters, or you may not be able to work with records that exist in a child business unit in Microsoft CRM 1.2 =

Article ID: 870577

Article Last Modified on 12/20/2005

-

APPLIES TO


 * Microsoft CRM 1.2

-





SYMPTOMS
When you try to access data in Microsoft Business Solutions CRM 1.2, one or more of the following symptoms may occur:
 * You may experience timeouts or slow performance when you try to use a particular view, such as the All Leads view.
 * You may see that the SecurityDescriptor field values of Microsoft CRM records are much longer than 1,000 characters. When the field values are this long, the size of the Microsoft SQL Server database that is used by Microsoft CRM grows significantly.

For more information, see the &quot;Determine the lengths of the SecurityDescriptor field values&quot; section.

Note The SecurityDescriptor field is not visible from the Microsoft CRM client. You can view this field by using SQL Server Enterprise Manager or SQL Query Analyzer.
 * You may not be able to read records or write to records that exist in a child business unit.



CAUSE
Typically, this problem occurs if one or both of the following conditions are true:
 * Changes have been made to the Microsoft CRM security roles.
 * Microsoft CRM business units have been reassigned.

Typically, only Microsoft CRM installations that contain more than 10,000 records experience performance-related symptoms. This problem is also affected by the performance of the computer that is running the Microsoft SQL Server application that hosts the Microsoft CRM databases.



RESOLUTION
Microsoft CRM has a fix for this problem that is part of a cumulative update. The cumulative update information is described in the following Microsoft Knowledge Base article:

904435 Update Rollup 2 is available for Microsoft CRM 1.2



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
This problem can be avoided if your organization does not have to have custom Microsoft CRM security roles. To avoid the problem, use the Microsoft CRM standard roles. This problem can also be avoided if your organization does not have to reassign business units. To avoid the problem, do not change the business unit structure.

A reassigned child business unit has Domain Local Security Groups that have a name of MSCRM Glbl. is the name of the Microsoft CRM security role. MSCRM Glbl security groups should only exist under the root business unit in the Active Directory directory service for a Microsoft CRM installation.

The root cause of this problem is in every record in the _MSCRM database that contains a value in the SecurityDescriptor column. SecurityDescriptor calculations are based on users' Microsoft CRM security roles and on the Microsoft CRM business units. The Microsoft CRM platform uses SecurityDescriptor fields and the Microsoft CRM Security Service to grant security access to Microsoft CRM records. Because the additional MSCRM Glbl security groups are created, the SecurityDescriptor field grows. If multiple business units are moved so that they have a different parent business unit, the field may grow exponentially.

Determine the lengths of the SecurityDescriptor field values
You can determine the lengths of the SecurityDescriptor field values both before and after you move a business unit. To do this, use SQL Query Analyzer to run the following sample SQL SELECT statement against the _MSCRM database. is the licensed organization name for the Microsoft CRM installation. Run this statement before a business unit is moved, and then run the statement again after the business unit is moved. Then, compare the values to find the difference in the lengths. select min(datalength(securitydescriptor)), avg(datalength(securitydescriptor)), max(datalength(securitydescriptor)) from SystemUserBase This sample SQL SELECT statement shows the minimum length, the average length, and the maximum length of a SecurityDescriptor field value for all the records in the SystemUserBase table. The SystemUserBase table is used because that table always has at least one record in it.

A typical size for the SecurityDescriptor field is 1,000 characters if your Microsoft CRM installation has only a few Microsoft CRM business units and has no custom Microsoft CRM security roles. If you add Microsoft CRM business units and Microsoft CRM security roles, the size of the SecurityDescriptor field value grows. This change is expected functionality.

Note Making SQL Server updates directly to the Microsoft CRM databases is not supported.

For more information about the terminology that is used to describe Microsoft product updates, see the following articles in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

887283 Microsoft Business Solutions CRM software hotfix and update package naming standards

Additional query words: reparent re-parent move

Keywords: kbbug kbfix kbqfe kbprb kbmbsmigrate KB870577

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.