Analysis and Reporting Services, Design and Implementation ...



SQL Server 2008 (R2) Best Practice AnalyzerSQL Server Technical Article Writers: Sylvio Hellmann, Günter Gross, Dana BurnellTechnical Reviewers: Oliver HahnPublished: September 2010Applies to: SQL Server 2008 (R2), SQL Server 2008 (R2) Analysis Services, SQL Server 2008 (R2) Reporting Services, and SQL Server 2008 (R2) Integration ServicesSummary: The Microsoft SQL Server Best Practices Analyzer is a well know tool in the DBA community to validate if SQL Server installations are adhering with Microsoft recommended best practices.In the new R2 version the SQL BPA introduces advanced capabilities in conjunction with the PowerShell architecture and also raises the bar for prerequisites and cross dependencies.While introducing the new tool to our premier customers in the Banking, Insurance and Productivity field we received strong positive feedback along with some interesting questions that we will discuss further in this paper.Understanding PowerShell, Policy based Management and SQL BPA will empower you to unleash the full potential of the SQL Server 2008 R2 Best Practices Analyzer (BPA).Table of Contents TOC \o "1-3" \h \z \t "Heading 9,9,Heading Part,9" 1Introduction PAGEREF _Toc271148515 \h 51.1Architecture and data flow of the BPA PAGEREF _Toc271148516 \h 61.2Microsoft Best Practice Analyzer Universe PAGEREF _Toc271148517 \h 71.2.1SQL Server BPA (older versions) PAGEREF _Toc271148518 \h 71.2.2Windows Server 2008 R2 Best Practice Analyzer PAGEREF _Toc271148519 \h 71.2.3Fix-it PAGEREF _Toc271148520 \h 81.2.4Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7 PAGEREF _Toc271148521 \h 82System Requirements PAGEREF _Toc271148522 \h 102.1Required Permissions for Running SQL Server 2008 R2 BPA PAGEREF _Toc271148523 \h 102.2Prerequisites PAGEREF _Toc271148524 \h 113Install PAGEREF _Toc271148525 \h 123.1Installing PowerShell 2.0 and WinRM PAGEREF _Toc271148526 \h 123.2Install MBCA PAGEREF _Toc271148527 \h 133.3Install BPA PAGEREF _Toc271148528 \h 143.3.1Command line PAGEREF _Toc271148529 \h 143.3.2GUI PAGEREF _Toc271148530 \h 153.3.3Port and Firewall restrictions PAGEREF _Toc271148531 \h 163.4Updates PAGEREF _Toc271148532 \h 163.5Uninstall PAGEREF _Toc271148533 \h 163.5.1BPA PAGEREF _Toc271148534 \h 163.5.2MBCA PAGEREF _Toc271148535 \h 163.5.3Reset Powershell settings PAGEREF _Toc271148536 \h 164Usage PAGEREF _Toc271148537 \h 174.1Help file PAGEREF _Toc271148538 \h 174.2GUI PAGEREF _Toc271148539 \h 174.3Connect to a remote computer PAGEREF _Toc271148540 \h 204.4Powershell PAGEREF _Toc271148541 \h 224.4.1Run Scan PAGEREF _Toc271148542 \h 224.4.2Create Report PAGEREF _Toc271148543 \h 234.4.3Exporting and opening reports by using Get-MBCAResult PAGEREF _Toc271148544 \h 244.4.4Report Result Directory PAGEREF _Toc271148545 \h 245Troubleshooting PAGEREF _Toc271148546 \h 255.1Application directories PAGEREF _Toc271148547 \h 255.2Windows Server 2003 – NumberOfLogicalProcessors PAGEREF _Toc271148548 \h 255.3MBCA PAGEREF _Toc271148549 \h 265.4Where can I find the Instance name in result set of the analyzer report PAGEREF _Toc271148550 \h 265.5Memory limit of remote PowerShell process PAGEREF _Toc271148551 \h 265.6Remote connect PAGEREF _Toc271148552 \h 265.7Installation PAGEREF _Toc271148553 \h 295.7.1Powershell error PAGEREF _Toc271148554 \h 295.7.2Workgroup or Non-Domain computer PAGEREF _Toc271148555 \h 305.7.3Kerberos Failure PAGEREF _Toc271148556 \h 306Rules PAGEREF _Toc271148557 \h 326.1Engine PAGEREF _Toc271148558 \h 346.2ASRules PAGEREF _Toc271148559 \h 366.3RSRules PAGEREF _Toc271148560 \h 376.4ISRules PAGEREF _Toc271148561 \h 376.5SetupRules PAGEREF _Toc271148562 \h 386.6Replication PAGEREF _Toc271148563 \h 387How to Deal With Deviations PAGEREF _Toc271148564 \h 398Motivation to use SQL BPA R2 PAGEREF _Toc271148565 \h 409Additional Information PAGEREF _Toc271148566 \h 419.1Powershell PAGEREF _Toc271148567 \h 419.1.1Get-MBCAModel PAGEREF _Toc271148568 \h 419.1.2Invoke-MBCAModel PAGEREF _Toc271148569 \h 439.1.3Get-MBCAResult PAGEREF _Toc271148570 \h 489.1.4Set-MBCAResult PAGEREF _Toc271148571 \h 539.1.5MBCA Model Authoring PAGEREF _Toc271148572 \h 55Copyright InformationThe information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS rmation in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.? 2010 Microsoft Corporation. All rights reserved.Microsoft, and SQL Server are trademarks of the Microsoft group of companies.All other trademarks are property of their respective owners.IntroductionThe Microsoft SQL Server 2008 R2 Best Practices Analyzer (BPA) is a diagnostic tool that performs the following functions:Gathers information about a server and an instance of Microsoft SQL Server 2008 or 2008 R2 that is installed on that serverDetermines if the configurations are set according to the Microsoft recommended best practicesReports on all configurations, indicating settings that differ from recommendationsIndicates potential problems in the installed instance of SQL ServerRecommends solutions to potential problemsThis tool is used by IT Professionals and Database Administrators to help ensure that their installations of SQL Server and associated products / components are adhering to best practices as determined by the SQL Server Product Teams and CSS. This utility scans the installation of a local or remote machine gathering system data from WMI, log files, the Event Log, the Windows Registry, and SQL Server metadata and compares the results to predefined standards. It then produces a report that shows the results and points the user to additional information on the web to help them determine whether they should make changes to their systems.For every configuration, the SQL Server 2008 R2 BPA provides the following results:Compliance results are returned when an instance of SQL Server satisfies the conditions of a Best Practices rule. Non-compliance results are returned when an instance of SQL Server does not satisfy the conditions of a Best Practices rule.Impact of non-complianceRecommendationLinks to more detailed information and related topicsTo assist you and to make your DBA life easier Microsoft includes some of these Best Practices in a couple of products – depending on specific purpose of the Software. The following diagram illustrates the variety of tools available to check best practices for SQL Server 2008 and SQL Server 2008 R2 in parallel or in combination with BPA.The big picture – automated Best Practices of SQL Server checks offered in different flavours and products.So you will find a couple of policies in our monitoring solutionSQL Server 2008 R2 Best Practice Analyzerwithin more than 140 rules for database engine and other technologiesSystem Center Operations Manager (SCOM)within the SQL Management pack (current version 6.1.314.36, release date: 08/17/2010)with more than 300 rules and 50 additional monitorsPolicy Based Management in SQL Server 2005 and 2008with predefined policy collection (50+ policies).There is a whitepaper about PBM here.System Configuration Checker in the SQL Server 2008 setup wizardThe SQL Risk Assessment Toolset (Premier Organisation best practice flagship) offering more than 200 rules. This offering is meant for Premier customers running the SQL RAP against their most business critical SQL instances. Note: This tool set is only available for Microsoft Premier Customers.Architecture and data flow of the BPAThe SQL Server 2008 R2 Best Practices Analyzer is an additional “model” for the Microsoft Baseline Configuration Analyzer V2.0 (MBCA). A model is a set of component files that together comprise the configuration analysis and reporting output from MBCA.The MBCA is imbedded as a PowerShell cmdlet, and consists of two major components: the MBCA Engine and the MBCA UI.The MBCA Engine process itself consists of 2 main activities, evaluation and discovery. The MBCA Engine is fed by PowerShell discovery Scripts and XML Schema Files which are used during discovery. The discovery activity interrogates the SQL Server, Registry, WMI, Error- and Event-Logs etc. The output is saved in an XML File which is then used in the evaluation activity. Evaluation is performed using the Schematron file. This file, run by the MBCA engine, contains the logic for evaluating the best practices. The final step following the evaluation process is the report generation – which is shown in the MBCA UI. In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer. Microsoft Best Practice Analyzer UniverseMicrosoft offers many technologies and utilities to produce best practices recommendations.SQL Server BPA (older versions)Microsoft has also created BP Analyzers for your older SQL Server versions and for Windows:SQL Server 2005 Best Practices Analyzer (August 2008)SQL Server 2000 Best Practices Analyzer (April 2010) HYPERLINK "" Windows Server 2008 R2 Best Practice AnalyzerIn Windows management, best practices are guidelines that are considered the ideal way, under typical circumstances, to configure a server as defined by experts. For example, it is considered a best practice for most server technologies to keep open only those ports required for the technologies to communicate with other networked computers, and block unused ports. Although best practice violations, even crucial ones, are not necessarily problematic, they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.Best Practices Analyzer (BPA) is a server management tool that is available in Windows?Server??2008?R2. BPA can help administrators reduce best practice violations by scanning one or more roles that are installed on Windows Server?2008?R2, and reporting best practice violations to the administrator. Administrators can filter or exclude results from BPA reports that they do not have to see. Administrators can also perform BPA tasks by using either the Server Manager GUI, or Windows PowerShell cmdlets.BPA can also be used on remote servers that are running Windows Server?2008?R2, by using Server Manager targeted at a remote server. For more information about how to run Server Manager targeted at a remote server, see Remote Management with Server Manager.The following BPA modules are currently available:Best Practices Analyzer for Active Directory Certificate ServicesBest Practices Analyzer for Active Directory Domain ServicesBest Practices Analyzer for Active Directory Rights Management ServicesBest Practices Analyzer for Application ServerBest Practices Analyzer for Domain Name SystemBest Practices Analyzer for Dynamic Host Configuration ProtocolBest Practices Analyzer for File ServicesBest Practices Analyzer for Hyper-VBest Practices Analyzer for Internet Information ServicesBest Practices Analyzer for Network Policy and Access ServicesBest Practices Analyzer for Remote Desktop ServicesBest Practices Analyzer for Windows Server Update ServicesMore Information about Windows BPA look here.Fix-itCurrently there exists no link between the SQL Server Best Practice Analyzer and the Fixit webpage. Microsoft is working on a solution to combine fixit with specific Best Practice Analyzer. Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting programs that can automatically fix some common problems with your computer, such as problems with networking, hardware and devices, using the web, and program compatibility. ? Go to the Windows website to watch a video about using troubleshooters to fix common problems. (3:30)When you run a troubleshooter, it might ask you some questions or reset common settings as it works to fix the problem. If the troubleshooter fixed the problem, you can close the troubleshooter. If it couldn't fix the problem, you can view several options that will take you online to try and find an answer. In either case, you can always view a complete list of changes made. NotesIf you click the Advanced link on a troubleshooter and then clear the Apply repairs automatically check box, the troubleshooter displays a list of fixes to choose from, if any problems are found.Windows includes several troubleshooters, and more are available online when you select the Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service check box at the bottom of Troubleshooting. RequirementsSQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems:Windows Vista Windows 7 Windows Server 2003 Windows Server 2003 R2Windows Server 2008 Windows Server 2008 R2Supported editions of SQL ServerSQL Server 2008, all editions, except ExpressSQL Server 2008 R2, all editions, except ExpressSupported Components of SQL ServerAnalysis ServicesDatabase EngineIntegration ServicesReporting ServicesReplicationSetupThese components are designed as Submodels for the BPA. This means that they will be run concurrently where possible.Required Permissions for Running SQL Server 2008 R2 BPAAdministration PrivilegesTo run MBCA v2.0, a user must be a member of the administrators group on the machine being scanned, and on the machine the scan is initiated from. If a user is not an administrator on the machine that is being scanned, an appropriate error message displays.SQL ServerTo successfully access all of the database properties and SQL Server Configurations, a user must be the Systems Administrator (sysadmin) on the instance of SQL Server.Analysis ServicesThe user or the administrators group must be member of the server administrator role within an instance of Microsoft?SQL Server?Analysis Services have unrestricted access to all Analysis Services objects and data in that instance. Integration ServicesThe user or the administrators group must be members of the sysadmin or db_ssisadmin roles. Reporting ServicesThe user or the administrators group must be member of the System Administrator and Content Manager rolePrerequisites The following are required for using SQL Server 2008 R2 Best Practices Analyzer:PowerShell V2.0Windows PowerShell 2.0 requires the Microsoft .NET Framework 2.0 with Service Pack 1.Microsoft Baseline Configuration Analyzer V2.0SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2The following table outlines the prerequisite Microsoft utilities / components, by Operating System, necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA.OS1.Install WinRM2.Install PowerShell 2.03.Install MBCA 2.0Configure PowerShell7. Install SQL2008 or SQL 2008 R2 Management Tools4.Remoting5.Execution Level6. MaxShells PerUserWin VistaYYYYYYYWindows 7NNYYYYYWindows Server 2003YYYYYYYWindows Server 2003 R2YYYYYYYWindows Server 2008YYYYYYYWindows Server 2008 R2NNYYYYYInstallWe recommend installing BPA on a workstation or administration server and performing the scan operation remotely against servers in your SQL Server infrastructure. It is also possible to install this tool on the production SQL Server locally.Installation process:Install/Configure PowerShell and WinRMMicrosoft Baseline Configuration Analyzer V2.0Microsoft? SQL Server? 2008 R2 Best Practices AnalyzerIt exists two ways to install the Best Practices Analyzer:With a graphical user interface (setup wizard) orCommand lineInstalling PowerShell 2.0 and WinRMBPA install configures WinRM, and PowerShell options by default. Most of this section is only needed if something goes wrong and you need to configure this stuff by hand.Windows Server 2003 R2 WinRM is not installed by default, but it is available as the Hardware Management feature through the Add/Remove System Components feature in the Control Panel under Management and Monitoring Tools. Complete installation and information about configuring WinRM using the WINRM command-line tool is available online in the Hardware Management Introduction, which describes the WinRM and the IPMI features in Windows Server?2003 R2.On Windows Vista, Windows Server 2003 and Windows Server 2008This is installed as part of Windows Management Framework Core. The WinRM service starts automatically on Windows Server?2008. On Windows?Vista, the service must be started manually.On Windows Server 2008 R2 and Windows 7This is installed as part of the OS.Note: Check for additional information and configuration guidelines for WinRM and for PowerShell 2.0 .SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers. Therefore, in both the local and remote cases, it required that your PowerShell settings be modified. These are done by the BPA installation.PowerShell Execution PolicyThe PowerShell Execution Policy is set to Restricted by default. To run SQL Server 2008 R2 BPA through the PowerShell command Line, set the policy to RemoteSigned using the below command:Set-ExecutionPolicy RemoteSigned -f You can use the command Set-ExecutionPolicy Restricted –f to set the execution policy back to restricted. This command is not required when executing the scan through the MBCA GUI.After the installation you must enable the PowerShell remote scripting if you are want to use the BPA remote to another workgroup machine or a computer that have Kerberos enabled. You need to run this command only once on each computer that will receive commands. You do not need to run it on computers that only send commands. Because the configuration activates listeners, it is prudent to run it only where it is needed. You can do this with the following command line:powershell.exe -NoLogo -NoProfile -Noninteractive -Command "Enable-PSRemoting -force"Enable-PSRemoting performs configuration actions to enable this machine for remote management.Includes:Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks: Starts the WinRM service Sets the startup type on the WinRM service to Automatic Creates a listener to accept requests on any IP address Enables a firewall exception for WS-Management communications Enables all registered Windows PowerShell session configurations to receive instructions from a remote computer Registers the "Microsoft.PowerShell" session configuration, if it is not already registered Registers the "Microsoft.PowerShell32" session configuration on 64-bit computers, if it is not already registered Removes the "Deny Everyone" setting from the security descriptor for all the registered session configurations Restarts the WinRM service to make the preceding changes effectiveConfigures MaxShellsPerUser using "winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}" Specifies the maximum number of concurrent shells that any user can remotely open on the same computer. If this policy setting is enabled, the user will not be able to open new remote shells if the count exceeds the specified limit. If this policy setting is disabled or is not configured, the limit will be set to 5 remote shells per user by default and you receive the following error message:[localhost] Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user. For more information, see the about_Remote_Troubleshooting Help topic. ??? + CategoryInfo????????? : OpenError: (System.Manageme….RemoteRunspa ?? ce:RemoteRunspace) [], PSRemotingTransportException ??? + FullyQualifiedErrorId : PSSessionOpenFailedFor more information about PowerShell remoting, please see MSDN.Install MBCADownload the edition of MBCA depending on your platform (x86 or x64) before installation.Please find below the screenshots demonstrating the visual flow of the MBCA Installation: Welcome screenLicense termsFolder selectionCompletion screen Install BPADownload the correct edition depending on your platform (x86 or x64) before installing. If you have trouble with the installation please section REF _Ref270701229 \r \h 5.7 Troubleshooting REF _Ref270701217 \h InstallationCommand lineFollowing is an optimized command line setup example:msiexec /i SQL2008R2BPA_Setup64.msi /l * /log c:\temp\sqlbpa_install.log /qnmsiexec parameters:/i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi depending on your platform)/l = log granularity “*” - Log all information, except for v and x options/log = log file/q = display settings (qn – no user interface)SKIPCA=1 (if no domain controller is available; Skip Certification Authority)For information on additional public properties: Consult the Windows? Installer SDK for documentation on the command line syntax.GUIPlease find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA Installation:Welcome screenLicense termsSystem Configuration Changes (see REF _Ref267428059 \r \h 3.1 REF _Ref267428059 \h Installing PowerShell 2.0 and WinRM)Ready to install decisionInstall progressCompletion screenPort and Firewall restrictionsFor scanning SQL Server or BI instances on an alternate server behind a firewall you must open all necessary ports.UpdatesMicrosoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the Download site from Microsoft regularly to find new updates.UninstallBPAMBCAReset PowerShell settingsAfter the uninstall of the BPA you may disable the PowerShell remote scripting. You can do this with the following command line:powershell.exe -NoLogo -NoProfile -Noninteractive -Command "Disable-PSRemoting -force"Disable-PSRemoting performs configuration actions to enable this machine for remote management.UsageThere are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:Scanning through the local machine.In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.This scan can be of the local or an alternate server.Scanning through a remote machine.In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.This scan is using the local machine to form the connection to the remote machine and is actually performing the scan through the remote machine.Help fileThe help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA, and is located at Start->All programs->SQL Server 2008 R2 BPA.GUIEnsure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.Run the MBCA application from the start menu, with elevated user rights.On the MBCA home page, ensure the "SQL Server 2008 R2 BPA” product is selected:Click "Start Scan", which displays a page to specify parameters as shown below:Fill in Alternate_Server_to_Scan with the remote machine you want to scan. ComputerName IP address: n.n.n.nFQDN (Fully Qualified Domain Name)Enter “.”, localhost, or leave this blank if you want to scan the local machine.Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this as blank. Toggle the checkboxes to enable/disable scans for those rule categories.Each of the following six check boxes correspond to the SQL Server categories listed previously. Select at least one category in order to run a successful scan. Analyze_SQL_Analysis_ServicesAnalyze_SQL_Server_EngineAnalyze_SQL_Integration_ServicesAnalyze_SQL_Server_ReplicationAnalyze_SQL_Reporting_ServicesAnalyze_SQL_Server_SetupNote: Only one SQL Server instance can be scanned at a time through the MBCA GUI.Click "Start Scan". MBCA will start the configured scan and display the below page while in progress:When the scan is complete, results will be displayed grouped by Severity as shown below:Connect to a remote computerA scan connected to a remote computer is different than scanning an alternate server.“Connect to a Remote Computer” is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server, from the console of the client. The client needs to have MBCA installed, but does not need BPA as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.To use this functionality you first start MBCA on the client computer and select “Connect to Another Computer.”In the “Connect to Another Computer” text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text puterName ComputerName:PortNumber IP address: n.n.n.nIPv6 address: [n:n:n:n:n:n:n:n]IPv4 address with port number: n.n.n.n:PortNumberIPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumberNote: If an administrator has changed the computer’s default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session, type winrm help, and then press Enter.Additionally you must supply credentialsCredSSPWindows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user’s credentials from the client computer to the target server. CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share. Note:?WinRM clients and servers will support CredSSP authentication only with explicit credentials. Windows?XP, Windows Server?2003, and earlier:?CredSSP is not supported.First, you must set CredSSP on both the client and the server.Using the Group Policy Editor (gpedit.msc) make sure to enable “Allow Delegating Fresh Credentials” and check “Concatenate OS defaults with input above.”Add the server or domain to the list of servers in the format “WSMAN/*.”Next, enable and configure PowerShell Remoting on both the Client and Server by running the following commands in a PowerShell?command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously so that?you can scan from either computer.Enable PowerShell RemotingEnable-psremoting –fSettings for a clientEnable-WSManCredSSP –role Client –DelegateComputer [NetBiosNameOfServer] orEnable-WSManCredSSP –role Client –DelegateComputer [FQDN OF SERVER]Settings for the serverEnable-WSManCredSSP –role Serverset-item WSMan:\localhost\Shell\MaxMemoryPerShellMB –Value 20000set-item WSMan:\localhost\Shell\MaxShellsPerUser –value 20PowerShellDetails see REF _Ref266979392 \r \h 8.1 REF _Ref266979396 \h PowerShellTo use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module first:Import-module BaselineConfigurationAnalyzerYou can list the commands of this module with the following syntax$x=Get-Module BaselineConfigurationAnalyzer$x.ExportedCommandsRun ScanTo run a full scan of the BPA on the alternate server on a named instance you can use the following command line:Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan {servername} -SQL_Server_Instance_Name {instancename} -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_ServicesThe result looks like this part:ModelId : SQL2008R2BPASubModelId :Success : TrueScanTime : ...Success = True is important. This is the indicator that your scan was successful. Parameter description:-Alternate_Server_to_scan {servername} -SQL_Server_Instance_Name {instancename} -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_ServicesThe parameter list is equal the parameter screen in the GUI.The scans of the different services are optional. You can remove technologies which you do not need to scan.The next example starts the scan only for the Analysis Services on the alternate server “servername” and for the named instance “instance”. A log file will be written to “c:\temp\ssas.txt”:Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName {servername} -SqlServerInstance {instance} -SSASLogFile c:\temp\ssas.txtInvoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName {computername} -SqlServerInstance {servername} -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt –RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()Create Reportmodel = get-MbcaModel –ModelId sql2008r2bpa$scanResult = get-MbcaResult –ModelId sql2008r2bpa$collectedConfig = get-MbcaResult –ModelId sql2008r2bpa –CollectedConfiguration$model, $scanResult, $collectedConfig | export-CliXml c:\temp\as.xmlGet-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.htmlThe next command retrieves the results of the most recent BPA scan for the specified model, and saves them in HTML format, applying the standard cascading style sheets that are stored in the path windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.Get-MBCAResult -ModelId SQL2008R2BPA | ?{$_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>” -Title "SQL Server 2008 Best Practice Analyzer" -body ("<p>Report creation date: " + (Get-Date).ToString("dd.MM.yyyy hh:mm:ss") + "</p>").toString() -pre "<P>Generated by user: $env:username on computer: $env:computername</P>" -post "For details, contact Microsoft Premier."-CssUri $env: BestPracticesReportFormat.css > c:\temp\sql2008r2bpa.htmExporting and opening reports by using Get-MBCAResultYou can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult, or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.Example of exporting to XML$results = Get-MBCAResult <Model Id>$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration$results, $collectedconfig | Export-CliXml c:\export.xmlExample of opening archived XML report file$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xmlReport Result DirectoryThe reporting result path%AppData%\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPAResultsWill be overwritten during each run of the tool or invoke command.Solution: save older results before you start the checkcopy-item -path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() –recurseAfterwards you can create a report with the following command:$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -exclude Reports | Sort-Object name -descending)[0]Get-MBCAResult -ModelId SQL2008R2BPA –RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\” + $prevrepPath.name).ToString() | ConvertTo-Html -As Table -property ResultNumber,SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>” -Title "SQL Server 2008 Best Practice Analyzer" -body ("<p>Report creation date: " + (Get-Date).ToString("dd.MM.yyyy hh:mm:ss") + "</p>").toString() -pre "<P>Generated by user: $env:username on computer: $env:computername</P>" -post "For details, contact Microsoft Premier > c:\temp\sql2008r2bpa.htmTroubleshootingApplication directoriesTo following directories are used by MBCA:Report output directory%localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPAResultsModel configuration path%Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPATemp and log files directory%temp%\SQL2008R2BPA\SQL2008\<date>_<time>Registry[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]Log Files During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:Pre-requisite validationTimestamp finished rule's start and end timesRun-time scripting errors and exceptions from Power Shell TrapsLog Files LocationFor every scan, log files are created in user’s Local Temp directory (%Temp%) and follows the folder structure: /SQL2008R2BPA/< Instance Name >/< datestamp_timestamp >/< Log files >. Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated in the local system.Log Files StructureA common log file gets generated and contains information about each category's execution. Apart from this, each category has its own log file which details the rule execution. The names of the log files are given below: Common File - ModelLog.txtEngine Rules - EngineLog.txtReplication Rules - ReplicationLog.txtSetup Rules - SetupLog.txtAnalysis Services Rules - AnalysisServicesLog.txtReporting Services Rules - ReportingServicesLog.txtIntegration Services Rules - IntegrationServicesLog.txtWindows Server 2003 – NumberOfLogicalProcessorsAnalysis Services RID2803 and RID2804 – NumberOfLogicalProcessors property is unavailable in Win32_Processor for with Windows Server 2003Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix: . Both of the rules below will function properly if you apply this hotfix. For more information look here.MBCAThis message indicates that on prerequisite is not installed.Please install the version 2 of the MBCA.Where can I find the Instance name in result set of the analyzer report?The instance name is in the collected data option of the analyzer report in the BPA GUI.Memory limit of remote PowerShell processBy default remote PowerShell process can consume only 150 MB or less memory. This default limit is significantly small and once this limit is reached there could be a WinRM exception causing and remote connection immediately terminates. Any application or Cmdlet which is involved in PowerShell remoting should be tested for this memory limit, this may cause some of the command to fail, for example site collection creation.Solution: Increase the memory limit for the remote shell. Use the following command to increase this limitation to 1000MB. This is only necessary if you need to run those commands on that server.Set-Item WSMan:localhostShellMaxMemoryPerShellMB 1000Remote connectIf you try to “Connect to another computer” from MBCA and you receive the following message:You should check first if the Hotfix KB968930 is installed.Afterwards validate that the “Windows Remote Management” service is started:Enable-PSRemotingIf CredSSP is unsupported or unavailable you will see the following message:If you have no permission to access the remote server you get the error message:InstallationPowerShell errorAfter getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.In all of the cases of an install failure, you will see the following error:There is a problem with this Windows Installer package.? A program run as part of the setup did not finish as expected.? Contact your support personnel or package vendor.In your Application Event Log, for both of these scenarios, you will also see the following entry:Log Name:????? Application Source:??????? MsiInstaller Date:????????? 6/10/2010 8:38:18 AM Event ID:????? 11722 Task Category: None Level:???????? Error Keywords:????? Classic User:????????? <Username> Computer:????? <Machine name> Description: Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.? Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting –forceThis is an indicator that PowerShell is not configured. You must run the following command:powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting –forceWorkgroup or Non-Domain computerIn this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is “Access Denied”.To work around this issue you can do the following:Open a command prompt with Administrative Privileges Change to the directory where the .msi file resides Type msiexec /i <MSI Name> SKIPCA=1 MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi depending on your platform Once BPA is installed, open a PowerShell prompt with Administrative Privileges Execute the following commands Enable-PSRemoting winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`} This should allow BPA to be successfully installed in the workgroup scenario.Kerberos FailureThis scenario is that you are failing with the above due to a Kerberos issue. This particular issue could actually show up after you have installed BPA depending on how you have configured your environment.The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name. For example, if you are running an IIS Web Application such as SharePoint, or if you are using Reporting Services and the service account is set to a Domain User account instead of Network Service or Local System. If your URL of your application matches the machine name, then your HTTP SPN will be the same. That’s where this problem comes in. WinRM will stop working at that point and give you a message similar to the following.Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred. Possible causes are: ? -The user name or password specified are invalid. ? -Kerberos is used when no authentication method and no user name are specified. ? -Kerberos accepts domain user names, but not local user names. ? -The Service Principal Name (SPN) for the remote computer name and port does not exist. ? -The client and remote computers are in different domains and there is no trust between the two domains. After checking for the above issues, try the following: ? -Check the Event Viewer for events related to authentication. ? -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated. ?? -For more information about WinRM configuration, run the following command: winrm help config. At line:50 char:33 +???????????? Set-WSManQuickConfig <<<<? -force ??? + CategoryInfo????????? : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException ??? + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommandYou can get this type of error from WinRM for muliple reasons.? The one that we saw in our testing was the HTTP SPN scenario.If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.Once BPA is setup, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc…One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application’s end, would be to run the application under a Host Header and then your HTTP SPN would not include the machine name, allowing BPA to run without issue.RulesSearching for “SQL Server 20087 R2 BPA” at reveals:Here is an example of one of these articles that talks about a rule to check for a recent “clean” CHECKDB:BPA works by measuring a role’s compliance with best practice rules in eight different categories of a role’s effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.Severity level Description NoncompliantNoncompliant results are returned when a role does not satisfy the conditions of a pliantCompliant results are returned when a role satisfies the conditions of a rule.WarningWarning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.BPA rule categoriesThe following table describes the categories of best practice rules against which roles are measured during a BPA scan.Category Name Description SecuritySecurity rules are applied to measure a role’s relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.PerformancePerformance rules are applied to measure a role’s ability to process requests and perform its prescribed duties in the enterprise, within expected periods of time given the role’s workload.ConfigurationConfiguration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.PolicyPolicy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.OperationOperation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.PredeploymentPredeployment rules are applied before an installed role is deployed in the enterprise, to let administrators to evaluate whether best practices were satisfied before you use the role in production.PostdeploymentPostdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.BPA PrerequisitesBPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.Engine RulesPlease find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules are checking that you have a secure, resilient and well performing SQL configuration. Authentication Mode ()Lightweight Pooling is enabled ()Locks Configuration Not Dynamic ()non-default network packet size in use ()degree of parallelism not set to recommended value ()Use Database Mail instead of SQL Mail ()SQL Server Agent Proxy Account ()SQL Login Password Policy Strength and password expiry ()Trustworthy Bit ()Symmetric Keys Check ()Asymmetric Keys Check ()SQL Server installed on PDC BDC ()SQL Server Admin role membership check ()Windows API calls intercepted ()unsupported DotNET framework assemblies present ()Disk partition starting offset may be incorrect ()non-default max worker threads value configured ()Guest Permissions ()Data and Log files on the same volume ()IO timeouts and IO controller errors detected ()IO device errors detected ()IO errors during page faults detected ()cluster disk corruption encountered ()disk defragmentation encountered corruption ()failed IO requests detected ()IO requests are successful when retried ()IO Delay Problems reported by SQL Server ()This system experienced unexpected shutdowns ()tempdb corruption errors fix missing ()Critical SQL database inconsistency errors found ()Logical consistency errors detected ()Database have auto shrink option enabled ()SQL Server Error logs are very big ()incorrect affinity mask settings detected low blocked process threshold setting detected security issue with legacy DTS stored procedures LSP loaded into SQL using simple recovery model database collation different from model files and backups exist on the same volume have auto close option enabled SAS drivers needs update tempdb database not configured optimally Database file has sparse attribute set startup parameters settings not configured optimally incorrect results fix missing System needs tuning for better FileStream performance server memory leak fix missing service pack is not at recommended level extended event health session not in expected state Launcher service is not configured properly SQL Server Agent service account required Windows fix to avoid sparse file related problems is missing Portion of SQL Server Memory Has Been Paged Out Exception or Hang Detected on Server exist without CHECKSUM protection outdated for databases consistency check not current Server Memory settings are incorrect Failed or took a long time driver fix from KBA 940467 missing driver fix from KBA 950903 missing needs additional memory configuration System files and drivers needs update for working set trimming Token Replacement Log in failures with high number of VLF present Data Encryption Certificate on the Binn folder Statistics Are OutdatedServer public permissions use of older versions of SQLNCLI RulesPlease find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.Flight Recorder Enabled for SQL Server Analysis Services Excessive amount of memory preallocated to Analysis Services not configured for optimal concurrent query throughput standard value detected for Analysis Services memory configuration Process Thread Pool Max limit above recommended limit Process Thread Pool Minimum is below the recommended limit is running a build with a known regression not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage ay occur is ignoring duplicate key errors default member defined for non-aggregatable attribute set to hidden key column for high cardinality attribute hiearchy enabled for high cardinality non-key attribute storage or OnlineMode set to immediate for dimension with custom rollup definition detected or Time attribute types defined in a non-matching dimension type Account or Time dimension has no matching attribute defined has no attribute defined with the same type Dimension type mismatch dimension attribute types detected in dimension incorrect order of levels defined in hierarchy attribute relationships as Rigid where possible attribute relationships detected relationship detected Attribute Relationship name detected Caching set for dimension without a processing query Time dimension detected than 3 parent-child dimensions with custom rollups defined a parent-child dimension with more than 500000 members attribute dimensions detected groups with zero dimensional overlap detected in cube Caching set for a partition without a processing query Default measure for perspective not in the perspective MOLAP storage for dimensions that participate in semi-additive measure groups group defined with no partition RulesRSWindowsNegotiate is missing from your configuration Logging is not enabled logging is enabled authentication may fail for local extended protection settings RulesLogging task missing for package Script task detected in package Integration Services service account detected Services logging table found in system database master and or msdb Services memory dump detected RulesUnsupported Operating System Version Detected not supported for SQL Failover Clustering cache is missing for the SQL Installation Server WMI Provider Health CheckReplication RulesReplication Timeout Alerts Type Pub and Sub out of sync (Data Validation) Pub and Sub out of sync (Constraint Violations) Pub and Sub out of sync (Skipped Transactions) Replication Health Check Approaching Expiration Cleanup and Retention Health Check Latency Threshold violations to Deal With DeviationsDeviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:SAP has its special Network Packet Size of 8 KBExisting Non-Microsoft Clients – would require Mixed Mode AuthenticationMotivation to use SQL BPA R2Bob Ward explained in his Article “Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates...” the common pitfalls during maintenance and operation of SQL Server and how address them by using the SQL BPA.In brief it’s a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the problem still occurs. Bobs article states the common resulting consequences – the involvement of Microsoft Support, and the final solution – adding a needed traceflag. The good news in this story is that the customer would not have needed to go to all that effort, if they would have run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.Additional InformationPowerShellTo use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this module first:Import-module BaselineConfigurationAnalyzerYou can list the commands of this module with the following syntax$x=Get-Module BaselineConfigurationAnalyzer$x.ExportedCommandsThe following commands are stored in this module:Get-MbcaModelGet-MbcaResult Invoke-MbcaModelSet-MbcaResultYou get help of this command with the following syntax:Get-help <command> -fullGet-MBCAModel SYNOPSISThe Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA), and that are installed on a computer.SYNTAXGet-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]DESCRIPTIONThe Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, "Run as Administrator."The results of the Get-MBCAModel cmdlet include the following details about models:Branding information (manufacturer or company, display names, version number), that is found in the model manifestDynamic parameters that are included with the modelSubmodels that are included with the modelPARAMETERS-ModelId <string[]>The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters, and targeted at a computer on which MBCA models are installed.This parameter supports wild card characters.Required?falsePosition?2Default value Accept pipeline input?true (By Value, By Property Name)Accept wildcard characters?FalseThis must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.-SubModelId <string>The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters, and targeted at a computer on which MBCA models are installed. Not all models have submodels.The -ModelId parameter is required with the -SubModelId parameter.Required?falsePosition?3Default value Accept pipeline input?falseAccept wildcard characters?false<CommonParameters>This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type, "get-help about_commonparameters".ExamplesGet-MBCAModelIn the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.Get-MBCAModel -ModelId SQL2008R2BPAThe preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by "Model Id."$model= Get-MBCAModel -ModelId SQL2008R2BPA$model.ParametersIn the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by "Model Id." The results of the cmdlet are stored in the variable $model.In the next line of the example, the "Parameters" property of the model details that were stored in the $model object returns details about which parameters are supported by the model.Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by "SubModel Id". Note that the -ModelId parameter is required by the -SubModelId parameter.$model= Get-MBCAModel -ModelId SQL2008R2BPA$model.SubModelsIn the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by "Model Id." The results of the cmdlet are stored in the variable $model.In the next line of the example, the "SubModels" property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.Invoke-MBCAModel SYNOPSISThe Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.SYNTAXInvoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]DESCRIPTIONThe Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAMode cmdlet.After the MBCA scan has been performed, the results of the scan are available to be retrieved by Get-MBCAResult cmdlet.You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, "Run as Administrator."PARAMETERS-Authentication <AuthenticationMechanism>Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.For more information about the -Authentication parameter, type the following, and then press Enter.Get-Help Invoke-Command -Parameter AuthenticationRequired?falsePosition?namedDefault valueDefaultAccept pipeline input?falseAccept wildcard characters?false-CertificateThumbprint <string>Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.For more information about this parameter, type the following, and then press Enter:Get-Help Invoke-Command -Parameter Certificate ThumbprintRequired?falsePosition?namedDefault valueAccept pipeline input?falseAccept wildcard characters?false-ComputerName <string[]>The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NETBOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name, or "localhost".All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.Required?falsePosition?namedDefault valueAccept pipeline input?falseAccept wildcard characters?false-ConfigurationName <string>Specifies the session configuration that is used for a new PSSession.Enter a configuration name, or the fully-qualified resource URI for a session configuration. Session configuration data is found on the remote computer on which you want to run a cmdlet.For more information about this parameter, type the following, and then press Enter.Get-Help Invoke-Command -Parameter ConfigurationNameRequired?falsePosition?namedDefault valueAccept pipeline input?falseAccept wildcard characters?false-Context <string>The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the "Backend" submodel of the "SQL" model, but only those in the context of a third model, a technology that relies upon SQL Server.The -SubModelId parameter is required by the -Context parameter.A model ID is the valid value of the -Context parameter.Required?falsePosition?namedDefault valueAccept pipeline input?falseAccept wildcard characters?false-Credential <string>Specifies a user account that has permission to run this cmdlet. The default value is the current user.For more information about this parameter, type the following, and then press Enter.Get-Help Invoke-Command -Parameter CredentialRequired?falsePosition?namedDefault valueAccept pipeline input?falseAccept wildcard characters?false-Mode <ModeEnum>The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.Valid values are Discovery, Analysis, and All.Required?falsePosition?namedDefault valueAllAccept pipeline input?falseAccept wildcard characters?false-ModelId <string>The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.Required?truePosition?2Default valueAccept pipeline input?true (By Value, By Property Name)Accept wildcard characters?FalseThis must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.-Port <int>Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.For more information on this parameter, type the following, and then press Enter.Get-Help Invoke-Command -Parameter PortRequired?falsePosition?namedDefault value80Accept pipeline input?falseAccept wildcard characters?false-RepositoryPath <string>The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.Required?falsePosition?namedDefault valueAccept pipeline input?falseAccept wildcard characters?false-SubModelId <string>The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.The -ModelId parameter is required with the -SubModelId parameter.Required?truePosition?namedDefault valueAccept pipeline input?falseAccept wildcard characters?false-ThrottleLimit <int>Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter, or enter a value of 0, the default value of 32 is used.For more information about this parameter, type the following, and then press Enter:Get-Help Invoke-Command -Parameter ThrottleLimitRequired?falsePosition?namedDefault value32Accept pipeline input?falseAccept wildcard characters?false-UseSSL [<SwitchParameter>]Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.For more information about this parameter, type the following, and then press Enter:Get-Help Invoke-Command -Parameter UseSSLRequired?falsePosition?namedDefault valueAccept pipeline input?falseAccept wildcard characters?false<CommonParameters>This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type, "get-help about_commonparameters".OUTPUTSSystem.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.NOTESIf the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed, if the command is cancelled before existing scan results files are overwritten.If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."-------------------------- EXAMPLE 1 --------------------------Invoke-MBCAModel -ModelId SQL2008R2BPADescriptionThe preceding example starts a MBCA scan on the model that is represented by <Model Id>.-------------------------- EXAMPLE 2 --------------------------Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.DescriptionThe preceding example starts an MBCA scan on the model ID that is specified by "Model Id.The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.-------------------------- EXAMPLE 3 --------------------------Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode DiscoveryDescriptionThe preceding example starts an MBCA scan on the model that is represented by "Model Id." The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.-------------------------- EXAMPLE 4 --------------------------Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>DescriptionThe preceding example starts an MBCA scan on the model that is represented by "Model Id." The -Mode parameter value of "Analysis" indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -Repository Path parameter.-------------------------- EXAMPLE 5 --------------------------Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Respository Path> -AsJob -Authentication <AuthenticatonMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>DescriptionThe preceding example starts an MBCA scan on the submodel that is represented by "SubModel Id," and on the computer that is represented by "Server."Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameterBecause the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet, to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.Get-MBCAResultSYNOPSISThe Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.SYNTAXGet-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]DESCRIPTIONThe Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, "Run as Administrator."PARAMETERS-CollectedConfiguration [<SwitchParameter>]The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResults, the cmdlet returns only the configuration data that was collected for a scan.Required?falsePosition?3Default valueAccept pipeline input?falseAccept wildcard characters?false-ComputerName <string[]>The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name, or "localhost." Multiple values for -ComputerName can be separated by commas.The -SubModelId parameter is required by the -ComputerName parameter.Valid values for the -ComputerName parameter include "localhost," a NET BIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers, in a comma-separated list.Required?falsePosition?namedDefault valueAccept pipeline input?falseAccept wildcard characters?false-Context <string>The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the "Backend" submodel of the "SQL" model, but only those in the context of a third model, a technology that relies upon SQL Server.The -SubModelId parameter is required by the -Context parameter.A model ID is the valid value of the -Context parameter.Required?falsePosition?namedDefault valueAccept pipeline input?falseAccept wildcard characters?false-Filter <FilterEnum>The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.Required?falsePosition?namedDefault valueAccept pipeline input?falseAccept wildcard characters?false-ModelId <string>The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.Required?truePosition?2Default valueAccept pipeline input?true (By Value, By Property Name)Accept wildcard characters?FalseThis must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.-RepositoryPath <string>The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.Required?falsePosition?namedDefault valueAccept pipeline input?falseAccept wildcard characters?false-SubModelId <string>The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.The -ModelId parameter is required with the -SubModelId parameter.Required?truePosition?namedDefault valueAccept pipeline input?falseAccept wildcard characters?false<CommonParameters>This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type, "get-help about_commonparameters".OUTPUTSSystem.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)If you do not use the -CollectedConfiguration parameter, /verbose output can be any of the following:Initializing MBCA engine for getting MBCA ResultsAttempting to get MBCA results for Model Id = {0}Completed getting MBCA results for Model Id = {0}, Number of Results = {1}If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, /verbose output can be any of the following:Initializing MBCA engine for getting MBCA Configuration DataAttempting to get MBCA collected configuration data for Model Id = {0}Completed getting MBCA collected configuration data for Model Id = {0}NOTESThe Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.Cancellation behaviourSingle Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.Multiple Models, or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed. -------------------------- EXAMPLE 1 --------------------------Get-MBCAResult -Id SQL2008R2BPADescriptionThe preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by "Model Id."-------------------------- EXAMPLE 2 --------------------------Get-MBCAModel | Get-MBCAResultIn the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.-------------------------- EXAMPLE 3 --------------------------$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration$result.DiscoveryDocumentDescriptionIn the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by "Model Id" is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument-------------------------- EXAMPLE 4 --------------------------Get-MBCAResult SQL2008R2BPA -Filter NoncompliantDescriptionThe preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by "Model Id," and then applies a filter to show only Noncompliant results.------------------------- EXAMPLE 5 --------------------------Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>DescriptionThe preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by "SubModelId." Note that the parent model ID must be specified to use the -SubModelId parameter.------------------------- EXAMPLE 6 --------------------------Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>DescriptionThe preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by "SubModelId." The parent model ID is provided, as required by the -SubModelID parameter.The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by "Context Model Id;" for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as "Server," and only those results found in the non-default results repository that is represented by "Repository Path".Set-MBCAResult SYNOPSISThe Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see.SYNTAXSet-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]DESCRIPTIONThe Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see.The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, "Run as Administrator."PARAMETERS-Exclude <Boolean>Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:-Exclude $trueTo include results that have been excluded, use the $false value for the -Exclude parameter.Required?falsePosition?2Default valueAccept pipeline input?falseAccept wildcard characters?false-RepostitoryPath <string>The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.Required?falsePosition?4Default valueAccept pipeline input?falseAccept wildcard characters?false-Results <Result>>Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $all Performance to a Set-MBCAResult cmdlet.For a more detailed example, see the Examples section of the Help for this cmdlet.Required?truePosition?3Default valueAccept pipeline input?true (ByValue)Accept wildcard characters?false<CommonParameters>This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type, “get-help about_commonparameters".NOTESIf the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.-------------------------- EXAMPLE 1 --------------------------Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $trueDescriptionThe first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by "Model Id."The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to "Performance."The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.-------------------------- EXAMPLE 2 --------------------------$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath "C:\ReposPath | Where { $_.Category -eq "Policy" }Set-MBCAResult -Exclude $true -RepositoryPath "C:\ReposPath" -Results $rcPolicyDescriptionThe first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by "Specified Model Id." from the specified non-default repository pathThe second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line, because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.MBCA Model AuthoringFurther information about configuration and usage of MBCA models you can in the MBCA_ModelAuthoringGuide.docxDid this paper help you? Please give us your feedback. Tell us on a scale of 1 (poor) to 5 (excellent), how would you rate this paper and why have you given it this rating? For example:Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason? Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?This feedback will help us improve the quality of white papers we release. Send feedback. ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download