SQL Server 2008 (R2) Best Practice Analyzer SQL Server Technical Article
Writers: Sylvio Hellmann, Günter Gross, Dana Burnell Technical Reviewers: Oliver Hahn
Published: September 2010 Applies to: SQL Server 2008 (R2), SQL Server 2008 (R2) Analysis Services, SQL Server 2008 (R2) Reporting Services, and SQL Server 2008 (R2) Integration Services Summary: The Microsoft SQL Server Best Practices Analyzer is a well know tool in the DBA community to validate if SQL Server installations are adhering with Microsoft recommended best practices. In the new R2 version the SQL BPA introduces advanced capabilities in conjunction with the PowerShell architecture and also raises the bar for prerequisites and cross dependencies. While introducing the new tool to our premier customers in the Banking, Insurance and Productivity field we received strong positive feedback along with some interesting questions that we will discuss further in this paper. Understanding PowerShell, Policy based Management and SQL BPA will empower you to unleash the full potential of the SQL Server 2008 R2 Best Practices Analyzer (BPA).
Page 1 Table of Contents
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2010 Microsoft Corporation. All rights reserved. Microsoft, and SQL Server are trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.
Page 2 1 INTRODUCTION The Microsoft SQL Server 2008 R2 Best Practices Analyzer (BPA) is a diagnostic tool that performs the following functions: Gathers information about a server and an instance of Microsoft SQL Server 2008 or 2008 R2 that is installed on that server Determines if the configurations are set according to the Microsoft recommended best practices Reports on all configurations, indicating settings that differ from recommendations Indicates potential problems in the installed instance of SQL Server Recommends solutions to potential problems This tool is used by IT Professionals and Database Administrators to help ensure that their installations of SQL Server and associated products / components are adhering to best practices as determined by the SQL Server Product Teams and CSS. This utility scans the installation of a local or remote machine gathering system data from WMI, log files, the Event Log, the Windows Registry, and SQL Server metadata and compares the results to predefined standards. It then produces a report that shows the results and points the user to additional information on the web to help them determine whether they should make changes to their systems. For every configuration, the SQL Server 2008 R2 BPA provides the following results: Compliance results are returned when an instance of SQL Server satisfies the conditions of a Best Practices rule. Non-compliance results are returned when an instance of SQL Server does not satisfy the conditions of a Best Practices rule. Impact of non-compliance Recommendation Links to more detailed information and related topics To assist you and to make your DBA life easier Microsoft includes some of these Best Practices in a couple of products – depending on specific purpose of the Software. The following diagram illustrates the variety of tools available to check best practices for SQL Server 2008 and SQL Server 2008 R2 in parallel or in combination with BPA.
Page 3 The big picture – automated Best Practices of SQL Server checks offered in different flavours and products.
So you will find a couple of policies in our monitoring solution SQL Server 2008 R2 Best Practice Analyzer within more than 140 rules for database engine and other technologies System Center Operations Manager (SCOM) within the SQL Management pack (current version 6.1.314.36, release date: 08/17/2010) with more than 300 rules and 50 additional monitors Policy Based Management in SQL Server 2005 and 2008 with predefined policy collection (50+ policies). There is a whitepaper about PBM here. System Configuration Checker in the SQL Server 2008 setup wizard The SQL Risk Assessment Toolset (Premier Organisation best practice flagship) offering more than 200 rules. This offering is meant for Premier customers running the SQL RAP against their most business critical SQL instances. Note: This tool set is only available for Microsoft Premier Customers.
1.1 Architecture and data flow of the BPA The SQL Server 2008 R2 Best Practices Analyzer is an additional “model” for the Microsoft Baseline Configuration Analyzer V2.0 (MBCA). A model is a set of component files that together comprise the configuration analysis and reporting output from MBCA. The MBCA is imbedded as a PowerShell cmdlet, and consists of two major components: the MBCA Engine and the MBCA UI. The MBCA Engine process itself consists of 2 main activities, evaluation and discovery. The MBCA Engine is fed by PowerShell discovery Scripts and XML Schema Files which are used during discovery. The discovery activity interrogates the SQL Server, Registry, WMI, Error- and Event-Logs etc. The output is saved in an XML File which is then used in the evaluation activity. Evaluation is performed using the Schematron file. This file, run by the MBCA engine, contains the logic for evaluating the best practices. The final step following the evaluation process is the report generation – which is shown in the MBCA UI.
Page 4 In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer.
1.2 Microsoft Best Practice Analyzer Universe Microsoft offers many technologies and utilities to produce best practices recommendations. 1.2.1 SQL Server BPA (older versions) Microsoft has also created BP Analyzers for your older SQL Server versions and for Windows: SQL Server 2005 Best Practices Analyzer (August 2008) SQL Server 2000 Best Practices Analyzer (April 2010) 1.2.2 Windows Server 2008 R2 Best Practice Analyzer In Windows management, best practices are guidelines that are considered the ideal way, under typical circumstances, to configure a server as defined by experts. For example, it is considered a best practice for most server technologies to keep open only those ports required for the technologies to communicate with other networked
Page 5 computers, and block unused ports. Although best practice violations, even crucial ones, are not necessarily problematic, they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems. Best Practices Analyzer (BPA) is a server management tool that is available in Windows Server® 2008 R2. BPA can help administrators reduce best practice violations by scanning one or more roles that are installed on Windows Server 2008 R2, and reporting best practice violations to the administrator. Administrators can filter or exclude results from BPA reports that they do not have to see. Administrators can also perform BPA tasks by using either the Server Manager GUI, or Windows PowerShell cmdlets. BPA can also be used on remote servers that are running Windows Server 2008 R2, by using Server Manager targeted at a remote server. For more information about how to run Server Manager targeted at a remote server, see Remote Management with Server Manager. The following BPA modules are currently available: Best Practices Analyzer for Active Directory Certificate Services Best Practices Analyzer for Active Directory Domain Services Best Practices Analyzer for Active Directory Rights Management Services Best Practices Analyzer for Application Server Best Practices Analyzer for Domain Name System Best Practices Analyzer for Dynamic Host Configuration Protocol Best Practices Analyzer for File Services Best Practices Analyzer for Hyper-V Best Practices Analyzer for Internet Information Services Best Practices Analyzer for Network Policy and Access Services Best Practices Analyzer for Remote Desktop Services Best Practices Analyzer for Windows Server Update Services More Information about Windows BPA look here. 1.2.3 Fix-it Currently there exists no link between the SQL Server Best Practice Analyzer and the Fixit webpage. http://support.microsoft.com/fixit
Page 6 Microsoft is working on a solution to combine fixit with specific Best Practice Analyzer. http://fixitcenter.support.microsoft.com/Portal 1.2.4 Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7 Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting programs that can automatically fix some common problems with your computer, such as problems with networking, hardware and devices, using the web, and program compatibility. Go to the Windows website to watch a video about using troubleshooters to fix common problems. (3:30) When you run a troubleshooter, it might ask you some questions or reset common settings as it works to fix the problem. If the troubleshooter fixed the problem, you can close the troubleshooter. If it couldn't fix the problem, you can view several options that will take you online to try and find an answer. In either case, you can always view a complete list of changes made. Notes If you click the Advanced link on a troubleshooter and then clear the Apply repairs automatically check box, the troubleshooter displays a list of fixes to choose from, if any problems are found. Windows includes several troubleshooters, and more are available online when you select the Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service check box at the bottom of Troubleshooting. http://support.microsoft.com/gp/system_maintenance_for_windows
Page 7 Page 8 2 SYSTEM REQUIREMENTS SQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems: 1. Windows Vista 2. Windows 7 3. Windows Server 2003 4. Windows Server 2003 R2 5. Windows Server 2008 6. Windows Server 2008 R2
3 Supported editions of SQL Server 1. SQL Server 2008, all editions, except Express 2. SQL Server 2008 R2, all editions, except Express
4 Supported Components of SQL Server 1. Analysis Services 2. Database Engine 3. Integration Services 4. Reporting Services 5. Replication 6. Setup These components are designed as Submodels for the BPA. This means that they will be run concurrently where possible.
4.1 Required Permissions for Running SQL Server 2008 R2 BPA Administration Privileges To run MBCA v2.0, a user must be a member of the administrators group on the machine being scanned, and on the machine the scan is initiated from. If a user is not an administrator on the machine that is being scanned, an appropriate error message displays. SQL Server To successfully access all of the database properties and SQL Server Configurations, a user must be the Systems Administrator (sysadmin) on the instance of SQL Server. Analysis Services
Page 9 The user or the administrators group must be member of the server administrator role within an instance of Microsoft SQL Server Analysis Services have unrestricted access to all Analysis Services objects and data in that instance. http://msdn.microsoft.com/en-us/library/ms174561.aspx Integration Services The user or the administrators group must be members of the sysadmin or db_ssisadmin roles. http://msdn.microsoft.com/en-us/library/ms141053.aspx Reporting Services The user or the administrators group must be member of the System Administrator and Content Manager role
4.2 Prerequisites The following are required for using SQL Server 2008 R2 Best Practices Analyzer: 1. PowerShell V2.0 Windows PowerShell 2.0 requires the Microsoft .NET Framework 2.0 with Service Pack 1. 2. Microsoft Baseline Configuration Analyzer V2.0 3. SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2 The following table outlines the prerequisite Microsoft utilities / components, by Operating System, necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA. OS 1.Insta 2.Install 3.Install Configure PowerShell1 7. Install ll PowerShell MBCA SQL2008 or 4.Remot 5.Execut 6. WinR 2.0 2.0 SQL 2008 R2 M ing ion MaxShells Management Level PerUser Tools Win Vista Y Y Y Y Y Y Y Windows N N Y Y Y Y Y 7 Windows Y Y Y Y Y Y Y Server 2003 Windows Y Y Y Y Y Y Y Server 2003 R2
1 These changes will be done from the installation routine of the BPA.
Page 10 Windows Y Y Y Y Y Y Y Server 2008 Windows N N Y Y Y Y Y Server 2008 R2
Page 11 5 INSTALL We recommend installing BPA on a workstation or administration server and performing the scan operation remotely against servers in your SQL Server infrastructure. It is also possible to install this tool on the production SQL Server locally. Installation process: 1. Install/Configure PowerShell and WinRM 2. Microsoft Baseline Configuration Analyzer V2.0 3. Microsoft® SQL Server® 2008 R2 Best Practices Analyzer It exists two ways to install the Best Practices Analyzer: With a graphical user interface (setup wizard) or Command line
5.1 Installing PowerShell 2.0 and WinRM BPA install configures WinRM, and PowerShell options by default. Most of this section is only needed if something goes wrong and you need to configure this stuff by hand. Windows Server 2003 R2 WinRM is not installed by default, but it is available as the Hardware Management feature through the Add/Remove System Components feature in the Control Panel under Management and Monitoring Tools. Complete installation and information about configuring WinRM using the WINRM command-line tool is available online in the Hardware Management Introduction, which describes the WinRM and the IPMI features in Windows Server 2003 R2. On Windows Vista, Windows Server 2003 and Windows Server 2008 This is installed as part of Windows Management Framework Core. The WinRM service starts automatically on Windows Server 2008. On Windows Vista, the service must be started manually. On Windows Server 2008 R2 and Windows 7 This is installed as part of the OS. Note: Check for additional information and configuration guidelines for WinRM and for PowerShell 2.0 . SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers. Therefore, in both the local and remote cases, it required that your PowerShell settings be modified. These are done by the BPA installation.
Page 12 PowerShell Execution Policy The PowerShell Execution Policy is set to Restricted by default. To run SQL Server 2008 R2 BPA through the PowerShell command Line, set the policy to RemoteSigned using the below command: Set-ExecutionPolicy RemoteSigned -f You can use the command Set-ExecutionPolicy Restricted –f to set the execution policy back to restricted. This command is not required when executing the scan through the MBCA GUI. After the installation you must enable the PowerShell remote scripting if you are want to use the BPA remote to another workgroup machine or a computer that have Kerberos enabled. You need to run this command only once on each computer that will receive commands. You do not need to run it on computers that only send commands. Because the configuration activates listeners, it is prudent to run it only where it is needed. You can do this with the following command line: powershell.exe -NoLogo -NoProfile -Noninteractive -Command "Enable-PSRemoting -force" Enable-PSRemoting performs configuration actions to enable this machine for remote management. Includes: 1. Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks: Starts the WinRM service Sets the startup type on the WinRM service to Automatic Creates a listener to accept requests on any IP address Enables a firewall exception for WS-Management communications Enables all registered Windows PowerShell session configurations to receive instructions from a remote computer Registers the "Microsoft.PowerShell" session configuration, if it is not already registered Registers the "Microsoft.PowerShell32" session configuration on 64-bit computers, if it is not already registered Removes the "Deny Everyone" setting from the security descriptor for all the registered session configurations Restarts the WinRM service to make the preceding changes effective 2. Configures MaxShellsPerUser using "winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}"
Page 13 Specifies the maximum number of concurrent shells that any user can remotely open on the same computer. If this policy setting is enabled, the user will not be able to open new remote shells if the count exceeds the specified limit. If this policy setting is disabled or is not configured, the limit will be set to 5 remote shells per user by default and you receive the following error message: [localhost] Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user. For more information, see the about_Remote_Troubleshooting Help topic. + CategoryInfo : OpenError: (System.Manageme….RemoteRunspa ce:RemoteRunspace) [], PSRemotingTransportException + FullyQualifiedErrorId : PSSessionOpenFailed For more information about PowerShell remoting, please see MSDN.
5.2 Install MBCA Download the edition of MBCA depending on your platform (x86 or x64) before installation. Please find below the screenshots demonstrating the visual flow of the MBCA Installation: Welcome screen License terms Folder selection Completion screen
Page 14 5.3 Install BPA Download the correct edition depending on your platform (x86 or x64) before installing. If you have trouble with the installation please section Installation Troubleshooting Installation 5.3.1 Command line Following is an optimized command line setup example: msiexec /i SQL2008R2BPA_Setup64.msi /l * /log c:\temp\sqlbpa_install.log /qn msiexec parameters: /i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi depending on your platform) /l = log granularity “*” - Log all information, except for v and x options /log = log file /q = display settings (qn – no user interface) SKIPCA=1 (if no domain controller is available; Skip Certification Authority) For information on additional public properties: Consult the Windows® Installer SDK for documentation on the command line syntax. 5.3.2 GUI Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA Installation: Welcome screen License terms System Configuration Changes (see Installing PowerShell 2.0 and WinRM Installing PowerShell 2.0 and WinRM) Ready to install decision Install progress
Page 15 Completion screen
5.3.3 Port and Firewall restrictions For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all necessary ports.
5.4 Updates Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the Download site from Microsoft regularly to find new updates.
Page 16 5.5 Uninstall 5.5.1 BPA
5.5.2 MBCA
5.5.3 Reset PowerShell settings After the uninstall of the BPA you may disable the PowerShell remote scripting. You can do this with the following command line: powershell.exe -NoLogo -NoProfile -Noninteractive -Command "Disable-PSRemoting -force" Disable-PSRemoting performs configuration actions to enable this machine for remote management.
Page 17 6 USAGE There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are: Scanning through the local machine.
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.
o This scan can be of the local or an alternate server.
Scanning through a remote machine.
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.
o This scan is using the local machine to form the connection to the remote machine and is actually performing the scan through the remote machine.
6.1 Help file The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA, and is located at Start->All programs->SQL Server 2008 R2 BPA.
6.2 GUI 1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.
2. Run the MBCA application from the start menu, with elevated user rights.
Page 18 3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA” product is selected:
4. Click "Start Scan", which displays a page to specify parameters as shown below:
Page 19 5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan.
ComputerName IP address: n.n.n.n FQDN (Fully Qualified Domain Name) Enter “.”, localhost, or leave this blank if you want to scan the local machine. Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this as blank. Toggle the checkboxes to enable/disable scans for those rule categories.
Each of the following six check boxes correspond to the SQL Server categories listed previously. Select at least one category in order to run a successful scan.
Analyze_SQL_Analysis_Services Analyze_SQL_Server_Engine Analyze_SQL_Integration_Services
Page 20 Analyze_SQL_Server_Replication Analyze_SQL_Reporting_Services Analyze_SQL_Server_Setup Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI. 6. Click "Start Scan". MBCA will start the configured scan and display the below page while in progress:
7. When the scan is complete, results will be displayed grouped by Severity as shown below:
6.3 Connect to a remote computer A scan connected to a remote computer is different than scanning an alternate server.
Page 21 “Connect to a Remote Computer” is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server, from the console of the client. The client needs to have MBCA installed, but does not need BPA as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server. To use this functionality you first start MBCA on the client computer and select “Connect to Another Computer.”
1. In the “Connect to Another Computer” text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box.
Page 22 ComputerName ComputerName:PortNumber IP address: n.n.n.n IPv6 address: [n:n:n:n:n:n:n:n] IPv4 address with port number: n.n.n.n:PortNumber IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber Note: If an administrator has changed the computer’s default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session, type winrm help, and then press Enter. 2. Additionally you must supply credentials
3. CredSSP Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user’s credentials from the client computer to the target server. CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a
Page 23 remote server and have the ability to access a second-hop machine, such as a file share. Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. Windows XP, Windows Server 2003, and earlier: CredSSP is not supported. First, you must set CredSSP on both the client and the server. Using the Group Policy Editor (gpedit.msc) make sure to enable “Allow Delegating Fresh Credentials” and check “Concatenate OS defaults with input above.” Add the server or domain to the list of servers in the format “WSMAN/*.domainname.com” Next, enable and configure PowerShell Remoting on both the Client and Server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously so that you can scan from either computer. Enable PowerShell Remoting o Enable-psremoting –f Settings for a client o Enable-WSManCredSSP –role Client –DelegateComputer [NetBiosNameOfServer] or o Enable-WSManCredSSP –role Client –DelegateComputer [FQDN OF SERVER] Settings for the server o Enable-WSManCredSSP –role Server o set-item WSMan:\localhost\Shell\MaxMemoryPerShellMB –Value 20000 o set-item WSMan:\localhost\Shell\MaxShellsPerUser –value 20
Page 24 6.4 PowerShell Details see PowerShell PowerShell To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module first: Import-module BaselineConfigurationAnalyzer You can list the commands of this module with the following syntax $x=Get-Module BaselineConfigurationAnalyzer $x.ExportedCommands 6.4.1 Run Scan To run a full scan of the BPA on the alternate server on a named instance you can use the following command line: Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan {servername} -SQL_Server_Instance_Name {instancename} -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services The result looks like this part: ModelId : SQL2008R2BPA SubModelId : Success : True ScanTime : ...
Page 25 Success = True is important. This is the indicator that your scan was successful. Parameter description: -Alternate_Server_to_scan {servername} -SQL_Server_Instance_Name {instancename} -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services The parameter list is equal the parameter screen in the GUI. The scans of the different services are optional. You can remove technologies which you do not need to scan. The next example starts the scan only for the Analysis Services on the alternate server “servername” and for the named instance “instance”. A log file will be written to “c:\temp\ssas.txt”: Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName {servername} -SqlServerInstance {instance} -SSASLogFile c:\temp\ssas.txt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName {computername} -SqlServerInstance {servername} -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt – RepositoryPath ("C:\TEMP\SQL2008" + (Get- Date).ToString("yyyyMMdd")).ToString() 6.4.2 Create Report model = get-MbcaModel –ModelId sql2008r2bpa $scanResult = get-MbcaResult –ModelId sql2008r2bpa $collectedConfig = get-MbcaResult –ModelId sql2008r2bpa – CollectedConfiguration
$model, $scanResult, $collectedConfig | export-CliXml c:\temp\as.xml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html
Page 26 The next command retrieves the results of the most recent BPA scan for the specified model, and saves them in HTML format, applying the standard cascading style sheets that are stored in the path windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPractice sReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets. Get-MBCAResult -ModelId SQL2008R2BPA | ?{$_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "
SQL Server 2008 (R2) Best Practice Analyzer Report
” -Title "SQL Server 2008 Best Practice Analyzer" -body ("Report creation date: " + (Get- Date).ToString("dd.MM.yyyy hh:mm:ss") + "
").toString() -pre "Generated by user: $env:username on computer: $env:computername
" -post "For details, contact Microsoft Premier."-CssUri $env: BestPracticesReportFormat.css > c:\temp\sql2008r2bpa.htm6.4.3 Exporting and opening reports by using Get-MBCAResult You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get- MBCAResult, or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance. Example of exporting to XML $results = Get-MBCAResult
Page 27 copy-item -path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() –recurse Afterwards you can create a report with the following command: $prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -exclude Reports | Sort-Object name -descending) [0]
Get-MBCAResult -ModelId SQL2008R2BPA –RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\” + $prevrepPath.name).ToString() | ConvertTo-Html -As Table -property ResultNumber,SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "
SQL Server 2008 (R2) Best Practice Analyzer Report
” -Title "SQL Server 2008 Best Practice Analyzer" -body ("Report creation date: " + (Get-Date).ToString("dd.MM.yyyy hh:mm:ss") + "
").toString() -pre "Generated by user: $env:username on computer: $env:computername
" -post "For details, contact Microsoft Premier > c:\temp\sql2008r2bpa.htmPage 28 7 TROUBLESHOOTING
7.1 Application directories To following directories are used by MBCA:
Report output directory %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPAResults
Model configuration %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer path 2\Models\SQL2008R2BPA
Temp and log files %temp%\SQL2008R2BPA\SQL2008\
Registry [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer] Log Files During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information: Pre-requisite validation Timestamp finished rule's start and end times Run-time scripting errors and exceptions from Power Shell Traps Log Files Location For every scan, log files are created in user’s Local Temp directory (%Temp%) and follows the folder structure: /SQL2008R2BPA/< Instance Name >/< datestamp_timestamp >/< Log files >. Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated in the local system. Log Files Structure A common log file gets generated and contains information about each category's execution. Apart from this, each category has its own log file which details the rule execution. The names of the log files are given below: Common File - ModelLog.txt Engine Rules - EngineLog.txt Replication Rules - ReplicationLog.txt Setup Rules - SetupLog.txt Analysis Services Rules - AnalysisServicesLog.txt
Page 29 Reporting Services Rules - ReportingServicesLog.txt Integration Services Rules - IntegrationServicesLog.txt
7.2 Windows Server 2003 – NumberOfLogicalProcessors Analysis Services RID2803 and RID2804 – NumberOfLogicalProcessors property is unavailable in Win32_Processor for with Windows Server 2003 Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix: http://support.microsoft.com/kb/932370. Both of the rules below will function properly if you apply this hotfix. For more information look here.
7.3 MBCA This message indicates that on prerequisite is not installed.
Please install the version 2 of the MBCA.
7.4 Where can I find the Instance name in result set of the analyzer report? The instance name is in the collected data option of the analyzer report in the BPA GUI.
7.5 Memory limit of remote PowerShell process By default remote PowerShell process can consume only 150 MB or less memory. This default limit is significantly small and once this limit is reached there could be a WinRM exception causing and remote connection immediately terminates. Any application or Cmdlet which is involved in PowerShell remoting should be tested for this memory limit, this may cause some of the command to fail, for example site collection creation. Solution: Increase the memory limit for the remote shell. Use the following command to increase this limitation to 1000MB. This is only necessary if you need to run those commands on that server.
Page 30 Set-Item WSMan:localhostShellMaxMemoryPerShellMB 1000
7.6 Remote connect If you try to “Connect to another computer” from MBCA and you receive the following message:
You should check first if the Hotfix KB968930 is installed. Afterwards validate that the “Windows Remote Management” service is started:
Enable-PSRemoting
Page 31 If CredSSP is unsupported or unavailable you will see the following message:
If you have no permission to access the remote server you get the error message:
Page 32 7.7 Installation 7.7.1 PowerShell error After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA. In all of the cases of an install failure, you will see the following error: There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.
Page 33 In your Application Event Log, for both of these scenarios, you will also see the following entry: Log Name: Application Source: MsiInstaller Date: 6/10/2010 8:38:18 AM Event ID: 11722 Task Category: None Level: Error Keywords: Classic User:
Page 34 3. Type msiexec /i
Page 35 -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated. -For more information about WinRM configuration, run the following command: winrm help config. At line:50 char:33 + Set-WSManQuickConfig <<<< -force + CategoryInfo : InvalidOperation: (:) [Set- WSManQuickConfig], InvalidOperationException + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigComman d You can get this type of error from WinRM for muliple reasons. The one that we saw in our testing was the HTTP SPN scenario. If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN. Once BPA is setup, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:
This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc… One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application’s end, would be to
Page 36 run the application under a Host Header and then your HTTP SPN would not include the machine name, allowing BPA to run without issue.
Page 37 8 RULES Searching for “SQL Server 20087 R2 BPA” at Microsoft.com reveals:
Here is an example of one of these articles that talks about a rule to check for a recent “clean” CHECKDB:
Page 38 BPA works by measuring a role’s compliance with best practice rules in eight different categories of a role’s effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.
Severity level Description
Noncomplian Noncompliant results are returned when a role does not satisfy the conditions of a rule. t
Compliant Compliant results are returned when a role satisfies the conditions of a rule.
Warning Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client
Page 39 access licenses.
BPA rule categories The following table describes the categories of best practice rules against which roles are measured during a BPA scan.
Category Name Description
Security Security rules are applied to measure a role’s relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.
Performance Performance rules are applied to measure a role’s ability to process requests and perform its prescribed duties in the enterprise, within expected periods of time given the role’s workload.
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators to evaluate whether best practices were satisfied before you use the role in production.
Postdeployment Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.
BPA BPA Prerequisite rules explain configuration settings, policy settings, and features that are Prerequisites required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.
8.1 Engine Rules Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules are checking that you have a secure, resilient and well performing SQL configuration. Authentication Mode (http://support.microsoft.com/kb/2028697) Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691) Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576) non-default network packet size in use (http://support.microsoft.com/kb/2157175)
Page 40 degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536) Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584) SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741) SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712) Trustworthy Bit (http://support.microsoft.com/kb/2183687) Symmetric Keys Check (http://support.microsoft.com/kb/2162020) Asymmetric Keys Check (http://support.microsoft.com/kb/2162020) SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911) SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138) Windows API calls intercepted (http://support.microsoft.com/kb/2033238) unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344) Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571) non-default max worker threads value configured (http://support.microsoft.com/kb/2157129) Guest Permissions (http://support.microsoft.com/kb/2186935) Data and Log files on the same volume (http://support.microsoft.com/kb/2033523) IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098) IO device errors detected (http://support.microsoft.com/kb/2091098) IO errors during page faults detected (http://support.microsoft.com/kb/2091098) cluster disk corruption encountered (http://support.microsoft.com/kb/2091098) disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098) failed IO requests detected (http://support.microsoft.com/kb/2091098) IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
Page 41 IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408) This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098) tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770) Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734) Logical consistency errors detected (http://support.microsoft.com/kb/2152472) Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663) SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578) incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114 Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154 Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875 Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448 Databases using simple recovery model http://support.microsoft.com/kb/2137539 User database collation different from model http://support.microsoft.com/kb/2026108 Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537 Databases have auto close option enabled http://support.microsoft.com/kb/2160685 LSI SAS drivers needs update http://support.microsoft.com/kb/2121098 SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845 SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447 Invalid startup parameters http://support.microsoft.com/kb/2028433 MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550 sql incorrect results fix missing http://support.microsoft.com/kb/971780
Page 42 File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002 linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098 default extended event health session not in expected state http://support.microsoft.com/kb/2160570 TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483 FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720 Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720 A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606 Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324 Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589 Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345 backups outdated for databases http://support.microsoft.com/kb/2027537 Database consistency check not current http://support.microsoft.com/kb/2033590 SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024 Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098 Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098 SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098
Page 43 Agent Token Replacement http://support.microsoft.com/kb/2202637 Auditing Log in failures http://support.microsoft.com/kb/2187161 Databases with high number of VLF present http://support.microsoft.com/kb/2028436 Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900 Permission on the Binn folder http://support.microsoft.com/kb/2029023 Index Statistics Are Outdated Server public permissions http://support.microsoft.com/kb/2160698 Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779
8.2 AS Rules Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions. Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005 Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474 Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031 Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472 Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497 Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855 Server is running a build with a known regression http://support.microsoft.com/kb/2157941 Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage ay occur http://support.microsoft.com/kb/2027754 Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761 No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769 UnknownMember set to hidden http://support.microsoft.com/kb/2027628
Page 44 Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138 Attribute hiearchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143 ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742 Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299 An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418 Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443 Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327 Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459 Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460 Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468 Redundant attribute relationships detected http://support.microsoft.com/kb/2127437 Diamond-shape relationship detected http://support.microsoft.com/kb/2127570 Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862 Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541 No Time dimension detected http://support.microsoft.com/kb/2027532 More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431 Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918 Single attribute dimensions detected http://support.microsoft.com/kb/2141654 Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609
Page 45 Proactive Caching set for a partition without a processing query Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603 Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112 Measure group defined with no partition http://support.microsoft.com/kb/2027545
8.3 RS Rules RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506 HTTP Logging is not enabled http://support.microsoft.com/kb/2145909 Verbose logging is enabled http://support.microsoft.com/kb/2146315 NTLM authentication may fail for local http://support.microsoft.com/kb/2146369 Missing extended protection settings http://support.microsoft.com/kb/2146062
8.4 IS Rules Logging task missing for package http://support.microsoft.com/kb/2027723 ActiveX Script task detected in package http://support.microsoft.com/kb/2027712 Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684 Integration Services logging table found in system database master and or msdb http://support.microsoft.com/kb/2027706 Integration Services memory dump detected http://support.microsoft.com/kb/2027727
8.5 Setup Rules Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909 WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198 Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100 SQL Server WMI Provider Health Check
Page 46 8.6 Replication Rules Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349 Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386 Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410 Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498 Merge Replication Health Check http://support.microsoft.com/kb/2118445 Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/? LinkId=184483 Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485 Replication Latency Threshold violations http://support.microsoft.com/kb/2118425
Page 47 9 HOW TO DEAL WITH DEVIATIONS Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example: SAP has its special Network Packet Size of 8 KB Existing Non-Microsoft Clients – would require Mixed Mode Authentication
Page 48 10 MOTIVATION TO USE SQL BPA R2 Bob Ward explained in his Article “Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates...” the common pitfalls during maintenance and operation of SQL Server and how address them by using the SQL BPA. In brief it’s a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the problem still occurs. Bobs article states the common resulting consequences – the involvement of Microsoft Support, and the final solution – adding a needed traceflag. The good news in this story is that the customer would not have needed to go to all that effort, if they would have run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.
Page 49 11 ADDITIONAL INFORMATION
11.1 PowerShell To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this module first: Import-module BaselineConfigurationAnalyzer You can list the commands of this module with the following syntax $x=Get-Module BaselineConfigurationAnalyzer $x.ExportedCommands The following commands are stored in this module: Get-MbcaModel Get-MbcaResult Invoke-MbcaModel Set-MbcaResult You get help of this command with the following syntax: Get-help
Page 50 The results of the Get-MBCAModel cmdlet include the following details about models: 1. Branding information (manufacturer or company, display names, version number), that is found in the model manifest 2. Dynamic parameters that are included with the model 3. Submodels that are included with the model PARAMETERS -ModelId
Page 51 This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type, "get-help about_commonparameters". Examples Get-MBCAModel In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer. Get-MBCAModel -ModelId SQL2008R2BPA The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by "Model Id." $model= Get-MBCAModel -ModelId SQL2008R2BPA $model.Parameters In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by "Model Id." The results of the cmdlet are stored in the variable $model. In the next line of the example, the "Parameters" property of the model details that were stored in the $model object returns details about which parameters are supported by the model. Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId
Page 52 CertificateThumbprint
Page 53 Required? false Position? named Default value Accept pipeline input? false Accept wildcard characters? false -ComputerName
Page 54 The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the "Backend" submodel of the "SQL" model, but only those in the context of a third model, a technology that relies upon SQL Server. The -SubModelId parameter is required by the -Context parameter. A model ID is the valid value of the -Context parameter. Required? false Position? named Default value Accept pipeline input? false Accept wildcard characters? false -Credential
Page 55 Accept pipeline input? false Accept wildcard characters? false -ModelId
Page 56 The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels. The -ModelId parameter is required with the -SubModelId parameter. Required? true Position? named Default value Accept pipeline input? false Accept wildcard characters? false -ThrottleLimit
Page 57
Page 58 The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.) For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet. ------EXAMPLE 3 ------Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery Description The preceding example starts an MBCA scan on the model that is represented by "Model Id." The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan. ------EXAMPLE 4 ------Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
Page 59 11.1.3 Get-MBCAResult SYNOPSIS The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. SYNTAX Get-MBCAResult [-ModelId]
Page 60 the local computer, type the computer name, or "localhost." Multiple values for -ComputerName can be separated by commas. The -SubModelId parameter is required by the -ComputerName parameter. Valid values for the -ComputerName parameter include "localhost," a NET BIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers, in a comma-separated list. Required? false Position? named Default value Accept pipeline input? false Accept wildcard characters? false -Context
Page 61 Accept pipeline input? false Accept wildcard characters? false -ModelId
Page 62 Accept wildcard characters? false
Page 63 ------EXAMPLE 2 ------Get-MBCAModel | Get-MBCAResult In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted. ------EXAMPLE 3 ------$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration $result.DiscoveryDocument Description In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by "Model Id" is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument ------EXAMPLE 4 ------Get-MBCAResult SQL2008R2BPA -Filter Noncompliant Description The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by "Model Id," and then applies a filter to show only Noncompliant results. ------EXAMPLE 5 ------Get-MBCAResult SQL2008R2BPA -SubModelId
Page 64 for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS). The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as "Server," and only those results found in the non-default results repository that is represented by "Repository Path". 11.1.4 Set-MBCAResult SYNOPSIS The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see. SYNTAX Set-MBCAResult [[-Exclude]
Page 65 Position? 2 Default value Accept pipeline input? false Accept wildcard characters? false -RepostitoryPath
Page 66 This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type, “get-help about_commonparameters". NOTES If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled. ------EXAMPLE 1 ------Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true Description The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by "Model Id." The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to "Performance." The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example. ------EXAMPLE 2 ------$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath "C:\ReposPath | Where { $_.Category -eq "Policy" } Set-MBCAResult -Exclude $true -RepositoryPath "C:\ReposPath" -Results $rcPolicy Description The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by "Specified Model Id." from the specified non- default repository path The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results. The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of
Page 67 scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line, because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved. 11.1.5 MBCA Model Authoring Further information about configuration and usage of MBCA models you can in the MBCA_ModelAuthoringGuide.docx
Page 68 Did this paper help you? Please give us your feedback. Tell us on a scale of 1 (poor) to 5 (excellent), how would you rate this paper and why have you given it this rating? For example: Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason?
Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?
This feedback will help us improve the quality of white papers we release. Send feedback.
Page 69