SQL2008R2 BPA Whitepaper v10

SQL Server 2008 (R2) Best Practice Analyzer

SQL Server Technical Article

Writers: Sylvio Hellmann, Günter Gross, Dana Burnell

Technical Reviewers: Oliver Hahn

Published: September 2010

Applies to: SQL Server 2008 (R2), SQL Server 2008 (R2) Analysis Services, SQL Server 2008 (R2) Reporting Services, and SQL Server 2008 (R2) Integration Services

Summary: The Microsoft SQL Server Best Practices Analyzer is a well-known tool in the DBA community for validating whether SQL Server installations adhere to Microsoft-recommended best practices. In the new R2 version, the SQL BPA introduces advanced capabilities in conjunction with the PowerShell architecture and also raises the bar for prerequisites and cross-dependencies. While introducing the new tool to our Premier customers in the banking, insurance and productivity fields, we received strong positive feedback along with some interesting questions, which we discuss further in this paper. Understanding PowerShell, Policy-Based Management and SQL BPA will empower you to unleash the full potential of the SQL Server 2008 R2 Best Practices Analyzer (BPA).


Table of Contents

1 Introduction
1.1 Architecture and data flow of the BPA
1.2 Microsoft Best Practice Analyzer Universe
1.2.1 SQL Server BPA (older versions)
1.2.2 Windows Server 2008 R2 Best Practice Analyzer
1.2.3 Fix-it
1.2.4 Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7
2 System Requirements
2.1 Required Permissions for Running SQL Server 2008 R2 BPA
2.2 Prerequisites
3 Install
3.1 Installing PowerShell 2.0 and WinRM
3.2 Install MBCA
3.3 Install BPA
3.3.1 Command line
3.3.2 GUI
3.3.3 Port and Firewall restrictions
3.4 Updates
3.5 Uninstall
3.5.1 BPA
3.5.2 MBCA
3.5.3 Reset PowerShell settings
4 Usage
4.1 Help file
4.2 GUI
4.3 Connect to a remote computer
4.4 PowerShell
4.4.1 Run Scan
4.4.2 Create Report
4.4.3 Exporting and opening reports by using Get-MBCAResult
4.4.4 Report Result Directory
5 Troubleshooting
5.1 Application directories
5.2 Windows Server 2003 - NumberOfLogicalProcessors
5.3 MBCA
5.4 Where can I find the Instance name in result set of the analyzer report
5.5 Memory limit of remote PowerShell process
5.6 Remote connect
5.7 Installation
5.7.1 PowerShell error
5.7.2 Workgroup or Non-Domain computer
5.7.3 Kerberos Failure
6 Rules
6.1 Engine
6.2 ASRules
6.3 RSRules
6.4 ISRules
6.5 SetupRules
6.6 Replication
7 How to Deal With Deviations
8 Motivation to use SQL BPA R2
9 Additional Information
9.1 PowerShell
9.1.1 Get-MBCAModel
9.1.2 Invoke-MBCAModel
9.1.3 Get-MBCAResult
9.1.4 Set-MBCAResult
9.1.5 MBCA Model Authoring

Copyright Information

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft and SQL Server are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

1 INTRODUCTION

The Microsoft SQL Server 2008 R2 Best Practices Analyzer (BPA) is a diagnostic tool that performs the following functions:

- Gathers information about a server and an instance of Microsoft SQL Server 2008 or 2008 R2 that is installed on that server
- Determines if the configurations are set according to the Microsoft recommended best practices
- Reports on all configurations, indicating settings that differ from recommendations
- Indicates potential problems in the installed instance of SQL Server
- Recommends solutions to potential problems

This tool is used by IT Professionals and Database Administrators to help ensure that their installations of SQL Server and associated product components adhere to best practices as determined by the SQL Server Product Teams and CSS. The utility scans the installation of a local or remote machine, gathering system data from WMI, log files, the Event Log, the Windows Registry, and SQL Server metadata, and compares the results to predefined standards. It then produces a report that shows the results and points the user to additional information on the web to help them determine whether they should make changes to their systems.

For every configuration, the SQL Server 2008 R2 BPA provides the following results:

- Compliance results are returned when an instance of SQL Server satisfies the conditions of a Best Practices rule. Non-compliance results are returned when an instance of SQL Server does not satisfy the conditions of a Best Practices rule.
- Impact of non-compliance
- Recommendation
- Links to more detailed information and related topics

To assist you and to make your DBA life easier, Microsoft includes some of these best practices in a couple of products, depending on the specific purpose of the software. The following diagram illustrates the variety of tools available to check best practices for SQL Server 2008 and SQL Server 2008 R2, in parallel or in combination with BPA.

[Figure: The big picture - automated best practice checks for SQL Server, offered in different flavours and products. Diagram labels: CSS Rules, Advice and Manifests; SQL Server 2008 R2 Best Practice Analyzer; SQL 2008 Setup; Policy Based Management; SCOM SQL MP; SQLRAP]

So you will find a couple of policies in our monitoring solutions:

- SQL Server 2008 R2 Best Practice Analyzer, with more than 140 rules for the database engine and other technologies
- System Center Operations Manager (SCOM), within the SQL Management Pack (current version 6.1.314.36, release date 08/17/2010), with more than 300 rules and 50 additional monitors
- Policy Based Management in SQL Server 2005 and 2008, with a predefined policy collection (50+ policies). There is a whitepaper about PBM here.
- System Configuration Checker in the SQL Server 2008 setup wizard
- The SQL Risk Assessment Toolset (Premier Organisation best practice flagship), offering more than 200 rules. This offering is meant for Premier customers running the SQL RAP against their most business-critical SQL instances.
  Note: This tool set is only available for Microsoft Premier Customers.

1.1 Architecture and data flow of the BPA

The SQL Server 2008 R2 Best Practices Analyzer is an additional "model" for the Microsoft Baseline Configuration Analyzer V2.0 (MBCA). A model is a set of component files that together comprise the configuration analysis and reporting output from MBCA.

The MBCA is embedded as a PowerShell cmdlet and consists of two major components: the MBCA Engine and the MBCA UI.

The MBCA Engine process itself consists of two main activities: evaluation and discovery. The MBCA Engine is fed by PowerShell discovery scripts and XML Schema files, which are used during discovery. The discovery activity interrogates the SQL Server, Registry, WMI, Error and Event Logs, etc. The output is saved in an XML file, which is then used in the evaluation activity. Evaluation is performed using the Schematron file. This file, run by the MBCA engine, contains the logic for evaluating the best practices. The final step following the evaluation process is the report generation, which is shown in the MBCA UI.

In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer.

1.2 Microsoft Best Practice Analyzer Universe

Microsoft offers many technologies and utilities to produce best practices recommendations.

1.2.1 SQL Server BPA (older versions)

Microsoft has also created BP Analyzers for your older SQL Server versions and for Windows:

- SQL Server 2005 Best Practices Analyzer (August 2008)
- SQL Server 2000 Best Practices Analyzer (April 2010)

1.2.2 Windows Server 2008 R2 Best Practice Analyzer

In Windows management, best practices are guidelines that are considered the ideal way, under typical circumstances, to configure a server as defined by experts. For example, it is considered a best practice for most server technologies to keep open only those ports required for the technologies to communicate with other networked computers, and block unused ports. Although best practice violations, even crucial ones, are not necessarily problematic, they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.

Best Practices Analyzer (BPA) is a server management tool that is available in Windows Server® 2008 R2. BPA can help administrators reduce best practice violations by scanning one or more roles that are installed on Windows Server 2008 R2 and reporting best practice violations to the administrator. Administrators can filter or exclude results from BPA reports that they do not have to see. Administrators can also perform BPA tasks by using either the Server Manager GUI or Windows PowerShell cmdlets.

BPA can also be used on remote servers that are running Windows Server 2008 R2 by using Server Manager targeted at a remote server. For more information about how to run Server Manager targeted at a remote server, see Remote Management with Server Manager.

The following BPA modules are currently available:

- Best Practices Analyzer for Active Directory Certificate Services
- Best Practices Analyzer for Active Directory Domain Services
- Best Practices Analyzer for Active Directory Rights Management Services
- Best Practices Analyzer for Application Server
- Best Practices Analyzer for Domain Name System
- Best Practices Analyzer for Dynamic Host Configuration Protocol
- Best Practices Analyzer for File Services
- Best Practices Analyzer for Hyper-V
- Best Practices Analyzer for Internet Information Services
- Best Practices Analyzer for Network Policy and Access Services
- Best Practices Analyzer for Remote Desktop Services
- Best Practices Analyzer for Windows Server Update Services

For more information about Windows BPA, look here.

1.2.3 Fix-it

Currently there exists no link between the SQL Server Best Practice Analyzer and the Fixit webpage:

http://support.microsoft.com/fixit

Microsoft is working on a solution to combine Fixit with specific Best Practice Analyzers:

http://fixitcenter.support.microsoft.com/Portal

1.2.4 Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7

Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting programs that can automatically fix some common problems with your computer, such as problems with networking, hardware and devices, using the web, and program compatibility.

Go to the Windows website to watch a video about using troubleshooters to fix common problems (3:30).

When you run a troubleshooter, it might ask you some questions or reset common settings as it works to fix the problem. If the troubleshooter fixed the problem, you can close the troubleshooter. If it couldn't fix the problem, you can view several options that will take you online to try and find an answer. In either case, you can always view a complete list of changes made.

Notes:

- If you click the Advanced link on a troubleshooter and then clear the "Apply repairs automatically" check box, the troubleshooter displays a list of fixes to choose from, if any problems are found.
- Windows includes several troubleshooters, and more are available online when you select the "Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service" check box at the bottom of Troubleshooting.

http://support.microsoft.com/gp/system_maintenance_for_windows

2 SYSTEM REQUIREMENTS

SQL Server 2008 R2 Best Practices Analyzer is supported on the following operating systems:

1. Windows Vista
2. Windows 7
3. Windows Server 2003
4. Windows Server 2003 R2
5. Windows Server 2008
6. Windows Server 2008 R2

Supported editions of SQL Server:

1. SQL Server 2008, all editions except Express
2. SQL Server 2008 R2, all editions except Express

Supported components of SQL Server:

1. Analysis Services
2. Database Engine
3. Integration Services
4. Reporting Services
5. Replication
6. Setup

These components are designed as submodels for the BPA. This means that they will be run concurrently where possible.

2.1 Required Permissions for Running SQL Server 2008 R2 BPA

Administration Privileges

To run MBCA V2.0, a user must be a member of the administrators group on the machine being scanned and on the machine the scan is initiated from. If a user is not an administrator on the machine that is being scanned, an appropriate error message displays.

SQL Server

To successfully access all of the database properties and SQL Server configurations, a user must be a system administrator (sysadmin) on the instance of SQL Server.

Analysis Services

The user or the administrators group must be a member of the server administrator role within an instance of Microsoft SQL Server Analysis Services; members of this role have unrestricted access to all Analysis Services objects and data in that instance.

http://msdn.microsoft.com/en-us/library/ms174561.aspx

Integration Services

The user or the administrators group must be a member of the sysadmin or db_ssisadmin roles.

http://msdn.microsoft.com/en-us/library/ms141053.aspx

Reporting Services

The user or the administrators group must be a member of the System Administrator and Content Manager roles.

2.2 Prerequisites

The following are required for using SQL Server 2008 R2 Best Practices Analyzer:

1. PowerShell V2.0
   Windows PowerShell 2.0 requires the Microsoft .NET Framework 2.0 with Service Pack 1.
2. Microsoft Baseline Configuration Analyzer V2.0
3. SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2

The following table outlines, by operating system, the prerequisite Microsoft utilities and components that must be on your server before installing and running SQL Server 2008 R2 BPA.

Columns: (1) Install WinRM; (2) Install PowerShell 2.0; (3) Install MBCA 2.0; Configure PowerShell [1]: (4) Remoting, (5) Execution Level, (6) MaxShellsPerUser; (7) Install SQL 2008 or SQL 2008 R2 Management Tools

OS                     | 1 | 2 | 3 | 4 | 5 | 6 | 7
Win Vista              | Y | Y | Y | Y | Y | Y | Y
Windows 7              | N | N | Y | Y | Y | Y | Y
Windows Server 2003    | Y | Y | Y | Y | Y | Y | Y
Windows Server 2003 R2 | Y | Y | Y | Y | Y | Y | Y
Windows Server 2008    | Y | Y | Y | Y | Y | Y | Y
Windows Server 2008 R2 | N | N | Y | Y | Y | Y | Y

[1] These changes are made by the installation routine of the BPA.

3 INSTALL

We recommend installing BPA on a workstation or administration server and performing the scan operation remotely against servers in your SQL Server infrastructure. It is also possible to install this tool locally on the production SQL Server.

Installation process:

1. Install/configure PowerShell and WinRM
2. Microsoft Baseline Configuration Analyzer V2.0
3. Microsoft® SQL Server® 2008 R2 Best Practices Analyzer

There are two ways to install the Best Practices Analyzer:

- With a graphical user interface (setup wizard), or
- From the command line

3.1 Installing PowerShell 2.0 and WinRM

The BPA installer configures WinRM and PowerShell options by default. Most of this section is only needed if something goes wrong and you need to configure these settings by hand.

Windows Server 2003 R2

WinRM is not installed by default, but it is available as the Hardware Management feature through the Add/Remove System Components feature in the Control Panel under Management and Monitoring Tools. Complete installation and information about configuring WinRM using the WINRM command-line tool is available online in the Hardware Management Introduction, which describes the WinRM and the IPMI features in Windows Server 2003 R2.

On Windows Vista, Windows Server 2003 and Windows Server 2008

This is installed as part of Windows Management Framework Core. The WinRM service starts automatically on Windows Server 2008. On Windows Vista, the service must be started manually.

On Windows Server 2008 R2 and Windows 7

This is installed as part of the OS.

Note: Check for additional information and configuration guidelines for WinRM and for PowerShell 2.0.

SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers. Therefore, in both the local and remote cases, it is required that your PowerShell settings be modified. These changes are made by the BPA installation.

PowerShell Execution Policy

The PowerShell Execution Policy is set to Restricted by default. To run SQL Server 2008 R2 BPA through the PowerShell command line, set the policy to RemoteSigned using the command below:

Set-ExecutionPolicy RemoteSigned -f

You can use the command Set-ExecutionPolicy Restricted -f to set the execution policy back to Restricted. This command is not required when executing the scan through the MBCA GUI.

After the installation, you must enable PowerShell remote scripting if you want to use the BPA remotely against another workgroup machine or a computer that has Kerberos enabled. You need to run this command only once on each computer that will receive commands. You do not need to run it on computers that only send commands. Because the configuration activates listeners, it is prudent to run it only where it is needed. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -NonInteractive -Command Enable-PSRemoting -Force

Enable-PSRemoting performs configuration actions to enable this machine for remote management. This includes:

1. Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:
   - Starts the WinRM service
   - Sets the startup type on the WinRM service to Automatic
   - Creates a listener to accept requests on any IP address
   - Enables a firewall exception for WS-Management communications
   - Enables all registered Windows PowerShell session configurations to receive instructions from a remote computer
   - Registers the Microsoft.PowerShell session configuration, if it is not already registered
   - Registers the Microsoft.PowerShell32 session configuration on 64-bit computers, if it is not already registered
   - Removes the "Deny Everyone" setting from the security descriptor for all the registered session configurations
   - Restarts the WinRM service to make the preceding changes effective

2. Configures MaxShellsPerUser using:

   winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

   This specifies the maximum number of concurrent shells that any user can remotely open on the same computer. If this policy setting is enabled, the user will not be able to open new remote shells if the count exceeds the specified limit. If this policy setting is disabled or is not configured, the limit will be set to 5 remote shells per user by default, and you receive the following error message when the limit is exceeded:

   [localhost] Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user. For more information, see the about_Remote_Troubleshooting Help topic.
       + CategoryInfo          : OpenError: (System.Manageme…RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
       + FullyQualifiedErrorId : PSSessionOpenFailed

For more information about PowerShell remoting, please see MSDN.

3.2 Install MBCA

Download the edition of MBCA that matches your platform (x86 or x64) before installation.

Please find below the screenshots demonstrating the visual flow of the MBCA installation:

- Welcome screen
- License terms
- Folder selection
- Completion screen

3.3 Install BPA

Download the correct edition for your platform (x86 or x64) before installing. If you have trouble with the installation, please see section 5.7, Troubleshooting Installation.

3.3.1 Command line

Following is an optimized command line setup example:

msiexec /i SQL2008R2BPA_Setup64.msi /l* c:\temp\sqlbpa_install.log /qn

msiexec parameters:

- /i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform)
- /l = log granularity; "*" logs all information except for the v and x options
- log file = path of the log file (c:\temp\sqlbpa_install.log in the example)
- /q = display settings (/qn - no user interface)
- SKIPCA=1 (if no domain controller is available: skip Certification Authority)

For information on additional public properties, consult the Windows® Installer SDK for documentation on the command line syntax.

3.3.2 GUI

Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA installation:

- Welcome screen
- License terms
- System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM)
- Ready to install decision
- Install progress
- Completion screen

3.3.3 Port and Firewall restrictions

For scanning SQL Server or BI instances on an alternate server behind a firewall, you must open all necessary ports.

3.4 Updates

Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the Microsoft download site regularly to find new updates.

3.5 Uninstall

3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings

After uninstalling the BPA, you may disable PowerShell remote scripting. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -NonInteractive -Command Disable-PSRemoting -Force

Disable-PSRemoting performs configuration actions to disable remote management of this machine.

4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA:

- Scanning through the local machine
  - In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.
  - This scan can be of the local or an alternate server.
- Scanning through a remote machine
  - In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.
  - This scan uses the local machine to form the connection to the remote machine and actually performs the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start -> All Programs -> SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the Start menu with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:
   - ComputerName
   - IP address: n.n.n.n
   - FQDN (Fully Qualified Domain Name)
   - Enter ".", localhost, or leave this blank if you want to scan the local machine.

   Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the check boxes to enable or disable scans for those rule categories. Each of the following six check boxes corresponds to one of the SQL Server categories listed previously. Select at least one category in order to run a successful scan.
   - Analyze_SQL_Analysis_Services
   - Analyze_SQL_Server_Engine
   - Analyze_SQL_Integration_Services
   - Analyze_SQL_Server_Replication
   - Analyze_SQL_Reporting_Services
   - Analyze_SQL_Server_Setup

   Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the page below while in progress.

7. When the scan is complete, results will be displayed grouped by Severity, as shown below.

4.3 Connect to a remote computer

A scan connected to a remote computer is different from scanning an alternate server.

"Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:
   - ComputerName
   - ComputerName:PortNumber
   - IP address: n.n.n.n
   - IPv6 address: [n:n:n:n:n:n:n:n]
   - IPv4 address with port number: n.n.n.n:PortNumber
   - IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

   Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session type winrm help and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

   Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

   CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

   Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. On Windows XP, Windows Server 2003 and earlier, CredSSP is not supported.

   First you must set CredSSP on both the client and the server:

   - Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".
   - Add the server or domain to the list of servers in the format "WSMAN/domainname.com".

   Next, enable and configure PowerShell Remoting on both the client and the server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

   Enable PowerShell Remoting:
   - Enable-PSRemoting -f

   Settings for a client:
   - Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]
     or
   - Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]

   Settings for the server:
   - Enable-WSManCredSSP -Role Server
   - Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000
   - Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20
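The settings changed in sections 3.1 and 4.3 (execution policy, WinRM service and listeners, shell quotas, CredSSP, session configuration permissions) can be read back with a short read-only audit, for example before and after installing or removing the BPA. This is an added example, not part of the original whitepaper; the function name Get-BpaRemotingFootprint and the note texts are assumptions, and it must be run from an elevated Windows PowerShell prompt.

```powershell
# Added example (not from the whitepaper): read-only audit of the remoting
# settings that sections 3.1 and 4.3 describe. Nothing is modified.
# The function name and the note texts are assumptions for this illustration.
function Get-BpaRemotingFootprint {
    [CmdletBinding()]
    param()

    $rows = @()
    # Helper that builds one report row.
    $add = {
        param($Setting, $Value, $Note)
        New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Note = $Note }
    }

    # Execution policy: the page states Restricted is the default and that
    # the command-line scan needs RemoteSigned.
    $policy = Get-ExecutionPolicy
    $note = if ($policy -ne 'Restricted') { 'Differs from the Restricted default' } else { '' }
    $rows += & $add 'ExecutionPolicy' $policy $note

    # WinRM service state and startup mode (Enable-PSRemoting starts the
    # service and sets it to Automatic).
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'"
    if (-not $svc) {
        $rows += & $add 'WinRM service' 'not installed' ''
        return $rows | Select-Object Setting, Value, Note
    }
    $rows += & $add 'WinRM service' "$($svc.State) / $($svc.StartMode)" ''

    # The WSMan: drive can only be read while the service is running.
    if ($svc.State -ne 'Running') {
        $rows += & $add 'WSMan configuration' 'not readable' 'WinRM is stopped; no listener is active'
        return $rows | Select-Object Setting, Value, Note
    }

    # Listeners: flag any listener that accepts requests on every IP address.
    foreach ($l in @(Get-ChildItem WSMan:\localhost\Listener)) {
        $port = (Get-ChildItem "WSMan:\localhost\Listener\$($l.Name)" |
                 Where-Object { $_.Name -eq 'Port' }).Value
        $note = if ($l.Keys -contains 'Address=*') { 'Accepts requests on any IP address' } else { '' }
        $rows += & $add "Listener $($l.Name)" "$($l.Keys -join ', '), Port=$port" $note
    }

    # Shell quotas: the page gives 5 as the unconfigured MaxShellsPerUser,
    # 10 as the installer value and 20 / 20000 MB in the CredSSP setup.
    $quotaNotes = @{
        MaxShellsPerUser    = 'Page values: 5 unconfigured, 10 installer, 20 in section 4.3'
        MaxMemoryPerShellMB = 'Page value: 20000 in section 4.3'
    }
    foreach ($name in 'MaxShellsPerUser', 'MaxMemoryPerShellMB') {
        $value = (Get-Item "WSMan:\localhost\Shell\$name").Value
        $rows += & $add $name $value $quotaNotes[$name]
    }

    # CredSSP: enabled means credentials can be delegated (client role) or
    # accepted for delegation (server role).
    foreach ($role in 'Service', 'Client') {
        $enabled = (Get-Item "WSMan:\localhost\$role\Auth\CredSSP").Value
        $note = if ($enabled -eq 'true') { 'Credential delegation is enabled for this role' } else { '' }
        $rows += & $add "CredSSP ($role)" $enabled $note
    }

    # Session configurations: Enable-PSRemoting removes "Deny Everyone" from
    # their security descriptors, so list who may connect.
    foreach ($sc in @(Get-PSSessionConfiguration)) {
        $rows += & $add "Session configuration $($sc.Name)" $sc.Permission ''
    }

    $rows | Select-Object Setting, Value, Note
}

Get-BpaRemotingFootprint | Format-Table -AutoSize -Wrap
```

Saving the output of one run and comparing it with a later run shows which of these settings remain in place after the BPA has been uninstalled.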

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

The result looks like this:

ModelId    : SQL2008R2BPA
SubModelId :
Success    : True
ScanTime   :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = Get-MbcaModel -ModelId sql2008r2bpa

$scanResult = Get-MbcaResult -ModelId sql2008r2bpa

$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration

$model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where-Object { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("dd.MM.yyyy hh:mm:ss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>

$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration

$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
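The comparison of an older scan with a more recent one that this section describes, as an added example (not part of the whitepaper or of MBCA). The finding properties are the ones named in the report commands in section 4.4.2; the function names and the sample findings are constructed for illustration, and in real use the two inputs are the result sets loaded with Import-CliXml.

```powershell
# Added example: compare two BPA result sets to measure compliance progress.
# Property names (ComputerName, SubModelId, Severity, Category, Title) are the
# ones used in the report commands on this page; everything else is constructed.

function Get-BpaFindingKey {
    param($Finding)
    # A finding is identified by where it was raised and by which rule.
    '{0}|{1}|{2}' -f $Finding.ComputerName, $Finding.SubModelId, $Finding.Title
}

function New-BpaDelta {
    param($State, $Finding)
    New-Object PSObject -Property @{
        State = $State; ComputerName = $Finding.ComputerName
        SubModelId = $Finding.SubModelId; Severity = [string]$Finding.Severity
        Category = $Finding.Category; Title = $Finding.Title
    }
}

function Compare-BpaScan {
    param(
        [object[]]$Baseline,                        # older scan
        [object[]]$Current,                         # more recent scan
        [string[]]$Severity = @('Error', 'Warning') # severities worth tracking
    )

    # Index the reportable findings of the older scan.
    $old = @{}
    foreach ($f in $Baseline) {
        if ($Severity -contains [string]$f.Severity) { $old[(Get-BpaFindingKey $f)] = $f }
    }

    # Classify every reportable finding of the newer scan against that index.
    $seen = @{}
    foreach ($f in $Current) {
        if ($Severity -notcontains [string]$f.Severity) { continue }
        $key = Get-BpaFindingKey $f
        $seen[$key] = $true
        if (-not $old.ContainsKey($key)) {
            $state = 'New'
        } elseif ([string]$old[$key].Severity -ne [string]$f.Severity) {
            $state = 'SeverityChanged'
        } else {
            $state = 'Unchanged'
        }
        New-BpaDelta $state $f
    }

    # Reportable in the older scan but no longer reported: resolved.
    foreach ($key in $old.Keys) {
        if (-not $seen.ContainsKey($key)) { New-BpaDelta 'Resolved' $old[$key] }
    }
}

# Constructed sample findings standing in for two imported result sets.
function New-SampleFinding {
    param($Severity, $Category, $Title)
    New-Object PSObject -Property @{
        ComputerName = 'SQL01'; SubModelId = 'Engine'
        Severity = $Severity; Category = $Category; Title = $Title
    }
}

$older = @(
    (New-SampleFinding 'Error'   'Security'      'Guest Permissions'),
    (New-SampleFinding 'Warning' 'Configuration' 'Databases have auto close option enabled'),
    (New-SampleFinding 'Warning' 'Security'      'Trustworthy Bit')
)
$newer = @(
    (New-SampleFinding 'Error'   'Security'      'Trustworthy Bit'),
    (New-SampleFinding 'Warning' 'Configuration' 'Databases have auto close option enabled'),
    (New-SampleFinding 'Warning' 'Security'      'Auditing Log in failures')
)

Compare-BpaScan -Baseline $older -Current $newer |
    Sort-Object State, Title |
    Format-Table State, Severity, Category, Title -AutoSize
```

A finding that drops out of the tracked severities between the two scans is reported as Resolved; pass a different -Severity list to track other levels.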

4.4.4 Report Result Directory

The reporting result path

AppData\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check:

Copy-Item -Path ($Env:LocalAppData + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -Destination ($Env:LocalAppData + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() -Recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppData + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object Name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppData + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.Name).ToString() | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation
Timestamp, finished rules, start and end times
Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user’s local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file is generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt
Engine Rules - EngineLog.txt
Replication Rules - ReplicationLog.txt
Setup Rules - SetupLog.txt
Analysis Services Rules - AnalysisServicesLog.txt
Reporting Services Rules - ReportingServicesLog.txt
Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 – NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 – the NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370

Both of the rules below will function properly if you apply this hotfix. For more information look here

5.3 MBCA

This message indicates that a prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in result set of the analyzer report?

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB or less of memory. This default limit is quite small, and once it is reached a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit; it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to “Connect to another computer” from MBCA and you receive the following message:

You should check first if the hotfix KB968930 is installed.

Afterwards, validate that the “Windows Remote Management” service is started:

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is “Access Denied”.

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.

2. Change to the directory where the .msi file resides.

3. Type: msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails with the above error due to a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the Machine Account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS Web Application such as SharePoint, or if you are using Reporting Services and the service account is set to a Domain User account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That’s where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application’s end, would be to run the application under a Host Header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.
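A check for the HTTP SPN situation described in this section, as an added example (not from the whitepaper): it lists accounts other than the machine account that hold an HTTP SPN for the machine's name. The function names and the sample records are constructed; the directory query assumes a domain-joined computer and uses the standard servicePrincipalName, sAMAccountName and objectClass attributes.

```powershell
# Added example: find HTTP SPNs for this machine's name on non-machine accounts.

function Get-HttpSpnConflict {
    param(
        [string[]]$HostName,   # short and fully qualified names of the machine
        [object[]]$Account     # objects with SamAccountName, IsComputer, Spn
    )
    foreach ($a in $Account) {
        # SPNs on the machine account itself are the context WinRM runs under.
        if ($a.IsComputer) { continue }
        foreach ($spn in $a.Spn) {
            # SPN syntax: <service class>/<host>[:<port>][/<service name>]
            if ($spn -notmatch '^(?<class>[^/]+)/(?<host>[^:/]+)') { continue }
            if ($Matches['class'] -ne 'HTTP') { continue }
            if ($HostName -contains $Matches['host']) {
                New-Object PSObject -Property @{ Account = $a.SamAccountName; Spn = $spn }
            }
        }
    }
}

function Get-HttpSpnAccount {
    param([string[]]$HostName)
    # One exact clause and one ":port" clause per name, so only SPNs for these
    # hosts are requested. Assumption: the names contain no LDAP filter
    # metacharacters.
    $clauses = foreach ($h in $HostName) {
        '(servicePrincipalName=HTTP/{0})(servicePrincipalName=HTTP/{0}:*)' -f $h
    }
    $searcher = [adsisearcher]('(|{0})' -f (-join $clauses))
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            SamAccountName = [string]$r.Properties['samaccountname'][0]
            IsComputer     = (@($r.Properties['objectclass']) -contains 'computer')
            Spn            = @($r.Properties['serviceprincipalname'])
        }
    }
}

# Constructed sample: the machine account of SQL01 plus a Reporting Services
# service account that registered HTTP SPNs under the machine's own name.
$sample = @(
    (New-Object PSObject -Property @{
        SamAccountName = 'SQL01$'; IsComputer = $true
        Spn = @('HOST/SQL01', 'HOST/sql01.contoso.com')
    }),
    (New-Object PSObject -Property @{
        SamAccountName = 'svc-ssrs'; IsComputer = $false
        Spn = @('HTTP/SQL01', 'HTTP/sql01.contoso.com', 'MSSQLSvc/sql02.contoso.com:1433')
    })
)

Get-HttpSpnConflict -HostName 'SQL01', 'sql01.contoso.com' -Account $sample

# On a domain-joined machine, query the directory instead of the sample:
# $names = $env:COMPUTERNAME, [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
# Get-HttpSpnConflict -HostName $names -Account (Get-HttpSpnAccount $names)
```

Any row returned names the account whose HTTP SPN would have to be removed temporarily, or moved to a host header name, for the scan to work.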

6 RULES

Searching for “SQL Server 2008 R2 BPA” at Microsoft.com reveals:

Here is an example of one of these articles that talks about a rule to check for a recent “clean” CHECKDB:

BPA works by measuring a role’s compliance with best practice rules in eight different categories of a role’s effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level | Description

Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant | Compliant results are returned when a role satisfies the conditions of a rule.

Warning | Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name | Description

Security | Security rules are applied to measure a role’s relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance | Performance rules are applied to measure a role’s ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role’s workload.

Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.

Postdeployment | Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.

BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules are checking that you have a secure, resilient and well performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC / BDC (http://support.microsoft.com/kb/2032911)
SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)
Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)
Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)
Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)
Databases using simple recovery model (http://support.microsoft.com/kb/2137539)
User database collation different from model (http://support.microsoft.com/kb/2026108)
Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)
Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)
LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)
SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)
SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)
Invalid startup parameters (http://support.microsoft.com/kb/2028433)
MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)
sql incorrect results fix missing (http://support.microsoft.com/kb/971780)
File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)
linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)
Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)
default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)
TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)
FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)
Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)
A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)
Significant Portion of SQL Server Memory Has Been Paged Out (http://support.microsoft.com/kb/2028324)
Server Exception or Hang Detected on Server (http://support.microsoft.com/kb/2028589)
Databases exist without CHECKSUM protection (http://support.microsoft.com/kb/2078345)
backups outdated for databases (http://support.microsoft.com/kb/2027537)
Database consistency check not current (http://support.microsoft.com/kb/2033590)
SQL Server Memory settings are incorrect (http://support.microsoft.com/KB/918483/EN-US)
Autogrow Failed or took a long time (http://support.microsoft.com/kb/2091024)
Storport driver fix from KBA 940467 missing (http://support.microsoft.com/kb/2121098)
Storport driver fix from KBA 950903 missing (http://support.microsoft.com/kb/2121098)
SQLCLR needs additional memory configuration (http://support.microsoft.com/kb/969962/EN-US)
Operating System files and drivers needs update for working set trimming (http://support.microsoft.com/kb/2121098)
Agent Token Replacement (http://support.microsoft.com/kb/2202637)
Auditing Log in failures (http://support.microsoft.com/kb/2187161)
Databases with high number of VLF present (http://support.microsoft.com/kb/2028436)
Transparent Data Encryption Certificate (http://support.microsoft.com/kb/2201900)
Permission on the Binn folder (http://support.microsoft.com/kb/2029023)
Index Statistics Are Outdated
Server public permissions (http://support.microsoft.com/kb/2160698)
Detected use of older versions of SQLNCLI (http://support.microsoft.com/kb/979779)

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services (http://support.microsoft.com/kb/2128005)
Excessive amount of memory preallocated to Analysis Services (http://support.microsoft.com/kb/2027474)
Server not configured for optimal concurrent query throughput (http://support.microsoft.com/kb/2135031)
Non standard value detected for Analysis Services memory configuration (http://support.microsoft.com/kb/2027472)
Process Thread Pool Max limit above recommended limit (http://support.microsoft.com/kb/2134497)
Process Thread Pool Minimum is below the recommended limit (http://support.microsoft.com/kb/2134855)
Server is running a build with a known regression (http://support.microsoft.com/kb/2157941)
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur (http://support.microsoft.com/kb/2027754)
Server is ignoring duplicate key errors (http://support.microsoft.com/kb/2027761)
No default member defined for non-aggregatable attribute (http://support.microsoft.com/kb/2027769)
UnknownMember set to hidden (http://support.microsoft.com/kb/2027628)
Non-numeric key column for high cardinality attribute (http://support.microsoft.com/kb/2028138)
Attribute hierarchy enabled for high cardinality non-key attribute (http://support.microsoft.com/kb/2028143)
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected (http://support.microsoft.com/kb/2132742)
Account or Time attribute types defined in a non-matching dimension type (http://support.microsoft.com/kb/2157299)
An Account or Time dimension has no matching attribute defined (http://support.microsoft.com/kb/2027418)
Dimension has no attribute defined with the same type (http://support.microsoft.com/kb/2027443)
Attribute Dimension type mismatch (http://support.microsoft.com/kb/2157327)
Mismatched dimension attribute types detected in dimension (http://support.microsoft.com/kb/2027459)
Possible incorrect order of levels defined in hierarchy (http://support.microsoft.com/kb/2027460)
Define attribute relationships as Rigid where possible (http://support.microsoft.com/kb/2027468)
Redundant attribute relationships detected (http://support.microsoft.com/kb/2127437)
Diamond-shape relationship detected (http://support.microsoft.com/kb/2127570)
Non-Standard Attribute Relationship name detected (http://support.microsoft.com/kb/2127862)
Proactive Caching set for dimension without a processing query (http://support.microsoft.com/kb/2027541)
No Time dimension detected (http://support.microsoft.com/kb/2027532)
More than 3 parent-child dimensions with custom rollups defined (http://support.microsoft.com/kb/2134431)
Encountered a parent-child dimension with more than 500000 members (http://support.microsoft.com/kb/2131918)
Single attribute dimensions detected (http://support.microsoft.com/kb/2141654)
Measure groups with zero dimensional overlap detected in cube (http://support.microsoft.com/kb/2027609)
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective (http://support.microsoft.com/kb/2027603)
Use MOLAP storage for dimensions that participate in semi-additive measure groups (http://support.microsoft.com/kb/2135112)
Measure group defined with no partition (http://support.microsoft.com/kb/2027545)

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration (http://support.microsoft.com/kb/2145506)
HTTP Logging is not enabled (http://support.microsoft.com/kb/2145909)
Verbose logging is enabled (http://support.microsoft.com/kb/2146315)
NTLM authentication may fail for local (http://support.microsoft.com/kb/2146369)
Missing extended protection settings (http://support.microsoft.com/kb/2146062)

6.4 IS Rules

Logging task missing for package (http://support.microsoft.com/kb/2027723)
ActiveX Script task detected in package (http://support.microsoft.com/kb/2027712)
Unrecommended Integration Services service account detected (http://support.microsoft.com/kb/2027684)
Integration Services logging table found in system database master and/or msdb (http://support.microsoft.com/kb/2027706)
Integration Services memory dump detected (http://support.microsoft.com/kb/2027727)

6.5 Setup Rules

Unsupported Operating System Version Detected (http://support.microsoft.com/kb/2022909)
WOW64 not supported for SQL Failover Clustering (http://support.microsoft.com/kb/2157198)
Installer cache is missing for the SQL Installation (http://support.microsoft.com/kb/2015100)
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type (http://support.microsoft.com/kb/2118349)
Replication Pub and Sub out of sync (Data Validation) (http://support.microsoft.com/kb/2118386)
Replication Pub and Sub out of sync (Constraint Violations) (http://support.microsoft.com/kb/2118410)
Replication Pub and Sub out of sync (Skipped Transactions) (http://support.microsoft.com/kb/2194498)
Merge Replication Health Check (http://support.microsoft.com/kb/2118445)
Subscriptions Approaching Expiration (http://go.microsoft.com/fwlink/?LinkId=184483)
Replication Cleanup and Retention Health Check (http://support.microsoft.com/kb/2118485)
Replication Latency Threshold violations (http://support.microsoft.com/kb/2118425)

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article “Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates” the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it’s a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support – and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You get help for these commands with the following syntax:

Get-Help <command> -Full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required false

Position named

Default value Default

Accept pipeline input false

Accept wildcard characters false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X.509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required false

Position named

Default value All

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required false

Position named

Default value 80

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required false


Position named

Default value 32

Accept pipeline input false

Accept wildcard characters false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required false

Position named


Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results.

2. Attempting to get MBCA results for Model Id = {0}.

3. Completed getting MBCA results for Model Id = {0}. Number of Results = {1}.

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data.

2. Attempting to get MBCA collected configuration data for Model Id = {0}.

3. Completed getting MBCA collected configuration data for Model Id = {0}.

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.


-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id, for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.
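The scan-then-review sequence from the Invoke-MBCAModel and Get-MBCAResult sections above, wrapped with two pre-flight checks, as an added example that is not part of the white paper or of MBCA. The function name Invoke-CheckedBpaScan and the sample repository path are hypothetical; the code assumes the MBCA cmdlets are already loaded in the session and uses only parameters documented above, plus the Category property that the paper's Set-MBCAResult examples filter on.

```powershell
# Added example: hypothetical wrapper, not part of MBCA or the SQL Server 2008 R2 BPA.
# Assumption: the MBCA cmdlets documented above are already loaded in this session.
function Invoke-CheckedBpaScan {
    [CmdletBinding()]
    param(
        [string]   $ModelId = 'SQL2008R2BPA',
        [string]   $SubModelId,
        [string[]] $ComputerName,
        [ValidateSet('Default', 'Basic', 'CredSSP', 'Digest', 'Kerberos',
                     'Negotiate', 'NegotiateWithImplicitCredential')]
        [string]   $Authentication = 'Default',
        [int]      $Port,
        [switch]   $UseSSL,
        [string]   $RepositoryPath
    )

    # The cmdlets need an Administrators member in an elevated session.
    # Under UAC, IsInRole(Administrator) is false until the session is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'This session is not elevated. Open Windows PowerShell with Run as Administrator.'
    }

    # Basic authentication only base64-encodes the password, and -UseSSL is off
    # by default, so refuse that combination when a target computer is named.
    $usesRemoting = $PSBoundParameters.ContainsKey('ComputerName')
    if ($usesRemoting -and $Authentication -eq 'Basic' -and -not $UseSSL) {
        throw 'Basic authentication to a target computer requires -UseSSL.'
    }

    # Build the scan arguments from the documented parameters only.
    $scan = @{ ModelId = $ModelId }
    if ($SubModelId)     { $scan['SubModelId']     = $SubModelId }
    if ($RepositoryPath) { $scan['RepositoryPath'] = $RepositoryPath }
    if ($usesRemoting) {
        $scan['ComputerName']   = $ComputerName
        $scan['Authentication'] = $Authentication
        if ($UseSSL) { $scan['UseSSL'] = $true }
        # No port is chosen here: it is passed only if the caller supplied one.
        if ($PSBoundParameters.ContainsKey('Port')) { $scan['Port'] = $Port }
    }
    $scanOutput = Invoke-MBCAModel @scan -ErrorAction Stop

    # Read back only the noncompliant results, from the same repository.
    $query = @{ ModelId = $ModelId; Filter = 'Noncompliant' }
    if ($SubModelId)     { $query['SubModelId']     = $SubModelId }
    if ($RepositoryPath) { $query['RepositoryPath'] = $RepositoryPath }
    $findings = @(Get-MBCAResult @query -ErrorAction Stop)

    # Summarize by Category so the largest groups of deviations come first.
    $byCategory = $findings | Group-Object -Property Category |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Name, Count

    New-Object PSObject -Property @{
        ScanOutput   = $scanOutput    # what Invoke-MBCAModel returned
        Noncompliant = $findings      # result objects, usable with Set-MBCAResult
        ByCategory   = $byCategory    # count of noncompliant results per category
    }
}

# Constructed usage: local scan, results kept in a non-default repository.
# $report = Invoke-CheckedBpaScan -RepositoryPath 'C:\BpaRepository'
# $report.ByCategory
```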

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required false


Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable, $allPerformance, to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled, and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


Page 2: SQL2008R2 BPA Whitepaper v10

Page 2

Table of Contents

1 Introduction
1.1 Architecture and data flow of the BPA
1.2 Microsoft Best Practice Analyzer Universe
1.2.1 SQL Server BPA (older versions)
1.2.2 Windows Server 2008 R2 Best Practice Analyzer
1.2.3 Fix-it
1.2.4 Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7
2 System Requirements
2.1 Required Permissions for Running SQL Server 2008 R2 BPA
2.2 Prerequisites
3 Install
3.1 Installing PowerShell 2.0 and WinRM
3.2 Install MBCA
3.3 Install BPA
3.3.1 Command line
3.3.2 GUI
3.3.3 Port and Firewall restrictions
3.4 Updates
3.5 Uninstall
3.5.1 BPA
3.5.2 MBCA
3.5.3 Reset Powershell settings
4 Usage
4.1 Help file
4.2 GUI
4.3 Connect to a remote computer
4.4 Powershell
4.4.1 Run Scan
4.4.2 Create Report
4.4.3 Exporting and opening reports by using Get-MBCAResult
4.4.4 Report Result Directory
5 Troubleshooting
5.1 Application directories
5.2 Windows Server 2003 – NumberOfLogicalProcessors
5.3 MBCA
5.4 Where can I find the Instance name in result set of the analyzer report?
5.5 Memory limit of remote PowerShell process
5.6 Remote connect
5.7 Installation
5.7.1 Powershell error
5.7.2 Workgroup or Non-Domain computer
5.7.3 Kerberos Failure
6 Rules
6.1 Engine
6.2 ASRules
6.3 RSRules
6.4 ISRules
6.5 SetupRules
6.6 Replication
7 How to Deal With Deviations
8 Motivation to use SQL BPA R2
9 Additional Information
9.1 Powershell
9.1.1 Get-MBCAModel
9.1.2 Invoke-MBCAModel
9.1.3 Get-MBCAResult
9.1.4 Set-MBCAResult
9.1.5 MBCA Model Authoring


Copyright Information

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft and SQL Server are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.


1 INTRODUCTION

The Microsoft SQL Server 2008 R2 Best Practices Analyzer (BPA) is a diagnostic tool that performs the following functions:

• Gathers information about a server and an instance of Microsoft SQL Server 2008 or 2008 R2 that is installed on that server

• Determines if the configurations are set according to the Microsoft recommended best practices

• Reports on all configurations, indicating settings that differ from recommendations

• Indicates potential problems in the installed instance of SQL Server

• Recommends solutions to potential problems

This tool is used by IT professionals and database administrators to help ensure that their installations of SQL Server and associated product components adhere to best practices as determined by the SQL Server Product Teams and CSS. This utility scans the installation on a local or remote machine, gathering system data from WMI, log files, the Event Log, the Windows Registry, and SQL Server metadata, and compares the results to predefined standards. It then produces a report that shows the results and points the user to additional information on the web to help them determine whether they should make changes to their systems.

For every configuration, the SQL Server 2008 R2 BPA provides the following results:

• Compliance results are returned when an instance of SQL Server satisfies the conditions of a Best Practices rule. Non-compliance results are returned when an instance of SQL Server does not satisfy the conditions of a Best Practices rule.

• Impact of non-compliance

• Recommendation

• Links to more detailed information and related topics

To assist you and to make your DBA life easier, Microsoft includes some of these best practices in a couple of products, depending on the specific purpose of the software. The following diagram illustrates the variety of tools available to check best practices for SQL Server 2008 and SQL Server 2008 R2, in parallel or in combination with BPA.

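[Figure: The big picture – automated Best Practices of SQL Server checks offered in different flavours and products. Diagram labels: CSS Rules, Advice and Manifests; SQL Server 2008 R2 Best Practice Analyzer; SQL 2008 Setup; Policy Based Management; SCOM SQL MP; SQLRAP]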

You will therefore find a couple of these policies in the following solutions:

• SQL Server 2008 R2 Best Practice Analyzer, with more than 140 rules for the database engine and other technologies

• System Center Operations Manager (SCOM), within the SQL Management Pack (current version 6.1.314.36, release date 08/17/2010), with more than 300 rules and 50 additional monitors

• Policy Based Management in SQL Server 2005 and 2008, with a predefined policy collection (50+ policies). There is a whitepaper about PBM here.

• System Configuration Checker in the SQL Server 2008 setup wizard

• The SQL Risk Assessment Toolset (Premier Organisation best practice flagship), offering more than 200 rules. This offering is meant for Premier customers running the SQL RAP against their most business-critical SQL instances.

Note: This tool set is only available for Microsoft Premier customers.

1.1 Architecture and data flow of the BPA

The SQL Server 2008 R2 Best Practices Analyzer is an additional “model” for the Microsoft Baseline Configuration Analyzer V2.0 (MBCA). A model is a set of component files that together comprise the configuration analysis and reporting output from MBCA.

The MBCA is embedded as a PowerShell cmdlet and consists of two major components: the MBCA Engine and the MBCA UI.

The MBCA Engine process itself consists of two main activities: evaluation and discovery. The MBCA Engine is fed by PowerShell discovery scripts and XML schema files, which are used during discovery. The discovery activity interrogates the SQL Server, Registry, WMI, Error and Event Logs, etc. The output is saved in an XML file, which is then used in the evaluation activity. Evaluation is performed using the Schematron file. This file, run by the MBCA engine, contains the logic for evaluating the best practices. The final step following the evaluation process is the report generation, which is shown in the MBCA UI.

In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer.

1.2 Microsoft Best Practice Analyzer Universe

Microsoft offers many technologies and utilities to produce best practices recommendations.

1.2.1 SQL Server BPA (older versions)

Microsoft has also created Best Practices Analyzers for older SQL Server versions and for Windows:

• SQL Server 2005 Best Practices Analyzer (August 2008)

• SQL Server 2000 Best Practices Analyzer (April 2010)

1.2.2 Windows Server 2008 R2 Best Practice Analyzer

In Windows management, best practices are guidelines that are considered the ideal way, under typical circumstances, to configure a server as defined by experts. For example, it is considered a best practice for most server technologies to keep open only those ports required for the technologies to communicate with other networked computers, and to block unused ports. Although best practice violations, even crucial ones, are not necessarily problematic, they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.

Best Practices Analyzer (BPA) is a server management tool that is available in Windows Server® 2008 R2. BPA can help administrators reduce best practice violations by scanning one or more roles that are installed on Windows Server 2008 R2 and reporting best practice violations to the administrator. Administrators can filter or exclude results from BPA reports that they do not have to see. Administrators can also perform BPA tasks by using either the Server Manager GUI or Windows PowerShell cmdlets.

BPA can also be used on remote servers that are running Windows Server 2008 R2 by using Server Manager targeted at a remote server. For more information about how to run Server Manager targeted at a remote server, see Remote Management with Server Manager.

The following BPA modules are currently available:

• Best Practices Analyzer for Active Directory Certificate Services

• Best Practices Analyzer for Active Directory Domain Services

• Best Practices Analyzer for Active Directory Rights Management Services

• Best Practices Analyzer for Application Server

• Best Practices Analyzer for Domain Name System

• Best Practices Analyzer for Dynamic Host Configuration Protocol

• Best Practices Analyzer for File Services

• Best Practices Analyzer for Hyper-V

• Best Practices Analyzer for Internet Information Services

• Best Practices Analyzer for Network Policy and Access Services

• Best Practices Analyzer for Remote Desktop Services

• Best Practices Analyzer for Windows Server Update Services

For more information about Windows BPA, look here.

1.2.3 Fix-it

Currently there is no link between the SQL Server Best Practice Analyzer and the Fixit webpage:

http://support.microsoft.com/fixit

Microsoft is working on a solution to combine Fixit with specific Best Practice Analyzers:

http://fixitcenter.support.microsoft.com/Portal

1.2.4 Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7

Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting programs that can automatically fix some common problems with your computer, such as problems with networking, hardware and devices, using the web, and program compatibility.

Go to the Windows website to watch a video about using troubleshooters to fix common problems (3:30).

When you run a troubleshooter, it might ask you some questions or reset common settings as it works to fix the problem. If the troubleshooter fixed the problem, you can close the troubleshooter. If it couldn't fix the problem, you can view several options that will take you online to try to find an answer. In either case, you can always view a complete list of changes made.

Notes

• If you click the Advanced link on a troubleshooter and then clear the "Apply repairs automatically" check box, the troubleshooter displays a list of fixes to choose from, if any problems are found.

• Windows includes several troubleshooters, and more are available online when you select the "Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service" check box at the bottom of Troubleshooting.

http://support.microsoft.com/gp/system_maintenance_for_windows


2 SYSTEM REQUIREMENTS

SQL Server 2008 R2 Best Practices Analyzer is supported on the following operating systems:

1. Windows Vista

2. Windows 7

3. Windows Server 2003

4. Windows Server 2003 R2

5. Windows Server 2008

6. Windows Server 2008 R2

Supported editions of SQL Server:

1. SQL Server 2008, all editions except Express

2. SQL Server 2008 R2, all editions except Express

Supported components of SQL Server:

1. Analysis Services

2. Database Engine

3. Integration Services

4. Reporting Services

5. Replication

6. Setup

These components are designed as submodels for the BPA. This means that they will be run concurrently where possible.

2.1 Required Permissions for Running SQL Server 2008 R2 BPA

Administration Privileges

To run MBCA v2.0, a user must be a member of the Administrators group on the machine being scanned and on the machine the scan is initiated from. If a user is not an administrator on the machine that is being scanned, an appropriate error message displays.

SQL Server

To successfully access all of the database properties and SQL Server configurations, a user must be a system administrator (sysadmin) on the instance of SQL Server.

Analysis Services

The user or the Administrators group must be a member of the server administrator role within an instance of Microsoft SQL Server Analysis Services. Members of this role have unrestricted access to all Analysis Services objects and data in that instance.

http://msdn.microsoft.com/en-us/library/ms174561.aspx

Integration Services

The user or the Administrators group must be a member of the sysadmin or db_ssisadmin roles.

http://msdn.microsoft.com/en-us/library/ms141053.aspx

Reporting Services

The user or the Administrators group must be a member of the System Administrator and Content Manager roles.

2.2 Prerequisites

The following are required for using SQL Server 2008 R2 Best Practices Analyzer:

1. PowerShell V2.0 (Windows PowerShell 2.0 requires the Microsoft .NET Framework 2.0 with Service Pack 1)

2. Microsoft Baseline Configuration Analyzer V2.0

3. SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2

The following table outlines, by operating system, the prerequisite Microsoft utilities and components that must be on your server prior to installing and running SQL Server 2008 R2 BPA. Steps 4 to 6 are grouped under "Configure PowerShell" (see footnote 1).

| OS | 1. Install WinRM | 2. Install PowerShell 2.0 | 3. Install MBCA 2.0 | 4. Remoting (1) | 5. Execution Level (1) | 6. MaxShellsPerUser (1) | 7. Install SQL 2008 or SQL 2008 R2 Management Tools |
|---|---|---|---|---|---|---|---|
| Windows Vista | Y | Y | Y | Y | Y | Y | Y |
| Windows 7 | N | N | Y | Y | Y | Y | Y |
| Windows Server 2003 | Y | Y | Y | Y | Y | Y | Y |
| Windows Server 2003 R2 | Y | Y | Y | Y | Y | Y | Y |
| Windows Server 2008 | Y | Y | Y | Y | Y | Y | Y |
| Windows Server 2008 R2 | N | N | Y | Y | Y | Y | Y |

(1) These changes will be done by the installation routine of the BPA.


3 INSTALL

We recommend installing BPA on a workstation or administration server and performing the scan operation remotely against servers in your SQL Server infrastructure. It is also possible to install this tool locally on the production SQL Server.

Installation process:

1. Install/configure PowerShell and WinRM

2. Microsoft Baseline Configuration Analyzer V2.0

3. Microsoft® SQL Server® 2008 R2 Best Practices Analyzer

There are two ways to install the Best Practices Analyzer:

• With a graphical user interface (setup wizard), or

• From the command line

3.1 Installing PowerShell 2.0 and WinRM

The BPA install configures WinRM and PowerShell options by default. Most of this section is only needed if something goes wrong and you need to configure these settings by hand.

Windows Server 2003 R2

WinRM is not installed by default, but it is available as the Hardware Management feature through the Add/Remove System Components feature in the Control Panel under Management and Monitoring Tools. Complete installation and information about configuring WinRM using the WINRM command-line tool is available online in the Hardware Management Introduction, which describes the WinRM and the IPMI features in Windows Server 2003 R2.

On Windows Vista, Windows Server 2003 and Windows Server 2008

This is installed as part of Windows Management Framework Core. The WinRM service starts automatically on Windows Server 2008. On Windows Vista, the service must be started manually.

On Windows Server 2008 R2 and Windows 7

This is installed as part of the OS.

Note: Check for additional information and configuration guidelines for WinRM and for PowerShell 2.0.

SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers. Therefore, in both the local and remote cases, it is required that your PowerShell settings be modified. These changes are made by the BPA installation.

PowerShell Execution Policy

The PowerShell Execution Policy is set to Restricted by default. To run SQL Server 2008 R2 BPA through the PowerShell command line, set the policy to RemoteSigned using the command below:

    Set-ExecutionPolicy RemoteSigned -f

You can use the command Set-ExecutionPolicy Restricted -f to set the execution policy back to Restricted. This command is not required when executing the scan through the MBCA GUI.

After the installation, you must enable PowerShell remote scripting if you want to use the BPA remotely against another workgroup machine or a computer that has Kerberos enabled. You need to run this command only once on each computer that will receive commands. You do not need to run it on computers that only send commands. Because the configuration activates listeners, it is prudent to run it only where it is needed. You can do this with the following command line:

    powershell.exe -NoLogo -NoProfile -NonInteractive -Command Enable-PSRemoting -force

Enable-PSRemoting performs configuration actions to enable this machine for remote management. This includes:

1. Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:

   • Starts the WinRM service

   • Sets the startup type on the WinRM service to Automatic

   • Creates a listener to accept requests on any IP address

   • Enables a firewall exception for WS-Management communications

   • Enables all registered Windows PowerShell session configurations to receive instructions from a remote computer

   • Registers the Microsoft.PowerShell session configuration, if it is not already registered

   • Registers the Microsoft.PowerShell32 session configuration on 64-bit computers, if it is not already registered

   • Removes the "Deny Everyone" setting from the security descriptor for all the registered session configurations

   • Restarts the WinRM service to make the preceding changes effective

2. Configures MaxShellsPerUser using:

    winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

   MaxShellsPerUser specifies the maximum number of concurrent shells that any user can remotely open on the same computer. If this policy setting is enabled, the user will not be able to open new remote shells if the count exceeds the specified limit. If this policy setting is disabled or is not configured, the limit will be set to 5 remote shells per user by default, and when that limit is exceeded you receive the following error message:

    [localhost] Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (System.Manageme…RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
        + FullyQualifiedErrorId : PSSessionOpenFailed

For more information about PowerShell remoting, please see MSDN.

3.2 Install MBCA

Download the edition of MBCA that matches your platform (x86 or x64) before installation.

Please find below the screenshots demonstrating the visual flow of the MBCA installation:

Welcome screen

License terms

Folder selection

Completion screen

3.3 Install BPA

Download the correct edition for your platform (x86 or x64) before installing. If you have trouble with the installation, please see section 5.7, Troubleshooting Installation.

3.3.1 Command line

Following is an optimized command line setup example:

    msiexec /i SQL2008R2BPA_Setup64.msi /l* c:\temp\sqlbpa_install.log /qn

msiexec parameters:

/i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform)

/l = log granularity ("*" logs all information except for the v and x options), followed by the log file

/q = display settings (/qn – no user interface)

SKIPCA=1 (if no domain controller is available: Skip Certification Authority)

For information on additional public properties, consult the Windows® Installer SDK for documentation on the command line syntax.

3.3.2 GUI

Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA installation:

Welcome screen

License terms

System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM)

Ready to install decision

Install progress

Completion screen

3.3.3 Port and Firewall restrictions

For scanning SQL Server or BI instances on an alternate server behind a firewall, you must open all necessary ports.

3.4 Updates

Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the download site from Microsoft regularly to find new updates.

3.5 Uninstall

3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings

After the uninstall of the BPA you may disable PowerShell remote scripting. You can do this with the following command line:

    powershell.exe -NoLogo -NoProfile -NonInteractive -Command Disable-PSRemoting -force

Disable-PSRemoting performs configuration actions to disable remote management of this machine.
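To check which of the settings from section 3.1 are still in place, before or after running Disable-PSRemoting, the following added example (not part of the BPA or MBCA packages) reads them back. The function name and finding texts are assumptions of this example; the defaults 5 (MaxShellsPerUser) and 150 (MaxMemoryPerShellMB) are the ones this paper states, and other WinRM versions may ship other defaults.

```powershell
# Added example, not part of the BPA or MBCA packages.
# Run from an elevated PowerShell 2.0+ prompt on the machine to be checked.
function Get-BpaRemotingFootprint {
    param(
        [int]$DefaultMaxShells   = 5,     # default stated in section 3.1 of this paper
        [int]$DefaultMaxMemoryMB = 150    # default stated in section 5.5 of this paper
    )
    $r = @{}

    # Section 3.1: Restricted is the default; the BPA command line needs RemoteSigned.
    $r.ExecutionPolicy = (Get-ExecutionPolicy).ToString()

    # Enable-PSRemoting starts the WinRM service and sets its startup type to Automatic.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'"
    $r.WinRMState     = $svc.State
    $r.WinRMStartMode = $svc.StartMode            # WMI reports Automatic as 'Auto'

    $r.Listeners = @(); $r.SessionConfigurations = @(); $r.CredSSP = @()
    $r.MaxShellsPerUser = $null; $r.MaxMemoryPerShellMB = $null

    if ($svc.State -eq 'Running') {               # the WSMan queries need the service
        try {
            $r.Listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate -ErrorAction Stop |
                ForEach-Object { '{0}://{1}:{2}' -f $_.Transport, $_.Address, $_.Port })
            $r.MaxShellsPerUser    = [int](Get-Item WSMan:\localhost\Shell\MaxShellsPerUser -ErrorAction Stop).Value
            $r.MaxMemoryPerShellMB = [int](Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -ErrorAction Stop).Value
            $r.CredSSP = @(Get-WSManCredSSP -ErrorAction Stop)
            $r.SessionConfigurations = @(Get-PSSessionConfiguration -ErrorAction Stop |
                ForEach-Object { '{0}: {1}' -f $_.Name, $_.Permission })
        } catch {
            $r.QueryError = $_.Exception.Message  # typically: prompt is not elevated
        }
    }

    # Compare what was read with the defaults and changes described in this paper.
    $findings = @()
    if ($r.ExecutionPolicy -ne 'Restricted') {
        $findings += "Execution policy is $($r.ExecutionPolicy), not the Restricted default"
    }
    if ($r.WinRMState -eq 'Running') {
        $findings += "WinRM service is running (startup type $($r.WinRMStartMode))"
    }
    foreach ($l in $r.Listeners) {
        if ($l -match '://\*:') { $findings += "Listener accepts requests on any IP address: $l" }
    }
    if ($null -ne $r.MaxShellsPerUser -and $r.MaxShellsPerUser -ne $DefaultMaxShells) {
        $findings += "MaxShellsPerUser is $($r.MaxShellsPerUser) (default here: $DefaultMaxShells)"
    }
    if ($null -ne $r.MaxMemoryPerShellMB -and $r.MaxMemoryPerShellMB -ne $DefaultMaxMemoryMB) {
        $findings += "MaxMemoryPerShellMB is $($r.MaxMemoryPerShellMB) (default here: $DefaultMaxMemoryMB)"
    }
    foreach ($c in $r.SessionConfigurations) {
        # Disable-PSRemoting puts a deny entry back into each security descriptor.
        if ($c -notmatch 'AccessDenied') { $findings += "Session configuration has no deny entry: $c" }
    }
    foreach ($c in $r.CredSSP) {
        # Matches the English message text; adjust on localized systems.
        if ($c -notmatch 'is not configured') { $findings += "CredSSP: $c" }
    }
    $r.Findings = $findings

    New-Object PSObject -Property $r
}

Get-BpaRemotingFootprint | Format-List
```

Disable-PSRemoting only denies remote access to the session configurations; the WinRM service, its listener and the firewall exception stay in place and have to be removed separately if they are no longer needed.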


4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:

• Scanning through the local machine

  o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.

  o This scan can be of the local or an alternate server.

• Scanning through a remote machine

  o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.

  o This scan uses the local machine to form the connection to the remote machine and actually performs the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start -> All Programs -> SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the Start menu with elevated user rights.

3. On the MBCA home page, ensure the “SQL Server 2008 R2 BPA” product is selected.

4. Click Start Scan, which displays a page to specify parameters, as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:

   • ComputerName

   • IP address: n.n.n.n

   • FQDN (Fully Qualified Domain Name)

   Enter ".", localhost, or leave this blank if you want to scan the local machine.

   Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the check boxes to enable or disable scans for those rule categories. Each of the following six check boxes corresponds to one of the SQL Server categories listed previously. Select at least one category in order to run a successful scan.

   • Analyze_SQL_Analysis_Services

   • Analyze_SQL_Server_Engine

   • Analyze_SQL_Integration_Services

   • Analyze_SQL_Server_Replication

   • Analyze_SQL_Reporting_Services

   • Analyze_SQL_Server_Setup

   Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the page below while in progress.

7. When the scan is complete, results will be displayed grouped by Severity, as shown below.

4.3 Connect to a remote computer

A scan connected to a remote computer is different from scanning an alternate server.

“Connect to a Remote Computer” is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case, the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select “Connect to Another Computer”.

1. In the “Connect to Another Computer” text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:

   • ComputerName

   • ComputerName:PortNumber

   • IP address: n.n.n.n

   • IPv6 address: [n:n:n:n:n:n:n:n]

   • IPv4 address with port number: n.n.n.n:PortNumber

   • IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

   Note: If an administrator has changed the computer’s default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session type winrm help, and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

   Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user’s credentials from the client computer to the target server.

   CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

   Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. Windows XP, Windows Server 2003 and earlier: CredSSP is not supported.

   First you must set CredSSP on both the client and the server.

   • Using the Group Policy Editor (gpedit.msc), make sure to enable “Allow Delegating Fresh Credentials” and check “Concatenate OS defaults with input above”.

   • Add the server or domain to the list of servers in the format “WSMAN/*.domainname.com”.

   Next, enable and configure PowerShell Remoting on both the client and the server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

   • Enable PowerShell Remoting

     o Enable-PSRemoting -f

   • Settings for a client

     o Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]

     or

     o Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]

   • Settings for the server

     o Enable-WSManCredSSP -Role Server

     o Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000

     o Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

    Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

    $x = Get-Module BaselineConfigurationAnalyzer
    $x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

    Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername `
        -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine `
        -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup `
        -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services `
        -Analyze_SQL_Reporting_Services

The result looks like this:

    ModelId    : SQL2008R2BPA
    SubModelId :
    Success    : True
    ScanTime   :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

    -Alternate_Server_to_scan servername
    -SQL_Server_Instance_Name instancename
    -Analyze_SQL_Server_Engine
    -Analyze_SQL_Server_Replication
    -Analyze_SQL_Server_Setup
    -Analyze_SQL_Analysis_Services
    -Analyze_SQL_Integration_Services
    -Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for Analysis Services on the alternate server “servername” and for the named instance “instance”. A log file will be written to “c:\temp\ssas.txt”.

    Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices `
        -ComputerName servername -SqlServerInstance instance `
        -SSASLogFile c:\temp\ssas.txt

    Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine `
        -ComputerName computername -SqlServerInstance servername `
        -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() `
        -EngineLogFile c:\temp\engine.txt `
        -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

    $model = Get-MbcaModel -ModelId sql2008r2bpa
    $scanResult = Get-MbcaResult -ModelId sql2008r2bpa
    $collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration
    $model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

    Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
        ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

    Get-MBCAResult -ModelId SQL2008R2BPA |
        Where-Object { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } |
        ConvertTo-Html -As Table `
            -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help `
            -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" `
            -Title "SQL Server 2008 Best Practice Analyzer" `
            -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() `
            -PreContent "<P>Generated by user $env:username on computer $env:computername</P>" `
            -PostContent "For details contact Microsoft Premier" `
            -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

    $results = Get-MBCAResult <Model Id>
    $collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration
    $results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening an archived XML report file:

    $loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
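The comparison of an older export with a newer one, as described above, could look like the following added example (not part of the BPA or MBCA packages). The function names, the two temporary files and the sample findings are constructed for this example; the property names are the ones used in the report commands of this paper.

```powershell
# Added example, not part of the BPA or MBCA packages.

function Import-BpaFinding {
    param([string]$Path)
    # Same layout as the export above: scan results first, collected configuration second.
    $results, $config = Import-Clixml -Path $Path
    # Compare Severity as text: after Import-Clixml a property may no longer have its original type.
    @($results) | Where-Object { "$($_.Severity)" -eq 'Warning' -or "$($_.Severity)" -eq 'Error' }
}

function Get-BpaFindingKey {
    param($Finding)
    # A finding is identified by the machine, the submodel and the rule title.
    '{0}|{1}|{2}' -f $Finding.ComputerName, $Finding.SubModelId, $Finding.Title
}

function New-BpaDelta {
    param([string]$Status, $Finding)
    New-Object PSObject -Property @{
        Status       = $Status
        Severity     = "$($Finding.Severity)"
        ComputerName = $Finding.ComputerName
        SubModelId   = $Finding.SubModelId
        Title        = $Finding.Title
    }
}

function Compare-BpaScan {
    param([string]$OldPath, [string]$NewPath)

    $old = @{}
    Import-BpaFinding $OldPath | ForEach-Object { $old[(Get-BpaFindingKey $_)] = $_ }
    $new = @{}
    Import-BpaFinding $NewPath | ForEach-Object { $new[(Get-BpaFindingKey $_)] = $_ }

    foreach ($k in $new.Keys) {
        if ($old.ContainsKey($k)) { New-BpaDelta 'Open' $new[$k] }
        else                      { New-BpaDelta 'New'  $new[$k] }
    }
    foreach ($k in $old.Keys) {
        # 'Resolved' only means the finding is absent from the newer export;
        # confirm that both scans covered the same categories before relying on it.
        if (-not $new.ContainsKey($k)) { New-BpaDelta 'Resolved' $old[$k] }
    }
}

# --- Constructed sample data, so the example runs without an MBCA installation ---
function New-SampleFinding {
    param([string]$Severity, [string]$SubModelId, [string]$Title)
    New-Object PSObject -Property @{
        ComputerName = 'SQL01'          # constructed host name
        SubModelId   = $SubModelId
        Severity     = $Severity
        Title        = $Title
    }
}

$oldFile = Join-Path $env:TEMP 'bpa_export_old.xml'
$newFile = Join-Path $env:TEMP 'bpa_export_new.xml'

$oldScan = @(
    (New-SampleFinding 'Error'   'Engine' 'Constructed finding A'),
    (New-SampleFinding 'Warning' 'Engine' 'Constructed finding B')
)
$newScan = @(
    (New-SampleFinding 'Error'       'Engine'           'Constructed finding A'),
    (New-SampleFinding 'Warning'     'AnalysisServices' 'Constructed finding C'),
    (New-SampleFinding 'Information' 'Engine'           'Constructed finding D')   # filtered out
)

# Written the same way as in the export example: results, then configuration.
$oldScan, 'constructed configuration placeholder' | Export-Clixml -Path $oldFile
$newScan, 'constructed configuration placeholder' | Export-Clixml -Path $newFile

Compare-BpaScan -OldPath $oldFile -NewPath $newFile |
    Sort-Object Status, Title |
    Format-Table Status, Severity, SubModelId, Title -AutoSize
```

With the constructed data, finding A is reported as Open, B as Resolved and C as New.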

4.4.4 Report Result Directory

The reporting result path

    %AppData%\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or of the invoke command.

Solution: save older results before you start the check.

    Copy-Item -Path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() `
        -Destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() `
        -Recurse

Afterwards you can create a report with the following command:

    $prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\").ToString() -Exclude Reports |
        Sort-Object Name -Descending)[0]

    Get-MBCAResult -ModelId SQL2008R2BPA `
        -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.Name).ToString() |
        ConvertTo-Html -As Table `
            -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help `
            -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" `
            -Title "SQL Server 2008 Best Practice Analyzer" `
            -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() `
            -PreContent "<P>Generated by user $env:username on computer $env:computername</P>" `
            -PostContent "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During data discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

• Prerequisite validation

• Timestamp, finished rules, start and end times

• Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user’s local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file is generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

• Common File - ModelLog.txt

• Engine Rules - EngineLog.txt

• Replication Rules - ReplicationLog.txt

• Setup Rules - SetupLog.txt

• Analysis Services Rules - AnalysisServicesLog.txt

• Reporting Services Rules - ReportingServicesLog.txt

• Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 – NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 – the NumberOfLogicalProcessors property is unavailable in Win32_Processor on Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix:

http://support.microsoft.com/kb/932370

Both of these rules will function properly if you apply this hotfix. For more information, look here.

5.3 MBCA

This message indicates that a prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the instance name in the result set of the analyzer report?

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

    Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should check first if the hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started:

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the prerequisites for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the installer is "Access Denied". To work around this issue you can do the following:

1. Open a command prompt with Administrative Privileges.
2. Change to the directory where the msi file resides.
3. Type msiexec /i <MSI Name> SKIPCA=1
4. MSI Name will be either SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.
5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.
6. Execute the following commands:
   a. Enable-PSRemoting
   b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.
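The checks from sections 5.5, 5.6 and 5.7.2 can be collected into one read-only pre-flight, shown here as an added example that is not part of the original whitepaper or of BPA itself. The function name, the report property names and the use of 1000 MB and 10 shells as pass thresholds are assumptions of this example; run it from an elevated PowerShell 2.0 prompt on the server that hosts the remote shell.

```powershell
# Added example (not from the whitepaper): read-only WinRM pre-flight for a BPA host.
# Function and property names are hypothetical; the threshold defaults reuse the
# values given in sections 5.5 (1000 MB) and 5.7.2 (10 shells per user).
function Test-BpaRemotingReadiness {
    param(
        [string]$ComputerName     = 'localhost',
        [int]   $MinShellMemoryMB = 1000,
        [int]   $MinShellsPerUser = 10
    )

    $findings = @()
    $memoryMB = $null; $shells = $null; $trusted = $null

    # 5.6: the "Windows Remote Management" service has to be started.
    $svc     = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $running = ($svc -ne $null) -and ($svc.Status -eq 'Running')
    if (-not $running) {
        $findings += 'WinRM service is not running (run Enable-PSRemoting elevated).'
    }

    # Test-WSMan sends a WS-Management identify request; no listener means no scan.
    $responds = $false
    try {
        Test-WSMan -ComputerName $ComputerName -ErrorAction Stop | Out-Null
        $responds = $true
    } catch {
        $findings += "No WS-Management response from ${ComputerName}: $($_.Exception.Message)"
    }

    # The WSMan: drive can only be read while the local service is running.
    if ($running) {
        try {
            $memoryMB = [int](Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -ErrorAction Stop).Value
            $shells   = [int](Get-Item WSMan:\localhost\Shell\MaxShellsPerUser -ErrorAction Stop).Value
            $trusted  = [string](Get-Item WSMan:\localhost\Client\TrustedHosts -ErrorAction Stop).Value
        } catch {
            $findings += "Cannot read the WSMan: drive (elevated prompt required): $($_.Exception.Message)"
        }
    }

    if ($memoryMB -ne $null -and $memoryMB -lt $MinShellMemoryMB) {
        $findings += "MaxMemoryPerShellMB is $memoryMB; section 5.5 raises it to $MinShellMemoryMB."
    }
    if ($shells -ne $null -and $shells -lt $MinShellsPerUser) {
        $findings += "MaxShellsPerUser is $shells; section 5.7.2 sets it to $MinShellsPerUser."
    }
    # The WinRM error text in 5.7.3 notes that computers in TrustedHosts might not be
    # authenticated, so a wildcard entry deserves a review before remote scans are run.
    if ($trusted -eq '*') {
        $findings += 'Client TrustedHosts is "*": remote computers might not be authenticated.'
    }

    New-Object PSObject -Property @{
        ComputerName        = $ComputerName
        WinRMServiceRunning = $running
        WSManResponds       = $responds
        MaxMemoryPerShellMB = $memoryMB
        MaxShellsPerUser    = $shells
        TrustedHosts        = $trusted
        Findings            = $findings
    }
}

# Report for the local machine; an empty Findings list means every check passed.
Test-BpaRemotingReadiness | Format-List
```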

5.7.3 Kerberos Failure

In this scenario you are failing with the above error due to a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS web application such as SharePoint, or if you are using Reporting Services and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
  Note that computers in the TrustedHosts list might not be authenticated.
  -For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
    + CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a domain account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a host header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.
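To confirm whether the HTTP SPN situation described in section 5.7.3 applies to a server before installing or scanning, the directory can be queried for accounts that hold an HTTP SPN for that host name. The following is an added example, not code from the whitepaper or from BPA; the function and property names are hypothetical, and it assumes a domain-joined machine and an account allowed to read servicePrincipalName in Active Directory.

```powershell
# Added example (not from the whitepaper): list accounts that hold an HTTP SPN for a
# host name. Function and property names are hypothetical. Assumes a domain-joined
# machine; [adsisearcher] searches the current domain by default.
function Find-HttpSpnHolder {
    param([string]$HostName = $env:COMPUTERNAME)

    # Check both the short name and the fully qualified name of the host.
    $fqdn  = [System.Net.Dns]::GetHostEntry($HostName).HostName
    $short = ($fqdn -split '\.')[0]
    $names = @(@($short, $fqdn) | Select-Object -Unique)

    # One LDAP clause per SPN form: HTTP/<name> and HTTP/<name>:<port>.
    $clauses = foreach ($n in $names) {
        "(servicePrincipalName=HTTP/$n)"
        "(servicePrincipalName=HTTP/${n}:*)"
    }
    $searcher = [adsisearcher]('(|' + ($clauses -join '') + ')')
    $searcher.PageSize = 500
    foreach ($p in 'samaccountname', 'distinguishedname', 'serviceprincipalname') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($entry in $searcher.FindAll()) {
        $sam  = [string]$entry.Properties['samaccountname'][0]
        # Keep only the HTTP SPNs whose host part is one of the names checked above.
        $spns = @($entry.Properties['serviceprincipalname'] | Where-Object {
            $_ -like 'HTTP/*' -and
            ($names -contains (($_ -replace '^HTTP/', '') -replace ':\d+$', ''))
        })
        New-Object PSObject -Property @{
            Account            = $sam
            DistinguishedName  = [string]$entry.Properties['distinguishedname'][0]
            HttpSpn            = ($spns -join ', ')
            # WinRM runs in the context of the machine account ("<name>$"); an HTTP SPN
            # for the same host on any other account is the case from section 5.7.3.
            ConflictsWithWinRM = ($sam -ne "$short`$")
        }
    }
}

# Show only the accounts that would trigger the WinRM failure for this machine.
Find-HttpSpnHolder | Where-Object { $_.ConflictsWithWinRM } |
    Format-Table Account, HttpSpn, DistinguishedName -AutoSize
```

An empty result means no other account carries an HTTP SPN for this host name, so the Negotiate error has a different cause from the list in the WinRM message.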

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals:

Here is an example of one of these articles, which talks about a rule to check for a recent "clean" CHECKDB:

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

| Severity level | Description |
|---|---|
| Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule. |
| Compliant | Compliant results are returned when a role satisfies the conditions of a rule. |
| Warning | Warning results are returned when a role is compliant, as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses. |

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

| Category Name | Description |
|---|---|
| Security | Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data. |
| Performance | Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload. |
| Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise. |
| Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely. |
| Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise. |
| Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production. |
| Postdeployment | Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise. |
| BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results. |

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient, and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC/BDC (http://support.microsoft.com/kb/2032911)

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)
Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)
Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)
Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)
Databases using simple recovery model (http://support.microsoft.com/kb/2137539)
User database collation different from model (http://support.microsoft.com/kb/2026108)
Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)
Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)
LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)
SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)
SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)
Invalid startup parameters (http://support.microsoft.com/kb/2028433)
MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)
sql incorrect results fix missing (http://support.microsoft.com/kb/971780)
File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)
linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)
Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)
default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)
TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)
FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)
Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)
A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)

Significant Portion of SQL Server Memory Has Been Paged Out (http://support.microsoft.com/kb/2028324)
Server Exception or Hang Detected on Server (http://support.microsoft.com/kb/2028589)
Databases exist without CHECKSUM protection (http://support.microsoft.com/kb/2078345)
backups outdated for databases (http://support.microsoft.com/kb/2027537)
Database consistency check not current (http://support.microsoft.com/kb/2033590)
SQL Server Memory settings are incorrect (http://support.microsoft.com/KB/918483/EN-US)
Autogrow Failed or took a long time (http://support.microsoft.com/kb/2091024)
Storport driver fix from KBA 940467 missing (http://support.microsoft.com/kb/2121098)
Storport driver fix from KBA 950903 missing (http://support.microsoft.com/kb/2121098)
SQLCLR needs additional memory configuration (http://support.microsoft.com/kb/969962/EN-US)
Operating System files and drivers needs update for working set trimming (http://support.microsoft.com/kb/2121098)
Agent Token Replacement (http://support.microsoft.com/kb/2202637)
Auditing Log in failures (http://support.microsoft.com/kb/2187161)
Databases with high number of VLF present (http://support.microsoft.com/kb/2028436)
Transparent Data Encryption Certificate (http://support.microsoft.com/kb/2201900)
Permission on the Binn folder (http://support.microsoft.com/kb/2029023)
Index Statistics Are Outdated
Server public permissions (http://support.microsoft.com/kb/2160698)
Detected use of older versions of SQLNCLI (http://support.microsoft.com/kb/979779)

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services (http://support.microsoft.com/kb/2128005)
Excessive amount of memory preallocated to Analysis Services (http://support.microsoft.com/kb/2027474)
Server not configured for optimal concurrent query throughput (http://support.microsoft.com/kb/2135031)
Non standard value detected for Analysis Services memory configuration (http://support.microsoft.com/kb/2027472)
Process Thread Pool Max limit above recommended limit (http://support.microsoft.com/kb/2134497)
Process Thread Pool Minimum is below the recommended limit (http://support.microsoft.com/kb/2134855)
Server is running a build with a known regression (http://support.microsoft.com/kb/2157941)
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur (http://support.microsoft.com/kb/2027754)
Server is ignoring duplicate key errors (http://support.microsoft.com/kb/2027761)
No default member defined for non-aggregatable attribute (http://support.microsoft.com/kb/2027769)
UnknownMember set to hidden (http://support.microsoft.com/kb/2027628)
Non-numeric key column for high cardinality attribute (http://support.microsoft.com/kb/2028138)
Attribute hierarchy enabled for high cardinality non-key attribute (http://support.microsoft.com/kb/2028143)
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected (http://support.microsoft.com/kb/2132742)

Account or Time attribute types defined in a non-matching dimension type (http://support.microsoft.com/kb/2157299)
An Account or Time dimension has no matching attribute defined (http://support.microsoft.com/kb/2027418)
Dimension has no attribute defined with the same type (http://support.microsoft.com/kb/2027443)
Attribute Dimension type mismatch (http://support.microsoft.com/kb/2157327)
Mismatched dimension attribute types detected in dimension (http://support.microsoft.com/kb/2027459)
Possible incorrect order of levels defined in hierarchy (http://support.microsoft.com/kb/2027460)
Define attribute relationships as Rigid where possible (http://support.microsoft.com/kb/2027468)
Redundant attribute relationships detected (http://support.microsoft.com/kb/2127437)
Diamond-shape relationship detected (http://support.microsoft.com/kb/2127570)
Non-Standard Attribute Relationship name detected (http://support.microsoft.com/kb/2127862)
Proactive Caching set for dimension without a processing query (http://support.microsoft.com/kb/2027541)
No Time dimension detected (http://support.microsoft.com/kb/2027532)
More than 3 parent-child dimensions with custom rollups defined (http://support.microsoft.com/kb/2134431)
Encountered a parent-child dimension with more than 500000 members (http://support.microsoft.com/kb/2131918)
Single attribute dimensions detected (http://support.microsoft.com/kb/2141654)
Measure groups with zero dimensional overlap detected in cube (http://support.microsoft.com/kb/2027609)
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective (http://support.microsoft.com/kb/2027603)
Use MOLAP storage for dimensions that participate in semi-additive measure groups (http://support.microsoft.com/kb/2135112)
Measure group defined with no partition (http://support.microsoft.com/kb/2027545)

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration (http://support.microsoft.com/kb/2145506)
HTTP Logging is not enabled (http://support.microsoft.com/kb/2145909)
Verbose logging is enabled (http://support.microsoft.com/kb/2146315)
NTLM authentication may fail for local (http://support.microsoft.com/kb/2146369)
Missing extended protection settings (http://support.microsoft.com/kb/2146062)

6.4 IS Rules

Logging task missing for package (http://support.microsoft.com/kb/2027723)
ActiveX Script task detected in package (http://support.microsoft.com/kb/2027712)
Unrecommended Integration Services service account detected (http://support.microsoft.com/kb/2027684)
Integration Services logging table found in system database master and/or msdb (http://support.microsoft.com/kb/2027706)
Integration Services memory dump detected (http://support.microsoft.com/kb/2027727)

6.5 Setup Rules

Unsupported Operating System Version Detected (http://support.microsoft.com/kb/2022909)
WOW64 not supported for SQL Failover Clustering (http://support.microsoft.com/kb/2157198)
Installer cache is missing for the SQL Installation (http://support.microsoft.com/kb/2015100)
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type (http://support.microsoft.com/kb/2118349)
Replication Pub and Sub out of sync (Data Validation) (http://support.microsoft.com/kb/2118386)
Replication Pub and Sub out of sync (Constraint Violations) (http://support.microsoft.com/kb/2118410)
Replication Pub and Sub out of sync (Skipped Transactions) (http://support.microsoft.com/kb/2194498)
Merge Replication Health Check (http://support.microsoft.com/kb/2118445)
Subscriptions Approaching Expiration (http://go.microsoft.com/fwlink/?LinkId=184483)
Replication Cleanup and Retention Health Check (http://support.microsoft.com/kb/2118485)
Replication Latency Threshold violations (http://support.microsoft.com/kb/2118425)

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x=Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You get help for these commands with the following syntax:

Get-help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest
2. Dynamic parameters that are included with the model
3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters, and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters, and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model= Get-MBCAModel -ModelId SQL2008R2BPA
$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model= Get-MBCAModel -ModelId SQL2008R2BPA
$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration. Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port ltintgt

Specifies the network port on a remote computer on which you want to run a scan The default

value is port 80

For more information on this parameter type the following and then press Enter

Get-Help Invoke-Command -Parameter Port

Required false

Position named

Default value 80

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role is preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:

Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id. The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.
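The -Mode and -RepositoryPath parameters described above can be combined to separate collection from evaluation. The following is an added example, not code from the whitepaper: it runs discovery and analysis as two steps against a non-default repository that is first restricted to administrators, and it handles the concurrent-scan error quoted in the NOTES. The function name, the D:\BpaRepository path and the ACL step are assumptions, and the MBCA cmdlets are assumed to be loaded in an elevated session.

```powershell
# Added example; not part of the whitepaper.
# Assumptions: elevated Windows PowerShell 2.0 session with the MBCA cmdlets
# loaded; Invoke-SplitBpaScan and D:\BpaRepository are hypothetical names.

function Invoke-SplitBpaScan {
    param(
        [string] $ModelId        = 'SQL2008R2BPA',
        [string] $RepositoryPath = 'D:\BpaRepository'   # placeholder path
    )

    # Step 1: create the non-default repository and restrict its ACL.
    # The discovery documents written here describe server and instance
    # configuration, so the folder should not inherit a permissive parent ACL.
    # icacls /inheritance:r needs Windows Vista / Windows Server 2008 or later.
    if (-not (Test-Path -Path $RepositoryPath)) {
        New-Item -Path $RepositoryPath -ItemType Directory | Out-Null
    }
    # S-1-5-32-544 = BUILTIN\Administrators, S-1-5-18 = NT AUTHORITY\SYSTEM
    $grants = '*S-1-5-32-544:(OI)(CI)F', '*S-1-5-18:(OI)(CI)F'
    & icacls.exe $RepositoryPath /inheritance:r /grant:r $grants | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Could not restrict the ACL on '$RepositoryPath'."
    }

    try {
        # Step 2: discovery only. Collect configuration data into the repository.
        $discovery = Invoke-MBCAModel -ModelId $ModelId -Mode Discovery `
            -RepositoryPath $RepositoryPath -ErrorAction Stop

        # Step 3: analysis only. Evaluate the documents collected in step 2.
        $analysis = Invoke-MBCAModel -ModelId $ModelId -Mode Analysis `
            -RepositoryPath $RepositoryPath -ErrorAction Stop
    }
    catch {
        # Documented in NOTES: only one scan per model may run at a time.
        # The match is on the message text quoted there.
        if ($_.Exception.Message -like '*Only one scan is allowed at a time*') {
            Write-Warning "A scan of model '$ModelId' is already in progress; try again later."
            return
        }
        throw
    }

    # Step 4: read back the collected configuration (XML) so the operator can
    # confirm what was gathered before the results are passed on.
    $collected = Get-MBCAResult -ModelId $ModelId -RepositoryPath $RepositoryPath `
        -CollectedConfiguration

    New-Object PSObject -Property @{
        ModelId        = $ModelId
        RepositoryPath = $RepositoryPath
        Discovery      = $discovery
        Analysis       = $analysis
        Collected      = $collected
    }
}

$scan = Invoke-SplitBpaScan
if ($scan) {
    # DiscoveryDocument is the XmlDocument property shown in the
    # Get-MBCAResult examples of the whitepaper.
    $scan.Collected.DiscoveryDocument.DocumentElement.Name
}
```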

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results.
2. Attempting to get MBCA results for Model Id = {0}.
3. Completed getting MBCA results for Model Id = {0}. Number of Results = {1}.

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data.
2. Attempting to get MBCA collected configuration data for Model Id = {0}.
3. Completed getting MBCA collected configuration data for Model Id = {0}.

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id, for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled, and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to "Performance".

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }
Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) "Policy". The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
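Because Set-MBCAResult -Exclude $true hides findings from later views of the results, it is useful to keep a record of what was excluded and by whom. The following is an added example, not code from the whitepaper: it saves the selected noncompliant results to a file before excluding them, and re-includes a category with -Exclude $false as the parameter description above allows. The function names and the D:\BpaAudit folder are hypothetical, and Category is the only result property taken from the page.

```powershell
# Added example; not part of the whitepaper.
# Assumptions: elevated Windows PowerShell 2.0 session with the MBCA cmdlets
# loaded; the function names and D:\BpaAudit are hypothetical.

function Hide-BpaCategory {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Category,                       # for example 'Performance'
        [string] $ModelId   = 'SQL2008R2BPA',
        [string] $AuditPath = 'D:\BpaAudit'       # placeholder folder
    )

    # Noncompliant findings only; the cmdlet applies the filter itself.
    $noncompliant = @(Get-MBCAResult -ModelId $ModelId -Filter Noncompliant)
    $selected     = @($noncompliant | Where-Object { $_.Category -eq $Category })
    if ($selected.Count -eq 0) {
        Write-Warning "No noncompliant '$Category' results found for model '$ModelId'."
        return
    }

    # Save a full copy of what is about to be hidden, so the exclusion can be
    # reviewed later even though the results no longer show up in reports.
    if (-not (Test-Path -Path $AuditPath)) {
        New-Item -Path $AuditPath -ItemType Directory | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $AuditPath ('excluded_{0}_{1}_{2}.xml' -f $ModelId, $Category, $stamp)
    $selected | Export-Clixml -Path $file

    # Exclude the selected results (same pipeline form as Example 1 above).
    $selected | Set-MBCAResult -Exclude $true

    # Findings that stay visible, counted per category.
    $remaining = @($noncompliant | Where-Object { $_.Category -ne $Category } |
        Group-Object -Property Category | Select-Object -Property Name, Count)

    New-Object PSObject -Property @{
        ModelId       = $ModelId
        Category      = $Category
        ExcludedCount = $selected.Count
        ExcludedBy    = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        AuditFile     = $file
        StillVisible  = $remaining
    }
}

function Show-BpaCategory {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Category,
        [string] $ModelId = 'SQL2008R2BPA'
    )

    # Per the -Exclude description, $false re-includes excluded results.
    # Assumption: Get-MBCAResult still returns excluded results, so they can
    # be selected and piped back in.
    $results = @(Get-MBCAResult -ModelId $ModelId |
        Where-Object { $_.Category -eq $Category })
    if ($results.Count -gt 0) {
        $results | Set-MBCAResult -Exclude $false
    }
    $results.Count
}

$record = Hide-BpaCategory -Category 'Performance'
$record | Format-List
# Later, to bring the category back into reports:
# Show-BpaCategory -Category 'Performance'
```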

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


5.2 Windows Server 2003 – NumberOfLogicalProcessors
5.3 MBCA
5.4 Where can I find the Instance name in result set of the analyzer report
5.5 Memory limit of remote PowerShell process
5.6 Remote connect
5.7 Installation
5.7.1 Powershell error
5.7.2 Workgroup or Non-Domain computer
5.7.3 Kerberos Failure
6 Rules
6.1 Engine
6.2 ASRules
6.3 RSRules
6.4 ISRules
6.5 SetupRules
6.6 Replication
7 How to Deal With Deviations
8 Motivation to use SQL BPA R2
9 Additional Information
9.1 Powershell
9.1.1 Get-MBCAModel
9.1.2 Invoke-MBCAModel
9.1.3 Get-MBCAResult
9.1.4 Set-MBCAResult
9.1.5 MBCA Model Authoring

Copyright Information

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft and SQL Server are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

1 INTRODUCTION

The Microsoft SQL Server 2008 R2 Best Practices Analyzer (BPA) is a diagnostic tool that performs the following functions:

- Gathers information about a server and an instance of Microsoft SQL Server 2008 or 2008 R2 that is installed on that server
- Determines if the configurations are set according to the Microsoft recommended best practices
- Reports on all configurations, indicating settings that differ from recommendations
- Indicates potential problems in the installed instance of SQL Server
- Recommends solutions to potential problems

This tool is used by IT Professionals and Database Administrators to help ensure that their installations of SQL Server and associated products/components are adhering to best practices as determined by the SQL Server Product Teams and CSS. This utility scans the installation of a local or remote machine, gathering system data from WMI, log files, the Event Log, the Windows Registry, and SQL Server metadata, and compares the results to predefined standards. It then produces a report that shows the results and points the user to additional information on the web to help them determine whether they should make changes to their systems.

For every configuration, the SQL Server 2008 R2 BPA provides the following results:

- Compliance results are returned when an instance of SQL Server satisfies the conditions of a Best Practices rule. Non-compliance results are returned when an instance of SQL Server does not satisfy the conditions of a Best Practices rule.
- Impact of non-compliance
- Recommendation
- Links to more detailed information and related topics

To assist you and to make your DBA life easier, Microsoft includes some of these Best Practices in a couple of products – depending on the specific purpose of the software. The following diagram illustrates the variety of tools available to check best practices for SQL Server 2008 and SQL Server 2008 R2 in parallel or in combination with BPA.

The big picture – automated Best Practices checks of SQL Server, offered in different flavours and products

[Figure: diagram with the labels CSS Rules, Advice and Manifests; SQL Server 2008 R2 Best Practice Analyzer; SQL 2008 Setup; Policy Based Management; SCOM SQL MP; SQLRAP]

So you will find a couple of policies in our monitoring solution:

- SQL Server 2008 R2 Best Practice Analyzer, with more than 140 rules for the database engine and other technologies
- System Center Operations Manager (SCOM), within the SQL Management Pack (current version 6.1.314.36, release date 08/17/2010), with more than 300 rules and 50 additional monitors
- Policy Based Management in SQL Server 2005 and 2008, with a predefined policy collection (50+ policies). There is a whitepaper about PBM here.
- System Configuration Checker in the SQL Server 2008 setup wizard
- The SQL Risk Assessment Toolset (Premier Organisation best practice flagship), offering more than 200 rules. This offering is meant for Premier customers running the SQL RAP against their most business critical SQL instances. Note: This tool set is only available for Microsoft Premier Customers.

1.1 Architecture and data flow of the BPA

The SQL Server 2008 R2 Best Practices Analyzer is an additional "model" for the Microsoft Baseline Configuration Analyzer V2.0 (MBCA). A model is a set of component files that together comprise the configuration, analysis, and reporting output from MBCA.

The MBCA is embedded as a PowerShell cmdlet and consists of two major components: the MBCA Engine and the MBCA UI.

The MBCA Engine process itself consists of two main activities: evaluation and discovery. The MBCA Engine is fed by PowerShell discovery scripts and XML schema files, which are used during discovery. The discovery activity interrogates the SQL Server, Registry, WMI, error and event logs, etc. The output is saved in an XML file, which is then used in the evaluation activity. Evaluation is performed using the Schematron file. This file, run by the MBCA engine, contains the logic for evaluating the best practices. The final step following the evaluation process is the report generation, which is shown in the MBCA UI.

In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer.

1.2 Microsoft Best Practice Analyzer Universe

Microsoft offers many technologies and utilities to produce best practices recommendations.

1.2.1 SQL Server BPA (older versions)

Microsoft has also created BP Analyzers for your older SQL Server versions and for Windows:

- SQL Server 2005 Best Practices Analyzer (August 2008)
- SQL Server 2000 Best Practices Analyzer (April 2010)

1.2.2 Windows Server 2008 R2 Best Practice Analyzer

In Windows management, best practices are guidelines that are considered the ideal way, under typical circumstances, to configure a server as defined by experts. For example, it is considered a best practice for most server technologies to keep open only those ports required for the technologies to communicate with other networked computers, and block unused ports. Although best practice violations, even crucial ones, are not necessarily problematic, they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.

Best Practices Analyzer (BPA) is a server management tool that is available in Windows Server® 2008 R2. BPA can help administrators reduce best practice violations by scanning one or more roles that are installed on Windows Server 2008 R2, and reporting best practice violations to the administrator. Administrators can filter or exclude results from BPA reports that they do not have to see. Administrators can also perform BPA tasks by using either the Server Manager GUI or Windows PowerShell cmdlets.

BPA can also be used on remote servers that are running Windows Server 2008 R2, by using Server Manager targeted at a remote server. For more information about how to run Server Manager targeted at a remote server, see Remote Management with Server Manager.

The following BPA modules are currently available:

- Best Practices Analyzer for Active Directory Certificate Services
- Best Practices Analyzer for Active Directory Domain Services
- Best Practices Analyzer for Active Directory Rights Management Services
- Best Practices Analyzer for Application Server
- Best Practices Analyzer for Domain Name System
- Best Practices Analyzer for Dynamic Host Configuration Protocol
- Best Practices Analyzer for File Services
- Best Practices Analyzer for Hyper-V
- Best Practices Analyzer for Internet Information Services
- Best Practices Analyzer for Network Policy and Access Services
- Best Practices Analyzer for Remote Desktop Services
- Best Practices Analyzer for Windows Server Update Services

For more information about Windows BPA, look here.

1.2.3 Fix-it

Currently there exists no link between the SQL Server Best Practice Analyzer and the Fixit webpage:

http://support.microsoft.com/fixit

Microsoft is working on a solution to combine fixit with specific Best Practice Analyzer:

http://fixitcenter.support.microsoft.com/Portal

1.2.4 Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7

Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting programs that can automatically fix some common problems with your computer, such as problems with networking, hardware and devices, using the web, and program compatibility.

Go to the Windows website to watch a video about using troubleshooters to fix common problems. (3:30)

When you run a troubleshooter, it might ask you some questions or reset common settings as it works to fix the problem. If the troubleshooter fixed the problem, you can close the troubleshooter. If it couldn't fix the problem, you can view several options that will take you online to try and find an answer. In either case, you can always view a complete list of changes made.

Notes

- If you click the Advanced link on a troubleshooter and then clear the Apply repairs automatically check box, the troubleshooter displays a list of fixes to choose from, if any problems are found.
- Windows includes several troubleshooters, and more are available online when you select the Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service check box at the bottom of Troubleshooting.

http://support.microsoft.com/gp/system_maintenance_for_windows

2 SYSTEM REQUIREMENTS

SQL Server 2008 R2 Best Practices Advisor is supported on the following operating systems:

1. Windows Vista
2. Windows 7
3. Windows Server 2003
4. Windows Server 2003 R2
5. Windows Server 2008
6. Windows Server 2008 R2

Supported editions of SQL Server:

1. SQL Server 2008, all editions except Express
2. SQL Server 2008 R2, all editions except Express

Supported components of SQL Server:

1. Analysis Services
2. Database Engine
3. Integration Services
4. Reporting Services
5. Replication
6. Setup

These components are designed as submodels for the BPA. This means that they will be run concurrently where possible.

2.1 Required Permissions for Running SQL Server 2008 R2 BPA

Administration Privileges

To run MBCA v2.0, a user must be a member of the Administrators group on the machine being scanned and on the machine the scan is initiated from. If a user is not an administrator on the machine that is being scanned, an appropriate error message displays.

SQL Server

To successfully access all of the database properties and SQL Server configurations, a user must be a System Administrator (sysadmin) on the instance of SQL Server.

Analysis Services

The user or the Administrators group must be a member of the server administrator role within an instance of Microsoft SQL Server Analysis Services. Members of this role have unrestricted access to all Analysis Services objects and data in that instance.

http://msdn.microsoft.com/en-us/library/ms174561.aspx

Integration Services

The user or the Administrators group must be a member of the sysadmin or db_ssisadmin roles.

http://msdn.microsoft.com/en-us/library/ms141053.aspx

Reporting Services

The user or the Administrators group must be a member of the System Administrator and Content Manager roles.

2.2 Prerequisites

The following are required for using SQL Server 2008 R2 Best Practices Analyzer:

1. PowerShell V2.0
   Windows PowerShell 2.0 requires the Microsoft .NET Framework 2.0 with Service Pack 1.
2. Microsoft Baseline Configuration Analyzer V2.0
3. SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2

The following table outlines, by operating system, the prerequisite Microsoft utilities and components that must be on your server before you install and run SQL Server 2008 R2 BPA. Columns 4 to 6 are the "Configure PowerShell" steps (1).

OS | 1. Install WinRM | 2. Install PowerShell 2.0 | 3. Install MBCA 2.0 | 4. Remoting | 5. Execution Level | 6. MaxShellsPerUser | 7. Install SQL 2008 or SQL 2008 R2 Management Tools
--- | --- | --- | --- | --- | --- | --- | ---
Windows Vista | Y | Y | Y | Y | Y | Y | Y
Windows 7 | N | N | Y | Y | Y | Y | Y
Windows Server 2003 | Y | Y | Y | Y | Y | Y | Y
Windows Server 2003 R2 | Y | Y | Y | Y | Y | Y | Y
Windows Server 2008 | Y | Y | Y | Y | Y | Y | Y
Windows Server 2008 R2 | N | N | Y | Y | Y | Y | Y

(1) These changes are made by the installation routine of the BPA.

3 INSTALL

We recommend installing BPA on a workstation or administration server and performing the scan operation remotely against servers in your SQL Server infrastructure. It is also possible to install this tool locally on the production SQL Server.

Installation process:

1. Install/Configure PowerShell and WinRM
2. Microsoft Baseline Configuration Analyzer V2.0
3. Microsoft® SQL Server® 2008 R2 Best Practices Analyzer

There are two ways to install the Best Practices Analyzer:

With a graphical user interface (setup wizard), or
Command line

3.1 Installing PowerShell 2.0 and WinRM

The BPA installer configures the WinRM and PowerShell options by default. Most of this section is only needed if something goes wrong and you need to configure these settings by hand.

Windows Server 2003 R2

WinRM is not installed by default, but it is available as the Hardware Management feature through the Add/Remove System Components feature in the Control Panel under Management and Monitoring Tools. Complete installation and information about configuring WinRM using the WINRM command-line tool is available online in the Hardware Management Introduction, which describes the WinRM and the IPMI features in Windows Server 2003 R2.

On Windows Vista, Windows Server 2003 and Windows Server 2008

This is installed as part of Windows Management Framework Core. The WinRM service starts automatically on Windows Server 2008. On Windows Vista, the service must be started manually.

On Windows Server 2008 R2 and Windows 7

This is installed as part of the OS.

Note: Check for additional information and configuration guidelines for WinRM and for PowerShell 2.0.

SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers. Therefore, in both the local and remote cases, your PowerShell settings must be modified. The BPA installation makes these changes.

PowerShell Execution Policy

The PowerShell execution policy is set to Restricted by default. To run SQL Server 2008 R2 BPA through the PowerShell command line, set the policy to RemoteSigned using the command below:

Set-ExecutionPolicy RemoteSigned -f

You can use the command Set-ExecutionPolicy Restricted -f to set the execution policy back to Restricted. This command is not required when executing the scan through the MBCA GUI.

After the installation, you must enable PowerShell remote scripting if you want to use the BPA remotely against another workgroup machine or a computer that has Kerberos enabled. You need to run this command only once on each computer that will receive commands. You do not need to run it on computers that only send commands. Because the configuration activates listeners, it is prudent to run it only where it is needed. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Enable-PSRemoting -force

Enable-PSRemoting performs configuration actions to enable this machine for remote management. These include:

1. Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:

   Starts the WinRM service.
   Sets the startup type on the WinRM service to Automatic.
   Creates a listener to accept requests on any IP address.
   Enables a firewall exception for WS-Management communications.
   Enables all registered Windows PowerShell session configurations to receive instructions from a remote computer.
   Registers the Microsoft.PowerShell session configuration, if it is not already registered.
   Registers the Microsoft.PowerShell32 session configuration on 64-bit computers, if it is not already registered.
   Removes the Deny Everyone setting from the security descriptor for all the registered session configurations.
   Restarts the WinRM service to make the preceding changes effective.

2. Configures MaxShellsPerUser using:

   winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

   Specifies the maximum number of concurrent shells that any user can remotely open on the same computer. If this policy setting is enabled, the user will not be able to open new remote shells if the count exceeds the specified limit. If this policy setting is disabled or is not configured, the limit will be set to 5 remote shells per user by default, and you receive the following error message:

   [localhost] Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user. For more information, see the about_Remote_Troubleshooting Help topic.
   + CategoryInfo : OpenError: (System.Manageme…RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
   + FullyQualifiedErrorId : PSSessionOpenFailed

For more information about PowerShell remoting, please see MSDN.
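The settings listed above can be read back to verify what the installer, or a manual Enable-PSRemoting, left on a host. The script below is an added example, not part of the whitepaper or of BPA; the function names, the Scanner/Target role labels and the sample values are assumptions made for illustration.

```powershell
# Added example (not from the whitepaper). Audits the settings that section 3.1
# says the BPA installer changes. Function names and role labels are hypothetical.

function Get-RemotingState {
    # Reads live values; run from an elevated prompt on the host being audited.
    $state = @{ ExecutionPolicy = (Get-ExecutionPolicy).ToString(); Listeners = @() }
    $svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
    if ($svc) { $state.WinRMState = $svc.State; $state.WinRMStartMode = $svc.StartMode }
    try {
        # The WSMan: drive can only be read while the WinRM service is running.
        $state.Listeners = @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction Stop |
            ForEach-Object { $_.Keys -join ', ' })
        $state.MaxShellsPerUser    = [int](Get-Item WSMan:\localhost\Shell\MaxShellsPerUser -ErrorAction Stop).Value
        $state.MaxMemoryPerShellMB = [int](Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -ErrorAction Stop).Value
        $state.CredSSPServer       = (Get-Item WSMan:\localhost\Service\Auth\CredSSP -ErrorAction Stop).Value
    } catch {
        $state.WSManError = $_.Exception.Message
    }
    return $state
}

function New-Finding($Setting, $Value, $Note) {
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Note = $Note }
}

function Test-RemotingState {
    param(
        [hashtable]$State,
        # Scanner = host that only sends commands; Target = host that receives them.
        [ValidateSet('Scanner', 'Target')][string]$Role
    )
    if ($State.WSManError) {
        New-Finding 'WSMan' "WinRM service: $($State.WinRMState)" 'WSMan settings could not be read'
    }
    if ('Restricted', 'AllSigned', 'RemoteSigned' -notcontains $State.ExecutionPolicy) {
        New-Finding 'ExecutionPolicy' $State.ExecutionPolicy 'Looser than RemoteSigned, the policy the BPA command line needs'
    }
    if ($Role -eq 'Scanner' -and $State.Listeners.Count -gt 0) {
        New-Finding 'Listeners' ($State.Listeners -join '; ') 'Host only sends commands; Enable-PSRemoting was not needed here'
    }
    foreach ($listener in $State.Listeners) {
        if ($Role -eq 'Target' -and $listener -match 'Address=\*') {
            New-Finding 'Listener' $listener 'Accepts requests on any IP address (Enable-PSRemoting default)'
        }
    }
    if ($Role -eq 'Target' -and $State.ContainsKey('MaxShellsPerUser') -and $State.MaxShellsPerUser -lt 10) {
        New-Finding 'MaxShellsPerUser' $State.MaxShellsPerUser 'Below the 10 the installer sets; scans can hit the shell quota error'
    }
    if ($State.MaxMemoryPerShellMB -gt 150) {
        New-Finding 'MaxMemoryPerShellMB' $State.MaxMemoryPerShellMB 'Raised above the 150 MB default'
    }
    if ("$($State.CredSSPServer)" -eq 'true') {
        New-Finding 'CredSSP (server)' 'true' 'Credential delegation is enabled; intended only where Kerberos delegation cannot be used'
    }
}

# Constructed sample: an admin workstation that only initiates scans but had
# Enable-PSRemoting and the CredSSP server role applied to it.
$sample = @{
    ExecutionPolicy     = 'Unrestricted'
    WinRMState          = 'Running'
    WinRMStartMode      = 'Auto'
    Listeners           = @('Transport=HTTP, Address=*')
    MaxShellsPerUser    = 20
    MaxMemoryPerShellMB = 20000
    CredSSPServer       = 'true'
}
Test-RemotingState -State $sample -Role Scanner |
    Format-Table Setting, Value, Note -AutoSize -Wrap

# On a live host:
# Test-RemotingState -State (Get-RemotingState) -Role Target
```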

3.2 Install MBCA

Download the edition of MBCA that matches your platform (x86 or x64) before installation.

Please find below the screenshots demonstrating the visual flow of the MBCA installation:

Welcome screen
License terms
Folder selection
Completion screen

3.3 Install BPA

Download the correct edition for your platform (x86 or x64) before installing. If you have trouble with the installation, please see section 5.7 Troubleshooting Installation.

3.3.1 Command line

The following is an optimized command-line setup example:

msiexec /i SQL2008R2BPA_Setup64.msi /l* c:\temp\sqlbpa_install.log /qn

msiexec parameters:

/i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform)
/l = log granularity ("*" logs all information except for the v and x options), followed by the log file
/q = display settings (/qn: no user interface)
SKIPCA=1 (if no domain controller is available: Skip Certification Authority)

For information on additional public properties, consult the Windows® Installer SDK for documentation on the command line syntax.

3.3.2 GUI

Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA installation:

Welcome screen
License terms
System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM)
Ready to install decision
Install progress
Completion screen

3.3.3 Port and Firewall restrictions

To scan SQL Server or BI instances on an alternate server behind a firewall, you must open all necessary ports.

3.4 Updates

Microsoft is working on quarterly updates of the rule set and tool improvements for the SQL Server 2008 R2 Best Practice Analyzer. Please visit the Microsoft download site regularly to find new updates.

3.5 Uninstall

3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings

After uninstalling the BPA, you may disable PowerShell remote scripting. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Disable-PSRemoting -force

Disable-PSRemoting performs configuration actions to disable remote management of this machine: it blocks remote access to all registered session configurations. It does not stop the WinRM service, delete the listener or remove the firewall exception, so revert those separately if nothing else on the machine needs them.

4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA:

Scanning through the local machine
  o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.
  o This scan can be of the local or an alternate server.

Scanning through a remote machine
  o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.
  o This scan uses the local machine to form the connection to the remote machine and actually performs the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start->All Programs->SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the Start menu with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:

   ComputerName
   IP address: n.n.n.n
   FQDN (Fully Qualified Domain Name)
   Enter ".", localhost, or leave this blank if you want to scan the local machine.

   Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the check boxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to one of the SQL Server categories listed previously. Select at least one category in order to run a successful scan.

   Analyze_SQL_Analysis_Services
   Analyze_SQL_Server_Engine
   Analyze_SQL_Integration_Services
   Analyze_SQL_Server_Replication
   Analyze_SQL_Reporting_Services
   Analyze_SQL_Server_Setup

   Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the page below while in progress.

7. When the scan is complete, results will be displayed grouped by Severity as shown below.

4.3 Connect to a remote computer

A scan connected to a remote computer is different from scanning an alternate server.

"Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:

   ComputerName
   ComputerName:PortNumber
   IP address: n.n.n.n
   IPv6 address: [n:n:n:n:n:n:n:n]
   IPv4 address with port number: n.n.n.n:PortNumber
   IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

   Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session type winrm help, and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

   Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

   CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

   Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. CredSSP is not supported on Windows XP, Windows Server 2003 and earlier.

   First, you must set CredSSP on both the client and the server.

   Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".

   Add the server or domain to the list of servers in the format "WSMAN/domainname.com".

   Next, enable and configure PowerShell Remoting on both the client and the server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

   Enable PowerShell Remoting
     o Enable-PSRemoting -f

   Settings for a client
     o Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]
       or
     o Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]

   Settings for the server
     o Enable-WSManCredSSP -Role Server
     o Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000
     o Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20

4.4 PowerShell

For details see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA against a named instance on the alternate server, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername `
    -SQL_Server_Instance_Name instancename `
    -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication `
    -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services `
    -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

The result looks like this:

ModelId    : SQL2008R2BPA
SubModelId :
Success    : True
ScanTime   :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices `
    -ComputerName servername -SqlServerInstance instance `
    -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine `
    -ComputerName computername -SqlServerInstance servername `
    -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() `
    -EngineLogFile c:\temp\engine.txt `
    -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = Get-MbcaModel -ModelId sql2008r2bpa
$scanResult = Get-MbcaResult -ModelId sql2008r2bpa
$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration
$model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA |
    Where-Object { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } |
    ConvertTo-Html -As Table `
        -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help `
        -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" `
        -Title "SQL Server 2008 Best Practice Analyzer" `
        -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() `
        -Pre "<P>Generated by user $env:username on computer $env:computername</P>" `
        -Post "For details contact Microsoft Premier" `
        -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>
$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration
$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening an archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
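The comparison of an older archived scan with a newer one, which the paragraph above gives as the reason for exporting, can be scripted. This is an added example, not code from the whitepaper; Compare-BpaReport, the file names and the sample findings are hypothetical, and it assumes the result objects carry the SubModelId, Severity and Title properties used by the ConvertTo-Html report command earlier on this page.

```powershell
# Added example (not from the whitepaper). Compare-BpaReport and the sample
# findings are hypothetical; property names follow the page's report commands.

function Get-OpenFinding {
    param($Results)
    # Index the Error/Warning results by submodel and rule title.
    $index = @{}
    foreach ($r in $Results) {
        # Compare as strings: objects loaded from CliXml are deserialized copies.
        if ('Error', 'Warning' -contains "$($r.Severity)") {
            $index["$($r.SubModelId)|$($r.Title)"] = $r
        }
    }
    return $index
}

function Compare-BpaReport {
    param([string]$OldPath, [string]$NewPath)
    # Assumes each archive was written as on this page: results first, then
    # the collected configuration. Only the results are compared.
    $oldResults, $null = Import-Clixml $OldPath
    $newResults, $null = Import-Clixml $NewPath
    $old = Get-OpenFinding $oldResults
    $new = Get-OpenFinding $newResults

    foreach ($key in $new.Keys) {
        $n = $new[$key]
        if (-not $old.ContainsKey($key)) {
            $change = 'New'
        } elseif ("$($old[$key].Severity)" -ne "$($n.Severity)") {
            $change = "$($old[$key].Severity) -> $($n.Severity)"
        } else {
            continue   # finding is unchanged between the two scans
        }
        New-Object PSObject -Property @{ Change = $change; SubModelId = $n.SubModelId; Title = $n.Title }
    }
    foreach ($key in $old.Keys) {
        if (-not $new.ContainsKey($key)) {
            $o = $old[$key]
            New-Object PSObject -Property @{ Change = 'Resolved'; SubModelId = $o.SubModelId; Title = $o.Title }
        }
    }
}

# Constructed sample data, archived the same way as the export example above.
function New-SampleResult($SubModelId, $Severity, $Title) {
    New-Object PSObject -Property @{ SubModelId = $SubModelId; Severity = $Severity; Title = $Title }
}
$oldFile = Join-Path $env:TEMP 'bpa_old.xml'
$newFile = Join-Path $env:TEMP 'bpa_new.xml'
$config  = @('constructed placeholder', 'for the collected configuration')

$before = @(
    (New-SampleResult 'Engine' 'Error'   'Sample rule A'),
    (New-SampleResult 'Engine' 'Warning' 'Sample rule B'),
    (New-SampleResult 'Setup'  'Warning' 'Sample rule C'))
$after = @(
    (New-SampleResult 'Engine' 'Warning' 'Sample rule A'),
    (New-SampleResult 'Setup'  'Warning' 'Sample rule C'),
    (New-SampleResult 'AnalysisServices' 'Error' 'Sample rule D'))

$before, $config | Export-Clixml $oldFile
$after,  $config | Export-Clixml $newFile

Compare-BpaReport -OldPath $oldFile -NewPath $newFile |
    Sort-Object Change |
    Format-Table Change, SubModelId, Title -AutoSize
```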

4.4.4 Report Result Directory

The reporting result path

%AppData%\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or of the Invoke command.

Solution: save older results before you start the check.

# HH (24-hour clock) keeps the archive folder names in chronological order when sorted
Copy-Item -Path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() `
    -Destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddHHmmss")).ToString() `
    -Recurse

Afterwards you can create a report with the following commands:

# @() keeps the [0] index valid when only one archived folder exists
$prevrepPath = @(Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object Name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA `
    -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.Name).ToString() |
    ConvertTo-Html -As Table `
        -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help `
        -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" `
        -Title "SQL Server 2008 Best Practice Analyzer" `
        -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() `
        -Pre "<P>Generated by user $env:username on computer $env:computername</P>" `
        -Post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation
Timestamp, finished rules, start and end times
Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user's local temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\< Instance Name >\< datestamp_timestamp >\< Log files >.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file is generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt
Engine Rules - EngineLog.txt
Replication Rules - ReplicationLog.txt
Setup Rules - SetupLog.txt
Analysis Services Rules - AnalysisServicesLog.txt
Reporting Services Rules - ReportingServicesLog.txt
Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 - the NumberOfLogicalProcessors property is unavailable in Win32_Processor on Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the Win32_Processor object in Windows Server 2003. It has been implemented in the hotfix:

http://support.microsoft.com/kb/932370

Both of these rules will function properly if you apply this hotfix. For more information, look here.

5.3 MBCA

This message indicates that one prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the instance name in the result set of the analyzer report?

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached, a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should first check whether hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started:

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the prerequisites for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all cases of an install failure you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the installer is "Access Denied". To work around this issue, you can do the following:

1. Open a command prompt with administrative privileges.
2. Change to the directory where the .msi file resides.
3. Type msiexec /i <MSI Name> SKIPCA=1
4. MSI Name will be either SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.
5. Once BPA is installed, open a PowerShell prompt with administrative privileges.
6. Execute the following commands:
   a. Enable-PSRemoting
   b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario the installation fails with the error above because of a Kerberos issue. This particular issue could also show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name. For example, this is the case if you are running an IIS web application such as SharePoint, or if you are using Reporting Services, and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
  -For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a domain account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a host header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.

6 RULES

Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals

Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo

CHECKDB

Page 34

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level | Description
Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule.
Compliant | Compliant results are returned when a role satisfies the conditions of a rule.
Warning | Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name | Description
Security | Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.
Performance | Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.
Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.
Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.
Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.
Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before the role is used in production.
Postdeployment | Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.
BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules are checking that you have a secure, resilient, and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC/BDC (http://support.microsoft.com/kb/2032911)
SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)
Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)
Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)
Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)
Databases using simple recovery model (http://support.microsoft.com/kb/2137539)
User database collation different from model (http://support.microsoft.com/kb/2026108)
Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)
Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)
LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)
SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)
SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)
Invalid startup parameters (http://support.microsoft.com/kb/2028433)
MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)
sql incorrect results fix missing (http://support.microsoft.com/kb/971780)
File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)
linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)
Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)
default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)
TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)
FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)
Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)
A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)
Significant Portion of SQL Server Memory Has Been Paged Out (http://support.microsoft.com/kb/2028324)
Server Exception or Hang Detected on Server (http://support.microsoft.com/kb/2028589)
Databases exist without CHECKSUM protection (http://support.microsoft.com/kb/2078345)
backups outdated for databases (http://support.microsoft.com/kb/2027537)
Database consistency check not current (http://support.microsoft.com/kb/2033590)
SQL Server Memory settings are incorrect (http://support.microsoft.com/KB/918483/EN-US)
Autogrow Failed or took a long time (http://support.microsoft.com/kb/2091024)
Storport driver fix from KBA 940467 missing (http://support.microsoft.com/kb/2121098)
Storport driver fix from KBA 950903 missing (http://support.microsoft.com/kb/2121098)
SQLCLR needs additional memory configuration (http://support.microsoft.com/kb/969962/EN-US)
Operating System files and drivers needs update for working set trimming (http://support.microsoft.com/kb/2121098)
Agent Token Replacement (http://support.microsoft.com/kb/2202637)
Auditing Log in failures (http://support.microsoft.com/kb/2187161)
Databases with high number of VLF present (http://support.microsoft.com/kb/2028436)
Transparent Data Encryption Certificate (http://support.microsoft.com/kb/2201900)
Permission on the Binn folder (http://support.microsoft.com/kb/2029023)
Index Statistics Are Outdated
Server public permissions (http://support.microsoft.com/kb/2160698)
Detected use of older versions of SQLNCLI (http://support.microsoft.com/kb/979779)

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services (http://support.microsoft.com/kb/2128005)
Excessive amount of memory preallocated to Analysis Services (http://support.microsoft.com/kb/2027474)
Server not configured for optimal concurrent query throughput (http://support.microsoft.com/kb/2135031)
Non standard value detected for Analysis Services memory configuration (http://support.microsoft.com/kb/2027472)
Process Thread Pool Max limit above recommended limit (http://support.microsoft.com/kb/2134497)
Process Thread Pool Minimum is below the recommended limit (http://support.microsoft.com/kb/2134855)
Server is running a build with a known regression (http://support.microsoft.com/kb/2157941)
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur (http://support.microsoft.com/kb/2027754)
Server is ignoring duplicate key errors (http://support.microsoft.com/kb/2027761)
No default member defined for non-aggregatable attribute (http://support.microsoft.com/kb/2027769)
UnknownMember set to hidden (http://support.microsoft.com/kb/2027628)
Non-numeric key column for high cardinality attribute (http://support.microsoft.com/kb/2028138)
Attribute hierarchy enabled for high cardinality non-key attribute (http://support.microsoft.com/kb/2028143)
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected (http://support.microsoft.com/kb/2132742)
Account or Time attribute types defined in a non-matching dimension type (http://support.microsoft.com/kb/2157299)
An Account or Time dimension has no matching attribute defined (http://support.microsoft.com/kb/2027418)
Dimension has no attribute defined with the same type (http://support.microsoft.com/kb/2027443)
Attribute Dimension type mismatch (http://support.microsoft.com/kb/2157327)
Mismatched dimension attribute types detected in dimension (http://support.microsoft.com/kb/2027459)
Possible incorrect order of levels defined in hierarchy (http://support.microsoft.com/kb/2027460)
Define attribute relationships as Rigid where possible (http://support.microsoft.com/kb/2027468)
Redundant attribute relationships detected (http://support.microsoft.com/kb/2127437)
Diamond-shape relationship detected (http://support.microsoft.com/kb/2127570)
Non-Standard Attribute Relationship name detected (http://support.microsoft.com/kb/2127862)
Proactive Caching set for dimension without a processing query (http://support.microsoft.com/kb/2027541)
No Time dimension detected (http://support.microsoft.com/kb/2027532)
More than 3 parent-child dimensions with custom rollups defined (http://support.microsoft.com/kb/2134431)
Encountered a parent-child dimension with more than 500000 members (http://support.microsoft.com/kb/2131918)
Single attribute dimensions detected (http://support.microsoft.com/kb/2141654)
Measure groups with zero dimensional overlap detected in cube (http://support.microsoft.com/kb/2027609)
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective (http://support.microsoft.com/kb/2027603)
Use MOLAP storage for dimensions that participate in semi-additive measure groups (http://support.microsoft.com/kb/2135112)
Measure group defined with no partition (http://support.microsoft.com/kb/2027545)

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration (http://support.microsoft.com/kb/2145506)
HTTP Logging is not enabled (http://support.microsoft.com/kb/2145909)
Verbose logging is enabled (http://support.microsoft.com/kb/2146315)
NTLM authentication may fail for local (http://support.microsoft.com/kb/2146369)
Missing extended protection settings (http://support.microsoft.com/kb/2146062)

6.4 IS Rules

Logging task missing for package (http://support.microsoft.com/kb/2027723)
ActiveX Script task detected in package (http://support.microsoft.com/kb/2027712)
Unrecommended Integration Services service account detected (http://support.microsoft.com/kb/2027684)
Integration Services logging table found in system database master and/or msdb (http://support.microsoft.com/kb/2027706)
Integration Services memory dump detected (http://support.microsoft.com/kb/2027727)

6.5 Setup Rules

Unsupported Operating System Version Detected (http://support.microsoft.com/kb/2022909)
WOW64 not supported for SQL Failover Clustering (http://support.microsoft.com/kb/2157198)
Installer cache is missing for the SQL Installation (http://support.microsoft.com/kb/2015100)
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type (http://support.microsoft.com/kb/2118349)
Replication Pub and Sub out of sync (Data Validation) (http://support.microsoft.com/kb/2118386)
Replication Pub and Sub out of sync (Constraint Violations) (http://support.microsoft.com/kb/2118410)
Replication Pub and Sub out of sync (Skipped Transactions) (http://support.microsoft.com/kb/2194498)
Merge Replication Health Check (http://support.microsoft.com/kb/2118445)
Subscriptions Approaching Expiration (http://go.microsoft.com/fwlink/?LinkId=184483)
Replication Cleanup and Retention Health Check (http://support.microsoft.com/kb/2118485)
Replication Latency Threshold violations (http://support.microsoft.com/kb/2118425)

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication
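
One way to keep accepted deviations such as the two above from hiding findings that still need work is an exception register that is matched per server and per rule, and that carries a review date. The following is an added example, not part of the original whitepaper; the finding objects are constructed sample data, and their property names (ComputerName, Title, Severity) are assumptions about the shape of scan results.

```powershell
# Added example: split scan findings into accepted deviations, expired
# exceptions and findings that still require action.
# Property names are assumptions; inspect real scan output with Get-Member.

function New-Row {
    param([hashtable]$Property)
    New-Object PSObject -Property $Property    # works on Windows PowerShell V2
}

# Constructed findings, using rule titles from the Engine Rules list.
$findings = @(
    (New-Row @{ ComputerName = 'SAPSQL01'; Severity = 'Warning';      Title = 'non-default network packet size in use' }),
    (New-Row @{ ComputerName = 'SAPSQL01'; Severity = 'Warning';      Title = 'Authentication Mode' }),
    (New-Row @{ ComputerName = 'CRMSQL02'; Severity = 'Warning';      Title = 'Authentication Mode' }),
    (New-Row @{ ComputerName = 'CRMSQL02'; Severity = 'Noncompliant'; Title = 'Guest Permissions' })
)

# Constructed exception register: one entry per server AND rule, with the
# business reason and a date by which the exception must be reviewed again.
$exceptions = @(
    (New-Row @{ ComputerName = 'SAPSQL01'; Title = 'non-default network packet size in use'
                Reason = 'SAP requires a network packet size of 8 KB'
                ReviewBy = [datetime]'2011-06-30' }),
    (New-Row @{ ComputerName = 'CRMSQL02'; Title = 'Authentication Mode'
                Reason = 'Non-Microsoft client requires Mixed Mode Authentication'
                ReviewBy = [datetime]'2010-12-31' })
)

function Split-Deviation {
    param($Findings, $Exceptions, [datetime]$AsOf = (Get-Date))
    foreach ($f in $Findings) {
        # An exception only applies to the exact server and rule it was granted for.
        $match = $Exceptions |
            Where-Object { $_.ComputerName -eq $f.ComputerName -and $_.Title -eq $f.Title } |
            Select-Object -First 1

        if (-not $match)                   { $state = 'ActionRequired';   $note = '' }
        elseif ($match.ReviewBy -lt $AsOf) { $state = 'ExceptionExpired'; $note = $match.Reason }
        else                               { $state = 'Accepted';         $note = $match.Reason }

        New-Row @{ ComputerName = $f.ComputerName; Title = $f.Title
                   Severity = $f.Severity; State = $state; Note = $note }
    }
}

Split-Deviation -Findings $findings -Exceptions $exceptions -AsOf ([datetime]'2011-01-15') |
    Sort-Object State, ComputerName |
    Format-Table ComputerName, Title, Severity, State, Note -AutoSize
```

With the sample data, the Mixed Mode exception granted for CRMSQL02 does not cover the same finding on SAPSQL01, and it is itself reported as expired because its review date has passed.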

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters, and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters, and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration. Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.
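
A remote scan that combines the connection parameters described above, as an added example that is not part of the original whitepaper: it scans several servers over an SSL-protected, Kerberos-authenticated connection, writes results to a repository readable only by administrators, and retries only on the concurrent-scan error quoted in the NOTES. Server names, the port, the repository path and the submodel ID are placeholders chosen for illustration.

```powershell
# Added example: hardened remote BPA scan.
# Placeholders / assumptions (not values from the whitepaper):
$Servers    = 'sql01.contoso.example', 'sql02.contoso.example'  # constructed FQDNs; Kerberos needs host names, not IP addresses
$SubModelId = '<SubModel Id>'     # a value listed by (Get-MBCAModel -ModelId SQL2008R2BPA).SubModels
$Port       = 5986                # assumed port of the HTTPS WinRM listener on the targets
$Repository = 'D:\BPA\Results'    # assumed non-default repository path

Import-Module BaselineConfigurationAnalyzer

# Scan results and collected configuration describe each server's weaknesses,
# so limit the repository to Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18)
# before the first result is written. SIDs avoid localized group names.
if (-not (Test-Path $Repository)) {
    New-Item -ItemType Directory -Path $Repository | Out-Null
    & icacls.exe $Repository /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not restrict access to $Repository" }
}

function Invoke-SecureBpaScan {
    param(
        [string[]]$ComputerName,
        [int]$MaxAttempts = 3,
        [int]$WaitSeconds = 60
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            # -UseSSL protects the remoting channel; Kerberos is requested
            # explicitly instead of relying on the Default mechanism.
            return Invoke-MBCAModel -ModelId SQL2008R2BPA -SubModelId $SubModelId `
                -ComputerName $ComputerName -UseSSL -Port $Port `
                -Authentication Kerberos -RepositoryPath $Repository `
                -ThrottleLimit 4 -ErrorAction Stop
        }
        catch {
            # Retry only the documented "one scan at a time" condition;
            # authentication or certificate failures are surfaced immediately.
            $concurrent = $_.Exception.Message -like '*Only one scan is allowed at a time*'
            if (-not $concurrent -or $attempt -eq $MaxAttempts) { throw }
            Write-Warning "Scan already in progress; attempt $attempt of $MaxAttempts, waiting $WaitSeconds s."
            Start-Sleep -Seconds $WaitSeconds
        }
    }
}

$output = Invoke-SecureBpaScan -ComputerName $Servers
# Per the OUTPUTS section: model ID, success or failure, and other details.
$output | Format-List *
```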

913 Get-MBCAResult

SYNOPSIS

Page 50

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline

Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan

SYNTAX

Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId

ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter

ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline

Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan

To use the command add the -ModelId parameter and then specify the model ID for which you want

to view the most recent MBCA scan results or collected configuration data If you want to retrieve the

configuration data collected add the -CollectedConfiguration switch parameter

You must be a member of the Administrators group on the computer on which you want to run this

cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with

elevated user rights that is Run as Administrator

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1 Initializing MBCA engine for getting MBCA Results

2 Attempting to get MBCA results for Model Id = 0

3 Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1 Initializing MBCA engine for getting MBCA Configuration Data

2 Attempting to get MBCA collected configuration data for Model Id = 0

3 Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required false

Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled, and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
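Excluding results hides findings from later reports, so it helps to record what was hidden, by whom and when, before Set-MBCAResult runs. The following is an added example, not part of the whitepaper or of MBCA; the function name, its parameters and the record file layout are hypothetical, and it assumes the MBCA cmdlets are already loaded in an elevated session.

```powershell
# Added example (not from the whitepaper). Hide-MbcaCategoryWithRecord, its
# parameters and the record file layout are hypothetical names.
function Hide-MbcaCategoryWithRecord {
    param(
        [Parameter(Mandatory = $true)][string]$Category,
        [Parameter(Mandatory = $true)][string]$RecordFolder,
        [string]$ModelId = 'SQL2008R2BPA',
        [string]$RepositoryPath
    )

    # Assumption: the MBCA cmdlets are already loaded in this session.
    foreach ($name in 'Get-MBCAResult', 'Set-MBCAResult') {
        if (-not (Get-Command -Name $name -ErrorAction SilentlyContinue)) {
            throw "$name is not available in this session."
        }
    }

    # Read from the same repository that will be modified (as in Example 2).
    if ($RepositoryPath) {
        $all = Get-MBCAResult -ModelId $ModelId -RepositoryPath $RepositoryPath
    } else {
        $all = Get-MBCAResult -ModelId $ModelId
    }
    $selected = @($all | Where-Object { $_.Category -eq $Category })
    if ($selected.Count -eq 0) {
        Write-Warning "No '$Category' results for model $ModelId; nothing excluded."
        return
    }

    # Save the results that are about to be hidden, with who and when.
    if (-not (Test-Path -Path $RecordFolder)) {
        New-Item -ItemType Directory -Path $RecordFolder | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $RecordFolder "excluded-$ModelId-$Category-$stamp.xml"
    New-Object PSObject -Property @{
        ExcludedAt     = (Get-Date).ToString('o')
        ExcludedBy     = "$env:USERDOMAIN\$env:USERNAME"
        ModelId        = $ModelId
        Category       = $Category
        RepositoryPath = $RepositoryPath
        Results        = $selected
    } | Export-Clixml -Path $file -ErrorAction Stop

    # Exclude only after the record exists on disk.
    if ($RepositoryPath) {
        Set-MBCAResult -Exclude $true -RepositoryPath $RepositoryPath -Results $selected | Out-Null
    } else {
        Set-MBCAResult -Exclude $true -Results $selected | Out-Null
    }
    $file   # path of the record that was written
}

# Constructed usage (paths are placeholders):
# Hide-MbcaCategoryWithRecord -Category Policy -RecordFolder C:\BpaRecords -RepositoryPath C:\ReposPath
```

Import-Clixml on the returned file shows which results were hidden when an exclusion is reviewed later.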

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in the MBCA_ModelAuthoringGuide.docx.

Did this paper help you? Please give us your feedback. Tell us on a scale of 1 (poor) to 5 (excellent), how would you rate this paper and why have you given it this rating? For example:

- Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason?
- Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?

This feedback will help us improve the quality of white papers we release.

Send feedback.

Copyright Information

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft and SQL Server are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

1 INTRODUCTION

The Microsoft SQL Server 2008 R2 Best Practices Analyzer (BPA) is a diagnostic tool that performs the following functions:

- Gathers information about a server and an instance of Microsoft SQL Server 2008 or 2008 R2 that is installed on that server
- Determines if the configurations are set according to the Microsoft recommended best practices
- Reports on all configurations, indicating settings that differ from recommendations
- Indicates potential problems in the installed instance of SQL Server
- Recommends solutions to potential problems

This tool is used by IT Professionals and Database Administrators to help ensure that their installations of SQL Server and associated products/components are adhering to best practices as determined by the SQL Server Product Teams and CSS. This utility scans the installation of a local or remote machine, gathering system data from WMI, log files, the Event Log, the Windows Registry, and SQL Server metadata, and compares the results to predefined standards. It then produces a report that shows the results and points the user to additional information on the web to help them determine whether they should make changes to their systems.

For every configuration, the SQL Server 2008 R2 BPA provides the following results:

- Compliance results are returned when an instance of SQL Server satisfies the conditions of a Best Practices rule. Non-compliance results are returned when an instance of SQL Server does not satisfy the conditions of a Best Practices rule.
- Impact of non-compliance
- Recommendation
- Links to more detailed information and related topics

To assist you and to make your DBA life easier, Microsoft includes some of these Best Practices in a couple of products - depending on specific purpose of the Software. The following diagram illustrates the variety of tools available to check best practices for SQL Server 2008 and SQL Server 2008 R2 in parallel or in combination with BPA.

The big picture - automated Best Practices of SQL Server checks offered in different flavours and products

So you will find a couple of policies in our monitoring solution:

- SQL Server 2008 R2 Best Practice Analyzer, with more than 140 rules for database engine and other technologies
- System Center Operations Manager (SCOM), within the SQL Management pack (current version 6.1.314.36, release date 08/17/2010), with more than 300 rules and 50 additional monitors
- Policy Based Management in SQL Server 2005 and 2008, with predefined policy collection (50+ policies). There is a whitepaper about PBM here.
- System Configuration Checker in the SQL Server 2008 setup wizard
- The SQL Risk Assessment Toolset (Premier Organisation best practice flagship), offering more than 200 rules. This offering is meant for Premier customers running the SQL RAP against their most business critical SQL instances.

Note: This tool set is only available for Microsoft Premier Customers.

1.1 Architecture and data flow of the BPA

The SQL Server 2008 R2 Best Practices Analyzer is an additional "model" for the Microsoft Baseline Configuration Analyzer V2.0 (MBCA). A model is a set of component files that together comprise the configuration analysis and reporting output from MBCA.

The MBCA is embedded as a PowerShell cmdlet and consists of two major components: the MBCA Engine and the MBCA UI.

The MBCA Engine process itself consists of 2 main activities: evaluation and discovery. The MBCA Engine is fed by PowerShell discovery scripts and XML Schema files, which are used during discovery. The discovery activity interrogates the SQL Server, Registry, WMI, Error- and Event-Logs, etc. The output is saved in an XML file, which is then used in the evaluation activity. Evaluation is performed using the Schematron file. This file, run by the MBCA engine, contains the logic for evaluating the best practices. The final step following the evaluation process is the report generation, which is shown in the MBCA UI.

[Diagram labels: CSS Rules, Advice and Manifests; SQL Server 2008 R2 Best Practice Analyzer; SQL 2008 Setup; Policy Based Management; SCOM SQL MP; SQLRAP]

In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer.

1.2 Microsoft Best Practice Analyzer Universe

Microsoft offers many technologies and utilities to produce best practices recommendations.

1.2.1 SQL Server BPA (older versions)

Microsoft has also created BP Analyzers for your older SQL Server versions and for Windows:

- SQL Server 2005 Best Practices Analyzer (August 2008)
- SQL Server 2000 Best Practices Analyzer (April 2010)

1.2.2 Windows Server 2008 R2 Best Practice Analyzer

In Windows management, best practices are guidelines that are considered the ideal way, under typical circumstances, to configure a server as defined by experts. For example, it is considered a best practice for most server technologies to keep open only those ports required for the technologies to communicate with other networked computers, and block unused ports. Although best practice violations, even crucial ones, are not necessarily problematic, they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.

Best Practices Analyzer (BPA) is a server management tool that is available in Windows Server® 2008 R2. BPA can help administrators reduce best practice violations by scanning one or more roles that are installed on Windows Server 2008 R2, and reporting best practice violations to the administrator. Administrators can filter or exclude results from BPA reports that they do not have to see. Administrators can also perform BPA tasks by using either the Server Manager GUI or Windows PowerShell cmdlets.

BPA can also be used on remote servers that are running Windows Server 2008 R2, by using Server Manager targeted at a remote server. For more information about how to run Server Manager targeted at a remote server, see Remote Management with Server Manager.

The following BPA modules are currently available

Best Practices Analyzer for Active Directory Certificate Services

Best Practices Analyzer for Active Directory Domain Services

Best Practices Analyzer for Active Directory Rights Management Services

Best Practices Analyzer for Application Server

Best Practices Analyzer for Domain Name System

Best Practices Analyzer for Dynamic Host Configuration Protocol

Best Practices Analyzer for File Services

Best Practices Analyzer for Hyper-V

Best Practices Analyzer for Internet Information Services

Best Practices Analyzer for Network Policy and Access Services

Best Practices Analyzer for Remote Desktop Services

Best Practices Analyzer for Windows Server Update Services

For more information about Windows BPA, look here.

1.2.3 Fix-it

Currently there exists no link between the SQL Server Best Practice Analyzer and the Fixit webpage:

http://support.microsoft.com/fixit

Microsoft is working on a solution to combine fixit with specific Best Practice Analyzer:

http://fixitcenter.support.microsoft.com/Portal

1.2.4 Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7

Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting programs that can automatically fix some common problems with your computer, such as problems with networking, hardware and devices, using the web, and program compatibility.

Go to the Windows website to watch a video about using troubleshooters to fix common problems (3:30).

When you run a troubleshooter, it might ask you some questions or reset common settings as it works to fix the problem. If the troubleshooter fixed the problem, you can close the troubleshooter. If it couldn't fix the problem, you can view several options that will take you online to try and find an answer. In either case, you can always view a complete list of changes made.

Notes

- If you click the Advanced link on a troubleshooter and then clear the Apply repairs automatically check box, the troubleshooter displays a list of fixes to choose from, if any problems are found.
- Windows includes several troubleshooters, and more are available online when you select the Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service check box at the bottom of Troubleshooting.

http://support.microsoft.com/gp/system_maintenance_for_windows

2 SYSTEM REQUIREMENTS

SQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems:

1. Windows Vista
2. Windows 7
3. Windows Server 2003
4. Windows Server 2003 R2
5. Windows Server 2008
6. Windows Server 2008 R2

Supported editions of SQL Server:

1. SQL Server 2008, all editions except Express
2. SQL Server 2008 R2, all editions except Express

Supported Components of SQL Server:

1. Analysis Services
2. Database Engine
3. Integration Services
4. Reporting Services
5. Replication
6. Setup

These components are designed as Submodels for the BPA. This means that they will be run concurrently where possible.

2.1 Required Permissions for Running SQL Server 2008 R2 BPA

Administration Privileges

To run MBCA v2.0, a user must be a member of the administrators group on the machine being scanned and on the machine the scan is initiated from. If a user is not an administrator on the machine that is being scanned, an appropriate error message displays.

SQL Server

To successfully access all of the database properties and SQL Server configurations, a user must be the Systems Administrator (sysadmin) on the instance of SQL Server.

Analysis Services

The user or the administrators group must be a member of the server administrator role within an instance of Microsoft SQL Server Analysis Services, which has unrestricted access to all Analysis Services objects and data in that instance.

http://msdn.microsoft.com/en-us/library/ms174561.aspx

Integration Services

The user or the administrators group must be members of the sysadmin or db_ssisadmin roles.

http://msdn.microsoft.com/en-us/library/ms141053.aspx

Reporting Services

The user or the administrators group must be a member of the System Administrator and Content Manager role.

2.2 Prerequisites

The following are required for using SQL Server 2008 R2 Best Practices Analyzer:

1. PowerShell V2.0
   Windows PowerShell 2.0 requires the Microsoft .NET Framework 2.0 with Service Pack 1.
2. Microsoft Baseline Configuration Analyzer V2.0
3. SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2

The following table outlines the prerequisite Microsoft utilities/components, by Operating System, necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA.

Columns: 1 = Install WinRM; 2 = Install PowerShell 2.0; 3 = Install MBCA 2.0; Configure PowerShell (1): 4 = Remoting, 5 = Execution Level, 6 = MaxShellsPerUser; 7 = Install SQL 2008 or SQL 2008 R2 Management Tools

OS                        1   2   3   4   5   6   7
Win Vista                 Y   Y   Y   Y   Y   Y   Y
Windows 7                 N   N   Y   Y   Y   Y   Y
Windows Server 2003       Y   Y   Y   Y   Y   Y   Y
Windows Server 2003 R2    Y   Y   Y   Y   Y   Y   Y
Windows Server 2008       Y   Y   Y   Y   Y   Y   Y
Windows Server 2008 R2    N   N   Y   Y   Y   Y   Y

(1) These changes will be done from the installation routine of the BPA.

3 INSTALL

We recommend installing BPA on a workstation or administration server and performing the scan operation remotely against servers in your SQL Server infrastructure. It is also possible to install this tool on the production SQL Server locally.

Installation process:

1. Install/Configure PowerShell and WinRM
2. Microsoft Baseline Configuration Analyzer V2.0
3. Microsoft® SQL Server® 2008 R2 Best Practices Analyzer

There are two ways to install the Best Practices Analyzer:

- With a graphical user interface (setup wizard), or
- Command line

3.1 Installing PowerShell 2.0 and WinRM

BPA install configures WinRM and PowerShell options by default. Most of this section is only needed if something goes wrong and you need to configure these settings by hand.

Windows Server 2003 R2

WinRM is not installed by default, but it is available as the Hardware Management feature through the Add/Remove System Components feature in the Control Panel under Management and Monitoring Tools. Complete installation and information about configuring WinRM using the WINRM command-line tool is available online in the Hardware Management Introduction, which describes the WinRM and the IPMI features in Windows Server 2003 R2.

On Windows Vista, Windows Server 2003 and Windows Server 2008

This is installed as part of Windows Management Framework Core. The WinRM service starts automatically on Windows Server 2008. On Windows Vista, the service must be started manually.

On Windows Server 2008 R2 and Windows 7

This is installed as part of the OS.

Note: Check for additional information and configuration guidelines for WinRM and for PowerShell 2.0.

SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers. Therefore, in both the local and remote cases, it is required that your PowerShell settings be modified. These modifications are done by the BPA installation.

PowerShell Execution Policy

The PowerShell Execution Policy is set to Restricted by default. To run SQL Server 2008 R2 BPA through the PowerShell command line, set the policy to RemoteSigned using the below command:

Set-ExecutionPolicy RemoteSigned -f

You can use the command Set-ExecutionPolicy Restricted -f to set the execution policy back to Restricted. This command is not required when executing the scan through the MBCA GUI.

After the installation, you must enable PowerShell remote scripting if you want to use the BPA remotely against another workgroup machine or a computer that has Kerberos enabled. You need to run this command only once on each computer that will receive commands. You do not need to run it on computers that only send commands. Because the configuration activates listeners, it is prudent to run it only where it is needed. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Enable-PSRemoting -force

Enable-PSRemoting performs configuration actions to enable this machine for remote management. This includes:

1. Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:
   - Starts the WinRM service.
   - Sets the startup type on the WinRM service to Automatic.
   - Creates a listener to accept requests on any IP address.
   - Enables a firewall exception for WS-Management communications.
   - Enables all registered Windows PowerShell session configurations to receive instructions from a remote computer.
   - Registers the Microsoft.PowerShell session configuration, if it is not already registered.
   - Registers the Microsoft.PowerShell32 session configuration on 64-bit computers, if it is not already registered.
   - Removes the Deny Everyone setting from the security descriptor for all the registered session configurations.
   - Restarts the WinRM service to make the preceding changes effective.

2. Configures MaxShellsPerUser using:

   winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

   Specifies the maximum number of concurrent shells that any user can remotely open on the same computer. If this policy setting is enabled, the user will not be able to open new remote shells if the count exceeds the specified limit. If this policy setting is disabled or is not configured, the limit will be set to 5 remote shells per user by default, and you receive the following error message:

   [localhost] Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user. For more information, see the about_Remote_Troubleshooting Help topic.
       + CategoryInfo          : OpenError: (System.Manageme…RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
       + FullyQualifiedErrorId : PSSessionOpenFailed

For more information about PowerShell remoting please see MSDN

3.2 Install MBCA

Download the edition of MBCA that matches your platform (x86 or x64) before installation.

Please find below the screenshots demonstrating the visual flow of the MBCA installation:

Welcome screen

License terms

Folder selection

Completion screen

3.3 Install BPA

Download the correct edition for your platform (x86 or x64) before installing. If you have trouble with the installation, please see section 5.7, Troubleshooting Installation.

3.3.1 Command line

Following is an optimized command line setup example:

msiexec /i SQL2008R2BPA_Setup64.msi /l* c:\temp\sqlbpa_install.log /qn

msiexec parameters:

/i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform)
/l = log granularity; "*" logs all information except for the v and x options
log = log file (c:\temp\sqlbpa_install.log in the example)
/q = display settings (/qn: no user interface)
SKIPCA=1 (if no domain controller is available: Skip Certification Authority)

For information on additional public properties, consult the Windows® Installer SDK documentation on the command line syntax.

3.3.2 GUI

Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA installation:

Welcome screen

License terms

System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM)

Ready to install decision

Install progress

Completion screen

3.3.3 Port and Firewall restrictions

For scanning SQL Server or BI instances on an alternate server behind a firewall, you must open all necessary ports.

3.4 Updates

Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the Download site from Microsoft regularly to find new updates.

3.5 Uninstall

3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings

After uninstalling the BPA, you may disable PowerShell remote scripting. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Disable-PSRemoting -force

Disable-PSRemoting performs configuration actions to disable remote management of this machine.
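Disable-PSRemoting only blocks access to the session configurations; the WinRM service, the listener, the firewall exception and the raised shell quotas set up in section 3.1 stay in place. The following added example (not part of the original whitepaper; the function names are hypothetical) reports what is still exposed and resets it, using the defaults the paper states (5 shells per user, 150 MB per shell, port 5985).

```powershell
# Added example, not part of the whitepaper. Run elevated, PowerShell 2.0 or later.
# Function names are hypothetical.

function Get-WinRmFirewallRule {
    # Match on the default WinRM port instead of the (localized) rule name.
    # Direction 1 = inbound, Protocol 6 = TCP.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $fw.Rules | Where-Object {
        $_.Enabled -and $_.Direction -eq 1 -and $_.Protocol -eq 6 -and
        ($_.LocalPorts -split ',') -contains '5985'
    }
}

function Get-RemotingFootprint {
    # Report what is still reachable after Enable-PSRemoting and the BPA setup.
    $svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
    $report = New-Object PSObject -Property @{
        ServiceState         = $svc.State
        ServiceStartMode     = $svc.StartMode
        EnabledFirewallRules = @(Get-WinRmFirewallRule | ForEach-Object { $_.Name })
        Listeners            = @()
        OpenSessionConfigs   = @()
        MaxShellsPerUser     = $null
        MaxMemoryPerShellMB  = $null
    }
    # The WSMan: drive can only be read while the service is running.
    if ($svc.State -ne 'Running') { return $report }

    $report.Listeners = @(Get-ChildItem WSMan:\localhost\Listener |
        ForEach-Object { $_.Keys -join ' ' })
    # After Disable-PSRemoting every configuration carries an AccessDenied entry.
    $report.OpenSessionConfigs = @(Get-PSSessionConfiguration |
        Where-Object { $_.Permission -notmatch 'AccessDenied' } |
        ForEach-Object { $_.Name })
    $report.MaxShellsPerUser    = (Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
    $report.MaxMemoryPerShellMB = (Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
    $report
}

function Reset-RemotingFootprint {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Also remove the listener, disable the firewall rule and stop the service.
        [switch]$CloseListener,
        [ValidateSet('Manual', 'Disabled')]
        [string]$StartupType = 'Manual'
    )
    if ((Get-Service WinRM).Status -ne 'Running') {
        Write-Warning 'WinRM is not running; nothing is listening.'
        return
    }
    if ($PSCmdlet.ShouldProcess('PowerShell session configurations', 'Disable-PSRemoting')) {
        Disable-PSRemoting -Force
    }
    if ($PSCmdlet.ShouldProcess('WSMan:\localhost\Shell', 'Restore default quotas')) {
        Set-Item WSMan:\localhost\Shell\MaxShellsPerUser 5
        Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 150
    }
    if (-not $CloseListener) { return }

    # The listener must be removed while the service is still running.
    foreach ($listener in @(Get-ChildItem WSMan:\localhost\Listener)) {
        if ($PSCmdlet.ShouldProcess($listener.Name, 'Remove WinRM listener')) {
            Remove-Item -Path "WSMan:\localhost\Listener\$($listener.Name)" -Recurse
        }
    }
    foreach ($rule in @(Get-WinRmFirewallRule)) {
        if ($PSCmdlet.ShouldProcess($rule.Name, 'Disable firewall rule')) {
            $rule.Enabled = $false
        }
    }
    if ($PSCmdlet.ShouldProcess('WinRM', "Stop service and set startup type $StartupType")) {
        Stop-Service WinRM -Force
        Set-Service WinRM -StartupType $StartupType
    }
}

# Typical sequence after uninstalling BPA:
#   Get-RemotingFootprint
#   Reset-RemotingFootprint -CloseListener -WhatIf    # preview
#   Reset-RemotingFootprint -CloseListener
```

Use -CloseListener only on servers where no other management tooling depends on WinRM; without the switch, only the session configurations and shell quotas are reset.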

4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:

Scanning through the local machine

   o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.
   o This scan can be of the local or an alternate server.

Scanning through a remote machine

   o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.
   o This scan is using the local machine to form the connection to the remote machine and is actually performing the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start -> All Programs -> SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the Start menu with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:

   o ComputerName
   o IP address: n.n.n.n
   o FQDN (Fully Qualified Domain Name)

   Enter ".", localhost, or leave this blank if you want to scan the local machine.

   Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the checkboxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to one of the SQL Server categories listed previously. Select at least one category in order to run a successful scan.

   o Analyze_SQL_Analysis_Services
   o Analyze_SQL_Server_Engine
   o Analyze_SQL_Integration_Services
   o Analyze_SQL_Server_Replication
   o Analyze_SQL_Reporting_Services
   o Analyze_SQL_Server_Setup

   Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the below page while in progress.

7. When the scan is complete, results will be displayed grouped by Severity as shown below.

4.3 Connect to a remote computer

A scan connected to a remote computer is different than scanning an alternate server.

"Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server using the BPA installed on the server. In this case the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:

   o ComputerName
   o ComputerName:PortNumber
   o IP address: n.n.n.n
   o IPv6 address: [n:n:n:n:n:n:n:n]
   o IPv4 address with port number: n.n.n.n:PortNumber
   o IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

   Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session type winrm help, and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

   Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

   CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

   Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. On Windows XP, Windows Server 2003 and earlier, CredSSP is not supported.

   First you must set CredSSP on both the client and the server:

   o Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".
   o Add the server or domain to the list of servers in the format "WSMAN/domainname.com".

   Next, enable and configure PowerShell Remoting on both the client and the server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

   Enable PowerShell Remoting

   o Enable-PSRemoting -f

   Settings for a client

   o Enable-WSManCredSSP -role Client -DelegateComputer [NetBiosNameOfServer]
     or
   o Enable-WSManCredSSP -role Client -DelegateComputer [FQDN OF SERVER]

   Settings for the server

   o Enable-WSManCredSSP -role Server
   o Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000
   o Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20
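Because CredSSP hands the user's credentials to the target server, the delegation list on the client decides which hosts can receive them. The following added example (not part of the original whitepaper; function names and the sample host names are hypothetical) reports the current CredSSP state and enables client-side delegation for exactly one named server, for the duration of one remote command only.

```powershell
# Added example, not part of the whitepaper. Run elevated on the client.
# Function names are hypothetical.

# Enable-WSManCredSSP -Role Client records its targets under this policy key.
$DelegationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'

function Get-CredSSPExposure {
    # Locale-independent view of the CredSSP settings on this machine.
    $targets = @()
    if (Test-Path $DelegationKey) {
        $key = Get-Item $DelegationKey
        $targets = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }
    New-Object PSObject -Property @{
        ClientEnabled     = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value -eq 'true'
        ServerEnabled     = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value -eq 'true'
        DelegationTargets = $targets
        # Entries such as wsman/* or wsman/*.domain delegate to every matching host.
        WildcardTargets   = @($targets | Where-Object { $_ -match '\*' })
    }
}

function Invoke-WithScopedCredSSP {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential,
        [Parameter(Mandatory = $true)][scriptblock]$ScriptBlock
    )
    # Accept one NetBIOS name or FQDN only; no wildcards, no lists.
    if ($Server -notmatch '^[A-Za-z0-9_]([A-Za-z0-9_.-]*[A-Za-z0-9_])?$') {
        throw "Delegation target '$Server' must be a single NetBIOS name or FQDN."
    }
    $before = Get-CredSSPExposure
    if (-not $before.ClientEnabled) {
        Enable-WSManCredSSP -Role Client -DelegateComputer $Server -Force | Out-Null
    }
    elseif ($before.DelegationTargets -notcontains "wsman/$Server") {
        # Do not silently widen an existing delegation list.
        throw ("CredSSP is already enabled for other targets; review them first: " +
               ($before.DelegationTargets -join ', '))
    }
    try {
        Invoke-Command -ComputerName $Server -Authentication CredSSP `
                       -Credential $Credential -ScriptBlock $ScriptBlock
    }
    finally {
        # Only undo what this function turned on.
        if (-not $before.ClientEnabled) { Disable-WSManCredSSP -Role Client }
    }
}

# Example call (host names are placeholders); the script block reaches a second hop:
#   Invoke-WithScopedCredSSP -Server sqlhost01.example.com -Credential (Get-Credential) `
#       -ScriptBlock { Get-ChildItem \\fileserver.example.com\share }
```

On the server, Disable-WSManCredSSP -Role Server turns the receiving side off again once no further remote scans are planned.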

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

The result looks like this part:

ModelId    : SQL2008R2BPA
SubModelId :
Success    : True
ScanTime   :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = Get-MbcaModel -ModelId sql2008r2bpa
$scanResult = Get-MbcaResult -ModelId sql2008r2bpa
$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration
$model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where-Object { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -pre "<P>Generated by user $env:username on computer $env:computername</P>" -post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>
$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration
$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening an archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml

4.4.4 Report Result Directory

The reporting result path

%AppData%\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check:

Copy-Item -Path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -Destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() -Recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object Name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.Name).ToString() | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -pre "<P>Generated by user $env:username on computer $env:computername</P>" -post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

   o Pre-requisite validation
   o Timestamp: finished rules, start and end times
   o Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user's local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file gets generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt
Engine Rules - EngineLog.txt
Replication Rules - ReplicationLog.txt
Setup Rules - SetupLog.txt
Analysis Services Rules - AnalysisServicesLog.txt
Reporting Services Rules - ReportingServicesLog.txt
Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 - the NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370.

Both of the rules below will function properly if you apply this hotfix. For more information look here.

5.3 MBCA

This message indicates that a prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in result set of the analyzer report

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should first check whether Hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started:

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the prerequisites for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name:      Application
Source:        MsiInstaller
Date:          6/10/2010 8:38:18 AM
Event ID:      11722
Task Category: None
Level:         Error
Keywords:      Classic
User:          <Username>
Computer:      <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the installer is "Access Denied". To work around this issue, you can do the following:

1. Open a command prompt with administrative privileges.

2. Change to the directory where the msi file resides.

3. Type msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with administrative privileges.

6. Execute the following commands:

   a. Enable-PSRemoting
   b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario the installation fails with the error above because of a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS web application such as SharePoint, or if you are using Reporting Services and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
  Note that computers in the TrustedHosts list might not be authenticated.
  -For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
    + CategoryInfo          : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a domain account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a host header; then your HTTP SPN would not include the machine name, allowing BPA to run without issue.
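Before removing any SPN, it helps to confirm that an HTTP SPN for the machine name really is registered on an account other than the machine account. The following is an added example, not part of the original whitepaper; the function name is hypothetical, and it assumes a domain-joined machine with read access to Active Directory.

```powershell
# Added example, not part of the whitepaper. The function name is hypothetical.
# Assumes a domain-joined machine and read access to Active Directory.
function Find-HttpSpnConflict {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # The name goes into an LDAP filter, so allow host name characters only.
    if ($ComputerName -notmatch '^[A-Za-z0-9_.-]+$') {
        throw "Unexpected characters in computer name '$ComputerName'."
    }
    # Check the short name and the FQDN, each with and without a port suffix.
    $short = ($ComputerName -split '\.')[0]
    $names = @($short, [System.Net.Dns]::GetHostEntry($ComputerName).HostName) |
             Select-Object -Unique
    $clauses = $names | ForEach-Object {
        '(servicePrincipalName=HTTP/{0})(servicePrincipalName=HTTP/{0}:*)' -f $_
    }
    $searcher = [adsisearcher]"(|$($clauses -join ''))"
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange(
        [string[]]@('samaccountname', 'serviceprincipalname', 'distinguishedname'))

    foreach ($hit in $searcher.FindAll()) {
        $account = [string]$hit.Properties['samaccountname'][0]
        New-Object PSObject -Property @{
            Account  = $account
            DN       = [string]$hit.Properties['distinguishedname'][0]
            HttpSpns = @($hit.Properties['serviceprincipalname'] |
                         Where-Object { $_ -like 'HTTP/*' })
            # WinRM authenticates against the machine account (NAME$). An HTTP SPN
            # for the host name on any other account is the conflict described above.
            Conflict = $account -ne "$short`$"
        }
    }
}

# List only the accounts that collide with WinRM on this machine:
#   Find-HttpSpnConflict | Where-Object { $_.Conflict } | Format-List Account, DN, HttpSpns
```

An empty result means no HTTP SPN is registered for this host name, so the WinRM error has one of the other causes listed in the message.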

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals:

Here is an example of one of these articles, which talks about a rule to check for a recent "clean" CHECKDB:

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level | Description
Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule.
Compliant | Compliant results are returned when a role satisfies the conditions of a rule.
Warning | Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name | Description
Security | Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.
Performance | Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.
Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.
Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.
Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.
Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before the role is used in production.
Postdeployment | Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.
BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient and well performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC/BDC (http://support.microsoft.com/kb/2032911)
SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)
Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)
Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)
Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)
Databases using simple recovery model (http://support.microsoft.com/kb/2137539)
User database collation different from model (http://support.microsoft.com/kb/2026108)
Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)
Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)
LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)
SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)
SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)
Invalid startup parameters (http://support.microsoft.com/kb/2028433)
MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)
sql incorrect results fix missing (http://support.microsoft.com/kb/971780)
File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)
linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)
Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)
default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)
TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)
FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)
Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)
A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)
Significant Portion of SQL Server Memory Has Been Paged Out (http://support.microsoft.com/kb/2028324)
Server Exception or Hang Detected on Server (http://support.microsoft.com/kb/2028589)
Databases exist without CHECKSUM protection (http://support.microsoft.com/kb/2078345)
backups outdated for databases (http://support.microsoft.com/kb/2027537)
Database consistency check not current (http://support.microsoft.com/kb/2033590)
SQL Server Memory settings are incorrect (http://support.microsoft.com/KB/918483/EN-US)
Autogrow Failed or took a long time (http://support.microsoft.com/kb/2091024)
Storport driver fix from KBA 940467 missing (http://support.microsoft.com/kb/2121098)
Storport driver fix from KBA 950903 missing (http://support.microsoft.com/kb/2121098)
SQLCLR needs additional memory configuration (http://support.microsoft.com/kb/969962/EN-US)
Operating System files and drivers needs update for working set trimming (http://support.microsoft.com/kb/2121098)
Agent Token Replacement (http://support.microsoft.com/kb/2202637)
Auditing Log in failures (http://support.microsoft.com/kb/2187161)
Databases with high number of VLF present (http://support.microsoft.com/kb/2028436)
Transparent Data Encryption Certificate (http://support.microsoft.com/kb/2201900)
Permission on the Binn folder (http://support.microsoft.com/kb/2029023)
Index Statistics Are Outdated
Server public permissions (http://support.microsoft.com/kb/2160698)
Detected use of older versions of SQLNCLI (http://support.microsoft.com/kb/979779)

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions:

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005

Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474

Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031

Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472

Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497

Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855

Server is running a build with a known regression http://support.microsoft.com/kb/2157941

Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754

Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761

No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769

UnknownMember set to hidden http://support.microsoft.com/kb/2027628

Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138

Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143

ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742

Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299

An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418

Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443

Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327

Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459

Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460

Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468

Redundant attribute relationships detected http://support.microsoft.com/kb/2127437

Diamond-shape relationship detected http://support.microsoft.com/kb/2127570

Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862

Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541

No Time dimension detected http://support.microsoft.com/kb/2027532

More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431

Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918

Single attribute dimensions detected http://support.microsoft.com/kb/2141654

Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603

Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112

Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506

HTTP Logging is not enabled http://support.microsoft.com/kb/2145909

Verbose logging is enabled http://support.microsoft.com/kb/2146315

NTLM authentication may fail for local http://support.microsoft.com/kb/2146369

Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723

ActiveX Script task detected in package http://support.microsoft.com/kb/2027712

Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684

Integration Services logging table found in system database master and or msdb http://support.microsoft.com/kb/2027706

Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article “Why use SQL Server 2008 R2 BPA Case 1 Missing Updates” the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it’s a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed trace flag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts a MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id, for example, only those results from a SQL Server scan that specifically apply to another technology such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.
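A scan-and-triage script that ties together the Get-MBCAModel, Invoke-MBCAModel and Get-MBCAResult cmdlets documented above, as an added example that is not part of the whitepaper. The archive folder, the Title property on result objects, and the assumption that Title carries the rule names listed in section 6 are all assumptions of this example.

```powershell
# Added example, not from the whitepaper.
# Run in an elevated Windows PowerShell session (Run as Administrator).
Import-Module BaselineConfigurationAnalyzer

$modelId    = 'SQL2008R2BPA'
$archiveDir = 'C:\BpaArchive'   # assumption: any folder the administrator can write to

# Security-relevant rule names copied from the rule lists in section 6 of this paper.
# Assumption: each result object exposes the rule name in a Title property.
$securityRules = @(
    '*Auditing Log in failures*',
    '*Server public permissions*',
    '*Permission on the Binn folder*',
    '*Transparent Data Encryption Certificate*',
    '*Unrecommended SQL Server Agent service account*',
    '*Unrecommended Integration Services service account*',
    '*Missing extended protection settings*'
)

# Stop early if the BPA model is not installed on this computer.
if (-not (Get-MBCAModel -ModelId $modelId)) {
    throw "MBCA model '$modelId' is not installed on this computer."
}

# Discovery plus analysis (the default -Mode All), as in Invoke-MBCAModel EXAMPLE 1.
Invoke-MBCAModel -ModelId $modelId | Out-Null

# Retrieve only the deviations from the most recent scan.
$noncompliant = @(Get-MBCAResult -ModelId $modelId -Filter Noncompliant)

# Keep the results whose title matches one of the security rule names.
$securityFindings = @($noncompliant | Where-Object {
    $title = $_.Title
    @($securityRules | Where-Object { $title -like $_ }).Count -gt 0
})

# Archive every noncompliant result with a timestamp so later scans can be
# compared with this one and accepted deviations can be documented.
if (-not (Test-Path $archiveDir)) {
    New-Item -ItemType Directory -Path $archiveDir | Out-Null
}
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$noncompliant | Export-Clixml -Path (Join-Path $archiveDir "$modelId-$stamp.xml")

'{0} noncompliant results, {1} match the security rule list' -f `
    $noncompliant.Count, $securityFindings.Count

# Format-List * shows every property, so no further property names are assumed.
$securityFindings | Format-List *
```

If the Title property is absent on your installation, pipe one result to Get-Member to find the property that carries the rule name and adjust the filter.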

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

Further information about the configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.


1 INTRODUCTION

The Microsoft SQL Server 2008 R2 Best Practices Analyzer (BPA) is a diagnostic tool that performs the following functions:

• Gathers information about a server and an instance of Microsoft SQL Server 2008 or 2008 R2 that is installed on that server
• Determines if the configurations are set according to the Microsoft recommended best practices
• Reports on all configurations, indicating settings that differ from recommendations
• Indicates potential problems in the installed instance of SQL Server
• Recommends solutions to potential problems

This tool is used by IT Professionals and Database Administrators to help ensure that their installations of SQL Server and associated products/components are adhering to best practices as determined by the SQL Server Product Teams and CSS. This utility scans the installation of a local or remote machine, gathering system data from WMI, log files, the Event Log, the Windows Registry, and SQL Server metadata, and compares the results to predefined standards. It then produces a report that shows the results and points the user to additional information on the web to help them determine whether they should make changes to their systems.

For every configuration, the SQL Server 2008 R2 BPA provides the following results:

• Compliance results are returned when an instance of SQL Server satisfies the conditions of a Best Practices rule. Non-compliance results are returned when an instance of SQL Server does not satisfy the conditions of a Best Practices rule.
• Impact of non-compliance
• Recommendation
• Links to more detailed information and related topics

To assist you and to make your DBA life easier, Microsoft includes some of these best practices in a couple of products – depending on the specific purpose of the software. The following diagram illustrates the variety of tools available to check best practices for SQL Server 2008 and SQL Server 2008 R2, in parallel or in combination with BPA.

The big picture – automated Best Practices checks of SQL Server, offered in different flavours and products

So you will find a couple of policies in our monitoring solutions:

• SQL Server 2008 R2 Best Practice Analyzer, with more than 140 rules for the database engine and other technologies
• System Center Operations Manager (SCOM), within the SQL Management pack (current version 6.1.314.36, release date 08/17/2010), with more than 300 rules and 50 additional monitors
• Policy Based Management in SQL Server 2005 and 2008, with a predefined policy collection (50+ policies). There is a whitepaper about PBM here.
• System Configuration Checker in the SQL Server 2008 setup wizard
• The SQL Risk Assessment Toolset (Premier Organisation best practice flagship), offering more than 200 rules. This offering is meant for Premier customers running the SQL RAP against their most business critical SQL instances.

Note: This tool set is only available for Microsoft Premier Customers.

1.1 Architecture and data flow of the BPA

The SQL Server 2008 R2 Best Practices Analyzer is an additional "model" for the Microsoft Baseline Configuration Analyzer V2.0 (MBCA). A model is a set of component files that together comprise the configuration analysis and reporting output from MBCA.

The MBCA is embedded as a PowerShell cmdlet and consists of two major components: the MBCA Engine and the MBCA UI.

The MBCA Engine process itself consists of two main activities: evaluation and discovery. The MBCA Engine is fed by PowerShell discovery scripts and XML schema files, which are used during discovery. The discovery activity interrogates the SQL Server, the Registry, WMI, error and event logs, etc. The output is saved in an XML file, which is then used in the evaluation activity. Evaluation is performed using the Schematron file. This file, run by the MBCA engine, contains the logic for evaluating the best practices. The final step following the evaluation process is the report generation – which is shown in the MBCA UI.

[Diagram labels from the big-picture figure: CSS Rules, Advice and Manifests; SQL Server 2008 R2 Best Practice Analyzer; SQL 2008 Setup; Policy Based Management; SCOM SQL MP; SQLRAP]

In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer.

1.2 Microsoft Best Practice Analyzer Universe

Microsoft offers many technologies and utilities to produce best practices recommendations.

1.2.1 SQL Server BPA (older versions)

Microsoft has also created BP Analyzers for your older SQL Server versions and for Windows:

• SQL Server 2005 Best Practices Analyzer (August 2008)
• SQL Server 2000 Best Practices Analyzer (April 2010)

1.2.2 Windows Server 2008 R2 Best Practice Analyzer

In Windows management, best practices are guidelines that are considered the ideal way, under typical circumstances, to configure a server as defined by experts. For example, it is considered a best practice for most server technologies to keep open only those ports required for the technologies to communicate with other networked computers, and block unused ports. Although best practice violations, even crucial ones, are not necessarily problematic, they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.

Best Practices Analyzer (BPA) is a server management tool that is available in Windows Server® 2008 R2. BPA can help administrators reduce best practice violations by scanning one or more roles that are installed on Windows Server 2008 R2, and reporting best practice violations to the administrator. Administrators can filter or exclude results from BPA reports that they do not have to see. Administrators can also perform BPA tasks by using either the Server Manager GUI or Windows PowerShell cmdlets.

BPA can also be used on remote servers that are running Windows Server 2008 R2, by using Server Manager targeted at a remote server. For more information about how to run Server Manager targeted at a remote server, see Remote Management with Server Manager.

The following BPA modules are currently available:

• Best Practices Analyzer for Active Directory Certificate Services
• Best Practices Analyzer for Active Directory Domain Services
• Best Practices Analyzer for Active Directory Rights Management Services
• Best Practices Analyzer for Application Server
• Best Practices Analyzer for Domain Name System
• Best Practices Analyzer for Dynamic Host Configuration Protocol
• Best Practices Analyzer for File Services
• Best Practices Analyzer for Hyper-V
• Best Practices Analyzer for Internet Information Services
• Best Practices Analyzer for Network Policy and Access Services
• Best Practices Analyzer for Remote Desktop Services
• Best Practices Analyzer for Windows Server Update Services

For more information about Windows BPA, look here.

1.2.3 Fix-it

Currently there is no link between the SQL Server Best Practice Analyzer and the Fixit webpage:

http://support.microsoft.com/fixit

Microsoft is working on a solution to combine Fixit with specific Best Practice Analyzers:

http://fixitcenter.support.microsoft.com/Portal

1.2.4 Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7

Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting programs that can automatically fix some common problems with your computer, such as problems with networking, hardware and devices, using the web, and program compatibility.

Go to the Windows website to watch a video about using troubleshooters to fix common problems (3:30).

When you run a troubleshooter, it might ask you some questions or reset common settings as it works to fix the problem. If the troubleshooter fixed the problem, you can close the troubleshooter. If it couldn't fix the problem, you can view several options that will take you online to try and find an answer. In either case, you can always view a complete list of changes made.

Notes

• If you click the Advanced link on a troubleshooter and then clear the Apply repairs automatically check box, the troubleshooter displays a list of fixes to choose from, if any problems are found.
• Windows includes several troubleshooters, and more are available online when you select the Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service check box at the bottom of Troubleshooting.

http://support.microsoft.com/gp/system_maintenance_for_windows

2 SYSTEM REQUIREMENTS

SQL Server 2008 R2 Best Practices Advisor is supported on the following operating systems:

1. Windows Vista
2. Windows 7
3. Windows Server 2003
4. Windows Server 2003 R2
5. Windows Server 2008
6. Windows Server 2008 R2

Supported editions of SQL Server:

1. SQL Server 2008, all editions except Express
2. SQL Server 2008 R2, all editions except Express

Supported components of SQL Server:

1. Analysis Services
2. Database Engine
3. Integration Services
4. Reporting Services
5. Replication
6. Setup

These components are designed as submodels for the BPA. This means that they will be run concurrently where possible.

2.1 Required Permissions for Running SQL Server 2008 R2 BPA

Administration Privileges

To run MBCA v2.0, a user must be a member of the Administrators group on the machine being scanned and on the machine the scan is initiated from. If a user is not an administrator on the machine that is being scanned, an appropriate error message displays.

SQL Server

To successfully access all of the database properties and SQL Server configurations, a user must be the Systems Administrator (sysadmin) on the instance of SQL Server.

Analysis Services

The user or the administrators group must be a member of the server administrator role within an instance of Microsoft SQL Server Analysis Services, which has unrestricted access to all Analysis Services objects and data in that instance.

http://msdn.microsoft.com/en-us/library/ms174561.aspx

Integration Services

The user or the administrators group must be a member of the sysadmin or db_ssisadmin roles.

http://msdn.microsoft.com/en-us/library/ms141053.aspx

Reporting Services

The user or the administrators group must be a member of the System Administrator and Content Manager roles.

2.2 Prerequisites

The following are required for using SQL Server 2008 R2 Best Practices Analyzer:

1. PowerShell V2.0. Windows PowerShell 2.0 requires the Microsoft .NET Framework 2.0 with Service Pack 1.
2. Microsoft Baseline Configuration Analyzer V2.0
3. SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2

The following table outlines the prerequisite Microsoft utilities/components, by operating system, that must be on your server prior to installing and running SQL Server 2008 R2 BPA. Steps 4 to 6 are the "Configure PowerShell" steps (see note 1).

OS                     | 1. Install WinRM | 2. Install PowerShell 2.0 | 3. Install MBCA 2.0 | 4. Remoting (1) | 5. Execution Level (1) | 6. MaxShellsPerUser (1) | 7. Install SQL 2008 or SQL 2008 R2 Management Tools
Win Vista              | Y | Y | Y | Y | Y | Y | Y
Windows 7              | N | N | Y | Y | Y | Y | Y
Windows Server 2003    | Y | Y | Y | Y | Y | Y | Y
Windows Server 2003 R2 | Y | Y | Y | Y | Y | Y | Y
Windows Server 2008    | Y | Y | Y | Y | Y | Y | Y
Windows Server 2008 R2 | N | N | Y | Y | Y | Y | Y

(1) These changes are made by the installation routine of the BPA.

3 INSTALL

We recommend installing BPA on a workstation or administration server and performing the scan operation remotely against servers in your SQL Server infrastructure. It is also possible to install this tool locally on the production SQL Server.

Installation process:

1. Install/Configure PowerShell and WinRM
2. Microsoft Baseline Configuration Analyzer V2.0
3. Microsoft® SQL Server® 2008 R2 Best Practices Analyzer

There are two ways to install the Best Practices Analyzer:

• With a graphical user interface (setup wizard), or
• Command line

3.1 Installing PowerShell 2.0 and WinRM

BPA install configures WinRM and PowerShell options by default. Most of this section is only needed if something goes wrong and you need to configure these settings by hand.

Windows Server 2003 R2

WinRM is not installed by default, but it is available as the Hardware Management feature through the Add/Remove System Components feature in the Control Panel, under Management and Monitoring Tools. Complete installation and information about configuring WinRM using the WINRM command-line tool is available online in the Hardware Management Introduction, which describes the WinRM and the IPMI features in Windows Server 2003 R2.

On Windows Vista, Windows Server 2003 and Windows Server 2008

This is installed as part of Windows Management Framework Core. The WinRM service starts automatically on Windows Server 2008. On Windows Vista, the service must be started manually.

On Windows Server 2008 R2 and Windows 7

This is installed as part of the OS.

Note: Check for additional information and configuration guidelines for WinRM and for PowerShell 2.0.

SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers. Therefore, in both the local and remote cases, it is required that your PowerShell settings be modified. These changes are made by the BPA installation.

PowerShell Execution Policy

The PowerShell execution policy is set to Restricted by default. To run SQL Server 2008 R2 BPA through the PowerShell command line, set the policy to RemoteSigned by using the following command:

Set-ExecutionPolicy RemoteSigned -f

You can use the command Set-ExecutionPolicy Restricted -f to set the execution policy back to Restricted. This command is not required when executing the scan through the MBCA GUI.

After the installation, you must enable PowerShell remoting if you want to use the BPA remotely against another workgroup machine or a computer that has Kerberos enabled. You need to run this command only once on each computer that will receive commands. You do not need to run it on computers that only send commands. Because the configuration activates listeners, it is prudent to run it only where it is needed. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Enable-PSRemoting -force

Enable-PSRemoting performs configuration actions to enable this machine for remote management. This includes:

1. Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:

• Starts the WinRM service.
• Sets the startup type on the WinRM service to Automatic.
• Creates a listener to accept requests on any IP address.
• Enables a firewall exception for WS-Management communications.
• Enables all registered Windows PowerShell session configurations to receive instructions from a remote computer.
• Registers the Microsoft.PowerShell session configuration, if it is not already registered.
• Registers the Microsoft.PowerShell32 session configuration on 64-bit computers, if it is not already registered.
• Removes the Deny Everyone setting from the security descriptor for all the registered session configurations.
• Restarts the WinRM service to make the preceding changes effective.

2. Configures MaxShellsPerUser using:

winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This setting specifies the maximum number of concurrent shells that any user can remotely open on the same computer. If this policy setting is enabled, the user will not be able to open new remote shells if the count exceeds the specified limit. If this policy setting is disabled or is not configured, the limit will be set to 5 remote shells per user by default, and you receive the following error message:

[localhost] Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed

For more information about PowerShell remoting, please see MSDN.

3.2 Install MBCA

Download the edition of MBCA for your platform (x86 or x64) before installation.

Please find below the screenshots demonstrating the visual flow of the MBCA installation:

• Welcome screen
• License terms
• Folder selection
• Completion screen

3.3 Install BPA

Download the correct edition for your platform (x86 or x64) before installing. If you have trouble with the installation, please see section 5.7, Troubleshooting Installation.

3.3.1 Command line

Following is an optimized command line setup example:

msiexec /i SQL2008R2BPA_Setup64.msi /l* c:\temp\sqlbpa_install.log /qn

msiexec parameters:

/i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform)
/l = log granularity ("*" logs all information except for the v and x options), followed by the log file
/q = display settings (/qn: no user interface)
SKIPCA=1 (if no domain controller is available: Skip Certification Authority)

For information on additional public properties, consult the Windows® Installer SDK for documentation on the command line syntax.

3.3.2 GUI

Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA installation:

• Welcome screen
• License terms
• System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM)
• Ready to install decision
• Install progress
• Completion screen

3.3.3 Port and Firewall restrictions

For scanning SQL Server or BI instances on an alternate server behind a firewall, you must open all necessary ports.

3.4 Updates

Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the download site from Microsoft regularly to find new updates.

3.5 Uninstall

3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings

After uninstalling the BPA, you may disable PowerShell remoting. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Disable-PSRemoting -force

Disable-PSRemoting prevents users on other computers from connecting to the session configurations on this machine. It does not stop the WinRM service, delete the listener, or remove the firewall exception that Enable-PSRemoting created.

4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:

• Scanning through the local machine
  o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.
  o This scan can be of the local or an alternate server.
• Scanning through a remote machine
  o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.
  o This scan is using the local machine to form the connection to the remote machine, and is actually performing the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start -> All Programs -> SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the Start menu with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters, as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:

• ComputerName
• IP address: n.n.n.n
• FQDN (Fully Qualified Domain Name)
• Enter ".", localhost, or leave this blank if you want to scan the local machine.

Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the check boxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to the SQL Server categories listed previously. Select at least one category in order to run a successful scan.

• Analyze_SQL_Analysis_Services
• Analyze_SQL_Server_Engine
• Analyze_SQL_Integration_Services
• Analyze_SQL_Server_Replication
• Analyze_SQL_Reporting_Services
• Analyze_SQL_Server_Setup

Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the page below while the scan is in progress.

7. When the scan is complete, results will be displayed grouped by Severity, as shown below.

4.3 Connect to a remote computer

A scan connected to a remote computer is different from scanning an alternate server.

"Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case, the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:

• ComputerName
• ComputerName:PortNumber
• IP address: n.n.n.n
• IPv6 address: [n:n:n:n:n:n:n:n]
• IPv4 address with port number: n.n.n.n:PortNumber
• IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session, type winrm help, and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. On Windows XP, Windows Server 2003 and earlier, CredSSP is not supported.

First, you must set CredSSP on both the client and the server:

• Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".
• Add the server or domain to the list of servers in the format "WSMAN/domainname.com".

Next, enable and configure PowerShell Remoting on both the client and server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

• Enable PowerShell Remoting
  o Enable-PSRemoting -f
• Settings for a client
  o Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]
  or
  o Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]
• Settings for the server
  o Enable-WSManCredSSP -Role Server
  o Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000
  o Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20
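A read-only check of the settings that sections 3.1 and 4.3 change (execution policy, WinRM listener, shell quotas, CredSSP delegation), useful before and after installing or removing BPA. This is an added example, not part of the whitepaper; the function name Get-BpaRemotingFootprint is hypothetical, and it assumes an elevated Windows PowerShell session.

```powershell
# Added example, not from the whitepaper. Read-only: it changes nothing.
# Get-BpaRemotingFootprint is a hypothetical name chosen for this sketch.
function Get-BpaRemotingFootprint {
    function New-Row($setting, $value, $note) {
        New-Object PSObject -Property @{ Setting = $setting; Value = $value; Note = $note } |
            Select-Object Setting, Value, Note
    }
    $rows = @()

    # Execution policy: Restricted is the default named in section 3.1.
    $policy = [string](Get-ExecutionPolicy)
    $note = ''
    if ($policy -ne 'Restricted') { $note = 'not the Restricted default' }
    $rows += New-Row 'ExecutionPolicy' $policy $note

    # WinRM service: Enable-PSRemoting starts it and sets it to Automatic.
    $svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
    $rows += New-Row 'WinRM service' ("{0} / {1}" -f $svc.State, $svc.StartMode) ''
    if ($svc.State -ne 'Running') { return $rows }   # WSMan: drive needs WinRM

    # Listeners: Enable-PSRemoting creates one that accepts any IP address.
    foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
        $keys = $listener.Keys -join ', '
        $note = ''
        if ($keys -match 'Address=\*') { $note = 'accepts requests on any IP address' }
        $rows += New-Row 'Listener' $keys $note
    }

    # Shell quotas: section 3.1 sets MaxShellsPerUser to 10; section 4.3 sets
    # it to 20 and MaxMemoryPerShellMB to 20000.
    foreach ($name in 'MaxShellsPerUser', 'MaxMemoryPerShellMB') {
        $item = Get-Item ("WSMan:\localhost\Shell\{0}" -f $name)
        $rows += New-Row $name $item.Value ''
    }

    # CredSSP: enabled on either side means credentials can be delegated.
    foreach ($side in 'Client', 'Service') {
        $item = Get-Item ("WSMan:\localhost\{0}\Auth\CredSSP" -f $side)
        $note = ''
        if ($item.Value -eq 'true') { $note = 'CredSSP authentication enabled' }
        $rows += New-Row ("CredSSP ({0})" -f $side) $item.Value $note
    }

    # Targets listed under the "Allow Delegating Fresh Credentials" policy.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # skip provider metadata
            $note = ''
            if ($p.Value -match '\*') { $note = 'wildcard delegation target' }
            $rows += New-Row 'Delegation target' $p.Value $note
        }
    }

    # Session configurations: "Everyone AccessDenied" in Permission means
    # remote access to that configuration is blocked.
    foreach ($config in Get-PSSessionConfiguration) {
        $rows += New-Row ("Session config {0}" -f $config.Name) $config.Permission ''
    }
    return $rows
}

Get-BpaRemotingFootprint | Format-Table -AutoSize -Wrap
```

Saving the output before installation and comparing it afterwards shows exactly which of these settings the setup routine changed on that machine.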

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server, on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

The result looks like this:

ModelId    : SQL2008R2BPA
SubModelId :
Success    : True
ScanTime   :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services

The parameter list is the same as the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = Get-MbcaModel -ModelId sql2008r2bpa

$scanResult = Get-MbcaResult -ModelId sql2008r2bpa

$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration

$model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where-Object {$_.Severity -eq "Warning" -or $_.Severity -eq "Error"} | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>

$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration

$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening an archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
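
To measure progress between an archived scan and the latest one, the two result sets can be compared. The script below is an added example, not part of the whitepaper; it assumes the archive was written exactly as in the export example above, and the function name Select-BpaFinding is hypothetical.

```powershell
# Added example (not from the whitepaper): list findings that were resolved and
# findings that are new since an archived scan. Assumes the archive was written
# as shown above ($results, $collectedconfig | Export-CliXml c:\export.xml).
# The function name is hypothetical.

Import-Module BaselineConfigurationAnalyzer

function Select-BpaFinding {
    param($Results)
    # Keep warnings and errors only. Values are converted to strings because
    # objects loaded with Import-Clixml are deserialized copies, not live types,
    # and would otherwise not compare equal to the results of a fresh scan.
    @($Results) |
        Where-Object { "$($_.Severity)" -eq 'Warning' -or "$($_.Severity)" -eq 'Error' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                SubModelID   = "$($_.SubModelID)"
                ComputerName = "$($_.ComputerName)"
                Severity     = "$($_.Severity)"
                Category     = "$($_.Category)"
                Title        = "$($_.Title)"
            }
        }
}

# Archived scan: results first, collected configuration second.
$oldResults, $oldConfig = Import-Clixml c:\export.xml
$old = @(Select-BpaFinding $oldResults)
$new = @(Select-BpaFinding (Get-MBCAResult -ModelId SQL2008R2BPA))

# A finding is identified by submodel, computer and rule title. Severity is not
# part of the key, so a rule that moves from Warning to Error is not listed.
$key = 'SubModelID', 'ComputerName', 'Title'

if ($old.Count -eq 0 -or $new.Count -eq 0) {
    # Compare-Object rejects an empty side, so report the other side directly.
    $resolved = $old
    $added    = $new
} else {
    $diff     = @(Compare-Object -ReferenceObject $old -DifferenceObject $new -Property $key)
    $resolved = @($diff | Where-Object { $_.SideIndicator -eq '<=' })
    $added    = @($diff | Where-Object { $_.SideIndicator -eq '=>' })
}

"Findings in archive: {0}, in latest scan: {1}" -f $old.Count, $new.Count
"Resolved since archive: {0}" -f $resolved.Count
$resolved | Format-Table $key -AutoSize
"New since archive: {0}" -f $added.Count
$added | Format-Table $key -AutoSize
```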

4.4.4 Report Result Directory

The reporting result path

%AppData%\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check.

Copy-Item -Path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -Destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() -Recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.name).ToString() | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation

Timestamp finished rules start and end times

Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user's local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file is generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt

Engine Rules - EngineLog.txt

Replication Rules - ReplicationLog.txt

Setup Rules - SetupLog.txt

Analysis Services Rules - AnalysisServicesLog.txt

Reporting Services Rules - ReportingServicesLog.txt

Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 – NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 – The NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370.

Both of the rules below will function properly if you apply this hotfix. For more information look here

5.3 MBCA

This message indicates that one prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the instance name in the result set of the analyzer report?

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached, a WinRM exception can occur that terminates the remote connection immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message

You should check first if the Hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started.

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message

If you have no permission to access the remote server, you get the error message

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application

Source: MsiInstaller

Date: 6/10/2010 8:38:18 AM

Event ID: 11722

Task Category: None

Level: Error

Keywords: Classic

User: <Username>

Computer: <Machine name>

Description:

Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt.

The actual error coming back from the PowerShell command within the Installer is "Access Denied".

To work around this issue you can do the following:

1. Open a command prompt with Administrative Privileges

2. Change to the directory where the .msi file resides

3. Type msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails with the error above because of a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS web application such as SharePoint, or if you are using Reporting Services and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.

Possible causes are:

-The user name or password specified are invalid.

-Kerberos is used when no authentication method and no user name are specified.

-Kerberos accepts domain user names, but not local user names.

-The Service Principal Name (SPN) for the remote computer name and port does not exist.

-The client and remote computers are in different domains and there is no trust between the two domains.

After checking for the above issues, try the following:

-Check the Event Viewer for events related to authentication.

-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

Note that computers in the TrustedHosts list might not be authenticated.

-For more information about WinRM configuration, run the following command: winrm help config.

At line:50 char:33

+ Set-WSManQuickConfig <<<< -force

+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException

+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a domain account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a Host Header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.
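
To confirm the HTTP SPN condition described above before removing anything, the directory can be queried for HTTP SPNs that carry the machine's name. The script below is an added example, not part of the whitepaper; it assumes a domain-joined machine and a user who may query Active Directory, it searches only the current domain, and the function name Find-HttpSpnConflict is hypothetical.

```powershell
# Added example (not from the whitepaper): find HTTP SPNs that use this
# machine's name and report whether they sit on the machine account or on
# another account (the situation that breaks WinRM Kerberos authentication).
# Assumptions: domain-joined computer, current domain only.
# The function name is hypothetical.

function Find-HttpSpnConflict {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $shortName  = $ComputerName.Split('.')[0]
    $machineSam = $shortName + '$'        # sAMAccountName of the machine account
    $fqdn       = [System.Net.Dns]::GetHostEntry($ComputerName).HostName

    # Check both the short name and the fully qualified name.
    $names = @($shortName, $fqdn) | Sort-Object -Unique

    foreach ($name in $names) {
        # Exact-match LDAP query for the SPN HTTP/<name>.
        $searcher = [adsisearcher]"(servicePrincipalName=HTTP/$name)"
        foreach ($hit in $searcher.FindAll()) {
            $sam = [string]$hit.Properties['samaccountname'][0]
            New-Object PSObject -Property @{
                Spn               = "HTTP/$name"
                Account           = $sam
                DistinguishedName = [string]$hit.Properties['distinguishedname'][0]
                # True when the SPN is held by something other than this machine.
                Conflict          = ($sam -ne $machineSam)
            }
        }
    }
}

$found = @(Find-HttpSpnConflict)
$found | Format-Table Spn, Account, Conflict -AutoSize

if (@($found | Where-Object { $_.Conflict }).Count -gt 0) {
    'An HTTP SPN for this host is registered on a non-machine account; expect the WinRM Kerberos failure described above.'
} else {
    'No conflicting HTTP SPN found in the current domain.'
}
```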

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals

Here is an example of one of these articles that talks about a rule to check for a recent "clean" CHECKDB

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level - Description

Noncompliant - Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant - Compliant results are returned when a role satisfies the conditions of a rule.

Warning - Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name - Description

Security - Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance - Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration - Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy - Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation - Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment - Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before the role is used in production.

Postdeployment - Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.

BPA Prerequisites - BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient, and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)

Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)

Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)

non-default network packet size in use (http://support.microsoft.com/kb/2157175)

degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)

Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)

SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)

SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)

Trustworthy Bit (http://support.microsoft.com/kb/2183687)

Symmetric Keys Check (http://support.microsoft.com/kb/2162020)

Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)

SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)

Windows API calls intercepted (http://support.microsoft.com/kb/2033238)

unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)

Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)

non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)

Guest Permissions (http://support.microsoft.com/kb/2186935)

Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)

IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)

IO device errors detected (http://support.microsoft.com/kb/2091098)

IO errors during page faults detected (http://support.microsoft.com/kb/2091098)

cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)

disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)

failed IO requests detected (http://support.microsoft.com/kb/2091098)

IO requests are successful when retried (http://support.microsoft.com/kb/2015757)

IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)

This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)

tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)

Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)

Logical consistency errors detected (http://support.microsoft.com/kb/2152472)

Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)

SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)

incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114

Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154

Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875

Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448

Databases using simple recovery model http://support.microsoft.com/kb/2137539

User database collation different from model http://support.microsoft.com/kb/2026108

Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537

Databases have auto close option enabled http://support.microsoft.com/kb/2160685

LSI SAS drivers needs update http://support.microsoft.com/kb/2121098

SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845

SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447

Invalid startup parameters http://support.microsoft.com/kb/2028433

MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550

sql incorrect results fix missing http://support.microsoft.com/kb/971780

File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002

linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US

Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098

default extended event health session not in expected state http://support.microsoft.com/kb/2160570

TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483

FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720

Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720

A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606

Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324

Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589

Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345

backups outdated for databases http://support.microsoft.com/kb/2027537

Database consistency check not current http://support.microsoft.com/kb/2033590

SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US

Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024

Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098

Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098

SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US

Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098

Agent Token Replacement http://support.microsoft.com/kb/2202637

Auditing Log in failures http://support.microsoft.com/kb/2187161

Databases with high number of VLF present http://support.microsoft.com/kb/2028436

Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900

Permission on the Binn folder http://support.microsoft.com/kb/2029023

Index Statistics Are Outdated

Server public permissions http://support.microsoft.com/kb/2160698

Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005

Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474

Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031

Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472

Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497

Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855

Server is running a build with a known regression http://support.microsoft.com/kb/2157941

Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754

Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761

No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769

UnknownMember set to hidden http://support.microsoft.com/kb/2027628

Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138

Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143

ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742

Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299

An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418

Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443

Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327

Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459

Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460

Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468

Redundant attribute relationships detected http://support.microsoft.com/kb/2127437

Diamond-shape relationship detected http://support.microsoft.com/kb/2127570

Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862

Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541

No Time dimension detected http://support.microsoft.com/kb/2027532

More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431

Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918

Single attribute dimensions detected http://support.microsoft.com/kb/2141654

Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603

Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112

Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506

HTTP Logging is not enabled http://support.microsoft.com/kb/2145909

Verbose logging is enabled http://support.microsoft.com/kb/2146315

NTLM authentication may fail for local http://support.microsoft.com/kb/2146369

Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723

ActiveX Script task detected in package http://support.microsoft.com/kb/2027712

Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684

Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706

Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role is preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id, for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }
Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
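The three cmdlets above combined into one review workflow, as an added example that is not part of the whitepaper: discovery and analysis run as separate steps against a non-default repository, the noncompliant findings are summarized by category, and anything excluded with Set-MBCAResult is first written to a file so the exclusion can be reviewed later. It assumes the MBCA cmdlets are already loaded in an elevated session and that discovery accepts -RepositoryPath the same way analysis does; C:\BpaRepo and the export file name are hypothetical.

```powershell
# Added example, not from the whitepaper. Uses only parameters documented above
# plus the Category property that the whitepaper's own examples filter on.
$modelId = 'SQL2008R2BPA'
$repo    = 'C:\BpaRepo'      # hypothetical non-default results repository

if (-not (Test-Path -Path $repo)) {
    New-Item -ItemType Directory -Path $repo | Out-Null
}

# Step 1: collect configuration data only (no rule evaluation yet).
Invoke-MBCAModel -ModelId $modelId -Mode Discovery -RepositoryPath $repo -ErrorAction Stop

# Step 2: evaluate the rules against the documents collected in step 1.
Invoke-MBCAModel -ModelId $modelId -Mode Analysis -RepositoryPath $repo -ErrorAction Stop

# Step 3: read back only the noncompliant findings from the same repository.
$findings = @(Get-MBCAResult -ModelId $modelId -Filter Noncompliant -RepositoryPath $repo)

# Step 4: summarize by category so the largest problem areas are visible first.
$findings |
    Group-Object -Property Category |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name

# Step 5: exclude one category from future reports, but keep a record of what
# was hidden. Excluded results no longer appear in reports, so the export is
# the only trace of what was suppressed and when.
$suppressed = @($findings | Where-Object { $_.Category -eq 'Performance' })
if ($suppressed.Count -gt 0) {
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $record = Join-Path -Path $repo -ChildPath "excluded-Performance-$stamp.xml"
    $suppressed | Export-Clixml -Path $record

    # Same form as the whitepaper's Example 2: explicit -Results, same repository.
    Set-MBCAResult -Exclude $true -RepositoryPath $repo -Results $suppressed
}
```

To bring excluded results back into reports, pass the same collection to Set-MBCAResult with -Exclude $false, as described for the -Exclude parameter.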

9.1.5 MBCA Model Authoring

You can find further information about configuration and usage of MBCA models in the MBCA_ModelAuthoringGuide.docx.


The big picture – automated Best Practices of SQL Server checks, offered in different flavours and products

[Figure: The big picture. Labels: CSS Rules Advice and Manifests; SQL Server 2008 R2 Best Practice Analyzer; SQL 2008 Setup; Policy Based Management; SCOM SQL MP; SQLRAP]

So you will find a couple of policies in our monitoring solution:

SQL Server 2008 R2 Best Practice Analyzer, with more than 140 rules for the database engine and other technologies

System Center Operations Manager (SCOM), within the SQL Management pack (current version 6.1.314.36, release date 08/17/2010), with more than 300 rules and 50 additional monitors

Policy Based Management in SQL Server 2005 and 2008, with a predefined policy collection (50+ policies). There is a whitepaper about PBM here.

System Configuration Checker in the SQL Server 2008 setup wizard

The SQL Risk Assessment Toolset (Premier Organisation best practice flagship), offering more than 200 rules. This offering is meant for Premier customers running the SQL RAP against their most business critical SQL instances.

Note: This tool set is only available for Microsoft Premier Customers.

1.1 Architecture and data flow of the BPA

The SQL Server 2008 R2 Best Practices Analyzer is an additional "model" for the Microsoft Baseline Configuration Analyzer V2.0 (MBCA). A model is a set of component files that together comprise the configuration analysis and reporting output from MBCA.

The MBCA is embedded as a PowerShell cmdlet and consists of two major components: the MBCA Engine and the MBCA UI.

The MBCA Engine process itself consists of 2 main activities: evaluation and discovery. The MBCA Engine is fed by PowerShell discovery scripts and XML schema files, which are used during discovery. The discovery activity interrogates the SQL Server, Registry, WMI, Error- and Event-Logs, etc. The output is saved in an XML file, which is then used in the evaluation activity. Evaluation is performed using the Schematron file. This file, run by the MBCA engine, contains the logic for evaluating the best practices. The final step following the evaluation process is the report generation – which is shown in the MBCA UI.

In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer.

1.2 Microsoft Best Practice Analyzer Universe

Microsoft offers many technologies and utilities to produce best practices recommendations.

1.2.1 SQL Server BPA (older versions)

Microsoft has also created BP Analyzers for your older SQL Server versions and for Windows:

SQL Server 2005 Best Practices Analyzer (August 2008)

SQL Server 2000 Best Practices Analyzer (April 2010)

1.2.2 Windows Server 2008 R2 Best Practice Analyzer

In Windows management, best practices are guidelines that are considered the ideal way, under typical circumstances, to configure a server as defined by experts. For example, it is considered a best practice for most server technologies to keep open only those ports required for the technologies to communicate with other networked computers, and block unused ports. Although best practice violations, even crucial ones, are not necessarily problematic, they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.

Best Practices Analyzer (BPA) is a server management tool that is available in Windows Server® 2008 R2. BPA can help administrators reduce best practice violations by scanning one or more roles that are installed on Windows Server 2008 R2, and reporting best practice violations to the administrator. Administrators can filter or exclude results from BPA reports that they do not have to see. Administrators can also perform BPA tasks by using either the Server Manager GUI or Windows PowerShell cmdlets.

BPA can also be used on remote servers that are running Windows Server 2008 R2 by using Server Manager targeted at a remote server. For more information about how to run Server Manager targeted at a remote server, see Remote Management with Server Manager.

The following BPA modules are currently available

Best Practices Analyzer for Active Directory Certificate Services

Best Practices Analyzer for Active Directory Domain Services

Best Practices Analyzer for Active Directory Rights Management Services

Best Practices Analyzer for Application Server

Best Practices Analyzer for Domain Name System

Best Practices Analyzer for Dynamic Host Configuration Protocol

Best Practices Analyzer for File Services

Best Practices Analyzer for Hyper-V

Best Practices Analyzer for Internet Information Services

Best Practices Analyzer for Network Policy and Access Services

Best Practices Analyzer for Remote Desktop Services

Best Practices Analyzer for Windows Server Update Services

For more information about Windows BPA, look here.

1.2.3 Fix-it

Currently there is no link between the SQL Server Best Practice Analyzer and the Fixit webpage:

http://support.microsoft.com/fixit

Microsoft is working on a solution to combine fixit with specific Best Practice Analyzers:

http://fixitcenter.support.microsoft.com/Portal

1.2.4 Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7

Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting programs that can automatically fix some common problems with your computer, such as problems with networking, hardware and devices, using the web, and program compatibility.

Go to the Windows website to watch a video about using troubleshooters to fix common problems. (3:30)

When you run a troubleshooter, it might ask you some questions or reset common settings as it works to fix the problem. If the troubleshooter fixed the problem, you can close the troubleshooter. If it couldn't fix the problem, you can view several options that will take you online to try and find an answer. In either case, you can always view a complete list of changes made.

Notes

- If you click the Advanced link on a troubleshooter and then clear the "Apply repairs automatically" check box, the troubleshooter displays a list of fixes to choose from, if any problems are found.

- Windows includes several troubleshooters, and more are available online when you select the "Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service" check box at the bottom of Troubleshooting.

http://support.microsoft.com/gp/system_maintenance_for_windows

2 SYSTEM REQUIREMENTS

SQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems:

1. Windows Vista
2. Windows 7
3. Windows Server 2003
4. Windows Server 2003 R2
5. Windows Server 2008
6. Windows Server 2008 R2

Supported editions of SQL Server:

1. SQL Server 2008, all editions except Express
2. SQL Server 2008 R2, all editions except Express

Supported Components of SQL Server:

1. Analysis Services
2. Database Engine
3. Integration Services
4. Reporting Services
5. Replication
6. Setup

These components are designed as Submodels for the BPA. This means that they will be run concurrently where possible.

2.1 Required Permissions for Running SQL Server 2008 R2 BPA

Administration Privileges

To run MBCA v2.0, a user must be a member of the administrators group on the machine being scanned and on the machine the scan is initiated from. If a user is not an administrator on the machine that is being scanned, an appropriate error message displays.

SQL Server

To successfully access all of the database properties and SQL Server configurations, a user must be the Systems Administrator (sysadmin) on the instance of SQL Server.

Analysis Services

The user or the administrators group must be a member of the server administrator role within the instance of Microsoft SQL Server Analysis Services. Members of this role have unrestricted access to all Analysis Services objects and data in that instance.

http://msdn.microsoft.com/en-us/library/ms174561.aspx

Integration Services

The user or the administrators group must be a member of the sysadmin or db_ssisadmin roles.

http://msdn.microsoft.com/en-us/library/ms141053.aspx

Reporting Services

The user or the administrators group must be a member of the System Administrator and Content Manager roles.

2.2 Prerequisites

The following are required for using SQL Server 2008 R2 Best Practices Analyzer:

1. PowerShell V2.0
   Windows PowerShell 2.0 requires the Microsoft .NET Framework 2.0 with Service Pack 1.
2. Microsoft Baseline Configuration Analyzer V2.0
3. SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2

The following table outlines the prerequisite Microsoft utilities and components, by Operating System, that must be on your server prior to installing and running SQL Server 2008 R2 BPA. Columns 4 to 6 are the "Configure PowerShell" steps (1).

| OS                     | 1. Install WinRM | 2. Install PowerShell 2.0 | 3. Install MBCA 2.0 | 4. Remoting (1) | 5. Execution Level (1) | 6. MaxShellsPerUser (1) | 7. Install SQL 2008 or SQL 2008 R2 Management Tools |
|------------------------|------------------|---------------------------|---------------------|-----------------|------------------------|-------------------------|------------------------------------------------------|
| Win Vista              | Y                | Y                         | Y                   | Y               | Y                      | Y                       | Y                                                    |
| Windows 7              | N                | N                         | Y                   | Y               | Y                      | Y                       | Y                                                    |
| Windows Server 2003    | Y                | Y                         | Y                   | Y               | Y                      | Y                       | Y                                                    |
| Windows Server 2003 R2 | Y                | Y                         | Y                   | Y               | Y                      | Y                       | Y                                                    |
| Windows Server 2008    | Y                | Y                         | Y                   | Y               | Y                      | Y                       | Y                                                    |
| Windows Server 2008 R2 | N                | N                         | Y                   | Y               | Y                      | Y                       | Y                                                    |

(1) These changes will be done by the installation routine of the BPA.

3 INSTALL

We recommend installing BPA on a workstation or administration server and performing the scan operation remotely against servers in your SQL Server infrastructure. It is also possible to install this tool locally on the production SQL Server.

Installation process:

1. Install/Configure PowerShell and WinRM
2. Microsoft Baseline Configuration Analyzer V2.0
3. Microsoft® SQL Server® 2008 R2 Best Practices Analyzer

There are two ways to install the Best Practices Analyzer:

- With a graphical user interface (setup wizard), or
- Command line

3.1 Installing PowerShell 2.0 and WinRM

The BPA install configures WinRM and PowerShell options by default. Most of this section is only needed if something goes wrong and you need to configure this stuff by hand.

Windows Server 2003 R2

WinRM is not installed by default, but it is available as the Hardware Management feature through the Add/Remove System Components feature in the Control Panel under Management and Monitoring Tools. Complete installation and information about configuring WinRM using the WINRM command-line tool is available online in the Hardware Management Introduction, which describes the WinRM and the IPMI features in Windows Server 2003 R2.

On Windows Vista, Windows Server 2003 and Windows Server 2008

This is installed as part of Windows Management Framework Core. The WinRM service starts automatically on Windows Server 2008. On Windows Vista, the service must be started manually.

On Windows Server 2008 R2 and Windows 7

This is installed as part of the OS.

Note: Check for additional information and configuration guidelines for WinRM and for PowerShell 2.0.

SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers. Therefore, in both the local and remote cases, your PowerShell settings must be modified. These changes are made by the BPA installation.

PowerShell Execution Policy

The PowerShell Execution Policy is set to Restricted by default. To run SQL Server 2008 R2 BPA through the PowerShell command line, set the policy to RemoteSigned using the command below:

Set-ExecutionPolicy RemoteSigned -f

You can use the command Set-ExecutionPolicy Restricted -f to set the execution policy back to Restricted. This command is not required when executing the scan through the MBCA GUI.

After the installation, you must enable PowerShell remote scripting if you want to use the BPA remotely against another workgroup machine or a computer that has Kerberos enabled. You need to run this command only once on each computer that will receive commands. You do not need to run it on computers that only send commands. Because the configuration activates listeners, it is prudent to run it only where it is needed. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Enable-PSRemoting -force

Enable-PSRemoting performs configuration actions to enable this machine for remote management. This includes:

1. Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:

   - Starts the WinRM service.
   - Sets the startup type on the WinRM service to Automatic.
   - Creates a listener to accept requests on any IP address.
   - Enables a firewall exception for WS-Management communications.
   - Enables all registered Windows PowerShell session configurations to receive instructions from a remote computer.
   - Registers the "Microsoft.PowerShell" session configuration, if it is not already registered.
   - Registers the "Microsoft.PowerShell32" session configuration on 64-bit computers, if it is not already registered.
   - Removes the "Deny Everyone" setting from the security descriptor for all the registered session configurations.
   - Restarts the WinRM service to make the preceding changes effective.

2. Configures MaxShellsPerUser using:

   winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

   Specifies the maximum number of concurrent shells that any user can remotely open on the same computer. If this policy setting is enabled, the user will not be able to open new remote shells if the count exceeds the specified limit. If this policy setting is disabled or is not configured, the limit will be set to 5 remote shells per user by default, and you receive the following error message:

   [localhost] Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user. For more information, see the about_Remote_Troubleshooting Help topic.
   + CategoryInfo : OpenError: (System.Manageme…RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
   + FullyQualifiedErrorId : PSSessionOpenFailed

For more information about PowerShell remoting, please see MSDN.

3.2 Install MBCA

Download the edition of MBCA for your platform (x86 or x64) before installation.

Please find below the screenshots demonstrating the visual flow of the MBCA installation.

Welcome screen

License terms

Folder selection

Completion screen

3.3 Install BPA

Download the correct edition for your platform (x86 or x64) before installing. If you have trouble with the installation, please see section 5.7 Troubleshooting Installation.

3.3.1 Command line

Following is an optimized command line setup example:

msiexec /i SQL2008R2BPA_Setup64.msi /l* c:\temp\sqlbpa_install.log /qn

msiexec parameters:

/i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform)
/l = log granularity; "*" logs all information except for the v and x options
log file = the path that follows /l*
/q = display settings (/qn - no user interface)
SKIPCA=1 (if no domain controller is available: Skip Certification Authority)

For information on additional public properties, consult the Windows® Installer SDK for documentation on the command line syntax.

3.3.2 GUI

Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA installation.

Welcome screen

License terms

System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM)

Ready to install decision

Install progress

Completion screen

3.3.3 Port and Firewall restrictions

For scanning SQL Server or BI instances on an alternate server behind a firewall, you must open all necessary ports.

3.4 Updates

Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the Download site from Microsoft regularly to find new updates.

3.5 Uninstall

3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings

After the uninstall of the BPA, you may disable PowerShell remote scripting. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Disable-PSRemoting -force

Disable-PSRemoting performs configuration actions to disable remote management of this machine. It blocks remote access to the registered session configurations, but it does not stop the WinRM service or remove the listener and the firewall exception that Enable-PSRemoting created; undo those manually if they are no longer needed.

4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:

- Scanning through the local machine
  o In this case, you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.
  o This scan can be of the local or an alternate server.

- Scanning through a remote machine
  o In this case, MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.
  o This scan is using the local machine to form the connection to the remote machine and is actually performing the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start -> All Programs -> SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the start menu with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:

   - ComputerName
   - IP address: n.n.n.n
   - FQDN (Fully Qualified Domain Name)

   Enter "", localhost, or leave this blank if you want to scan the local machine.

   Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the checkboxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to one of the SQL Server categories listed previously. Select at least one category in order to run a successful scan.

   - Analyze_SQL_Analysis_Services
   - Analyze_SQL_Server_Engine
   - Analyze_SQL_Integration_Services
   - Analyze_SQL_Server_Replication
   - Analyze_SQL_Reporting_Services
   - Analyze_SQL_Server_Setup

   Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the page below while in progress.

7. When the scan is complete, results will be displayed grouped by Severity as shown below.

4.3 Connect to a remote computer

A scan connected to a remote computer is different from scanning an alternate server.

"Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case, the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:

   - ComputerName
   - ComputerName:PortNumber
   - IP address: n.n.n.n
   - IPv6 address: [n:n:n:n:n:n:n:n]
   - IPv4 address with port number: n.n.n.n:PortNumber
   - IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

   Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session type winrm help, and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

   Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

   CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

   Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. On Windows XP, Windows Server 2003 and earlier, CredSSP is not supported.

   First, you must set CredSSP on both the client and the server:

   - Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".
   - Add the server or domain to the list of servers in the format "WSMAN/*.domainname.com".

   Next, enable and configure PowerShell Remoting on both the client and server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

   Enable PowerShell Remoting

   o Enable-PSRemoting -f

   Settings for a client

   o Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]

   or

   o Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]

   Settings for the server

   o Enable-WSManCredSSP -Role Server

   o Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000

   o Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20
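The BPA installer (section 3.1) and the CredSSP steps above change the machine's remote-management settings, so it is useful to record them before installation and again after uninstall. The following read-only audit is an added example, not part of the whitepaper or of BPA; the function names are hypothetical, and it assumes an elevated PowerShell 2.0 or later session.

```powershell
# Added example (not from the whitepaper): read-only audit of the WinRM and
# PowerShell settings that the BPA installer and the CredSSP setup modify.
# Function names are hypothetical. Nothing is changed on the machine.

function Get-WSManValue {
    param([string]$Path)
    # The WSMan: drive throws when the WinRM service is stopped; report $null instead.
    try { (Get-Item -Path $Path -ErrorAction Stop).Value } catch { $null }
}

function New-AuditRow {
    param([string]$Setting, $Value, [string]$Note)
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Note = $Note } |
        Select-Object Setting, Value, Note
}

function Get-BpaRemotingAudit {
    # 1. WinRM service: Enable-PSRemoting starts it and sets the startup type to Automatic.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'"
    New-AuditRow 'WinRM service state' $svc.State 'Started by Enable-PSRemoting'
    New-AuditRow 'WinRM startup type' $svc.StartMode 'Set to Automatic by Enable-PSRemoting'

    # 2. Execution policy per scope; the whitepaper sets RemoteSigned for command-line scans.
    foreach ($p in Get-ExecutionPolicy -List) {
        New-AuditRow ("ExecutionPolicy ({0})" -f $p.Scope) $p.ExecutionPolicy 'Default is Restricted'
    }

    # 3. Listeners: an Address of * accepts requests on any IP address.
    $listeners = @()
    try { $listeners = @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction Stop) } catch { }
    foreach ($l in $listeners) {
        $props = @{}
        Get-ChildItem ("WSMan:\localhost\Listener\" + $l.Name) |
            ForEach-Object { $props[$_.Name] = $_.Value }
        $note = if ($props['Address'] -eq '*') { 'Listens on any IP address' } else { '' }
        $value = "{0}:{1} on {2}" -f $props['Transport'], $props['Port'], $props['Address']
        New-AuditRow ("Listener {0}" -f $l.Name) $value $note
    }

    # 4. Remote shell quotas (values quoted in the notes are the ones this whitepaper gives).
    New-AuditRow 'MaxShellsPerUser' (Get-WSManValue 'WSMan:\localhost\Shell\MaxShellsPerUser') `
        'Default 5; BPA installer sets 10; CredSSP setup sets 20'
    New-AuditRow 'MaxMemoryPerShellMB' (Get-WSManValue 'WSMan:\localhost\Shell\MaxMemoryPerShellMB') `
        'Default 150; CredSSP setup sets 20000'

    # 5. CredSSP roles and TrustedHosts.
    New-AuditRow 'CredSSP (service)' (Get-WSManValue 'WSMan:\localhost\Service\Auth\CredSSP') `
        'true after Enable-WSManCredSSP -Role Server'
    New-AuditRow 'CredSSP (client)' (Get-WSManValue 'WSMan:\localhost\Client\Auth\CredSSP') `
        'true after Enable-WSManCredSSP -Role Client'
    New-AuditRow 'TrustedHosts' (Get-WSManValue 'WSMan:\localhost\Client\TrustedHosts') `
        'Computers listed here might not be authenticated'

    # 6. "Allow Delegating Fresh Credentials" policy: servers that may receive the user's credentials.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (Test-Path $key) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            New-AuditRow 'AllowFreshCredentials' $item.GetValue($name) 'Delegation target'
        }
    }
}

# Show the current state; pipe to Export-Csv to keep a before/after record.
Get-BpaRemotingAudit | Format-Table -AutoSize -Wrap
```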

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

The result looks like this:

ModelId    : SQL2008R2BPA
SubModelId :
Success    : True
ScanTime   :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services

The parameter list is the same as the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = Get-MbcaModel -ModelId sql2008r2bpa
$scanResult = Get-MbcaResult -ModelId sql2008r2bpa
$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration
$model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where-Object { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<p>Generated by user $env:username on computer $env:computername</p>" -Post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>
$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration
$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening an archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
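To measure progress between two archived exports, the loaded result sets can be compared finding by finding. The following is an added example, not part of the whitepaper or of MBCA: the function names are hypothetical, the sample findings are constructed so the script runs without MBCA installed, and it assumes each finding carries the SubModelID, Title and Severity properties used in section 4.4.2.

```powershell
# Added example (not from the whitepaper): compare two archived BPA exports.
# Each file is assumed to be written as shown above:
#   $results, $collectedconfig | Export-CliXml <file>

function Get-FindingIndex {
    param([string]$Path)
    # First object in the file is the result set, second is the collected configuration.
    $results, $config = Import-CliXml -Path $Path
    $index = @{}
    foreach ($r in @($results)) {
        # Only Warning and Error findings count as open.
        if ($r.Severity -eq 'Warning' -or $r.Severity -eq 'Error') {
            # Findings with the same submodel and title share one key; the last one wins.
            $index["{0}|{1}" -f $r.SubModelID, $r.Title] = $r
        }
    }
    return $index
}

function New-DiffRow {
    param($Status, $Finding, $OldSeverity, $NewSeverity)
    New-Object PSObject -Property @{
        Status      = $Status
        SubModelID  = $Finding.SubModelID
        Title       = $Finding.Title
        OldSeverity = $OldSeverity
        NewSeverity = $NewSeverity
    } | Select-Object Status, SubModelID, Title, OldSeverity, NewSeverity
}

function Compare-BpaExport {
    param([string]$OldPath, [string]$NewPath)
    $old = Get-FindingIndex $OldPath
    $new = Get-FindingIndex $NewPath

    foreach ($key in $new.Keys) {
        if (-not $old.ContainsKey($key)) {
            New-DiffRow 'New' $new[$key] $null $new[$key].Severity
        } elseif ($old[$key].Severity -ne $new[$key].Severity) {
            New-DiffRow 'SeverityChanged' $new[$key] $old[$key].Severity $new[$key].Severity
        } else {
            New-DiffRow 'StillOpen' $new[$key] $old[$key].Severity $new[$key].Severity
        }
    }
    foreach ($key in $old.Keys) {
        if (-not $new.ContainsKey($key)) {
            New-DiffRow 'Resolved' $old[$key] $old[$key].Severity $null
        }
    }
}

# --- Constructed sample data (not real BPA output) ---
function New-SampleFinding {
    param($SubModelID, $Title, $Severity)
    New-Object PSObject -Property @{ SubModelID = $SubModelID; Title = $Title; Severity = $Severity }
}

$oldFile = Join-Path $env:TEMP 'bpa_old_sample.xml'
$newFile = Join-Path $env:TEMP 'bpa_new_sample.xml'
$config  = New-Object PSObject -Property @{ Note = 'constructed placeholder for collected configuration' }

$oldScan = @(
    (New-SampleFinding 'Engine' 'Constructed finding A' 'Error'),
    (New-SampleFinding 'Engine' 'Constructed finding B' 'Warning'),
    (New-SampleFinding 'Setup'  'Constructed finding C' 'Warning')
)
$newScan = @(
    (New-SampleFinding 'Engine' 'Constructed finding A' 'Warning'),   # severity changed
    (New-SampleFinding 'Setup'  'Constructed finding C' 'Warning'),   # still open
    (New-SampleFinding 'AnalysisServices' 'Constructed finding D' 'Error')  # new
)
$oldScan, $config | Export-CliXml -Path $oldFile
$newScan, $config | Export-CliXml -Path $newFile

Compare-BpaExport -OldPath $oldFile -NewPath $newFile |
    Sort-Object Status, SubModelID | Format-Table -AutoSize
```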

4.4.4 Report Result Directory

The reporting result path

%AppData%\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check.

# HH (24-hour clock) keeps the archive folder names in chronological sort order
Copy-Item -Path ($Env:LocalAppData + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -Destination ($Env:LocalAppData + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddHHmmss")).ToString() -Recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppData + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object Name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppData + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.Name).ToString() | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<p>Generated by user $env:username on computer $env:computername</p>" -Post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %ProgramData%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

- Pre-requisite validation
- Timestamp: finished rules, start and end times
- Run-time scripting errors and exceptions from PowerShell Traps

Log Files Location

For every scan, log files are created in the user's Local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file gets generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt
Engine Rules - EngineLog.txt
Replication Rules - ReplicationLog.txt
Setup Rules - SetupLog.txt
Analysis Services Rules - AnalysisServicesLog.txt
Reporting Services Rules - ReportingServicesLog.txt
Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804: the NumberOfLogicalProcessors property is unavailable in Win32_Processor on Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix:

http://support.microsoft.com/kb/932370

Both of these rules will function properly if you apply this hotfix. For more information, look here.

5.3 MBCA

This message indicates that a prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in the result set of the analyzer report

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached there can be a WinRM exception that causes the remote connection to terminate immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should check first whether the Hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started:

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is "Access Denied".

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.
2. Change to the directory where the .msi file resides.
3. Type msiexec /i <MSI Name> SKIPCA=1
4. MSI Name will be either SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.
5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.
6. Execute the following commands:
   a. Enable-PSRemoting
   b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

573 Kerberos Failure

This scenario is that you are failing with the above due to a Kerberos issue This particular issue could

actually show up after you have installed BPA depending on how you have configured your

environment

The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service

account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a

result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is

running under that context You may have an HTTP SPN that resides on a different account with that

host name For example if you are running an IIS Web Application such as SharePoint or if you are

using Reporting Services and the service account is set to a Domain User account instead of Network

Service or Local System If your URL of your application matches the machine name then your HTTP

SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and

give you a message similar to the following

Set-WSManQuickConfig WinRM cannot process the request The following error

occured while using Negotiate authentication An unknown security error

occurred

Possible causes are

-The user name or password specified are invalid

-Kerberos is used when no authentication method and no user name are

specified

-Kerberos accepts domain user names but not local user names

-The Service Principal Name (SPN) for the remote computer name and port

does not exist

-The client and remote computers are in different domains and there is no

trust between the two domains

After checking for the above issues try the following

-Check the Event Viewer for events related to authentication

-Change the authentication method add the destination computer to the

WinRM TrustedHosts configuration setting or use HTTPS transport

Note that computers in the TrustedHosts list might not be authenticated

-For more information about WinRM configuration run the following

Page 32

command winrm help config

At line50 char33

+ Set-WSManQuickConfig ltltltlt -force

+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]

InvalidOperationException

+ FullyQualifiedErrorId

WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand

You can get this type of error from WinRM for muliple reasons The one that

we saw in our testing was the HTTP SPN scenario

If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a Host Header; then your HTTP SPN would not include the machine name, allowing BPA to run without issue.
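The HTTP SPN scenario described above can be confirmed before any SPN is removed. The following PowerShell is an added example, not part of the whitepaper: the helper name Get-HttpSpnOwner and its output fields are hypothetical, and it assumes a domain-joined machine with read access to the current Active Directory domain.

```powershell
# Added example, not from the whitepaper. Reports which Active Directory
# account owns the explicit HTTP SPN for this machine's host names, so an
# HTTP SPN held by a domain user account can be spotted before running
# Enable-PSRemoting or a BPA scan.
# Assumptions: domain-joined computer, read access to the current domain,
# PowerShell 2.0 or later. Get-HttpSpnOwner is a hypothetical helper name.

function Get-HttpSpnOwner {
    param(
        # Host names to test; defaults to the NetBIOS name and the FQDN.
        [string[]]$HostName = @(
            $env:COMPUTERNAME,
            [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
        )
    )

    # sAMAccountName of the local machine account (computer name plus '$').
    $machineAccount = $env:COMPUTERNAME + '$'

    foreach ($name in ($HostName | Sort-Object -Unique)) {
        $spn = "HTTP/$name"

        # Search the current domain for any object carrying this exact SPN.
        $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
        [void]$searcher.PropertiesToLoad.Add('samaccountname')
        [void]$searcher.PropertiesToLoad.Add('distinguishedname')
        $found = $searcher.FindAll()

        try {
            if ($found.Count -eq 0) {
                # No explicit HTTP SPN for this name: nothing competes with
                # the HOST SPN on the machine account.
                New-Object PSObject -Property @{
                    Spn               = $spn
                    Owner             = '(not registered)'
                    DistinguishedName = $null
                    Conflict          = $false
                } | Select-Object Spn, Owner, Conflict, DistinguishedName
            }

            foreach ($entry in $found) {
                $owner = [string]$entry.Properties['samaccountname'][0]
                $dn    = [string]$entry.Properties['distinguishedname'][0]

                # The scenario in the text: the HTTP SPN for the machine
                # name sits on an account other than the machine account.
                New-Object PSObject -Property @{
                    Spn               = $spn
                    Owner             = $owner
                    DistinguishedName = $dn
                    Conflict          = ($owner -ne $machineAccount)
                } | Select-Object Spn, Owner, Conflict, DistinguishedName
            }
        }
        finally {
            # Release the directory handles held by the search.
            $found.Dispose()
            $searcher.Dispose()
        }
    }
}

# Show one row per SPN and owner; Conflict = True marks the HTTP SPN case.
Get-HttpSpnOwner | Format-Table Spn, Owner, Conflict -AutoSize
```

A row with Conflict set to True names the domain account whose HTTP SPN would have to be removed temporarily, or moved behind a Host Header, as the options above describe.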


6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals:

Here is an example of one of these articles that talks about a rule to check for a recent "clean" CHECKDB:

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level | Description
Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule.
Compliant | Compliant results are returned when a role satisfies the conditions of a rule.
Warning | Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name | Description
Security | Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.
Performance | Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.
Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.
Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.
Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.
Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.
Postdeployment | Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.
BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient, and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC/BDC (http://support.microsoft.com/kb/2032911)
SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)
Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)
Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)
Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)
Databases using simple recovery model (http://support.microsoft.com/kb/2137539)
User database collation different from model (http://support.microsoft.com/kb/2026108)
Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)
Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)
LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)
SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)
SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)
Invalid startup parameters (http://support.microsoft.com/kb/2028433)
MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)
sql incorrect results fix missing (http://support.microsoft.com/kb/971780)
File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)
linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)
Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)
default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)
TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)
FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)
Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)
A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)
Significant Portion of SQL Server Memory Has Been Paged Out (http://support.microsoft.com/kb/2028324)
Server Exception or Hang Detected on Server (http://support.microsoft.com/kb/2028589)
Databases exist without CHECKSUM protection (http://support.microsoft.com/kb/2078345)
backups outdated for databases (http://support.microsoft.com/kb/2027537)
Database consistency check not current (http://support.microsoft.com/kb/2033590)
SQL Server Memory settings are incorrect (http://support.microsoft.com/KB/918483/EN-US)
Autogrow Failed or took a long time (http://support.microsoft.com/kb/2091024)
Storport driver fix from KBA 940467 missing (http://support.microsoft.com/kb/2121098)
Storport driver fix from KBA 950903 missing (http://support.microsoft.com/kb/2121098)
SQLCLR needs additional memory configuration (http://support.microsoft.com/kb/969962/EN-US)
Operating System files and drivers needs update for working set trimming (http://support.microsoft.com/kb/2121098)
Agent Token Replacement (http://support.microsoft.com/kb/2202637)
Auditing Log in failures (http://support.microsoft.com/kb/2187161)
Databases with high number of VLF present (http://support.microsoft.com/kb/2028436)
Transparent Data Encryption Certificate (http://support.microsoft.com/kb/2201900)
Permission on the Binn folder (http://support.microsoft.com/kb/2029023)
Index Statistics Are Outdated
Server public permissions (http://support.microsoft.com/kb/2160698)
Detected use of older versions of SQLNCLI (http://support.microsoft.com/kb/979779)

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services (http://support.microsoft.com/kb/2128005)
Excessive amount of memory preallocated to Analysis Services (http://support.microsoft.com/kb/2027474)
Server not configured for optimal concurrent query throughput (http://support.microsoft.com/kb/2135031)
Non standard value detected for Analysis Services memory configuration (http://support.microsoft.com/kb/2027472)
Process Thread Pool Max limit above recommended limit (http://support.microsoft.com/kb/2134497)
Process Thread Pool Minimum is below the recommended limit (http://support.microsoft.com/kb/2134855)
Server is running a build with a known regression (http://support.microsoft.com/kb/2157941)
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur (http://support.microsoft.com/kb/2027754)
Server is ignoring duplicate key errors (http://support.microsoft.com/kb/2027761)
No default member defined for non-aggregatable attribute (http://support.microsoft.com/kb/2027769)
UnknownMember set to hidden (http://support.microsoft.com/kb/2027628)
Non-numeric key column for high cardinality attribute (http://support.microsoft.com/kb/2028138)
Attribute hierarchy enabled for high cardinality non-key attribute (http://support.microsoft.com/kb/2028143)
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected (http://support.microsoft.com/kb/2132742)
Account or Time attribute types defined in a non-matching dimension type (http://support.microsoft.com/kb/2157299)
An Account or Time dimension has no matching attribute defined (http://support.microsoft.com/kb/2027418)
Dimension has no attribute defined with the same type (http://support.microsoft.com/kb/2027443)
Attribute Dimension type mismatch (http://support.microsoft.com/kb/2157327)
Mismatched dimension attribute types detected in dimension (http://support.microsoft.com/kb/2027459)
Possible incorrect order of levels defined in hierarchy (http://support.microsoft.com/kb/2027460)
Define attribute relationships as Rigid where possible (http://support.microsoft.com/kb/2027468)
Redundant attribute relationships detected (http://support.microsoft.com/kb/2127437)
Diamond-shape relationship detected (http://support.microsoft.com/kb/2127570)
Non-Standard Attribute Relationship name detected (http://support.microsoft.com/kb/2127862)
Proactive Caching set for dimension without a processing query (http://support.microsoft.com/kb/2027541)
No Time dimension detected (http://support.microsoft.com/kb/2027532)
More than 3 parent-child dimensions with custom rollups defined (http://support.microsoft.com/kb/2134431)
Encountered a parent-child dimension with more than 500000 members (http://support.microsoft.com/kb/2131918)
Single attribute dimensions detected (http://support.microsoft.com/kb/2141654)
Measure groups with zero dimensional overlap detected in cube (http://support.microsoft.com/kb/2027609)
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective (http://support.microsoft.com/kb/2027603)
Use MOLAP storage for dimensions that participate in semi-additive measure groups (http://support.microsoft.com/kb/2135112)
Measure group defined with no partition (http://support.microsoft.com/kb/2027545)

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration (http://support.microsoft.com/kb/2145506)
HTTP Logging is not enabled (http://support.microsoft.com/kb/2145909)
Verbose logging is enabled (http://support.microsoft.com/kb/2146315)
NTLM authentication may fail for local (http://support.microsoft.com/kb/2146369)
Missing extended protection settings (http://support.microsoft.com/kb/2146062)

6.4 IS Rules

Logging task missing for package (http://support.microsoft.com/kb/2027723)
ActiveX Script task detected in package (http://support.microsoft.com/kb/2027712)
Unrecommended Integration Services service account detected (http://support.microsoft.com/kb/2027684)
Integration Services logging table found in system database master and/or msdb (http://support.microsoft.com/kb/2027706)
Integration Services memory dump detected (http://support.microsoft.com/kb/2027727)

6.5 Setup Rules

Unsupported Operating System Version Detected (http://support.microsoft.com/kb/2022909)
WOW64 not supported for SQL Failover Clustering (http://support.microsoft.com/kb/2157198)
Installer cache is missing for the SQL Installation (http://support.microsoft.com/kb/2015100)
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type (http://support.microsoft.com/kb/2118349)
Replication Pub and Sub out of sync (Data Validation) (http://support.microsoft.com/kb/2118386)
Replication Pub and Sub out of sync (Constraint Violations) (http://support.microsoft.com/kb/2118410)
Replication Pub and Sub out of sync (Skipped Transactions) (http://support.microsoft.com/kb/2194498)
Merge Replication Health Check (http://support.microsoft.com/kb/2118445)
Subscriptions Approaching Expiration (http://go.microsoft.com/fwlink/?LinkId=184483)
Replication Cleanup and Retention Health Check (http://support.microsoft.com/kb/2118485)
Replication Latency Threshold violations (http://support.microsoft.com/kb/2118425)

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You get help for any of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest.
2. Dynamic parameters that are included with the model.
3. Submodels that are included with the model.

PARAMETERS

-ModelId <string[]>
    The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters, and targeted at a computer on which MBCA models are installed.

    This parameter supports wild card characters.

    Required? false
    Position? 2
    Default value
    Accept pipeline input? true (By Value, By Property Name)
    Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>
    The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters, and targeted at a computer on which MBCA models are installed. Not all models have submodels.

    The -ModelId parameter is required with the -SubModelId parameter.

    Required? false
    Position? 3
    Default value
    Accept pipeline input? false
    Accept wildcard characters? false

<CommonParameters>
    This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>
    Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

    For more information about the -Authentication parameter, type the following, and then press Enter:
    Get-Help Invoke-Command -Parameter Authentication

    Required? false
    Position? named
    Default value Default
    Accept pipeline input? false
    Accept wildcard characters? false

-CertificateThumbprint <string>
    Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

    For more information about this parameter, type the following, and then press Enter:
    Get-Help Invoke-Command -Parameter CertificateThumbprint

    Required? false
    Position? named
    Default value
    Accept pipeline input? false
    Accept wildcard characters? false

-ComputerName <string[]>
    The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

    All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

    Required? false
    Position? named
    Default value
    Accept pipeline input? false
    Accept wildcard characters? false

-ConfigurationName <string>
    Specifies the session configuration that is used for a new PSSession.

    Enter a configuration name or the fully-qualified resource URI for a session configuration. Session configuration data is found on the remote computer on which you want to run a cmdlet.

    For more information about this parameter, type the following, and then press Enter:
    Get-Help Invoke-Command -Parameter ConfigurationName

    Required? false
    Position? named
    Default value
    Accept pipeline input? false
    Accept wildcard characters? false

-Context <string>
    The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

    The -SubModelId parameter is required by the -Context parameter.

    A model ID is the valid value of the -Context parameter.

    Required? false
    Position? named
    Default value
    Accept pipeline input? false
    Accept wildcard characters? false

-Credential <string>
    Specifies a user account that has permission to run this cmdlet. The default value is the current user.

    For more information about this parameter, type the following, and then press Enter:
    Get-Help Invoke-Command -Parameter Credential

    Required? false
    Position? named
    Default value
    Accept pipeline input? false
    Accept wildcard characters? false

-Mode <ModeEnum>
    The -Mode parameter lets you run a scan that is exclusively either analysis of existing, discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

    If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

    Valid values are Discovery, Analysis, and All.

    Required? false
    Position? named
    Default value All
    Accept pipeline input? false
    Accept wildcard characters? false

-ModelId <string>
    The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

    Required? true
    Position? 2
    Default value
    Accept pipeline input? true (By Value, By Property Name)
    Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>
    Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

    For more information on this parameter, type the following, and then press Enter:
    Get-Help Invoke-Command -Parameter Port

    Required? false
    Position? named
    Default value 80
    Accept pipeline input? false
    Accept wildcard characters? false

-RepositoryPath <string>
    The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

    Required? false
    Position? named
    Default value
    Accept pipeline input? false
    Accept wildcard characters? false

-SubModelId <string>
    The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

    The -ModelId parameter is required with the -SubModelId parameter.

    Required? true
    Position? named
    Default value
    Accept pipeline input? false
    Accept wildcard characters? false

-ThrottleLimit <int>
    Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

    For more information about this parameter, type the following, and then press Enter:
    Get-Help Invoke-Command -Parameter ThrottleLimit

    Required? false
    Position? named
    Default value 32
    Accept pipeline input? false
    Accept wildcard characters? false

-UseSSL [<SwitchParameter>]
    Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

    For more information about this parameter, type the following, and then press Enter:
    Get-Help Invoke-Command -Parameter UseSSL

    Required? false
    Position? named
    Default value
    Accept pipeline input? false
    Accept wildcard characters? false

<CommonParameters>
    This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results
2. Attempting to get MBCA results for Model Id = {0}
3. Completed getting MBCA results for Model Id = {0}. Number of Results = {1}

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data
2. Attempting to get MBCA collected configuration data for Model Id = {0}
3. Completed getting MBCA collected configuration data for Model Id = {0}

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled, and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
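Because excluded results no longer appear in the scan output, it helps to record what was hidden, by whom and when. The following is an added example, not part of the whitepaper or the MBCA Help; it assumes the MBCA cmdlets are already loaded in an elevated session, and the function name, the -LedgerPath and -Apply parameters and the ledger file name are invented for the example.

```powershell
# Added example: keep a reviewable record of results hidden with Set-MBCAResult.
# Assumptions: MBCA cmdlets are loaded; Hide-MbcaCategory, -LedgerPath and
# -Apply are hypothetical names, not part of MBCA.
function Hide-MbcaCategory {
    param(
        [Parameter(Mandatory = $true)][string]$Category,
        [string]$ModelId = 'SQL2008R2BPA',
        [string]$LedgerPath = (Join-Path $env:TEMP 'mbca-exclusions.csv'),
        [switch]$Apply      # without -Apply the function only previews
    )

    # Same selection as EXAMPLE 1, narrowed to findings that are Noncompliant.
    $hits = @(Get-MBCAResult -ModelId $ModelId -Filter Noncompliant |
              Where-Object { $_.Category -eq $Category })
    if ($hits.Count -eq 0) {
        Write-Warning "No noncompliant '$Category' results for $ModelId; nothing to exclude."
        return
    }

    # Stamp every row with who hid it and when, keeping all result properties.
    $stamp = (Get-Date).ToString('s')
    $who   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rows  = $hits | Select-Object *,
                 @{ Name = 'ExcludedAt'; Expression = { $stamp } },
                 @{ Name = 'ExcludedBy'; Expression = { $who } }

    if ($Apply) {
        # Export-Csv has no -Append in PowerShell 2.0, so append the CSV text by hand.
        $csv = @($rows | ConvertTo-Csv -NoTypeInformation)
        if (Test-Path $LedgerPath) { $csv = @($csv | Select-Object -Skip 1) }  # header exists
        Add-Content -Path $LedgerPath -Value $csv      # write the record first
        $hits | Set-MBCAResult -Exclude $true          # then hide the results
    }
    $rows   # returned so the caller can review exactly what is (or would be) hidden
}

# Preview first, then apply:
#   Hide-MbcaCategory -Category Performance
#   Hide-MbcaCategory -Category Performance -Apply
```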

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


discovery. The discovery activity interrogates the SQL Server, Registry, WMI, Error- and Event-Logs, etc. The output is saved in an XML file, which is then used in the evaluation activity. Evaluation is performed using the Schematron file. This file, run by the MBCA engine, contains the logic for evaluating the best practices. The final step following the evaluation process is the report generation, which is shown in the MBCA UI.

In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer.

1.2 Microsoft Best Practice Analyzer Universe

Microsoft offers many technologies and utilities to produce best practices recommendations.

1.2.1 SQL Server BPA (older versions)

Microsoft has also created BP Analyzers for your older SQL Server versions and for Windows:

SQL Server 2005 Best Practices Analyzer (August 2008)

SQL Server 2000 Best Practices Analyzer (April 2010)

1.2.2 Windows Server 2008 R2 Best Practice Analyzer

In Windows management, best practices are guidelines that are considered the ideal way, under typical circumstances, to configure a server as defined by experts. For example, it is considered a best practice for most server technologies to keep open only those ports required for the technologies to communicate with other networked computers, and block unused ports. Although best practice violations, even crucial ones, are not necessarily problematic, they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.

Best Practices Analyzer (BPA) is a server management tool that is available in Windows Server® 2008 R2. BPA can help administrators reduce best practice violations by scanning one or more roles that are installed on Windows Server 2008 R2, and reporting best practice violations to the administrator. Administrators can filter or exclude results from BPA reports that they do not have to see. Administrators can also perform BPA tasks by using either the Server Manager GUI or Windows PowerShell cmdlets.

BPA can also be used on remote servers that are running Windows Server 2008 R2, by using Server Manager targeted at a remote server. For more information about how to run Server Manager targeted at a remote server, see Remote Management with Server Manager.

The following BPA modules are currently available:

Best Practices Analyzer for Active Directory Certificate Services

Best Practices Analyzer for Active Directory Domain Services

Best Practices Analyzer for Active Directory Rights Management Services

Best Practices Analyzer for Application Server

Best Practices Analyzer for Domain Name System

Best Practices Analyzer for Dynamic Host Configuration Protocol

Best Practices Analyzer for File Services

Best Practices Analyzer for Hyper-V

Best Practices Analyzer for Internet Information Services

Best Practices Analyzer for Network Policy and Access Services

Best Practices Analyzer for Remote Desktop Services

Best Practices Analyzer for Windows Server Update Services

For more information about Windows BPA, look here.

1.2.3 Fix-it

Currently there exists no link between the SQL Server Best Practice Analyzer and the Fixit webpage: http://support.microsoft.com/fixit

Microsoft is working on a solution to combine fixit with specific Best Practice Analyzer: http://fixitcenter.support.microsoft.com/Portal

1.2.4 Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7

Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting programs that can automatically fix some common problems with your computer, such as problems with networking, hardware and devices, using the web, and program compatibility.

Go to the Windows website to watch a video about using troubleshooters to fix common problems. (3:30)

When you run a troubleshooter, it might ask you some questions or reset common settings as it works to fix the problem. If the troubleshooter fixed the problem, you can close the troubleshooter. If it couldn't fix the problem, you can view several options that will take you online to try and find an answer. In either case, you can always view a complete list of changes made.

Notes

If you click the Advanced link on a troubleshooter and then clear the "Apply repairs automatically" check box, the troubleshooter displays a list of fixes to choose from, if any problems are found.

Windows includes several troubleshooters, and more are available online when you select the "Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service" check box at the bottom of Troubleshooting.

http://support.microsoft.com/gp/system_maintenance_for_windows

2 SYSTEM REQUIREMENTS

SQL Server 2008 R2 Best Practices Advisor is supported on the following operating systems:

1. Windows Vista
2. Windows 7
3. Windows Server 2003
4. Windows Server 2003 R2
5. Windows Server 2008
6. Windows Server 2008 R2

Supported editions of SQL Server:

1. SQL Server 2008, all editions except Express
2. SQL Server 2008 R2, all editions except Express

Supported components of SQL Server:

1. Analysis Services
2. Database Engine
3. Integration Services
4. Reporting Services
5. Replication
6. Setup

These components are designed as submodels for the BPA. This means that they will be run concurrently where possible.

2.1 Required Permissions for Running SQL Server 2008 R2 BPA

Administration Privileges

To run MBCA v2.0, a user must be a member of the administrators group on the machine being scanned and on the machine the scan is initiated from. If a user is not an administrator on the machine that is being scanned, an appropriate error message displays.

SQL Server

To successfully access all of the database properties and SQL Server configurations, a user must be the Systems Administrator (sysadmin) on the instance of SQL Server.

Analysis Services

The user or the administrators group must be a member of the server administrator role within an instance of Microsoft SQL Server Analysis Services, which gives unrestricted access to all Analysis Services objects and data in that instance.

http://msdn.microsoft.com/en-us/library/ms174561.aspx

Integration Services

The user or the administrators group must be a member of the sysadmin or db_ssisadmin roles.

http://msdn.microsoft.com/en-us/library/ms141053.aspx

Reporting Services

The user or the administrators group must be a member of the System Administrator and Content Manager role.

2.2 Prerequisites

The following are required for using SQL Server 2008 R2 Best Practices Analyzer:

1. PowerShell V2.0
   Windows PowerShell 2.0 requires the Microsoft .NET Framework 2.0 with Service Pack 1.
2. Microsoft Baseline Configuration Analyzer V2.0
3. SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2

The following table outlines the prerequisite Microsoft utilities and components, by operating system, that must be on your server prior to installing and running SQL Server 2008 R2 BPA.

Steps 4 to 6 are grouped under "Configure PowerShell (1)".

OS                     | 1. Install WinRM | 2. Install PowerShell 2.0 | 3. Install MBCA 2.0 | 4. Remoting | 5. Execution Level | 6. MaxShellsPerUser | 7. Install SQL 2008 or SQL 2008 R2 Management Tools
Win Vista              | Y | Y | Y | Y | Y | Y | Y
Windows 7              | N | N | Y | Y | Y | Y | Y
Windows Server 2003    | Y | Y | Y | Y | Y | Y | Y
Windows Server 2003 R2 | Y | Y | Y | Y | Y | Y | Y
Windows Server 2008    | Y | Y | Y | Y | Y | Y | Y
Windows Server 2008 R2 | N | N | Y | Y | Y | Y | Y

(1) These changes will be done from the installation routine of the BPA.

3 INSTALL

We recommend installing BPA on a workstation or administration server and performing the scan operation remotely against servers in your SQL Server infrastructure. It is also possible to install this tool locally on the production SQL Server.

Installation process:

1. Install/Configure PowerShell and WinRM
2. Microsoft Baseline Configuration Analyzer V2.0
3. Microsoft® SQL Server® 2008 R2 Best Practices Analyzer

There are two ways to install the Best Practices Analyzer:

With a graphical user interface (setup wizard), or

Command line

3.1 Installing PowerShell 2.0 and WinRM

BPA install configures WinRM and PowerShell options by default. Most of this section is only needed if something goes wrong and you need to configure these settings by hand.

Windows Server 2003 R2

WinRM is not installed by default, but it is available as the Hardware Management feature through the Add/Remove System Components feature in the Control Panel under Management and Monitoring Tools. Complete installation and information about configuring WinRM using the WINRM command-line tool is available online in the Hardware Management Introduction, which describes the WinRM and the IPMI features in Windows Server 2003 R2.

On Windows Vista, Windows Server 2003 and Windows Server 2008

This is installed as part of Windows Management Framework Core. The WinRM service starts automatically on Windows Server 2008. On Windows Vista, the service must be started manually.

On Windows Server 2008 R2 and Windows 7

This is installed as part of the OS.

Note: Check for additional information and configuration guidelines for WinRM and for PowerShell 2.0.

SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers. Therefore, in both the local and remote cases, it is required that your PowerShell settings be modified. These changes are made by the BPA installation.

PowerShell Execution Policy

The PowerShell Execution Policy is set to Restricted by default. To run SQL Server 2008 R2 BPA through the PowerShell command line, set the policy to RemoteSigned using the command below:

Set-ExecutionPolicy RemoteSigned -f

You can use the command Set-ExecutionPolicy Restricted -f to set the execution policy back to Restricted. This command is not required when executing the scan through the MBCA GUI.

After the installation, you must enable PowerShell remote scripting if you want to use the BPA remotely against another workgroup machine or a computer that has Kerberos enabled. You need to run this command only once on each computer that will receive commands. You do not need to run it on computers that only send commands. Because the configuration activates listeners, it is prudent to run it only where it is needed. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Enable-PSRemoting -force

Enable-PSRemoting performs configuration actions to enable this machine for remote management. This includes:

1. Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:
   o Starts the WinRM service.
   o Sets the startup type on the WinRM service to Automatic.
   o Creates a listener to accept requests on any IP address.
   o Enables a firewall exception for WS-Management communications.
   o Enables all registered Windows PowerShell session configurations to receive instructions from a remote computer.
   o Registers the Microsoft.PowerShell session configuration, if it is not already registered.
   o Registers the Microsoft.PowerShell32 session configuration on 64-bit computers, if it is not already registered.
   o Removes the Deny Everyone setting from the security descriptor for all the registered session configurations.
   o Restarts the WinRM service to make the preceding changes effective.

2. Configures MaxShellsPerUser using:

   winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

   Specifies the maximum number of concurrent shells that any user can remotely open on the same computer. If this policy setting is enabled, the user will not be able to open new remote shells if the count exceeds the specified limit. If this policy setting is disabled or is not configured, the limit will be set to 5 remote shells per user by default, and you receive the following error message:

[localhost] Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme…RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed

For more information about PowerShell remoting, please see MSDN.

3.2 Install MBCA

Download the edition of MBCA depending on your platform (x86 or x64) before installation.

Please find below the screenshots demonstrating the visual flow of the MBCA installation:

Welcome screen

License terms

Folder selection

Completion screen

3.3 Install BPA

Download the correct edition depending on your platform (x86 or x64) before installing. If you have trouble with the installation, please see section 5.7 Troubleshooting Installation.

3.3.1 Command line

Following is an optimized command line setup example:

msiexec /i SQL2008R2BPA_Setup64.msi /l* c:\temp\sqlbpa_install.log /qn

msiexec parameters:

/i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform)

/l = log granularity; "*" - Log all information except for v and x options

log = log file

/q = display settings (/qn - no user interface)

SKIPCA=1 (if no domain controller is available: Skip Certification Authority)

For information on additional public properties, consult the Windows® Installer SDK for documentation on the command line syntax.

3.3.2 GUI

Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA installation:

Welcome screen

License terms

System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM)

Ready to install decision

Install progress

Completion screen

3.3.3 Port and Firewall restrictions

For scanning SQL Server or BI instances on an alternate server behind a firewall, you must open all necessary ports.

3.4 Updates

Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the download site from Microsoft regularly to find new updates.

3.5 Uninstall

3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings

After the uninstall of the BPA, you may disable PowerShell remote scripting. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Disable-PSRemoting -force

Disable-PSRemoting performs configuration actions to enable this machine for remote management.
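To check what the settings from sections 3.1 and 3.5.3 actually look like on a given machine (after BPA setup, or after resetting them), the script below reports the execution policy, WinRM service, listeners, MaxShellsPerUser and session-configuration permissions, and flags the ones that do not fit the host's role. It is an added example, not part of the whitepaper or the BPA setup; the -ReceivesCommands and -ExpectedMaxShells parameters, the function names and the flagging rules are assumptions of the example.

```powershell
# Added example, not from the whitepaper. Run in an elevated session.
param(
    # Assumption of this example: the operator states whether this host is
    # meant to receive remote commands (scan target) or only to send them.
    [switch]$ReceivesCommands,
    [int]$ExpectedMaxShells = 10   # value set by the winrm command in section 3.1
)

function Get-RemotingState {
    $svc = Get-Service -Name WinRM
    $state = @{
        WinRMStatus      = $svc.Status.ToString()
        PolicyByScope    = @(Get-ExecutionPolicy -List)
        EffectivePolicy  = (Get-ExecutionPolicy).ToString()
        Listeners        = @()
        MaxShellsPerUser = $null
        SessionConfigs   = @()
    }
    if ($svc.Status -eq 'Running') {
        # The WSMan: drive can only be read while the WinRM service runs.
        $state.Listeners = @(Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
            $p = @{}
            Get-ChildItem $_.PSPath | ForEach-Object { $p[$_.Name] = $_.Value }
            New-Object PSObject -Property @{
                Address = $p['Address']; Transport = $p['Transport']
                Port    = $p['Port'];    Enabled   = $p['Enabled']
            }
        })
        $state.MaxShellsPerUser = [int](Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
        $state.SessionConfigs   = @(Get-PSSessionConfiguration | Select-Object Name, Permission)
    }
    New-Object PSObject -Property $state
}

function Test-RemotingState {
    param($State, [bool]$ReceivesCommands, [int]$ExpectedMaxShells)
    $findings = @()
    if (@('Unrestricted', 'Bypass') -contains $State.EffectivePolicy) {
        $findings += "Execution policy is $($State.EffectivePolicy); the BPA command line needs only RemoteSigned."
    }
    foreach ($l in $State.Listeners) {
        if (-not $ReceivesCommands) {
            $findings += "Listener $($l.Transport):$($l.Port) exists on a host that only sends commands."
        } elseif ($l.Address -eq '*') {
            $findings += "Listener $($l.Transport):$($l.Port) accepts requests on any IP address."
        }
    }
    if ($State.MaxShellsPerUser -gt $ExpectedMaxShells) {
        $findings += "MaxShellsPerUser is $($State.MaxShellsPerUser), above the expected $ExpectedMaxShells."
    }
    foreach ($c in $State.SessionConfigs) {
        # Heuristic: on a sender-only host every session configuration should
        # carry a deny entry; the Permission string is shown for manual review.
        if (-not $ReceivesCommands -and $c.Permission -notmatch 'AccessDenied') {
            $findings += "Session configuration '$($c.Name)' has no deny entry: $($c.Permission)"
        }
    }
    $findings
}

$state = Get-RemotingState
$state | Format-List WinRMStatus, EffectivePolicy, MaxShellsPerUser | Out-Host
$state.PolicyByScope | Format-Table -AutoSize | Out-Host
$state.Listeners | Format-Table -AutoSize | Out-Host
Test-RemotingState -State $state -ReceivesCommands ([bool]$ReceivesCommands) `
                   -ExpectedMaxShells $ExpectedMaxShells
```

Run it without -ReceivesCommands on an administration workstation and with it on a scan target; an empty result means none of the example's rules fired.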

4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:

Scanning through the local machine

o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.

o This scan can be of the local or an alternate server.

Scanning through a remote machine

o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.

o This scan is using the local machine to form the connection to the remote machine and is actually performing the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start->All programs->SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the start menu with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:

   ComputerName
   IP address n.n.n.n
   FQDN (Fully Qualified Domain Name)

   Enter "", localhost, or leave this blank if you want to scan the local machine.

   Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the checkboxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to the SQL Server categories listed previously. Select at least one category in order to run a successful scan.

   Analyze_SQL_Analysis_Services
   Analyze_SQL_Server_Engine
   Analyze_SQL_Integration_Services
   Analyze_SQL_Server_Replication
   Analyze_SQL_Reporting_Services
   Analyze_SQL_Server_Setup

   Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the page below while in progress.

7. When the scan is complete, results will be displayed grouped by Severity, as shown below.

4.3 Connect to a remote computer

A scan connected to a remote computer is different than scanning an alternate server.

“Connect to a Remote Computer” is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server using the BPA installed on the server. In this case the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality you first start MBCA on the client computer and select “Connect to Another Computer”.

1. In the “Connect to Another Computer” text box you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:

ComputerName

ComputerName:PortNumber

IP address: n.n.n.n

IPv6 address: [n:n:n:n:n:n:n:n]

IPv4 address with port number: n.n.n.n:PortNumber

IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

Note: If an administrator has changed the computer’s default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session type winrm help and then press Enter.

2. Additionally you must supply credentials.

3. CredSSP

Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user’s credentials from the client computer to the target server.

CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. On Windows XP, Windows Server 2003 and earlier, CredSSP is not supported.

First you must set CredSSP on both the client and the server.

Using the Group Policy Editor (gpedit.msc), make sure to enable “Allow Delegating Fresh Credentials” and check “Concatenate OS defaults with input above”.

Add the server or domain to the list of servers in the format “WSMAN/domainname.com”.

Next, enable and configure PowerShell Remoting on both the client and server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously so that you can scan from either computer.

Enable PowerShell Remoting

o Enable-PSRemoting -f

Settings for a client

o Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]

or

o Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]

Settings for the server

o Enable-WSManCredSSP -Role Server

o Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000

o Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20
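The settings above change what this machine accepts and delegates over WinRM, so it is worth recording them and withdrawing CredSSP once scanning is finished. The following PowerShell is an added example, not part of the whitepaper: the function names and the sample state are constructed for illustration, while the WSMan: drive paths, the AllowFreshCredentials policy key and Disable-WSManCredSSP are standard Windows components.

```powershell
# Added example, not from the whitepaper. Run in an elevated PowerShell session.

function Get-BpaRemotingState {
    # Collects the WinRM settings that the remoting and CredSSP steps change.
    $svc = Get-Service -Name WinRM
    $state = @{
        WinRMService        = "$($svc.Status)"
        Listeners           = @()
        CredSSPClient       = $null
        CredSSPServer       = $null
        TrustedHosts        = $null
        MaxMemoryPerShellMB = $null
        MaxShellsPerUser    = $null
        DelegationTargets   = @()
    }
    # The WSMan: drive can only be read while the WinRM service is running.
    if ($svc.Status -eq 'Running') {
        $state.Listeners = @(Get-ChildItem WSMan:\localhost\Listener |
            ForEach-Object { $_.Keys -join ' ' })
        $state.CredSSPClient       = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
        $state.CredSSPServer       = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
        $state.TrustedHosts        = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        $state.MaxMemoryPerShellMB = (Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
        $state.MaxShellsPerUser    = (Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
    }
    # Enable-WSManCredSSP -Role Client stores its -DelegateComputer targets in this policy key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $state.DelegationTargets = @($props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $_.Value })
    }
    New-Object PSObject -Property $state
}

function Test-BpaRemotingState {
    # Turns a state object into review findings; accepts a constructed state for dry runs.
    param($State = (Get-BpaRemotingState))
    $findings = @()
    if ("$($State.CredSSPServer)" -eq 'true') {
        $findings += 'The WinRM service on this machine accepts CredSSP authentication.'
    }
    if ("$($State.CredSSPClient)" -eq 'true') {
        $findings += 'This machine is allowed to delegate credentials with CredSSP.'
    }
    $State.DelegationTargets | Where-Object { $_ -like '*[*]*' } | ForEach-Object {
        $findings += "Delegation target '$_' is a wildcard; list the scanned servers individually."
    }
    if ("$($State.TrustedHosts)" -eq '*') {
        $findings += "TrustedHosts is '*'; computers in this list might not be authenticated."
    }
    if (@($State.Listeners | Where-Object { $_ -like '*Transport=HTTP *' }).Count -gt 0) {
        $findings += 'A plain HTTP listener is configured (default port 5985).'
    }
    $findings
}

function Reset-BpaCredSSP {
    # Withdraws CredSSP for both roles once the scans are finished.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable CredSSP (client and server role)')) {
        Disable-WSManCredSSP -Role Client
        Disable-WSManCredSSP -Role Server
    }
}

# Constructed sample state, so the checks can be tried without touching WinRM.
$sample = New-Object PSObject -Property @{
    WinRMService = 'Running'; Listeners = @('Transport=HTTP Address=*')
    CredSSPClient = 'true'; CredSSPServer = 'true'; TrustedHosts = '*'
    MaxMemoryPerShellMB = '20000'; MaxShellsPerUser = '20'
    DelegationTargets = @('wsman/*.example.test')
}
Test-BpaRemotingState -State $sample

# On a real machine:
#   Test-BpaRemotingState        # findings for the current configuration
#   Reset-BpaCredSSP -WhatIf     # preview; run without -WhatIf to apply
```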

4.4 PowerShell

For details see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

Part of the result looks like this:

ModelId : SQL2008R2BPA

SubModelId :

Success : True

ScanTime :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername

-SQL_Server_Instance_Name instancename

-Analyze_SQL_Server_Engine

-Analyze_SQL_Server_Replication

-Analyze_SQL_Server_Setup

-Analyze_SQL_Analysis_Services

-Analyze_SQL_Integration_Services

-Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server “servername” and for the named instance “instance”. A log file will be written to “c:\temp\ssas.txt”.

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = Get-MbcaModel -ModelId sql2008r2bpa

$scanResult = Get-MbcaResult -ModelId sql2008r2bpa

$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration

$model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where-Object { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>

$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration

$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
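One way to carry out the comparison of older and newer scans mentioned above, as an added example that is not part of the whitepaper. The function names and the sample findings are constructed; the code assumes the export layout shown above (results first, collected configuration second) and that each result carries the SubModelId, ComputerName, Severity, Category and Title properties used in the ConvertTo-Html commands on this page.

```powershell
# Added example, not from the whitepaper.

function Get-BpaFindingIndex {
    # Loads one exported report and indexes the findings of the requested severities.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$Severity = @('Error', 'Warning')
    )
    # The export holds two objects: the result list and the collected configuration.
    $results, $collectedConfig = Import-Clixml -Path $Path
    $index = @{}
    foreach ($r in @($results)) {
        if ($Severity -contains "$($r.Severity)") {
            # Assumed identity of a finding: rule category source, server and rule title.
            $key = '{0}|{1}|{2}' -f $r.SubModelId, $r.ComputerName, $r.Title
            $index[$key] = $r
        }
    }
    return $index
}

function Compare-BpaExport {
    # Classifies every finding as New, Resolved or Open between two exports.
    param(
        [Parameter(Mandatory = $true)][string]$OlderPath,
        [Parameter(Mandatory = $true)][string]$NewerPath,
        [string[]]$Severity = @('Error', 'Warning')
    )
    $old = Get-BpaFindingIndex -Path $OlderPath -Severity $Severity
    $new = Get-BpaFindingIndex -Path $NewerPath -Severity $Severity
    foreach ($key in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        if     (-not $old.ContainsKey($key)) { $change = 'New' }
        elseif (-not $new.ContainsKey($key)) { $change = 'Resolved' }
        else                                 { $change = 'Open' }
        $r = if ($new.ContainsKey($key)) { $new[$key] } else { $old[$key] }
        New-Object PSObject -Property @{
            Change = $change; Severity = "$($r.Severity)"; Category = $r.Category
            SubModelId = $r.SubModelId; ComputerName = $r.ComputerName; Title = $r.Title
        } | Select-Object Change, Severity, Category, SubModelId, ComputerName, Title
    }
}

# Constructed sample findings, so the comparison can be tried without running a scan.
function New-SampleFinding($Severity, $Category, $Title) {
    New-Object PSObject -Property @{
        SubModelId = 'Engine'; ComputerName = 'SQL01'; Severity = $Severity
        Category = $Category; Title = $Title
    }
}
$older = @(
    (New-SampleFinding 'Warning' 'Security'  'Guest Permissions'),
    (New-SampleFinding 'Error'   'Operation' 'backups outdated for databases')
)
$newer = @(
    (New-SampleFinding 'Error'   'Operation' 'backups outdated for databases'),
    (New-SampleFinding 'Warning' 'Security'  'Trustworthy Bit')
)
$oldFile = Join-Path $env:TEMP 'bpa_older.xml'
$newFile = Join-Path $env:TEMP 'bpa_newer.xml'
# Same two-object layout as the export example: results, then configuration.
$older, @{ Note = 'constructed sample' } | Export-Clixml -Path $oldFile
$newer, @{ Note = 'constructed sample' } | Export-Clixml -Path $newFile

Compare-BpaExport -OlderPath $oldFile -NewerPath $newFile |
    Sort-Object Change, Title | Format-Table -AutoSize
```

Findings marked New in the Security category are the ones to review first; Resolved entries document the progress the section refers to.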

4.4.4 Report Result Directory

The reporting result path %AppData%\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results will be overwritten during each run of the tool or Invoke command.

Solution: Save older results before you start the check. The time stamp uses HH (24-hour clock) so that the archive folder names sort in chronological order.

Copy-Item -Path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -Destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddHHmmss")).ToString() -Recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object Name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.Name).ToString() | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation

Timestamp, finished rules, start and end times

Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user’s Local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\< Instance Name >\< datestamp_timestamp >\< Log files >.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file gets generated and contains information about each category's execution. Apart from this, each category has its own log file which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt

Engine Rules - EngineLog.txt

Replication Rules - ReplicationLog.txt

Setup Rules - SetupLog.txt

Analysis Services Rules - AnalysisServicesLog.txt

Reporting Services Rules - ReportingServicesLog.txt

Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 - the NumberOfLogicalProcessors property is unavailable in Win32_Processor for Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370

Both of the rules below will function properly if you apply this hotfix. For more information look here

5.3 MBCA

This message indicates that one prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in result set of the analyzer report

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to “Connect to another computer” from MBCA and you receive the following message:

You should check first if the Hotfix KB968930 is installed.

Afterwards validate that the “Windows Remote Management” service is started.

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log for both of these scenarios, you will also see the following entry:

Log Name: Application

Source: MsiInstaller

Date: 6/10/2010 8:38:18 AM

Event ID: 11722

Task Category: None

Level: Error

Keywords: Classic

User: <Username>

Computer: <Machine name>

Description:

Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is “Access Denied”.

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.

2. Change to the directory where the msi file resides.

3. Type msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

This scenario is that you are failing with the above due to a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the Machine Account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS Web Application such as SharePoint, or if you are using Reporting Services and the service account is set to a Domain User account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That’s where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.

Possible causes are:

-The user name or password specified are invalid.

-Kerberos is used when no authentication method and no user name are specified.

-Kerberos accepts domain user names, but not local user names.

-The Service Principal Name (SPN) for the remote computer name and port does not exist.

-The client and remote computers are in different domains and there is no trust between the two domains.

After checking for the above issues, try the following:

-Check the Event Viewer for events related to authentication.

-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

Note that computers in the TrustedHosts list might not be authenticated.

-For more information about WinRM configuration, run the following command: winrm help config.

At line:50 char:33

+ Set-WSManQuickConfig <<<< -force

+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException

+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application’s end, would be to run the application under a Host Header; then your HTTP SPN would not include the machine name, allowing BPA to run without issue.

6 RULES

Searching for “SQL Server 2008 R2 BPA” at Microsoft.com reveals

Here is an example of one of these articles that talks about a rule to check for a recent “clean” CHECKDB.

BPA works by measuring a role’s compliance with best practice rules in eight different categories of a role’s effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level: Description

Noncompliant: Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant: Compliant results are returned when a role satisfies the conditions of a rule.

Warning: Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name: Description

Security: Security rules are applied to measure a role’s relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance: Performance rules are applied to measure a role’s ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role’s workload.

Configuration: Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy: Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation: Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment: Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.

Postdeployment: Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.

BPA Prerequisites: BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules are checking that you have a secure, resilient and well performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)

Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)

Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)

non-default network packet size in use (http://support.microsoft.com/kb/2157175)

degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)

Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)

SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)

SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)

Trustworthy Bit (http://support.microsoft.com/kb/2183687)

Symmetric Keys Check (http://support.microsoft.com/kb/2162020)

Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)

SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)

Windows API calls intercepted (http://support.microsoft.com/kb/2033238)

unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)

Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)

non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)

Guest Permissions (http://support.microsoft.com/kb/2186935)

Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)

IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)

IO device errors detected (http://support.microsoft.com/kb/2091098)

IO errors during page faults detected (http://support.microsoft.com/kb/2091098)

cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)

disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)

failed IO requests detected (http://support.microsoft.com/kb/2091098)

IO requests are successful when retried (http://support.microsoft.com/kb/2015757)

IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)

This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)

tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)

Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)

Logical consistency errors detected (http://support.microsoft.com/kb/2152472)

Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)

SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)

incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)

Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)

Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)

Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)

Databases using simple recovery model (http://support.microsoft.com/kb/2137539)

User database collation different from model (http://support.microsoft.com/kb/2026108)

Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)

Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)

LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)

SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)

SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)

Invalid startup parameters (http://support.microsoft.com/kb/2028433)

MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)

sql incorrect results fix missing (http://support.microsoft.com/kb/971780)

File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)

linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)

Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)

default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)

TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)

FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)

Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)

A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)

Significant Portion of SQL Server Memory Has Been Paged Out (http://support.microsoft.com/kb/2028324)

Server Exception or Hang Detected on Server (http://support.microsoft.com/kb/2028589)

Databases exist without CHECKSUM protection (http://support.microsoft.com/kb/2078345)

backups outdated for databases (http://support.microsoft.com/kb/2027537)

Database consistency check not current (http://support.microsoft.com/kb/2033590)

SQL Server Memory settings are incorrect (http://support.microsoft.com/KB/918483/EN-US)

Autogrow Failed or took a long time (http://support.microsoft.com/kb/2091024)

Storport driver fix from KBA 940467 missing (http://support.microsoft.com/kb/2121098)

Storport driver fix from KBA 950903 missing (http://support.microsoft.com/kb/2121098)

SQLCLR needs additional memory configuration (http://support.microsoft.com/kb/969962/EN-US)

Operating System files and drivers needs update for working set trimming (http://support.microsoft.com/kb/2121098)

Agent Token Replacement (http://support.microsoft.com/kb/2202637)

Auditing Log in failures (http://support.microsoft.com/kb/2187161)

Databases with high number of VLF present (http://support.microsoft.com/kb/2028436)

Transparent Data Encryption Certificate (http://support.microsoft.com/kb/2201900)

Permission on the Binn folder (http://support.microsoft.com/kb/2029023)

Index Statistics Are Outdated

Server public permissions (http://support.microsoft.com/kb/2160698)

Detected use of older versions of SQLNCLI (http://support.microsoft.com/kb/979779)

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services (http://support.microsoft.com/kb/2128005)

Excessive amount of memory preallocated to Analysis Services (http://support.microsoft.com/kb/2027474)

Server not configured for optimal concurrent query throughput (http://support.microsoft.com/kb/2135031)

Non standard value detected for Analysis Services memory configuration (http://support.microsoft.com/kb/2027472)

Process Thread Pool Max limit above recommended limit (http://support.microsoft.com/kb/2134497)

Process Thread Pool Minimum is below the recommended limit (http://support.microsoft.com/kb/2134855)

Server is running a build with a known regression (http://support.microsoft.com/kb/2157941)

Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur (http://support.microsoft.com/kb/2027754)

Server is ignoring duplicate key errors (http://support.microsoft.com/kb/2027761)

No default member defined for non-aggregatable attribute (http://support.microsoft.com/kb/2027769)

UnknownMember set to hidden (http://support.microsoft.com/kb/2027628)

Non-numeric key column for high cardinality attribute (http://support.microsoft.com/kb/2028138)

Attribute hierarchy enabled for high cardinality non-key attribute (http://support.microsoft.com/kb/2028143)

ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected (http://support.microsoft.com/kb/2132742)

Account or Time attribute types defined in a non-matching dimension type (http://support.microsoft.com/kb/2157299)

An Account or Time dimension has no matching attribute defined (http://support.microsoft.com/kb/2027418)

Dimension has no attribute defined with the same type (http://support.microsoft.com/kb/2027443)

Attribute Dimension type mismatch (http://support.microsoft.com/kb/2157327)

Mismatched dimension attribute types detected in dimension (http://support.microsoft.com/kb/2027459)

Possible incorrect order of levels defined in hierarchy (http://support.microsoft.com/kb/2027460)

Define attribute relationships as Rigid where possible (http://support.microsoft.com/kb/2027468)

Redundant attribute relationships detected (http://support.microsoft.com/kb/2127437)

Diamond-shape relationship detected (http://support.microsoft.com/kb/2127570)

Non-Standard Attribute Relationship name detected (http://support.microsoft.com/kb/2127862)

Proactive Caching set for dimension without a processing query (http://support.microsoft.com/kb/2027541)

No Time dimension detected (http://support.microsoft.com/kb/2027532)

More than 3 parent-child dimensions with custom rollups defined (http://support.microsoft.com/kb/2134431)

Encountered a parent-child dimension with more than 500000 members (http://support.microsoft.com/kb/2131918)

Single attribute dimensions detected (http://support.microsoft.com/kb/2141654)

Measure groups with zero dimensional overlap detected in cube (http://support.microsoft.com/kb/2027609)

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective (http://support.microsoft.com/kb/2027603)

Use MOLAP storage for dimensions that participate in semi-additive measure groups (http://support.microsoft.com/kb/2135112)

Measure group defined with no partition (http://support.microsoft.com/kb/2027545)

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration (http://support.microsoft.com/kb/2145506)

HTTP Logging is not enabled (http://support.microsoft.com/kb/2145909)

Verbose logging is enabled (http://support.microsoft.com/kb/2146315)

NTLM authentication may fail for local (http://support.microsoft.com/kb/2146369)

Missing extended protection settings (http://support.microsoft.com/kb/2146062)

6.4 IS Rules

Logging task missing for package (http://support.microsoft.com/kb/2027723)

ActiveX Script task detected in package (http://support.microsoft.com/kb/2027712)

Unrecommended Integration Services service account detected (http://support.microsoft.com/kb/2027684)

Integration Services logging table found in system database master and/or msdb (http://support.microsoft.com/kb/2027706)

Integration Services memory dump detected (http://support.microsoft.com/kb/2027727)

6.5 Setup Rules

Unsupported Operating System Version Detected (http://support.microsoft.com/kb/2022909)

WOW64 not supported for SQL Failover Clustering (http://support.microsoft.com/kb/2157198)

Installer cache is missing for the SQL Installation (http://support.microsoft.com/kb/2015100)

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type (http://support.microsoft.com/kb/2118349)

Replication Pub and Sub out of sync (Data Validation) (http://support.microsoft.com/kb/2118386)

Replication Pub and Sub out of sync (Constraint Violations) (http://support.microsoft.com/kb/2118410)

Replication Pub and Sub out of sync (Skipped Transactions) (http://support.microsoft.com/kb/2194498)

Merge Replication Health Check (http://support.microsoft.com/kb/2118445)

Subscriptions Approaching Expiration (http://go.microsoft.com/fwlink/?LinkId=184483)

Replication Cleanup and Retention Health Check (http://support.microsoft.com/kb/2118485)

Replication Latency Threshold violations (http://support.microsoft.com/kb/2118425)

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB.

Existing Non-Microsoft Clients - would require Mixed Mode Authentication.

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article “Why use SQL Server 2008 R2 BPA Case 1 Missing Updates” the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article describes the usual consequences (the involvement of Microsoft Support) and the final solution: adding a needed trace flag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for any of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X.509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:

Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = {0}

3. Completed getting MBCA results for Model Id = {0}, Number of Results = {1}

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = {0}

3. Completed getting MBCA collected configuration data for Model Id = {0}

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id, for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

Further information about configuration and usage of MBCA models can be found in the MBCA_ModelAuthoringGuide.docx.

Did this paper help you? Please give us your feedback. Tell us on a scale of 1 (poor) to 5 (excellent), how would you rate this paper and why have you given it this rating? For example:

- Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason?
- Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?

This feedback will help us improve the quality of white papers we release.

violations, even crucial ones, are not necessarily problematic; they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.

Best Practices Analyzer (BPA) is a server management tool that is available in Windows Server® 2008 R2. BPA can help administrators reduce best practice violations by scanning one or more roles that are installed on Windows Server 2008 R2, and reporting best practice violations to the administrator. Administrators can filter or exclude results from BPA reports that they do not have to see. Administrators can also perform BPA tasks by using either the Server Manager GUI or Windows PowerShell cmdlets.

BPA can also be used on remote servers that are running Windows Server 2008 R2 by using Server Manager targeted at a remote server. For more information about how to run Server Manager targeted at a remote server, see Remote Management with Server Manager.

The following BPA modules are currently available

Best Practices Analyzer for Active Directory Certificate Services

Best Practices Analyzer for Active Directory Domain Services

Best Practices Analyzer for Active Directory Rights Management Services

Best Practices Analyzer for Application Server

Best Practices Analyzer for Domain Name System

Best Practices Analyzer for Dynamic Host Configuration Protocol

Best Practices Analyzer for File Services

Best Practices Analyzer for Hyper-V

Best Practices Analyzer for Internet Information Services

Best Practices Analyzer for Network Policy and Access Services

Best Practices Analyzer for Remote Desktop Services

Best Practices Analyzer for Windows Server Update Services

For more information about Windows BPA, look here.

1.2.3 Fix-it

Currently there exists no link between the SQL Server Best Practice Analyzer and the Fixit webpage: http://support.microsoft.com/fixit

Microsoft is working on a solution to combine Fixit with specific Best Practice Analyzer: http://fixitcenter.support.microsoft.com/Portal

1.2.4 Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7

Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting programs that can automatically fix some common problems with your computer, such as problems with networking, hardware and devices, using the web, and program compatibility.

Go to the Windows website to watch a video about using troubleshooters to fix common problems. (3:30)

When you run a troubleshooter, it might ask you some questions or reset common settings as it works to fix the problem. If the troubleshooter fixed the problem, you can close the troubleshooter. If it couldn't fix the problem, you can view several options that will take you online to try and find an answer. In either case, you can always view a complete list of changes made.

Notes

- If you click the Advanced link on a troubleshooter and then clear the "Apply repairs automatically" check box, the troubleshooter displays a list of fixes to choose from, if any problems are found.
- Windows includes several troubleshooters, and more are available online when you select the "Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service" check box at the bottom of Troubleshooting.

http://support.microsoft.com/gp/system_maintenance_for_windows

2 SYSTEM REQUIREMENTS

SQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems:

1. Windows Vista
2. Windows 7
3. Windows Server 2003
4. Windows Server 2003 R2
5. Windows Server 2008
6. Windows Server 2008 R2

Supported editions of SQL Server:

1. SQL Server 2008, all editions except Express
2. SQL Server 2008 R2, all editions except Express

Supported Components of SQL Server:

1. Analysis Services
2. Database Engine
3. Integration Services
4. Reporting Services
5. Replication
6. Setup

These components are designed as Submodels for the BPA. This means that they will be run concurrently where possible.

2.1 Required Permissions for Running SQL Server 2008 R2 BPA

Administration Privileges

To run MBCA v2.0, a user must be a member of the administrators group on the machine being scanned and on the machine the scan is initiated from. If a user is not an administrator on the machine that is being scanned, an appropriate error message displays.

SQL Server

To successfully access all of the database properties and SQL Server configurations, a user must be the Systems Administrator (sysadmin) on the instance of SQL Server.

Analysis Services

The user or the administrators group must be a member of the server administrator role within an instance of Microsoft SQL Server Analysis Services, which has unrestricted access to all Analysis Services objects and data in that instance.

http://msdn.microsoft.com/en-us/library/ms174561.aspx

Integration Services

The user or the administrators group must be members of the sysadmin or db_ssisadmin roles.

http://msdn.microsoft.com/en-us/library/ms141053.aspx

Reporting Services

The user or the administrators group must be a member of the System Administrator and Content Manager role.

2.2 Prerequisites

The following are required for using SQL Server 2008 R2 Best Practices Analyzer:

1. PowerShell V2.0
   Windows PowerShell 2.0 requires the Microsoft .NET Framework 2.0 with Service Pack 1.
2. Microsoft Baseline Configuration Analyzer V2.0
3. SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2

The following table outlines the prerequisite Microsoft utilities/components, by Operating System, necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA. Columns 4 to 6 belong to the group "Configure PowerShell (1)".

OS                     | 1. Install WinRM | 2. Install PowerShell 2.0 | 3. Install MBCA 2.0 | 4. Remoting | 5. Execution Level | 6. MaxShellsPerUser | 7. Install SQL 2008 or SQL 2008 R2 Management Tools
Win Vista              | Y | Y | Y | Y | Y | Y | Y
Windows 7              | N | N | Y | Y | Y | Y | Y
Windows Server 2003    | Y | Y | Y | Y | Y | Y | Y
Windows Server 2003 R2 | Y | Y | Y | Y | Y | Y | Y
Windows Server 2008    | Y | Y | Y | Y | Y | Y | Y
Windows Server 2008 R2 | N | N | Y | Y | Y | Y | Y

(1) These changes will be done from the installation routine of the BPA.

3 INSTALL

We recommend installing BPA on a workstation or administration server and performing the scan operation remotely against servers in your SQL Server infrastructure. It is also possible to install this tool on the production SQL Server locally.

Installation process:

1. Install/Configure PowerShell and WinRM
2. Microsoft Baseline Configuration Analyzer V2.0
3. Microsoft® SQL Server® 2008 R2 Best Practices Analyzer

There are two ways to install the Best Practices Analyzer:

- With a graphical user interface (setup wizard), or
- Command line

3.1 Installing PowerShell 2.0 and WinRM

The BPA install configures WinRM and PowerShell options by default. Most of this section is only needed if something goes wrong and you need to configure this stuff by hand.

Windows Server 2003 R2

WinRM is not installed by default, but it is available as the Hardware Management feature through the Add/Remove System Components feature in the Control Panel under Management and Monitoring Tools. Complete installation and information about configuring WinRM using the WINRM command-line tool is available online in the Hardware Management Introduction, which describes the WinRM and the IPMI features in Windows Server 2003 R2.

On Windows Vista, Windows Server 2003 and Windows Server 2008

This is installed as part of Windows Management Framework Core. The WinRM service starts automatically on Windows Server 2008. On Windows Vista, the service must be started manually.

On Windows Server 2008 R2 and Windows 7

This is installed as part of the OS.

Note: Check for additional information and configuration guidelines for WinRM and for PowerShell 2.0.

SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers. Therefore, in both the local and remote cases, it is required that your PowerShell settings be modified. These changes are done by the BPA installation.

PowerShell Execution Policy

The PowerShell Execution Policy is set to Restricted by default. To run SQL Server 2008 R2 BPA through the PowerShell command line, set the policy to RemoteSigned using the command below:

Set-ExecutionPolicy RemoteSigned -f

You can use the command Set-ExecutionPolicy Restricted -f to set the execution policy back to Restricted. This command is not required when executing the scan through the MBCA GUI.

After the installation you must enable PowerShell remote scripting if you want to use the BPA remotely against another workgroup machine or a computer that has Kerberos enabled. You need to run this command only once on each computer that will receive commands. You do not need to run it on computers that only send commands. Because the configuration activates listeners, it is prudent to run it only where it is needed. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Enable-PSRemoting -force

Enable-PSRemoting performs configuration actions to enable this machine for remote management. This includes:

1. Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:
   - Starts the WinRM service.
   - Sets the startup type on the WinRM service to Automatic.
   - Creates a listener to accept requests on any IP address.
   - Enables a firewall exception for WS-Management communications.
   - Enables all registered Windows PowerShell session configurations to receive instructions from a remote computer.
   - Registers the Microsoft.PowerShell session configuration, if it is not already registered.
   - Registers the Microsoft.PowerShell32 session configuration on 64-bit computers, if it is not already registered.
   - Removes the "Deny Everyone" setting from the security descriptor for all the registered session configurations.
   - Restarts the WinRM service to make the preceding changes effective.

2. Configures MaxShellsPerUser using:

   winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

   Specifies the maximum number of concurrent shells that any user can remotely open on the same computer. If this policy setting is enabled, the user will not be able to open new remote shells if the count exceeds the specified limit. If this policy setting is disabled or is not configured, the limit will be set to 5 remote shells per user by default, and you receive the following error message:

   [localhost] Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user. For more information, see the about_Remote_Troubleshooting Help topic.
       + CategoryInfo          : OpenError: (System.Manageme…RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
       + FullyQualifiedErrorId : PSSessionOpenFailed

For more information about PowerShell remoting, please see MSDN.

3.2 Install MBCA

Download the edition of MBCA depending on your platform (x86 or x64) before installation.

Please find below the screenshots demonstrating the visual flow of the MBCA installation:

- Welcome screen
- License terms
- Folder selection
- Completion screen

3.3 Install BPA

Download the correct edition depending on your platform (x86 or x64) before installing. If you have trouble with the installation, please see section 5.7 Troubleshooting Installation.

3.3.1 Command line

Following is an optimized command line setup example:

msiexec /i SQL2008R2BPA_Setup64.msi /l* c:\temp\sqlbpa_install.log /qn

msiexec parameters:

/i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform)
/l = log granularity; "*" - Log all information, except for v and x options
log = log file (the path that follows /l*)
/q = display settings (/qn - no user interface)
SKIPCA=1 (if no domain controller is available, Skip Certification Authority)

For information on additional public properties, consult the Windows® Installer SDK for documentation on the command line syntax.

3.3.2 GUI

Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA installation:

- Welcome screen
- License terms
- System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM)
- Ready to install decision
- Install progress
- Completion screen

3.3.3 Port and Firewall restrictions

For scanning SQL Server or BI instances on an alternate server behind a firewall, you must open all necessary ports.

3.4 Updates

Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the Download site from Microsoft regularly to find new updates.

3.5 Uninstall

3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings

After the uninstall of the BPA you may disable PowerShell remote scripting. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Disable-PSRemoting -force

Disable-PSRemoting performs configuration actions to disable this machine for remote management.
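Disable-PSRemoting only blocks remote access to the session configurations; the WinRM service, its listener and the firewall exception stay in place. The function below is an added example, not part of the whitepaper or of the BPA setup, that reverts the other changes listed in section 3.1. The function name and the -StopWinRM switch are assumptions, and the quota defaults are the ones this paper quotes.

```powershell
# Added example, not part of the whitepaper or the BPA setup.
# Reverts the remoting changes listed in section 3.1 on a host that no longer
# needs to be scanned. Run from an elevated prompt; use -WhatIf for a dry run.
function Reset-BpaRemotingSettings {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Defaults quoted in this paper: 5 shells per user, 150 MB per shell.
        [int]$MaxShellsPerUser = 5,
        [int]$MaxMemoryPerShellMB = 150,
        # Also remove the listeners and stop WinRM. Only for hosts where
        # nothing else (for example Server Manager) depends on WinRM.
        [switch]$StopWinRM
    )

    # The WSMan: drive and the CredSSP cmdlets need a running WinRM service,
    # so every WSMan change happens before the service is stopped.
    if ((Get-Service -Name WinRM).Status -ne 'Running') {
        Write-Warning 'WinRM is not running; WSMan settings were left untouched.'
    }
    else {
        if ($PSCmdlet.ShouldProcess('session configurations', 'Disable-PSRemoting')) {
            Disable-PSRemoting -Force
        }
        if ($PSCmdlet.ShouldProcess('CredSSP client and server roles', 'Disable')) {
            Disable-WSManCredSSP -Role Client
            Disable-WSManCredSSP -Role Server
        }
        if ($PSCmdlet.ShouldProcess('WSMan:\localhost\Shell', 'Restore shell quotas')) {
            Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value $MaxShellsPerUser
            Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value $MaxMemoryPerShellMB
        }
        if ($StopWinRM) {
            foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
                if ($PSCmdlet.ShouldProcess($listener.Name, 'Remove WinRM listener')) {
                    Remove-Item -Path $listener.PSPath -Recurse
                }
            }
        }
    }

    if ($StopWinRM -and $PSCmdlet.ShouldProcess('WinRM service', 'Stop and disable')) {
        Stop-Service -Name WinRM -Force
        Set-Service -Name WinRM -StartupType Disabled
    }

    # Section 3.1: the execution policy was raised to RemoteSigned for BPA.
    if ($PSCmdlet.ShouldProcess('LocalMachine', 'Set-ExecutionPolicy Restricted')) {
        Set-ExecutionPolicy Restricted -Force
    }
}

# Dry run first, then apply:
#   Reset-BpaRemotingSettings -StopWinRM -WhatIf
#   Reset-BpaRemotingSettings -StopWinRM
```

The firewall exception for WS-Management is not touched by this function and has to be closed separately.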

4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:

- Scanning through the local machine
  o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.
  o This scan can be of the local or an alternate server.
- Scanning through a remote machine
  o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.
  o This scan is using the local machine to form the connection to the remote machine and is actually performing the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start -> All Programs -> SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the start menu with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:
   - ComputerName
   - IP address: n.n.n.n
   - FQDN (Fully Qualified Domain Name)

   Enter "", localhost, or leave this blank if you want to scan the local machine.

   Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the checkboxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to the SQL Server categories listed previously. Select at least one category in order to run a successful scan.
   - Analyze_SQL_Analysis_Services
   - Analyze_SQL_Server_Engine
   - Analyze_SQL_Integration_Services
   - Analyze_SQL_Server_Replication
   - Analyze_SQL_Reporting_Services
   - Analyze_SQL_Server_Setup

   Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the below page while in progress.

7. When the scan is complete, results will be displayed grouped by Severity as shown below.

4.3 Connect to a remote computer

A scan connected to a remote computer is different from scanning an alternate server. "Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:
   - ComputerName
   - ComputerName:PortNumber
   - IP address: n.n.n.n
   - IPv6 address: [n:n:n:n:n:n:n:n]
   - IPv4 address with port number: n.n.n.n:PortNumber
   - IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

   Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session, type winrm help, and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

   Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

   CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

   Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. On Windows XP, Windows Server 2003, and earlier, CredSSP is not supported.

   First you must set CredSSP on both the client and the server:
   - Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".
   - Add the server or domain to the list of servers in the format "WSMAN/domainname.com".

   Next, enable and configure PowerShell Remoting on both the client and server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously so that you can scan from either computer.

   - Enable PowerShell Remoting
     o Enable-PSRemoting -f
   - Settings for a client
     o Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]
       or
     o Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]
   - Settings for the server
     o Enable-WSManCredSSP -Role Server
     o Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000
     o Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20
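To review what sections 3.1 and 4.3 leave configured on a host, the following added example (not from the whitepaper or from BPA/MBCA) reads the settings back and flags those that differ from the defaults this paper quotes. The function name and the wording of the findings are assumptions, and it must run in an elevated session.

```powershell
# Added example, not part of the whitepaper or of BPA/MBCA.
# Reports the WinRM and PowerShell settings named in sections 3.1 and 4.3.
# Run elevated: reading the WSMan: drive requires it.
function Get-BpaRemotingState {
    $service  = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
    $findings = @()
    $state = New-Object PSObject -Property @{
        ComputerName        = $env:COMPUTERNAME
        ExecutionPolicy     = [string](Get-ExecutionPolicy)
        WinRMState          = $service.State
        WinRMStartMode      = $service.StartMode
        Listeners           = @()
        MaxShellsPerUser    = $null
        MaxMemoryPerShellMB = $null
        CredSSPClient       = $null
        CredSSPServer       = $null
        Findings            = @()
    }

    if ($state.ExecutionPolicy -ne 'Restricted') {
        $findings += "Execution policy is $($state.ExecutionPolicy), not the Restricted default"
    }

    # The WSMan: drive can only be read while the service is running.
    if ($service.State -eq 'Running') {
        $state.Listeners = @(foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
            # Each listener is a container whose children are name/value pairs.
            $p = @{}
            Get-ChildItem $l.PSPath | ForEach-Object { $p[$_.Name] = $_.Value }
            if ($p['Address'] -eq '*') {
                $findings += "Listener on port $($p['Port']) accepts requests on any IP address"
            }
            '{0}://{1}:{2}' -f $p['Transport'], $p['Address'], $p['Port']
        })

        $state.MaxShellsPerUser    = [int](Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
        $state.MaxMemoryPerShellMB = [int](Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
        if ($state.MaxShellsPerUser -gt 5) {
            $findings += "MaxShellsPerUser raised to $($state.MaxShellsPerUser) (default quoted here: 5)"
        }
        if ($state.MaxMemoryPerShellMB -gt 150) {
            $findings += "MaxMemoryPerShellMB raised to $($state.MaxMemoryPerShellMB) (default quoted here: 150)"
        }

        # CredSSP roles from section 4.3, read from the WSMan auth settings.
        $state.CredSSPClient = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value -eq 'true'
        $state.CredSSPServer = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value -eq 'true'
        if ($state.CredSSPClient) {
            $findings += 'CredSSP client role enabled: this host can delegate user credentials'
        }
        if ($state.CredSSPServer) {
            $findings += 'CredSSP server role enabled: this host accepts delegated credentials'
        }
    }

    $state.Findings = $findings
    $state
}

# Example: list only the deviations on the local machine.
#   (Get-BpaRemotingState).Findings
```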

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

The result looks like this:

ModelId    : SQL2008R2BPA
SubModelId :
Success    : True
ScanTime   :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = Get-MbcaModel -ModelId sql2008r2bpa
$scanResult = Get-MbcaResult -ModelId sql2008r2bpa
$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration
$model, $scanResult, $collectedConfig | Export-Clixml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model, and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -pre "<P>Generated by user $env:username on computer $env:computername</P>" -post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>
$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration
$results, $collectedconfig | Export-Clixml c:\export.xml

Example of opening an archived XML report file:

$loadedResults, $loadedConfiguration = Import-Clixml c:\export.xml
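Comparing an older export with a newer one, as described above, can be scripted. This added example (not from the whitepaper) assumes both files were written with the Export-Clixml pattern shown here and that each result carries the ComputerName, SubModelId, Title and Severity properties used in section 4.4.2; the function name and the file names in the usage comment are hypothetical.

```powershell
# Added example, not part of the whitepaper or of MBCA.
# Compares two archives written with the Export-Clixml pattern of section 4.4.3
# and reports which Warning/Error findings are new, gone, or changed severity.
function Compare-BpaExport {
    param(
        [Parameter(Mandatory = $true)][string]$OlderPath,
        [Parameter(Mandatory = $true)][string]$NewerPath,
        [string[]]$Severity = @('Warning', 'Error')
    )

    # Index the findings of one archive by computer, submodel and rule title.
    function Get-FindingIndex([string]$Path, [string[]]$Keep) {
        # First exported object: scan results. Second: collected configuration.
        $results, $config = Import-Clixml -Path $Path
        $index = @{}
        foreach ($r in @($results)) {
            # Compare on the string form, since archived values are deserialized.
            $sev = "$($r.Severity)"
            if ($Keep -contains $sev) {
                $key = '{0}|{1}|{2}' -f $r.ComputerName, $r.SubModelId, $r.Title
                $index[$key] = $sev
            }
        }
        return $index
    }

    $old = Get-FindingIndex $OlderPath $Severity
    $new = Get-FindingIndex $NewerPath $Severity

    foreach ($key in @($old.Keys) + @($new.Keys) | Sort-Object -Unique) {
        if (-not $old.ContainsKey($key)) {
            $change = 'New'
        }
        elseif (-not $new.ContainsKey($key)) {
            # Not reported any more: fixed, excluded with Set-MBCAResult,
            # or the category was left out of the newer scan.
            $change = 'NotInNewer'
        }
        elseif ($old[$key] -ne $new[$key]) {
            $change = 'SeverityChanged'
        }
        else {
            $change = 'Unchanged'
        }

        # The title is the last field, so a "|" inside it is kept intact.
        $computer, $subModel, $title = $key -split '\|', 3
        New-Object PSObject -Property @{
            Change        = $change
            ComputerName  = $computer
            SubModelId    = $subModel
            Title         = $title
            OlderSeverity = $old[$key]
            NewerSeverity = $new[$key]
        } | Select-Object Change, ComputerName, SubModelId, OlderSeverity, NewerSeverity, Title
    }
}

# Example (hypothetical file names):
#   Compare-BpaExport c:\export_old.xml c:\export.xml |
#       Where { $_.Change -ne 'Unchanged' } | Format-Table -AutoSize
```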

4.4.4 Report Result Directory

The reporting result path

AppData\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check.

# HH (24-hour clock) keeps the archive folder names in chronological sort order
Copy-Item -Path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -Destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddHHmmss")).ToString() -Recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object Name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.Name).ToString() | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -pre "<P>Generated by user $env:username on computer $env:computername</P>" -post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results
Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA
Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>
Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

- Pre-requisite validation
- Timestamp: finished rules, start and end times
- Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user's local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file gets generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt
Engine Rules - EngineLog.txt
Replication Rules - ReplicationLog.txt
Setup Rules - SetupLog.txt
Analysis Services Rules - AnalysisServicesLog.txt
Reporting Services Rules - ReportingServicesLog.txt
Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 - the NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370

Both of the rules below will function properly if you apply this hotfix. For more information, look here.

5.3 MBCA

This message indicates that one prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in result set of the analyzer report

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB or less memory. This default limit is quite small, and once it is reached a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limitation to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should check first if the Hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started:

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework) you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is “Access Denied”.

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.

2. Change to the directory where the .msi file resides.

3. Type: msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will be either SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario the installation fails with the above error because of a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS web application such as SharePoint, or if you are using Reporting Services and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
 -The user name or password specified are invalid.
 -Kerberos is used when no authentication method and no user name are specified.
 -Kerberos accepts domain user names, but not local user names.
 -The Service Principal Name (SPN) for the remote computer name and port does not exist.
 -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
 -Check the Event Viewer for events related to authentication.
 -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
 -For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a Host Header; then your HTTP SPN would not include the machine name, allowing BPA to run without issue.
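A read-only check for the HTTP SPN conflict described in section 5.7.3, added here as an example and not taken from the whitepaper. The function names Get-SpnHolder and Test-WinRmHttpSpnConflict are hypothetical, and the script assumes a domain-joined host, an account that can read Active Directory, and that the conflicting account lives in the current domain.

```powershell
# Added example, not part of the whitepaper. Read-only: it queries Active Directory
# and reports which account holds the HTTP/<host> SPN that WinRM's Kerberos
# authentication resolves to. Run it on the domain-joined SQL Server host.

function Get-SpnHolder {
    # Hypothetical helper name. Returns every account in the current domain
    # that carries exactly this SPN (other domains in the forest are not searched).
    param([Parameter(Mandatory = $true)][string]$Spn)

    # Escape LDAP filter metacharacters (RFC 4515) so the value is matched literally.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PageSize = 200
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    [void]$searcher.PropertiesToLoad.Add('distinguishedname')

    foreach ($hit in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Spn               = $Spn
            SamAccountName    = [string]$hit.Properties['samaccountname'][0]
            DistinguishedName = [string]$hit.Properties['distinguishedname'][0]
        }
    }
}

function Test-WinRmHttpSpnConflict {
    # Hypothetical function name. Emits one result object per local host name
    # (short name and, when the machine has a DNS domain, the FQDN).
    $machineAccount = "$env:COMPUTERNAME`$"
    $ip    = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $names = @($ip.HostName)
    if ($ip.DomainName) { $names += "$($ip.HostName).$($ip.DomainName)" }

    foreach ($name in $names) {
        $holders = @(Get-SpnHolder -Spn "HTTP/$name")
        # Any holder other than the machine account is the situation from 5.7.3:
        # the HTTP SPN for this host name sits on a different (service) account.
        $foreign = @($holders | Where-Object { $_.SamAccountName -ne $machineAccount })

        New-Object PSObject -Property @{
            HostName       = $name
            HttpSpnHolders = ($holders | ForEach-Object { $_.SamAccountName }) -join ', '
            Conflict       = ($foreign.Count -gt 0)
        }
    }
}

# WinRM must be running before the SPN question matters at all.
$winrm = Get-Service -Name WinRM
Write-Output "Windows Remote Management service status: $($winrm.Status)"

try {
    Test-WinRmHttpSpnConflict | ForEach-Object {
        if ($_.Conflict) {
            Write-Warning ("HTTP/{0} is registered on: {1}. Expect the Negotiate/Kerberos error from Set-WSManQuickConfig and failing BPA scans while this SPN is in place." -f $_.HostName, $_.HttpSpnHolders)
        }
        else {
            Write-Output ("HTTP/{0}: no HTTP SPN on an account other than {1}`$." -f $_.HostName, $env:COMPUTERNAME)
        }
    }
}
catch {
    # Workgroup machines and hosts without a reachable domain controller land here.
    Write-Warning "Active Directory query failed: $($_.Exception.Message)"
}
```

A reported conflict confirms the scenario before anyone removes or moves an SPN; `setspn -L <account>` then lists everything registered on the account that was reported.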

6 RULES

Searching for “SQL Server 2008 R2 BPA” at Microsoft.com reveals:

Here is an example of one of these articles that talks about a rule to check for a recent “clean” CHECKDB:

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level: Description

Noncompliant: Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant: Compliant results are returned when a role satisfies the conditions of a rule.

Warning: Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name: Description

Security: Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance: Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration: Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy: Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation: Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment: Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.

Postdeployment: Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.

BPA Prerequisites: BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient and well performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC/BDC (http://support.microsoft.com/kb/2032911)
SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)
Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)
Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)
Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)
Databases using simple recovery model (http://support.microsoft.com/kb/2137539)
User database collation different from model (http://support.microsoft.com/kb/2026108)
Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)
Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)
LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)
SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)
SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)
Invalid startup parameters (http://support.microsoft.com/kb/2028433)
MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)
sql incorrect results fix missing (http://support.microsoft.com/kb/971780)
File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)
linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)
Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)
default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)
TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)
FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)
Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)
A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)
Significant Portion of SQL Server Memory Has Been Paged Out (http://support.microsoft.com/kb/2028324)
Server Exception or Hang Detected on Server (http://support.microsoft.com/kb/2028589)
Databases exist without CHECKSUM protection (http://support.microsoft.com/kb/2078345)
backups outdated for databases (http://support.microsoft.com/kb/2027537)
Database consistency check not current (http://support.microsoft.com/kb/2033590)
SQL Server Memory settings are incorrect (http://support.microsoft.com/KB/918483/EN-US)
Autogrow Failed or took a long time (http://support.microsoft.com/kb/2091024)
Storport driver fix from KBA 940467 missing (http://support.microsoft.com/kb/2121098)
Storport driver fix from KBA 950903 missing (http://support.microsoft.com/kb/2121098)
SQLCLR needs additional memory configuration (http://support.microsoft.com/kb/969962/EN-US)
Operating System files and drivers needs update for working set trimming (http://support.microsoft.com/kb/2121098)
Agent Token Replacement (http://support.microsoft.com/kb/2202637)
Auditing Log in failures (http://support.microsoft.com/kb/2187161)
Databases with high number of VLF present (http://support.microsoft.com/kb/2028436)
Transparent Data Encryption Certificate (http://support.microsoft.com/kb/2201900)
Permission on the Binn folder (http://support.microsoft.com/kb/2029023)
Index Statistics Are Outdated
Server public permissions (http://support.microsoft.com/kb/2160698)
Detected use of older versions of SQLNCLI (http://support.microsoft.com/kb/979779)

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services (http://support.microsoft.com/kb/2128005)
Excessive amount of memory preallocated to Analysis Services (http://support.microsoft.com/kb/2027474)
Server not configured for optimal concurrent query throughput (http://support.microsoft.com/kb/2135031)
Non standard value detected for Analysis Services memory configuration (http://support.microsoft.com/kb/2027472)
Process Thread Pool Max limit above recommended limit (http://support.microsoft.com/kb/2134497)
Process Thread Pool Minimum is below the recommended limit (http://support.microsoft.com/kb/2134855)
Server is running a build with a known regression (http://support.microsoft.com/kb/2157941)
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur (http://support.microsoft.com/kb/2027754)
Server is ignoring duplicate key errors (http://support.microsoft.com/kb/2027761)
No default member defined for non-aggregatable attribute (http://support.microsoft.com/kb/2027769)
UnknownMember set to hidden (http://support.microsoft.com/kb/2027628)
Non-numeric key column for high cardinality attribute (http://support.microsoft.com/kb/2028138)
Attribute hierarchy enabled for high cardinality non-key attribute (http://support.microsoft.com/kb/2028143)
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected (http://support.microsoft.com/kb/2132742)
Account or Time attribute types defined in a non-matching dimension type (http://support.microsoft.com/kb/2157299)
An Account or Time dimension has no matching attribute defined (http://support.microsoft.com/kb/2027418)
Dimension has no attribute defined with the same type (http://support.microsoft.com/kb/2027443)
Attribute Dimension type mismatch (http://support.microsoft.com/kb/2157327)
Mismatched dimension attribute types detected in dimension (http://support.microsoft.com/kb/2027459)
Possible incorrect order of levels defined in hierarchy (http://support.microsoft.com/kb/2027460)
Define attribute relationships as Rigid where possible (http://support.microsoft.com/kb/2027468)
Redundant attribute relationships detected (http://support.microsoft.com/kb/2127437)
Diamond-shape relationship detected (http://support.microsoft.com/kb/2127570)
Non-Standard Attribute Relationship name detected (http://support.microsoft.com/kb/2127862)
Proactive Caching set for dimension without a processing query (http://support.microsoft.com/kb/2027541)
No Time dimension detected (http://support.microsoft.com/kb/2027532)
More than 3 parent-child dimensions with custom rollups defined (http://support.microsoft.com/kb/2134431)
Encountered a parent-child dimension with more than 500000 members (http://support.microsoft.com/kb/2131918)
Single attribute dimensions detected (http://support.microsoft.com/kb/2141654)
Measure groups with zero dimensional overlap detected in cube (http://support.microsoft.com/kb/2027609)
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective (http://support.microsoft.com/kb/2027603)
Use MOLAP storage for dimensions that participate in semi-additive measure groups (http://support.microsoft.com/kb/2135112)
Measure group defined with no partition (http://support.microsoft.com/kb/2027545)

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration (http://support.microsoft.com/kb/2145506)
HTTP Logging is not enabled (http://support.microsoft.com/kb/2145909)
Verbose logging is enabled (http://support.microsoft.com/kb/2146315)
NTLM authentication may fail for local (http://support.microsoft.com/kb/2146369)
Missing extended protection settings (http://support.microsoft.com/kb/2146062)

6.4 IS Rules

Logging task missing for package (http://support.microsoft.com/kb/2027723)
ActiveX Script task detected in package (http://support.microsoft.com/kb/2027712)
Unrecommended Integration Services service account detected (http://support.microsoft.com/kb/2027684)
Integration Services logging table found in system database master and/or msdb (http://support.microsoft.com/kb/2027706)
Integration Services memory dump detected (http://support.microsoft.com/kb/2027727)

6.5 Setup Rules

Unsupported Operating System Version Detected (http://support.microsoft.com/kb/2022909)
WOW64 not supported for SQL Failover Clustering (http://support.microsoft.com/kb/2157198)
Installer cache is missing for the SQL Installation (http://support.microsoft.com/kb/2015100)
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type (http://support.microsoft.com/kb/2118349)
Replication Pub and Sub out of sync (Data Validation) (http://support.microsoft.com/kb/2118386)
Replication Pub and Sub out of sync (Constraint Violations) (http://support.microsoft.com/kb/2118410)
Replication Pub and Sub out of sync (Skipped Transactions) (http://support.microsoft.com/kb/2194498)
Merge Replication Health Check (http://support.microsoft.com/kb/2118445)
Subscriptions Approaching Expiration (http://go.microsoft.com/fwlink/?LinkId=184483)
Replication Cleanup and Retention Health Check (http://support.microsoft.com/kb/2118485)
Replication Latency Threshold violations (http://support.microsoft.com/kb/2118425)

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article “Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates” the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You get help for these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type: get-help about_commonparameters

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit ltintgt

Specifies the maximum number of concurrent connections that can be established to run the

cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used

For more information about this parameter type the following and then press Enter

Get-Help Invoke-Command -Parameter ThrottleLimit

Required false

Page 48

Position named

Default value 32

Accept pipeline input false

Accept wildcard characters false

-UseSSL [ltSwitchParametergt]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer

By default SSL is not used

For more information about this parameter type the following and then press Enter

Get-Help Invoke-Command -Parameter UseSSL

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results files for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id. The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <Authentication Mechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights (that is, Run as Administrator).

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the -ModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights (that is, Run as Administrator).

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required false

Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
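Excluding results hides them from later reviews, so it is worth recording what was hidden, by whom and when. The following is an added example, not part of the whitepaper, that wraps Example 2 in such a record. The module name BaselineConfigurationAnalyzer and the folder C:\BpaExclusions are assumptions; the repository path is the one used in Example 2.

```powershell
# Added example, not from the whitepaper. Run in an elevated PowerShell 2.0 session.
$modelId  = 'SQL2008R2BPA'
$category = 'Policy'
$repo     = 'C:\ReposPath'        # non-default repository, as in Example 2
$auditDir = 'C:\BpaExclusions'    # hypothetical folder for the exclusion records

# Assumption: the MBCA cmdlets are loaded from a module with this name.
Import-Module BaselineConfigurationAnalyzer -ErrorAction Stop

# 1. Select the subset to hide, exactly as in Example 2.
$subset = @(Get-MBCAResult -ModelId $modelId -RepositoryPath $repo |
    Where-Object { $_.Category -eq $category })

if ($subset.Count -eq 0) {
    Write-Warning "No $category results found in $repo; nothing to exclude."
    return
}

# 2. Save the full result objects before they are hidden, so the excluded
#    findings can still be reviewed later.
if (-not (Test-Path $auditDir)) {
    New-Item -ItemType Directory -Path $auditDir | Out-Null
}
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$record = Join-Path $auditDir "$modelId-$category-excluded-$stamp.xml"
$subset | Export-Clixml -Path $record

# 3. Exclude the subset in the same repository it was read from.
Set-MBCAResult -Exclude $true -RepositoryPath $repo -Results $subset

# 4. Append one tab-separated line per exclusion run: when, who, what, how many.
$who  = "$env:USERDOMAIN\$env:USERNAME"
$line = "$stamp`t$who`t$modelId`t$category`t$($subset.Count)`t$record"
Add-Content -Path (Join-Path $auditDir 'exclusions.log') -Value $line

# To reverse the exclusion, select the same subset again with Get-MBCAResult
# and pass it to Set-MBCAResult -Exclude $false (see the -Exclude parameter).
"Excluded $($subset.Count) $category result(s); record written to $record"
```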

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.

Notes

- If you click the Advanced link on a troubleshooter and then clear the Apply repairs automatically check box, the troubleshooter displays a list of fixes to choose from, if any problems are found.

- Windows includes several troubleshooters, and more are available online when you select the "Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service" check box at the bottom of Troubleshooting.

http://support.microsoft.com/gp/system_maintenance_for_windows

2 SYSTEM REQUIREMENTS

SQL Server 2008 R2 Best Practices Advisor is supported on the following operating systems:

1. Windows Vista
2. Windows 7
3. Windows Server 2003
4. Windows Server 2003 R2
5. Windows Server 2008
6. Windows Server 2008 R2

Supported editions of SQL Server:

1. SQL Server 2008, all editions except Express
2. SQL Server 2008 R2, all editions except Express

Supported components of SQL Server:

1. Analysis Services
2. Database Engine
3. Integration Services
4. Reporting Services
5. Replication
6. Setup

These components are designed as submodels for the BPA. This means that they will be run concurrently where possible.

2.1 Required Permissions for Running SQL Server 2008 R2 BPA

Administration Privileges

To run MBCA v2.0, a user must be a member of the Administrators group on the machine being scanned and on the machine the scan is initiated from. If a user is not an administrator on the machine that is being scanned, an appropriate error message displays.

SQL Server

To successfully access all of the database properties and SQL Server configurations, a user must be the Systems Administrator (sysadmin) on the instance of SQL Server.

Analysis Services

The user or the Administrators group must be a member of the server administrator role within an instance of Microsoft SQL Server Analysis Services. Members of this role have unrestricted access to all Analysis Services objects and data in that instance.

http://msdn.microsoft.com/en-us/library/ms174561.aspx

Integration Services

The user or the Administrators group must be a member of the sysadmin or db_ssisadmin roles.

http://msdn.microsoft.com/en-us/library/ms141053.aspx

Reporting Services

The user or the Administrators group must be a member of the System Administrator and Content Manager roles.

2.2 Prerequisites

The following are required for using SQL Server 2008 R2 Best Practices Analyzer:

1. PowerShell V2.0 (Windows PowerShell 2.0 requires the Microsoft .NET Framework 2.0 with Service Pack 1)

2. Microsoft Baseline Configuration Analyzer V2.0

3. SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2

The following table outlines, by operating system, the prerequisite Microsoft utilities and components that must be on your server before installing and running SQL Server 2008 R2 BPA. Columns 4 to 6 are the "Configure PowerShell" steps (1).

| OS | 1. Install WinRM | 2. Install PowerShell 2.0 | 3. Install MBCA 2.0 | 4. Remoting | 5. Execution Level | 6. MaxShellsPerUser | 7. Install SQL 2008 or SQL 2008 R2 Management Tools |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Windows Vista | Y | Y | Y | Y | Y | Y | Y |
| Windows 7 | N | N | Y | Y | Y | Y | Y |
| Windows Server 2003 | Y | Y | Y | Y | Y | Y | Y |
| Windows Server 2003 R2 | Y | Y | Y | Y | Y | Y | Y |
| Windows Server 2008 | Y | Y | Y | Y | Y | Y | Y |
| Windows Server 2008 R2 | N | N | Y | Y | Y | Y | Y |

(1) These changes will be done from the installation routine of the BPA.

3 INSTALL

We recommend installing BPA on a workstation or administration server and performing the scan operation remotely against servers in your SQL Server infrastructure. It is also possible to install this tool locally on the production SQL Server.

Installation process:

1. Install/Configure PowerShell and WinRM
2. Microsoft Baseline Configuration Analyzer V2.0
3. Microsoft® SQL Server® 2008 R2 Best Practices Analyzer

There are two ways to install the Best Practices Analyzer:

- With a graphical user interface (setup wizard), or
- Command line

3.1 Installing PowerShell 2.0 and WinRM

BPA install configures WinRM and PowerShell options by default. Most of this section is only needed if something goes wrong and you need to configure this stuff by hand.

Windows Server 2003 R2

WinRM is not installed by default, but it is available as the Hardware Management feature through the Add/Remove System Components feature in the Control Panel, under Management and Monitoring Tools. Complete installation and information about configuring WinRM using the WINRM command-line tool is available online in the Hardware Management Introduction, which describes the WinRM and the IPMI features in Windows Server 2003 R2.

On Windows Vista, Windows Server 2003 and Windows Server 2008

This is installed as part of Windows Management Framework Core. The WinRM service starts automatically on Windows Server 2008. On Windows Vista, the service must be started manually.

On Windows Server 2008 R2 and Windows 7

This is installed as part of the OS.

Note: Check for additional information and configuration guidelines for WinRM and for PowerShell 2.0.

SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers. Therefore, in both the local and remote cases, your PowerShell settings must be modified. These changes are made by the BPA installation.

PowerShell Execution Policy

The PowerShell Execution Policy is set to Restricted by default. To run SQL Server 2008 R2 BPA through the PowerShell command line, set the policy to RemoteSigned using the command below:

Set-ExecutionPolicy RemoteSigned -f

You can use the command Set-ExecutionPolicy Restricted -f to set the execution policy back to Restricted. This command is not required when executing the scan through the MBCA GUI.

After the installation, you must enable PowerShell remote scripting if you want to use the BPA remotely against another workgroup machine or a computer that has Kerberos enabled. You need to run this command only once on each computer that will receive commands. You do not need to run it on computers that only send commands. Because the configuration activates listeners, it is prudent to run it only where it is needed. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Enable-PSRemoting -force

Enable-PSRemoting performs configuration actions to enable this machine for remote management. This includes:

1. Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:

- Starts the WinRM service.
- Sets the startup type on the WinRM service to Automatic.
- Creates a listener to accept requests on any IP address.
- Enables a firewall exception for WS-Management communications.
- Enables all registered Windows PowerShell session configurations to receive instructions from a remote computer.
- Registers the Microsoft.PowerShell session configuration, if it is not already registered.
- Registers the Microsoft.PowerShell32 session configuration on 64-bit computers, if it is not already registered.
- Removes the "Deny Everyone" setting from the security descriptor for all the registered session configurations.
- Restarts the WinRM service to make the preceding changes effective.

2. Configures MaxShellsPerUser using:

winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

Specifies the maximum number of concurrent shells that any user can remotely open on the same computer. If this policy setting is enabled, the user will not be able to open new remote shells if the count exceeds the specified limit. If this policy setting is disabled or is not configured, the limit will be set to 5 remote shells per user by default, and you receive the following error message:

[localhost] Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme…RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed

For more information about PowerShell remoting, please see MSDN.
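Because the BPA setup and Enable-PSRemoting change several machine-wide settings at once, it helps to review what is actually in place afterwards. The following read-only check is an added example, not part of the whitepaper or the BPA setup; it walks the items listed above (execution policy, WinRM service, listeners, MaxShellsPerUser, session configurations) and changes nothing. The wording of the findings is this example's own.

```powershell
# Added example: read-only review of the settings changed by the BPA setup
# and Enable-PSRemoting. Run in an elevated PowerShell 2.0 (or later) session.
$findings = @()

# 1. Execution policy. The whitepaper sets RemoteSigned for command-line scans.
$policy = Get-ExecutionPolicy
"Execution policy : $policy"
if ($policy -eq 'Unrestricted' -or $policy -eq 'Bypass') {
    $findings += "Execution policy is $policy; the BPA only needs RemoteSigned."
}

# 2. WinRM service state and startup type.
$svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
"WinRM service    : State=$($svc.State) StartMode=$($svc.StartMode)"

if ($svc.State -ne 'Running') {
    "WinRM is not running: no listener is active and the WSMan: drive cannot be read."
} else {
    # 3. Listeners. Each listener is a container whose children hold its settings.
    $listeners = @(Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $p = @{}
        Get-ChildItem $_.PSPath | ForEach-Object { $p[$_.Name] = $_.Value }
        New-Object PSObject -Property @{
            Listener  = $_.Name
            Address   = $p['Address']
            Transport = $p['Transport']
            Port      = $p['Port']
            Enabled   = $p['Enabled']
        }
    })
    $listeners | Format-Table Listener, Address, Transport, Port, Enabled -AutoSize

    foreach ($l in $listeners) {
        if ($l.Address -eq '*') {
            $findings += "$($l.Listener) accepts requests on any IP address " +
                         "($($l.Transport), port $($l.Port))."
        }
    }
    if (-not ($listeners | Where-Object { $_.Transport -eq 'HTTPS' })) {
        $findings += "No HTTPS listener: scans started with -UseSSL cannot connect here."
    }

    # 4. Per-user shell quota (the BPA setup raises it from 5 to 10).
    $maxShells = (Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
    "MaxShellsPerUser : $maxShells"

    # 5. Session configurations and who may use them.
    Get-PSSessionConfiguration | Format-Table Name, Permission -AutoSize
}

# 6. Summary of points to review.
if ($findings.Count -eq 0) {
    "No findings."
} else {
    "Findings:"
    $findings | ForEach-Object { "  - $_" }
}
```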

3.2 Install MBCA

Download the edition of MBCA depending on your platform (x86 or x64) before installation.

Please find below the screenshots demonstrating the visual flow of the MBCA Installation

Welcome screen

License terms

Folder selection

Completion screen

3.3 Install BPA

Download the correct edition depending on your platform (x86 or x64) before installing. If you have trouble with the installation, please see section 5.7, Troubleshooting Installation.

3.3.1 Command line

Following is an optimized command line setup example:

msiexec /i SQL2008R2BPA_Setup64.msi /l* c:\temp\sqlbpa_install.log /qn

msiexec parameters:

/i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform)

/l = log granularity; "*" - Log all information, except for v and x options

log = log file

/q = display settings (/qn - no user interface)

SKIPCA=1 (if no domain controller is available; Skip Certification Authority)

For information on additional public properties, consult the Windows® Installer SDK for documentation on the command line syntax.

3.3.2 GUI

Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA

Installation

Welcome screen

License terms

System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM)

Ready to install decision

Install progress

Completion screen

3.3.3 Port and Firewall restrictions

For scanning SQL Server or BI instances on an alternate server behind a firewall, you must open all necessary ports.

3.4 Updates

Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the Download site from Microsoft regularly to find new updates.

3.5 Uninstall

3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings

After the uninstall of the BPA, you may disable PowerShell remote scripting. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Disable-PSRemoting -force

Disable-PSRemoting performs configuration actions to disable this machine for remote management.

4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:

- Scanning through the local machine

  o In this case, you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.

  o This scan can be of the local or an alternate server.

- Scanning through a remote machine

  o In this case, MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.

  o This scan is using the local machine to form the connection to the remote machine, and is actually performing the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start -> All programs -> SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the Start menu with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters, as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:

- ComputerName
- IP address: n.n.n.n
- FQDN (Fully Qualified Domain Name)

Enter "", localhost, or leave this blank if you want to scan the local machine.

Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the check boxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to the SQL Server categories listed previously. Select at least one category in order to run a successful scan.

- Analyze_SQL_Analysis_Services
- Analyze_SQL_Server_Engine
- Analyze_SQL_Integration_Services
- Analyze_SQL_Server_Replication
- Analyze_SQL_Reporting_Services
- Analyze_SQL_Server_Setup

Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the page below while in progress.

7. When the scan is complete, results will be displayed grouped by Severity, as shown below.

Page 20

4.3 Connect to a remote computer

A scan connected to a remote computer is different from scanning an alternate server. "Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case, the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:

ComputerName

ComputerName:PortNumber

IP address: n.n.n.n

IPv6 address: [n:n:n:n:n:n:n:n]

IPv4 address with port number: n.n.n.n:PortNumber

IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session, type winrm help, and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. On Windows XP, Windows Server 2003 and earlier, CredSSP is not supported.

First, you must set CredSSP on both the client and the server.

Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".

Add the server or domain to the list of servers in the format "WSMAN/domainname.com".

Next, enable and configure PowerShell Remoting on both the Client and Server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

Enable PowerShell Remoting

o Enable-PSRemoting -Force

Settings for a client

o Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]

or

o Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]

Settings for the server

o Enable-WSManCredSSP -Role Server

o Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000

o Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20
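To confirm what the steps above changed on a machine, and to review which computers may receive delegated credentials, the following script reads the relevant WinRM and CredSSP settings. It is an added example, not part of the original paper; the function names are hypothetical and the sample target list is constructed.

```powershell
# Added example, not from the whitepaper. Function names are hypothetical.
# Run in an elevated PowerShell window on the client and on the server.

# Returns the delegation targets that match more than one named host.
function Select-BroadDelegationTarget {
    param([string[]]$Target)
    foreach ($t in $Target) {
        # A wildcard entry delegates fresh credentials to every host it matches.
        if ($t -and $t.Contains('*')) { $t }
    }
}

# Reads the WinRM settings touched by the steps in this section.
function Get-BpaRemotingState {
    $paths = @(
        'WSMan:\localhost\Client\Auth\CredSSP',
        'WSMan:\localhost\Service\Auth\CredSSP',
        'WSMan:\localhost\Client\TrustedHosts',
        'WSMan:\localhost\Shell\MaxMemoryPerShellMB',
        'WSMan:\localhost\Shell\MaxShellsPerUser'
    )
    foreach ($path in $paths) {
        $item  = Get-Item -Path $path -ErrorAction SilentlyContinue
        $value = '<not readable>'
        if ($item) { $value = $item.Value }
        New-Object PSObject -Property @{ Setting = $path; Value = $value }
    }
}

# Lists the servers configured under "Allow Delegating Fresh Credentials".
function Get-FreshCredentialTarget {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (-not (Test-Path $key)) { return }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        [string]$regKey.GetValue($name)
    }
}

# Constructed sample list: shows what the review flags without reading the registry.
$sampleTargets = 'WSMAN/sqlbpa01.contoso.example', 'WSMAN/*.contoso.example', 'WSMAN/*'
Select-BroadDelegationTarget -Target $sampleTargets

# Live check on this machine.
Get-BpaRemotingState | Format-Table Setting, Value -AutoSize
Get-WSManCredSSP
Select-BroadDelegationTarget -Target (Get-FreshCredentialTarget)

# After the scan, CredSSP delegation can be switched off again:
# Disable-WSManCredSSP -Role Client
# Disable-WSManCredSSP -Role Server
```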

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername `
    -SQL_Server_Instance_Name instancename `
    -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication `
    -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services `
    -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

Part of the result looks like this:

ModelId SQL2008R2BPA

SubModelId

Success True

ScanTime

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername

-SQL_Server_Instance_Name instancename

-Analyze_SQL_Server_Engine

-Analyze_SQL_Server_Replication

-Analyze_SQL_Server_Setup

-Analyze_SQL_Analysis_Services

-Analyze_SQL_Integration_Services

-Analyze_SQL_Reporting_Services

The parameter list is equal to the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices `
    -ComputerName servername -SqlServerInstance instance `
    -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername `
    -SqlServerInstance servername `
    -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() `
    -EngineLogFile c:\temp\engine.txt `
    -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = Get-MbcaModel -ModelId sql2008r2bpa

$scanResult = Get-MbcaResult -ModelId sql2008r2bpa

$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration

$model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA |
    Where-Object { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } |
    ConvertTo-Html -As Table `
        -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help `
        -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" `
        -Title "SQL Server 2008 Best Practice Analyzer" `
        -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() `
        -Pre "<P>Generated by user $env:username on computer $env:computername</P>" `
        -Post "For details contact Microsoft Premier" `
        -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>

$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration

$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening an archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
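The comparison of older and newer scans mentioned above can be scripted against two exported files. The following is an added example, not part of the original paper: the function names are hypothetical, the sample results (including their categories) are constructed, and it assumes the result objects expose the SubModelID, Category, Title and Severity properties that the report commands in this paper pass to ConvertTo-Html.

```powershell
# Added example, not from the whitepaper. Function names are hypothetical.

# Loads one export written as "$results, $collectedconfig | Export-CliXml <file>"
# and returns a hashtable of deviations (Warning or Error) keyed by rule.
function Get-BpaDeviation {
    param([Parameter(Mandatory = $true)][string]$Path)
    # The export holds two items: the result list and the collected configuration.
    $results, $null = Import-CliXml -Path $Path
    $deviations = @{}
    foreach ($r in @($results)) {
        if ($r.Severity -eq 'Warning' -or $r.Severity -eq 'Error') {
            $key = '{0}|{1}|{2}' -f $r.SubModelID, $r.Category, $r.Title
            $deviations[$key] = $r.Severity
        }
    }
    return $deviations
}

# Reports rules that are new, resolved, or changed in severity between two exports.
function Compare-BpaExport {
    param(
        [Parameter(Mandatory = $true)][string]$OlderPath,
        [Parameter(Mandatory = $true)][string]$NewerPath
    )
    $old = Get-BpaDeviation -Path $OlderPath
    $new = Get-BpaDeviation -Path $NewerPath
    foreach ($key in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        if (-not $old.ContainsKey($key))     { $change = 'New' }
        elseif (-not $new.ContainsKey($key)) { $change = 'Resolved' }
        elseif ($old[$key] -ne $new[$key])   { $change = 'SeverityChanged' }
        else                                 { continue }   # unchanged deviation
        $subModel, $category, $title = $key -split '\|', 3
        New-Object PSObject -Property @{
            Change = $change; SubModel = $subModel; Category = $category
            Title = $title; Before = $old[$key]; After = $new[$key]
        } | Select-Object Change, SubModel, Category, Title, Before, After
    }
}

# --- Constructed sample data, written in the same shape as the page's export ---
function New-SampleResult {
    param($SubModelID, $Category, $Title, $Severity)
    New-Object PSObject -Property @{
        SubModelID = $SubModelID; Category = $Category; Title = $Title; Severity = $Severity
    }
}

$older = @(
    (New-SampleResult 'Engine' 'Security' 'Guest Permissions' 'Warning'),
    (New-SampleResult 'Engine' 'Configuration' 'Databases have auto close option enabled' 'Error'),
    (New-SampleResult 'Engine' 'Security' 'Authentication Mode' 'Warning')
)
$newer = @(
    (New-SampleResult 'Engine' 'Security' 'Guest Permissions' 'Error'),
    (New-SampleResult 'Engine' 'Security' 'Authentication Mode' 'Warning'),
    (New-SampleResult 'AnalysisServices' 'Configuration' 'No Time dimension detected' 'Warning')
)

$olderFile = Join-Path ([IO.Path]::GetTempPath()) 'bpa_scan_older_sample.xml'
$newerFile = Join-Path ([IO.Path]::GetTempPath()) 'bpa_scan_newer_sample.xml'
$older, 'constructed-config-placeholder' | Export-CliXml -Path $olderFile
$newer, 'constructed-config-placeholder' | Export-CliXml -Path $newerFile

Compare-BpaExport -OlderPath $olderFile -NewerPath $newerFile | Format-Table -AutoSize

Remove-Item $olderFile, $newerFile
```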

4.4.4 Report Result Directory

The reporting result path

AppData\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check:

Copy-Item -Path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() `
    -Destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() `
    -Recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object Name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA `
    -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.Name).ToString() |
    ConvertTo-Html -As Table `
        -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help `
        -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" `
        -Title "SQL Server 2008 Best Practice Analyzer" `
        -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() `
        -Pre "<P>Generated by user $env:username on computer $env:computername</P>" `
        -Post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation

Timestamp finished rules start and end times

Run-time scripting errors and exceptions from PowerShell Traps

Log Files Location

For every scan, log files are created in the user's Local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated in the local system.

Log Files Structure

A common log file gets generated and contains information about each category's execution. Apart from this, each category has its own log file which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt
Engine Rules - EngineLog.txt
Replication Rules - ReplicationLog.txt
Setup Rules - SetupLog.txt
Analysis Services Rules - AnalysisServicesLog.txt
Reporting Services Rules - ReportingServicesLog.txt
Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 - The NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370

Both of the rules below will function properly if you apply this hotfix. For more information look here.

5.3 MBCA

This message indicates that one prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in result set of the analyzer report?

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB or less memory. This default limit is significantly small, and once this limit is reached there could be a WinRM exception, causing the remote connection to terminate immediately. Any application or cmdlet which is involved in PowerShell remoting should be tested for this memory limit; it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limitation to 1000MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should check first if the Hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started:

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is "Access Denied".

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.

2. Change to the directory where the msi file resides.

3. Type msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, you are failing with the above error due to a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the Machine Account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS Web Application such as SharePoint, or if you are using Reporting Services and the service account is set to a Domain User account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a Host Header; then your HTTP SPN would not include the machine name, allowing BPA to run without issue.
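Before installing or scanning, you can check whether the condition described in this section exists: an HTTP SPN for the machine name that is registered on an account other than the machine account. The following is an added example, not part of the original paper; the function names are hypothetical, the sample accounts are constructed, and the live lookup assumes a domain-joined machine.

```powershell
# Added example, not from the whitepaper. Function names are hypothetical.

# Given accounts and their SPNs, returns HTTP SPNs for the machine name that
# are registered on an account other than the machine account.
function Find-HttpSpnConflict {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [object[]]$Account   # objects with SamAccountName and ServicePrincipalName
    )
    $machineAccount = $ComputerName + '$'
    # Matches HTTP/NAME, HTTP/NAME.domain and HTTP/NAME:port, but not HTTP/NAME2.
    $pattern = '^HTTP/' + [regex]::Escape($ComputerName) + '(\.|:|$)'
    foreach ($a in $Account) {
        if ($a.SamAccountName -eq $machineAccount) { continue }
        foreach ($spn in $a.ServicePrincipalName) {
            if ($spn -match $pattern) {
                New-Object PSObject -Property @{
                    SamAccountName = $a.SamAccountName
                    ConflictingSpn = $spn
                }
            }
        }
    }
}

# Live lookup: accounts in the current domain that hold an HTTP SPN starting
# with this computer name.
function Get-HttpSpnAccount {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $searcher = [adsisearcher]"(servicePrincipalName=HTTP/$ComputerName*)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    [void]$searcher.PropertiesToLoad.Add('serviceprincipalname')
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            SamAccountName       = [string]$r.Properties['samaccountname'][0]
            ServicePrincipalName = @($r.Properties['serviceprincipalname'])
        }
    }
}

# --- Constructed sample: a machine account and two service accounts ---
$sampleAccounts = @(
    (New-Object PSObject -Property @{
        SamAccountName       = 'SQLBPA01$'
        ServicePrincipalName = @('HOST/SQLBPA01', 'HOST/sqlbpa01.contoso.example')
    }),
    (New-Object PSObject -Property @{
        SamAccountName       = 'svc_reporting'
        ServicePrincipalName = @('HTTP/SQLBPA01', 'HTTP/sqlbpa01.contoso.example')
    }),
    (New-Object PSObject -Property @{
        SamAccountName       = 'svc_portal'
        ServicePrincipalName = @('HTTP/SQLBPA012.contoso.example')
    })
)

Find-HttpSpnConflict -ComputerName 'SQLBPA01' -Account $sampleAccounts |
    Format-Table SamAccountName, ConflictingSpn -AutoSize

# On a domain-joined machine, check the real directory instead:
# Find-HttpSpnConflict -ComputerName $env:COMPUTERNAME -Account (Get-HttpSpnAccount)
```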


6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals:

Here is an example of one of these articles that talks about a rule to check for a recent "clean" CHECKDB:

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level | Description

Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant | Compliant results are returned when a role satisfies the conditions of a rule.

Warning | Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name | Description

Security | Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance | Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.

Postdeployment | Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.

BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114
Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154
Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875
Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448
Databases using simple recovery model http://support.microsoft.com/kb/2137539
User database collation different from model http://support.microsoft.com/kb/2026108
Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537
Databases have auto close option enabled http://support.microsoft.com/kb/2160685
LSI SAS drivers needs update http://support.microsoft.com/kb/2121098
SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845
SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447
Invalid startup parameters http://support.microsoft.com/kb/2028433
MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550
sql incorrect results fix missing http://support.microsoft.com/kb/971780
File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002
linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US
Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098
default extended event health session not in expected state http://support.microsoft.com/kb/2160570
TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483
FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720
Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720
A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606

Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324
Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589
Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345
backups outdated for databases http://support.microsoft.com/kb/2027537
Database consistency check not current http://support.microsoft.com/kb/2033590
SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US
Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024
Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098
Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098
SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US
Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098
Agent Token Replacement http://support.microsoft.com/kb/2202637
Auditing Log in failures http://support.microsoft.com/kb/2187161
Databases with high number of VLF present http://support.microsoft.com/kb/2028436
Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900
Permission on the Binn folder http://support.microsoft.com/kb/2029023
Index Statistics Are Outdated
Server public permissions http://support.microsoft.com/kb/2160698
Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005
Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474
Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031
Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472
Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497
Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855
Server is running a build with a known regression http://support.microsoft.com/kb/2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754
Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761
No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769
UnknownMember set to hidden http://support.microsoft.com/kb/2027628
Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138
Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742
Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299
An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418
Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443
Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327
Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459
Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460
Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468
Redundant attribute relationships detected http://support.microsoft.com/kb/2127437
Diamond-shape relationship detected http://support.microsoft.com/kb/2127570
Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862
Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541
No Time dimension detected http://support.microsoft.com/kb/2027532
More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431
Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918
Single attribute dimensions detected http://support.microsoft.com/kb/2141654
Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112
Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506
HTTP Logging is not enabled http://support.microsoft.com/kb/2145909
Verbose logging is enabled http://support.microsoft.com/kb/2146315
NTLM authentication may fail for local http://support.microsoft.com/kb/2146369
Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723
ActiveX Script task detected in package http://support.microsoft.com/kb/2027712
Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684
Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706
Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909
WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198
Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349
Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386
Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410
Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498
Merge Replication Health Check http://support.microsoft.com/kb/2118445
Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483
Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485
Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

- SAP has its special Network Packet Size of 8 KB

- Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support – and the final solution – adding a needed trace flag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:

Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id, for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath CReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


Page 10: SQL2008R2 BPA Whitepaper v10


2 SYSTEM REQUIREMENTS

SQL Server 2008 R2 Best Practices Advisor is supported on the following operating systems:

1. Windows Vista
2. Windows 7
3. Windows Server 2003
4. Windows Server 2003 R2
5. Windows Server 2008
6. Windows Server 2008 R2

Supported editions of SQL Server:

1. SQL Server 2008, all editions except Express
2. SQL Server 2008 R2, all editions except Express

Supported components of SQL Server:

1. Analysis Services
2. Database Engine
3. Integration Services
4. Reporting Services
5. Replication
6. Setup

These components are designed as Submodels for the BPA. This means that they will be run concurrently where possible.

2.1 Required Permissions for Running SQL Server 2008 R2 BPA

Administration Privileges

To run MBCA v2.0, a user must be a member of the administrators group on the machine being scanned and on the machine the scan is initiated from. If a user is not an administrator on the machine that is being scanned, an appropriate error message displays.

SQL Server

To successfully access all of the database properties and SQL Server configurations, a user must be a Systems Administrator (sysadmin) on the instance of SQL Server.

Analysis Services

The user or the administrators group must be a member of the server administrator role within an instance of Microsoft SQL Server Analysis Services, which has unrestricted access to all Analysis Services objects and data in that instance.

http://msdn.microsoft.com/en-us/library/ms174561.aspx

Integration Services

The user or the administrators group must be a member of the sysadmin or db_ssisadmin roles.

http://msdn.microsoft.com/en-us/library/ms141053.aspx

Reporting Services

The user or the administrators group must be a member of the System Administrator and Content Manager roles.

2.2 Prerequisites

The following are required for using SQL Server 2008 R2 Best Practices Analyzer:

1. PowerShell V2.0
   Windows PowerShell 2.0 requires the Microsoft .NET Framework 2.0 with Service Pack 1.
2. Microsoft Baseline Configuration Analyzer V2.0
3. SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2

The following table outlines the prerequisite Microsoft utilities and components, by operating system, that must be on your server before you install and run SQL Server 2008 R2 BPA. Steps 4 to 6 are the "Configure PowerShell" steps [1].

OS                      1. Install WinRM   2. Install PowerShell 2.0   3. Install MBCA 2.0   4. Remoting   5. Execution Level   6. MaxShellsPerUser   7. Install SQL 2008 or SQL 2008 R2 Management Tools
Win Vista               Y                  Y                           Y                     Y             Y                    Y                     Y
Windows 7               N                  N                           Y                     Y             Y                    Y                     Y
Windows Server 2003     Y                  Y                           Y                     Y             Y                    Y                     Y
Windows Server 2003 R2  Y                  Y                           Y                     Y             Y                    Y                     Y
Windows Server 2008     Y                  Y                           Y                     Y             Y                    Y                     Y
Windows Server 2008 R2  N                  N                           Y                     Y             Y                    Y                     Y

[1] These changes are made by the installation routine of the BPA.

3 INSTALL

We recommend installing BPA on a workstation or administration server and performing the scan operation remotely against servers in your SQL Server infrastructure. It is also possible to install this tool locally on the production SQL Server.

Installation process:

1. Install/Configure PowerShell and WinRM
2. Microsoft Baseline Configuration Analyzer V2.0
3. Microsoft® SQL Server® 2008 R2 Best Practices Analyzer

There are two ways to install the Best Practices Analyzer:

- With a graphical user interface (setup wizard), or
- Command line

3.1 Installing PowerShell 2.0 and WinRM

The BPA install configures WinRM and PowerShell options by default. Most of this section is only needed if something goes wrong and you need to configure these settings by hand.

Windows Server 2003 R2

WinRM is not installed by default, but it is available as the Hardware Management feature through the Add/Remove System Components feature in the Control Panel under Management and Monitoring Tools. Complete installation and information about configuring WinRM using the WINRM command-line tool is available online in the Hardware Management Introduction, which describes the WinRM and the IPMI features in Windows Server 2003 R2.

On Windows Vista, Windows Server 2003, and Windows Server 2008

This is installed as part of Windows Management Framework Core. The WinRM service starts automatically on Windows Server 2008. On Windows Vista, the service must be started manually.

On Windows Server 2008 R2 and Windows 7

This is installed as part of the OS.

Note: Check for additional information and configuration guidelines for WinRM and for PowerShell 2.0.

SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers. Therefore, in both the local and remote cases, it is required that your PowerShell settings be modified. These modifications are made by the BPA installation.

PowerShell Execution Policy

The PowerShell Execution Policy is set to Restricted by default. To run SQL Server 2008 R2 BPA through the PowerShell command line, set the policy to RemoteSigned using the command below:

    Set-ExecutionPolicy RemoteSigned -f

You can use the command Set-ExecutionPolicy Restricted -f to set the execution policy back to Restricted. This command is not required when executing the scan through the MBCA GUI.

After the installation, you must enable PowerShell remote scripting if you want to use the BPA remotely against another workgroup machine or a computer that has Kerberos enabled. You need to run this command only once on each computer that will receive commands. You do not need to run it on computers that only send commands. Because the configuration activates listeners, it is prudent to run it only where it is needed. You can do this with the following command line:

    powershell.exe -NoLogo -NoProfile -Noninteractive -Command Enable-PSRemoting -force

Enable-PSRemoting performs configuration actions to enable this machine for remote management. This includes:

1. Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:
   - Starts the WinRM service.
   - Sets the startup type on the WinRM service to Automatic.
   - Creates a listener to accept requests on any IP address.
   - Enables a firewall exception for WS-Management communications.
   - Enables all registered Windows PowerShell session configurations to receive instructions from a remote computer.
   - Registers the "Microsoft.PowerShell" session configuration, if it is not already registered.
   - Registers the "Microsoft.PowerShell32" session configuration on 64-bit computers, if it is not already registered.
   - Removes the "Deny Everyone" setting from the security descriptor for all the registered session configurations.
   - Restarts the WinRM service to make the preceding changes effective.

2. Configures MaxShellsPerUser using:

    winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

   This specifies the maximum number of concurrent shells that any user can remotely open on the same computer. If this policy setting is enabled, the user will not be able to open new remote shells if the count exceeds the specified limit. If this policy setting is disabled or is not configured, the limit will be set to 5 remote shells per user by default, and you receive the following error message when that limit is exceeded:

    [localhost] Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
        + FullyQualifiedErrorId : PSSessionOpenFailed

For more information about PowerShell remoting, please see MSDN.

3.2 Install MBCA

Download the edition of MBCA that matches your platform (x86 or x64) before installation.

Please find below the screenshots demonstrating the visual flow of the MBCA installation:

- Welcome screen
- License terms
- Folder selection
- Completion screen

3.3 Install BPA

Download the correct edition for your platform (x86 or x64) before installing. If you have trouble with the installation, please see section 5.7, Troubleshooting Installation.

3.3.1 Command line

Following is an optimized command-line setup example:

    msiexec /i SQL2008R2BPA_Setup64.msi /l* c:\temp\sqlbpa_install.log /qn

msiexec parameters:

    /i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform)
    /l = log granularity ("*" - log all information except for the v and x options)
    log = log file
    /q = display settings (/qn - no user interface)
    SKIPCA=1 (if no domain controller is available: skip Certification Authority)

For information on additional public properties, consult the Windows® Installer SDK for documentation on the command-line syntax.

3.3.2 GUI

Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA installation:

- Welcome screen
- License terms
- System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM)
- Ready to install decision
- Install progress
- Completion screen

3.3.3 Port and Firewall restrictions

For scanning SQL Server or BI instances on an alternate server behind a firewall, you must open all necessary ports.

3.4 Updates

Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the Download site from Microsoft regularly to find new updates.

3.5 Uninstall

3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings

After the uninstall of the BPA, you may disable PowerShell remote scripting. You can do this with the following command line:

    powershell.exe -NoLogo -NoProfile -Noninteractive -Command Disable-PSRemoting -force

Disable-PSRemoting performs configuration actions to enable this machine for remote management.

4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:

- Scanning through the local machine
  o In this case, you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.
  o This scan can be of the local or an alternate server.
- Scanning through a remote machine
  o In this case, MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.
  o This scan is using the local machine to form the connection to the remote machine and is actually performing the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start -> All Programs -> SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the Start menu with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters, as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:
   - ComputerName
   - IP address: n.n.n.n
   - FQDN (Fully Qualified Domain Name)
   Enter ".", localhost, or leave this blank if you want to scan the local machine.

   Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the checkboxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to one of the SQL Server categories listed previously. Select at least one category in order to run a successful scan.
   - Analyze_SQL_Analysis_Services
   - Analyze_SQL_Server_Engine
   - Analyze_SQL_Integration_Services
   - Analyze_SQL_Server_Replication
   - Analyze_SQL_Reporting_Services
   - Analyze_SQL_Server_Setup

   Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the page below while in progress.

7. When the scan is complete, results will be displayed grouped by Severity, as shown below.

4.3 Connect to a remote computer

A scan connected to a remote computer is different from scanning an alternate server. "Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server using the BPA installed on the server. In this case, the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:
   - ComputerName
   - ComputerName:PortNumber
   - IP address: n.n.n.n
   - IPv6 address: [n:n:n:n:n:n:n:n]
   - IPv4 address with port number: n.n.n.n:PortNumber
   - IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

   Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session, type winrm help, and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

   Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

   CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

   Note: WinRM clients and servers support CredSSP authentication only with explicit credentials. On Windows XP, Windows Server 2003, and earlier, CredSSP is not supported.

   First, you must set CredSSP on both the client and the server:
   - Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".
   - Add the server or domain to the list of servers in the format "WSMAN/domainname.com".

   Next, enable and configure PowerShell Remoting on both the client and server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

   Enable PowerShell Remoting:

    Enable-PSRemoting -f

   Settings for a client:

    Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]

   or

    Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]

   Settings for the server:

    Enable-WSManCredSSP -Role Server
    Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000
    Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20
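The following review script is an added example, not part of the whitepaper or of BPA. It checks a host for the remoting settings that sections 3.1 and 4.3 change, using the values this paper quotes as reference points. The function names and hashtable keys are hypothetical; the sample input is constructed.

```powershell
# Added example: review the WinRM / PowerShell settings changed in sections 3.1 and 4.3.
# Function names and hashtable keys are hypothetical; reference values come from the paper.

function Test-BpaRemotingPosture {
    param([Parameter(Mandatory = $true)][hashtable]$Settings)

    $findings = @()

    # Paper: the default policy is Restricted; command-line scans need RemoteSigned.
    if (@('Restricted', 'AllSigned', 'RemoteSigned') -notcontains $Settings.ExecutionPolicy) {
        $findings += "ExecutionPolicy '$($Settings.ExecutionPolicy)' is looser than RemoteSigned"
    }
    # Paper: Set-WSManQuickConfig creates a listener that accepts requests on any IP address.
    if ($Settings.WinRMRunning -and $Settings.ListenerOnAnyAddress) {
        $findings += 'WinRM is running with a listener on every IP address'
    }
    # Paper: default is 5, BPA setup sets 10, the CredSSP walkthrough sets 20.
    if ($Settings.MaxShellsPerUser -gt 10) {
        $findings += "MaxShellsPerUser is $($Settings.MaxShellsPerUser) (BPA setup sets 10)"
    }
    # Paper: default is 150 MB, section 5.5 raises it to 1000, section 4.3 to 20000.
    if ($Settings.MaxMemoryPerShellMB -gt 1000) {
        $findings += "MaxMemoryPerShellMB is $($Settings.MaxMemoryPerShellMB) (section 5.5 uses 1000)"
    }
    # Paper: CredSSP delegates the user's credentials from the client to the target server.
    if ($Settings.CredSSPServer) {
        $findings += 'CredSSP server role is enabled: this host accepts delegated credentials'
    }
    # WinRM message quoted in section 5.7.3: TrustedHosts entries might not be authenticated.
    if ($Settings.TrustedHosts) {
        $findings += "TrustedHosts is set to '$($Settings.TrustedHosts)'"
    }
    return $findings
}

function Get-BpaRemotingSettings {
    # Live collection; run elevated. The WSMan: drive is readable only while WinRM runs.
    $s = @{
        ExecutionPolicy = [string](Get-ExecutionPolicy)
        WinRMRunning    = ((Get-Service -Name WinRM).Status -eq 'Running')
    }
    if ($s.WinRMRunning) {
        $listeners = @(Get-ChildItem WSMan:\localhost\Listener)
        $s.ListenerOnAnyAddress = [bool]($listeners | Where-Object { $_.Keys -contains 'Address=*' })
        $s.MaxShellsPerUser     = [int](Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
        $s.MaxMemoryPerShellMB  = [int](Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
        $s.CredSSPServer        = ((Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value -eq 'true')
        $s.TrustedHosts         = [string](Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    }
    return $s
}

# Constructed sample: a host left in the state that section 4.3 configures.
$sample = @{
    ExecutionPolicy      = 'Unrestricted'
    WinRMRunning         = $true
    ListenerOnAnyAddress = $true
    MaxShellsPerUser     = 20
    MaxMemoryPerShellMB  = 20000
    CredSSPServer        = $true
    TrustedHosts         = ''
}
Test-BpaRemotingPosture -Settings $sample

# On a real host: Test-BpaRemotingPosture -Settings (Get-BpaRemotingSettings)
```

Running it again after the uninstall step in 3.5.3 shows what remains: Disable-PSRemoting blocks remote access to the session configurations but does not stop the WinRM service or delete the listener.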

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

    Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

    $x = Get-Module BaselineConfigurationAnalyzer
    $x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

    Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

The result looks like this:

    ModelId    : SQL2008R2BPA
    SubModelId :
    Success    : True
    ScanTime   :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

    -Alternate_Server_to_scan servername
    -SQL_Server_Instance_Name instancename
    -Analyze_SQL_Server_Engine
    -Analyze_SQL_Server_Replication
    -Analyze_SQL_Server_Setup
    -Analyze_SQL_Analysis_Services
    -Analyze_SQL_Integration_Services
    -Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

    Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

    Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

    $model = Get-MBCAModel -ModelId sql2008r2bpa
    $scanResult = Get-MBCAResult -ModelId sql2008r2bpa
    $collectedConfig = Get-MBCAResult -ModelId sql2008r2bpa -CollectedConfiguration
    $model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

    Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

    Get-MBCAResult -ModelId SQL2008R2BPA | Where-Object { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -pre "<P>Generated by user $env:username on computer $env:computername</P>" -post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

    $results = Get-MBCAResult <Model Id>
    $collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration
    $results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening an archived XML report file:

    $loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
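The comparison of an older scan with a newer one that this section describes can be scripted. The block below is an added example, not code from the whitepaper or from MBCA; Compare-BpaScan and its helpers are hypothetical names, the sample results are constructed, and it assumes that SubModelID together with Title identifies the same rule in both scans.

```powershell
# Added example: diff two result sets, for instance two exports loaded with Import-CliXml.
# Assumption: SubModelID plus Title identifies the same rule in both scans.

function New-BpaChange {
    param([string]$Change, $Result, $Was, $Now)
    New-Object PSObject -Property @{
        Change = $Change; SubModelID = $Result.SubModelID; Title = $Result.Title
        Was = $Was; Now = $Now
    } | Select-Object Change, SubModelID, Title, Was, Now
}

function Compare-BpaScan {
    param([object[]]$Previous, [object[]]$Current)

    # Index the older scan by rule key.
    $old = @{}
    foreach ($r in $Previous) { $old["$($r.SubModelID)|$($r.Title)"] = $r }

    $seen = @{}
    foreach ($r in $Current) {
        $key = "$($r.SubModelID)|$($r.Title)"
        $seen[$key] = $true
        if (-not $old.ContainsKey($key)) {
            # Finding that the older scan did not report.
            New-BpaChange -Change 'New' -Result $r -Was $null -Now $r.Severity
        }
        elseif ($old[$key].Severity -ne $r.Severity) {
            $before = $old[$key].Severity
            New-BpaChange -Change 'SeverityChanged' -Result $r -Was $before -Now $r.Severity
        }
    }
    # Findings present before but absent now (fixed, or no longer part of the result set).
    foreach ($key in $old.Keys) {
        if (-not $seen.ContainsKey($key)) {
            $gone = $old[$key]
            New-BpaChange -Change 'NoLongerReported' -Result $gone -Was $gone.Severity -Now $null
        }
    }
}

# Constructed sample results carrying only the properties the comparison reads.
function New-SampleResult {
    param($SubModelID, $Severity, $Title)
    New-Object PSObject -Property @{ SubModelID = $SubModelID; Severity = $Severity; Title = $Title }
}

$previous = @(
    (New-SampleResult 'Engine' 'Warning' 'Constructed rule: no recent clean CHECKDB'),
    (New-SampleResult 'Engine' 'Error'   'Constructed rule: login policy not enforced')
)
$current = @(
    (New-SampleResult 'Engine' 'Error'   'Constructed rule: no recent clean CHECKDB'),
    (New-SampleResult 'Setup'  'Warning' 'Constructed rule: service account privileges')
)

Compare-BpaScan -Previous $previous -Current $current | Format-Table -AutoSize

# With real exports, pass the first element returned by Import-CliXml for each file.
```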

4.4.4 Report Result Directory

The reporting result path

    AppData\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

is overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check.

    Copy-Item -Path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -Destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() -Recurse

Afterwards, you can create a report with the following command:

    $prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object Name -Descending)[0]

    Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.Name).ToString() | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -pre "<P>Generated by user $env:username on computer $env:computername</P>" -post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

- Pre-requisite validation
- Timestamp, finished rules, start and end times
- Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user's local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file is generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt
Engine Rules - EngineLog.txt
Replication Rules - ReplicationLog.txt
Setup Rules - SetupLog.txt
Analysis Services Rules - AnalysisServicesLog.txt
Reporting Services Rules - ReportingServicesLog.txt
Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 – NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 – the NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370.

Both of the rules will function properly if you apply this hotfix. For more information, look here.

5.3 MBCA

This message indicates that a prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in result set of the analyzer report

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

    Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should first check whether the hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started:

    Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the prerequisites for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

    Log Name:      Application
    Source:        MsiInstaller
    Date:          6/10/2010 8:38:18 AM
    Event ID:      11722
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          <Username>
    Computer:      <Machine name>
    Description:
    Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

    powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the installer is "Access Denied". To work around this issue, you can do the following:

1. Open a command prompt with administrative privileges.
2. Change to the directory where the msi file resides.
3. Type msiexec /i <MSI Name> SKIPCA=1
4. MSI Name will be either SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.
5. Once BPA is installed, open a PowerShell prompt with administrative privileges.
6. Execute the following commands:
   a. Enable-PSRemoting
   b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails with the above error because of a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS web application such as SharePoint, or if you are using Reporting Services and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in: WinRM will stop working at that point and give you a message similar to the following:

    Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
    Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
    After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
      -For more information about WinRM configuration, run the following command: winrm help config.
    At line:50 char:33
    + Set-WSManQuickConfig <<<<  -force
        + CategoryInfo          : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
        + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a domain account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a host header; then your HTTP SPN would not include the machine name, allowing BPA to run without issue.
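Before removing any SPN, it helps to confirm that the condition described above actually exists. The check below is an added example, not part of the whitepaper or of BPA: it reports HTTP SPNs that carry the machine's own name but are registered on an account other than the machine account. The function names, the domain contoso.example and the sample accounts are hypothetical and constructed.

```powershell
# Added example: detect the HTTP SPN condition described in section 5.7.3.
# Function names are hypothetical; the sample data at the bottom is constructed.

function Find-HttpSpnConflict {
    param(
        [string]$ComputerName,
        [string]$DnsDomain,
        [object[]]$SpnOwners      # objects with SamAccountName and Spn properties
    )

    # WinRM relies on the HOST SPN of the machine account (COMPUTERNAME$).
    $machineAccount = $ComputerName + '$'

    # Host names under which an HTTP SPN would collide with the machine name.
    $hostNames = @($ComputerName)
    if ($DnsDomain) { $hostNames += "$ComputerName.$DnsDomain" }

    foreach ($owner in $SpnOwners) {
        # Accept HTTP/host and HTTP/host:port; ignore every other service class.
        if ($owner.Spn -match '^HTTP/([^:/]+)(:\d+)?$') {
            $spnHost = $Matches[1]
            if (($hostNames -contains $spnHost) -and ($owner.SamAccountName -ne $machineAccount)) {
                $owner
            }
        }
    }
}

function Get-HttpSpnOwner {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Live lookup; needs a domain-joined machine. The trailing * also returns the
    # FQDN and port forms, which Find-HttpSpnConflict then matches exactly.
    $searcher = [adsisearcher]"(servicePrincipalName=HTTP/$ComputerName*)"
    foreach ($result in $searcher.FindAll()) {
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            New-Object PSObject -Property @{
                SamAccountName = [string]$result.Properties['samaccountname'][0]
                Spn            = [string]$spn
            }
        }
    }
}

# Constructed sample: SRV01 hosts Reporting Services under a domain user account.
function New-SampleOwner {
    param($SamAccountName, $Spn)
    New-Object PSObject -Property @{ SamAccountName = $SamAccountName; Spn = $Spn }
}

$owners = @(
    (New-SampleOwner 'svc_ssrs' 'HTTP/SRV01'),                       # conflict: machine name, user account
    (New-SampleOwner 'svc_ssrs' 'HTTP/srv01.contoso.example:80'),    # conflict: FQDN with port
    (New-SampleOwner 'svc_web'  'HTTP/portal.contoso.example'),      # host header, no conflict
    (New-SampleOwner 'SRV01$'   'HOST/SRV01')                        # machine account, not an HTTP SPN
)

Find-HttpSpnConflict -ComputerName 'SRV01' -DnsDomain 'contoso.example' -SpnOwners $owners |
    Select-Object SamAccountName, Spn

# On a real host:
#   Find-HttpSpnConflict -ComputerName $env:COMPUTERNAME -DnsDomain $env:USERDNSDOMAIN -SpnOwners (Get-HttpSpnOwner)
```

An empty result means the WinRM failure has another cause from the list in the error message; a non-empty result names the account that holds the colliding SPN.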

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals:

Here is an example of one of these articles that talks about a rule to check for a recent "clean" CHECKDB:

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level | Description

Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant | Compliant results are returned when a role satisfies the conditions of a rule.

Warning | Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name | Description

Security | Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance | Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before the role is used in production.

Postdeployment | Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.

BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient, and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC/BDC (http://support.microsoft.com/kb/2032911)

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)
Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)
Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)
Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)
Databases using simple recovery model (http://support.microsoft.com/kb/2137539)
User database collation different from model (http://support.microsoft.com/kb/2026108)
Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)
Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)
LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)
SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)
SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)
Invalid startup parameters (http://support.microsoft.com/kb/2028433)
MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)
sql incorrect results fix missing (http://support.microsoft.com/kb/971780)
File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)
linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)
Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)
default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)
TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)
FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)
Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)
A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)

Significant Portion of SQL Server Memory Has Been Paged Out (http://support.microsoft.com/kb/2028324)
Server Exception or Hang Detected on Server (http://support.microsoft.com/kb/2028589)
Databases exist without CHECKSUM protection (http://support.microsoft.com/kb/2078345)
backups outdated for databases (http://support.microsoft.com/kb/2027537)
Database consistency check not current (http://support.microsoft.com/kb/2033590)
SQL Server Memory settings are incorrect (http://support.microsoft.com/KB/918483/EN-US)
Autogrow Failed or took a long time (http://support.microsoft.com/kb/2091024)
Storport driver fix from KBA 940467 missing (http://support.microsoft.com/kb/2121098)
Storport driver fix from KBA 950903 missing (http://support.microsoft.com/kb/2121098)
SQLCLR needs additional memory configuration (http://support.microsoft.com/kb/969962/EN-US)
Operating System files and drivers needs update for working set trimming (http://support.microsoft.com/kb/2121098)
Agent Token Replacement (http://support.microsoft.com/kb/2202637)
Auditing Log in failures (http://support.microsoft.com/kb/2187161)
Databases with high number of VLF present (http://support.microsoft.com/kb/2028436)
Transparent Data Encryption Certificate (http://support.microsoft.com/kb/2201900)
Permission on the Binn folder (http://support.microsoft.com/kb/2029023)
Index Statistics Are Outdated
Server public permissions (http://support.microsoft.com/kb/2160698)
Detected use of older versions of SQLNCLI (http://support.microsoft.com/kb/979779)

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services (http://support.microsoft.com/kb/2128005)
Excessive amount of memory preallocated to Analysis Services (http://support.microsoft.com/kb/2027474)
Server not configured for optimal concurrent query throughput (http://support.microsoft.com/kb/2135031)
Non standard value detected for Analysis Services memory configuration (http://support.microsoft.com/kb/2027472)
Process Thread Pool Max limit above recommended limit (http://support.microsoft.com/kb/2134497)
Process Thread Pool Minimum is below the recommended limit (http://support.microsoft.com/kb/2134855)
Server is running a build with a known regression (http://support.microsoft.com/kb/2157941)
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur (http://support.microsoft.com/kb/2027754)
Server is ignoring duplicate key errors (http://support.microsoft.com/kb/2027761)
No default member defined for non-aggregatable attribute (http://support.microsoft.com/kb/2027769)
UnknownMember set to hidden (http://support.microsoft.com/kb/2027628)
Non-numeric key column for high cardinality attribute (http://support.microsoft.com/kb/2028138)
Attribute hierarchy enabled for high cardinality non-key attribute (http://support.microsoft.com/kb/2028143)
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected (http://support.microsoft.com/kb/2132742)

Account or Time attribute types defined in a non-matching dimension type (http://support.microsoft.com/kb/2157299)
An Account or Time dimension has no matching attribute defined (http://support.microsoft.com/kb/2027418)
Dimension has no attribute defined with the same type (http://support.microsoft.com/kb/2027443)
Attribute Dimension type mismatch (http://support.microsoft.com/kb/2157327)
Mismatched dimension attribute types detected in dimension (http://support.microsoft.com/kb/2027459)
Possible incorrect order of levels defined in hierarchy (http://support.microsoft.com/kb/2027460)
Define attribute relationships as Rigid where possible (http://support.microsoft.com/kb/2027468)
Redundant attribute relationships detected (http://support.microsoft.com/kb/2127437)
Diamond-shape relationship detected (http://support.microsoft.com/kb/2127570)
Non-Standard Attribute Relationship name detected (http://support.microsoft.com/kb/2127862)
Proactive Caching set for dimension without a processing query (http://support.microsoft.com/kb/2027541)
No Time dimension detected (http://support.microsoft.com/kb/2027532)
More than 3 parent-child dimensions with custom rollups defined (http://support.microsoft.com/kb/2134431)
Encountered a parent-child dimension with more than 500000 members (http://support.microsoft.com/kb/2131918)
Single attribute dimensions detected (http://support.microsoft.com/kb/2141654)
Measure groups with zero dimensional overlap detected in cube (http://support.microsoft.com/kb/2027609)
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective (http://support.microsoft.com/kb/2027603)
Use MOLAP storage for dimensions that participate in semi-additive measure groups (http://support.microsoft.com/kb/2135112)
Measure group defined with no partition (http://support.microsoft.com/kb/2027545)

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration (http://support.microsoft.com/kb/2145506)
HTTP Logging is not enabled (http://support.microsoft.com/kb/2145909)
Verbose logging is enabled (http://support.microsoft.com/kb/2146315)
NTLM authentication may fail for local (http://support.microsoft.com/kb/2146369)
Missing extended protection settings (http://support.microsoft.com/kb/2146062)

6.4 IS Rules

Logging task missing for package (http://support.microsoft.com/kb/2027723)
ActiveX Script task detected in package (http://support.microsoft.com/kb/2027712)
Unrecommended Integration Services service account detected (http://support.microsoft.com/kb/2027684)
Integration Services logging table found in system database master and/or msdb (http://support.microsoft.com/kb/2027706)
Integration Services memory dump detected (http://support.microsoft.com/kb/2027727)

6.5 Setup Rules

Unsupported Operating System Version Detected (http://support.microsoft.com/kb/2022909)
WOW64 not supported for SQL Failover Clustering (http://support.microsoft.com/kb/2157198)
Installer cache is missing for the SQL Installation (http://support.microsoft.com/kb/2015100)
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type (http://support.microsoft.com/kb/2118349)
Replication Pub and Sub out of sync (Data Validation) (http://support.microsoft.com/kb/2118386)
Replication Pub and Sub out of sync (Constraint Violations) (http://support.microsoft.com/kb/2118410)
Replication Pub and Sub out of sync (Skipped Transactions) (http://support.microsoft.com/kb/2194498)
Merge Replication Health Check (http://support.microsoft.com/kb/2118445)
Subscriptions Approaching Expiration (http://go.microsoft.com/fwlink/?LinkId=184483)
Replication Cleanup and Retention Health Check (http://support.microsoft.com/kb/2118485)
Replication Latency Threshold violations (http://support.microsoft.com/kb/2118425)

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB.
Existing non-Microsoft clients would require Mixed Mode Authentication.

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences, namely the involvement of Microsoft Support, and the final solution: adding a needed trace flag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest.
2. Dynamic parameters that are included with the model.
3. Submodels that are included with the model.

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or "localhost".

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration. Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights (that is, Run as Administrator).

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or "localhost". Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include "localhost", a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the -ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results.
2. Attempting to get MBCA results for Model Id = {0}.
3. Completed getting MBCA results for Model Id = {0}. Number of Results = {1}.

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data.
2. Attempting to get MBCA collected configuration data for Model Id = {0}.
3. Completed getting MBCA collected configuration data for Model Id = {0}.

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

Description

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights (that is, Run as Administrator).

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath "C:\ReposPath" | Where { $_.Category -eq "Policy" }
Set-MBCAResult -Exclude $true -RepositoryPath "C:\ReposPath" -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


Page 11: SQL2008R2 BPA Whitepaper v10

The user or the administrators group must be a member of the System Administrator and Content Manager roles.

2.2 Prerequisites

The following are required for using SQL Server 2008 R2 Best Practices Analyzer:

1. PowerShell V2.0
   Windows PowerShell 2.0 requires the Microsoft .NET Framework 2.0 with Service Pack 1.
2. Microsoft Baseline Configuration Analyzer V2.0
3. SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2

The following table outlines, by operating system, the prerequisite Microsoft components that must be on your server before you install and run SQL Server 2008 R2 BPA.

Columns:
  1 = Install WinRM
  2 = Install PowerShell 2.0
  3 = Install MBCA 2.0
  4 = Configure PowerShell [1]: Remoting
  5 = Configure PowerShell [1]: Execution Level
  6 = Configure PowerShell [1]: MaxShellsPerUser
  7 = Install SQL 2008 or SQL 2008 R2 Management Tools

OS                       1  2  3  4  5  6  7
Win Vista                Y  Y  Y  Y  Y  Y  Y
Windows 7                N  N  Y  Y  Y  Y  Y
Windows Server 2003      Y  Y  Y  Y  Y  Y  Y
Windows Server 2003 R2   Y  Y  Y  Y  Y  Y  Y
Windows Server 2008      Y  Y  Y  Y  Y  Y  Y
Windows Server 2008 R2   N  N  Y  Y  Y  Y  Y

[1] These changes will be done from the installation routine of the BPA.

3 INSTALL

We recommend installing BPA on a workstation or administration server and performing the scan operation remotely against servers in your SQL Server infrastructure. It is also possible to install this tool locally on the production SQL Server.

Installation process:

1. Install/Configure PowerShell and WinRM
2. Microsoft Baseline Configuration Analyzer V2.0
3. Microsoft® SQL Server® 2008 R2 Best Practices Analyzer

There are two ways to install the Best Practices Analyzer:

   o With a graphical user interface (setup wizard), or
   o Command line

3.1 Installing PowerShell 2.0 and WinRM

The BPA install configures WinRM and PowerShell options by default. Most of this section is only needed if something goes wrong and you need to configure these settings by hand.

Windows Server 2003 R2

WinRM is not installed by default, but it is available as the Hardware Management feature through the Add/Remove System Components feature in the Control Panel, under Management and Monitoring Tools. Complete installation and information about configuring WinRM using the WINRM command-line tool is available online in the Hardware Management Introduction, which describes the WinRM and the IPMI features in Windows Server 2003 R2.

On Windows Vista, Windows Server 2003 and Windows Server 2008

This is installed as part of Windows Management Framework Core. The WinRM service starts automatically on Windows Server 2008. On Windows Vista, the service must be started manually.

On Windows Server 2008 R2 and Windows 7

This is installed as part of the OS.

Note: Check for additional information and configuration guidelines for WinRM and for PowerShell 2.0.

SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers. Therefore, in both the local and remote cases, it is required that your PowerShell settings be modified. These modifications are made by the BPA installation.

PowerShell Execution Policy

The PowerShell Execution Policy is set to Restricted by default. To run SQL Server 2008 R2 BPA through the PowerShell command line, set the policy to RemoteSigned using the command below:

Set-ExecutionPolicy RemoteSigned -f

You can use the command Set-ExecutionPolicy Restricted -f to set the execution policy back to Restricted. This command is not required when executing the scan through the MBCA GUI.

After the installation, you must enable PowerShell remote scripting if you want to use the BPA remotely against another workgroup machine or a computer that has Kerberos enabled. You need to run this command only once on each computer that will receive commands. You do not need to run it on computers that only send commands. Because the configuration activates listeners, it is prudent to run it only where it is needed. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Enable-PSRemoting -force

Enable-PSRemoting performs configuration actions to enable this machine for remote management. This includes:

1. Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:
   o Starts the WinRM service.
   o Sets the startup type on the WinRM service to Automatic.
   o Creates a listener to accept requests on any IP address.
   o Enables a firewall exception for WS-Management communications.
   o Enables all registered Windows PowerShell session configurations to receive instructions from a remote computer.
   o Registers the "Microsoft.PowerShell" session configuration, if it is not already registered.
   o Registers the "Microsoft.PowerShell32" session configuration on 64-bit computers, if it is not already registered.
   o Removes the "Deny Everyone" setting from the security descriptor for all the registered session configurations.
   o Restarts the WinRM service to make the preceding changes effective.

2. Configures MaxShellsPerUser using:

   winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

   Specifies the maximum number of concurrent shells that any user can remotely open on the same computer. If this policy setting is enabled, the user will not be able to open new remote shells if the count exceeds the specified limit. If this policy setting is disabled or is not configured, the limit will be set to 5 remote shells per user by default, and when that limit is exceeded you receive the following error message:

   [localhost] Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user. For more information, see the about_Remote_Troubleshooting Help topic.
       + CategoryInfo          : OpenError: (System.Manageme…RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
       + FullyQualifiedErrorId : PSSessionOpenFailed

For more information about PowerShell remoting, please see MSDN.

3.2 Install MBCA

Download the edition of MBCA that matches your platform (x86 or x64) before installation.

[Screenshots of the MBCA installation flow: Welcome screen, License terms, Folder selection, Completion screen]

3.3 Install BPA

Download the correct edition for your platform (x86 or x64) before installing. If you have trouble with the installation, please see section 5.7 Troubleshooting Installation.

3.3.1 Command line

Following is an optimized command line setup example:

msiexec /i SQL2008R2BPA_Setup64.msi /l* /log c:\temp\sqlbpa_install.log /qn

msiexec parameters:

   /i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform)
   /l = log granularity; "*" - Log all information, except for v and x options
   /log = log file
   /q = display settings (/qn - no user interface)
   SKIPCA=1 (if no domain controller is available: Skip Certification Authority)

For information on additional public properties, consult the Windows® Installer SDK for documentation on the command line syntax.

3.3.2 GUI

[Screenshots of the SQL Server 2008 R2 BPA installation flow: Welcome screen, License terms, System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM), Ready to install decision, Install progress, Completion screen]

3.3.3 Port and Firewall restrictions

For scanning SQL Server or BI instances on an alternate server behind a firewall, you must open all necessary ports.

3.4 Updates

Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the Download site from Microsoft regularly to find new updates.

3.5 Uninstall

3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings

After uninstalling the BPA, you may disable PowerShell remote scripting. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Disable-PSRemoting -force

Disable-PSRemoting performs configuration actions to disable this machine for remote management.

4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:

Scanning through the local machine
   o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.
   o This scan can be of the local or an alternate server.

Scanning through a remote machine
   o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.
   o This scan is using the local machine to form the connection to the remote machine, and is actually performing the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start -> All Programs -> SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the Start menu with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:
   o ComputerName
   o IP address: n.n.n.n
   o FQDN (Fully Qualified Domain Name)
   o Enter "", localhost, or leave this blank if you want to scan the local machine.

   Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the checkboxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to the SQL Server categories listed previously. Select at least one category in order to run a successful scan.
   o Analyze_SQL_Analysis_Services
   o Analyze_SQL_Server_Engine
   o Analyze_SQL_Integration_Services
   o Analyze_SQL_Server_Replication
   o Analyze_SQL_Reporting_Services
   o Analyze_SQL_Server_Setup

   Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display a progress page while the scan runs.

7. When the scan is complete, results will be displayed grouped by Severity.

4.3 Connect to a remote computer

A scan connected to a remote computer is different from scanning an alternate server.

"Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server using the BPA installed on the server. In this case the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:
   o ComputerName
   o ComputerName:PortNumber
   o IP address: n.n.n.n
   o IPv6 address: [n:n:n:n:n:n:n:n]
   o IPv4 address with port number: n.n.n.n:PortNumber
   o IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

   Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session, type winrm help and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

   Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

   CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

   Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. On Windows XP, Windows Server 2003 and earlier, CredSSP is not supported.

   First, you must set CredSSP on both the client and the server.

   Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".

   Add the server or domain to the list of servers in the format "WSMAN/domainname.com".

   Next, enable and configure PowerShell Remoting on both the client and the server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

   Enable PowerShell Remoting
   o Enable-PSRemoting -f

   Settings for a client
   o Enable-WSManCredSSP -role Client -DelegateComputer [NetBiosNameOfServer]
     or
   o Enable-WSManCredSSP -role Client -DelegateComputer [FQDN OF SERVER]

   Settings for the server
   o Enable-WSManCredSSP -role Server
   o set-item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000
   o set-item WSMan:\localhost\Shell\MaxShellsPerUser -value 20
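The execution policy, Enable-PSRemoting, shell quota and CredSSP steps described above all widen what a host accepts remotely, so it helps to record what is actually in effect after setup and again after uninstall. The following read-only inventory is an added example, not part of the whitepaper or of BPA; the function names Get-BpaRemotingFootprint and New-Finding are hypothetical, and it assumes an elevated Windows PowerShell 2.0 (or later) session.

```powershell
# Added example: read-only inventory of the remoting settings changed by the
# steps above. Function names are hypothetical. Run in an elevated session.
# Written for Windows PowerShell 2.0, so it avoids [pscustomobject].

function New-Finding([string]$Setting, $Value, [string]$Note) {
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Note = $Note } |
        Select-Object Setting, Value, Note
}

function Get-BpaRemotingFootprint {
    # Execution policy per scope. The paper sets RemoteSigned; looser values are flagged.
    foreach ($p in @(Get-ExecutionPolicy -List)) {
        $note = ''
        if ('Unrestricted', 'Bypass' -contains "$($p.ExecutionPolicy)") {
            $note = 'looser than RemoteSigned'
        }
        New-Finding "ExecutionPolicy ($($p.Scope))" $p.ExecutionPolicy $note
    }

    # WinRM service. Enable-PSRemoting starts it and sets the startup type to Automatic.
    $svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
    New-Finding 'WinRM service' ('{0} / {1}' -f $svc.State, $svc.StartMode) ''
    if ($svc.State -ne 'Running') {
        # The WSMan: drive and Get-WSManInstance need the service, so stop here.
        New-Finding 'WSMan configuration' 'not readable' 'WinRM is stopped; no listener is active'
        return
    }

    # Listeners. Set-WSManQuickConfig creates one that accepts requests on any IP address.
    foreach ($l in @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate)) {
        $note = ''
        if ($l.Address -eq '*') { $note = 'accepts requests on any IP address' }
        New-Finding 'Listener' ('{0}:{1} on {2}' -f $l.Transport, $l.Port, $l.Address) $note
    }

    # Shell quotas that the BPA setup and the CredSSP server steps raise.
    foreach ($name in 'MaxShellsPerUser', 'MaxMemoryPerShellMB') {
        $item = Get-Item "WSMan:\localhost\Shell\$name"
        New-Finding "Shell\$name" $item.Value ''
    }

    # CredSSP on the client (sends credentials) and service (receives them) side.
    foreach ($side in 'Client', 'Service') {
        $enabled = (Get-Item "WSMan:\localhost\$side\Auth\CredSSP").Value
        $note = ''
        if ("$enabled" -eq 'true') { $note = 'CredSSP authentication is enabled' }
        New-Finding "CredSSP ($side)" $enabled $note
    }

    # Delegation targets written by "Allow Delegating Fresh Credentials" or by
    # Enable-WSManCredSSP -Role Client. Wildcard entries delegate to many hosts.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (Test-Path $policy) {
        $key = Get-Item $policy
        foreach ($n in $key.GetValueNames()) {
            $target = "$($key.GetValue($n))"
            $note = ''
            if ($target.Contains('*')) { $note = 'wildcard delegation target' }
            New-Finding 'AllowFreshCredentials' $target $note
        }
    } else {
        New-Finding 'AllowFreshCredentials' '(not set)' ''
    }
}

Get-BpaRemotingFootprint | Format-Table -AutoSize -Wrap
```

Saving the output before installation and comparing it with the output after uninstall shows which of these settings were left in place.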

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

The result looks like this:

ModelId    : SQL2008R2BPA
SubModelId :
Success    : True
ScanTime   :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

442 Create Report

model = get-MbcaModel ndashModelId sql2008r2bpa

$scanResult = get-MbcaResult ndashModelId sql2008r2bpa

$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash

CollectedConfiguration

$model $scanResult $collectedConfig | export-CliXml ctempasxml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |

ConvertTo-Html | Add-Content -Path ctesthtml

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where-Object { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>

$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration

$results, $collectedconfig | Export-Clixml c:\export.xml

Example of opening an archived XML report file:

$loadedResults, $loadedConfiguration = Import-Clixml c:\export.xml
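
One way to carry out the comparison of an older and a more recent scan mentioned above, as an added example that is not part of the original whitepaper. The function names and all sample data are assumptions; only the property names (ComputerName, SubModelID, Severity, Title) and the Warning/Error filter are taken from the report commands in this paper.

```powershell
# Added example (not from the whitepaper): compare two archived BPA result
# sets and report which findings were resolved, are new, or changed severity.
# Get-BpaKey, New-Change, Compare-BpaExport, New-SampleResult and the sample
# scans are hypothetical names and constructed data.

function Get-BpaKey($Result) {
    # Identify a finding by where it was found and which rule raised it.
    '{0}|{1}|{2}' -f $Result.ComputerName, $Result.SubModelID, $Result.Title
}

function New-Change($Change, $Result, $OldSeverity, $NewSeverity) {
    New-Object PSObject -Property @{
        Change       = $Change
        ComputerName = $Result.ComputerName
        SubModelID   = $Result.SubModelID
        Title        = $Result.Title
        OldSeverity  = $OldSeverity
        NewSeverity  = $NewSeverity
    } | Select-Object Change, ComputerName, SubModelID, OldSeverity, NewSeverity, Title
}

function Compare-BpaExport {
    param([object[]] $Old = @(), [object[]] $New = @())

    # Same filter as the HTML report: only Warning and Error count as findings.
    $isFinding = { $_.Severity -eq 'Warning' -or $_.Severity -eq 'Error' }
    $oldMap = @{}
    $newMap = @{}
    $Old | Where-Object $isFinding | ForEach-Object { $oldMap[(Get-BpaKey $_)] = $_ }
    $New | Where-Object $isFinding | ForEach-Object { $newMap[(Get-BpaKey $_)] = $_ }

    $changes = @()
    foreach ($key in $oldMap.Keys) {
        $o = $oldMap[$key]
        if (-not $newMap.ContainsKey($key)) {
            # Present before, no longer reported as Warning/Error.
            $changes += New-Change 'Resolved' $o $o.Severity ''
        }
        elseif ($newMap[$key].Severity -ne $o.Severity) {
            $changes += New-Change 'SeverityChanged' $o $o.Severity $newMap[$key].Severity
        }
    }
    foreach ($key in $newMap.Keys) {
        if (-not $oldMap.ContainsKey($key)) {
            # Regression: a finding that the older scan did not have.
            $n = $newMap[$key]
            $changes += New-Change 'New' $n '' $n.Severity
        }
    }
    $changes | Sort-Object Change, SubModelID, Title
}

function New-SampleResult($SubModel, $Severity, $Title) {
    New-Object PSObject -Property @{
        ComputerName = 'SQLTEST01'   # placeholder host name
        SubModelID   = $SubModel
        Severity     = $Severity
        Title        = $Title
    }
}

# Constructed sample scans; rule titles are taken from the rule lists in section 6.
$oldScan = @(
    New-SampleResult 'Engine' 'Error'   'Database consistency check not current'
    New-SampleResult 'Engine' 'Warning' 'Databases have auto close option enabled'
    New-SampleResult 'Engine' 'Warning' 'Auditing Log in failures'
)
$newScan = @(
    New-SampleResult 'Engine' 'Warning' 'Database consistency check not current'
    New-SampleResult 'Engine' 'Warning' 'Auditing Log in failures'
    New-SampleResult 'AnalysisServices' 'Error' 'Server is ignoring duplicate key errors'
)

# Round-trip through Export-Clixml / Import-Clixml, the archive format used above.
$tempDir = [System.IO.Path]::GetTempPath()
$oldFile = Join-Path $tempDir 'bpa_old_sample.xml'
$newFile = Join-Path $tempDir 'bpa_new_sample.xml'
$oldScan | Export-Clixml $oldFile
$newScan | Export-Clixml $newFile

Compare-BpaExport -Old (Import-Clixml $oldFile) -New (Import-Clixml $newFile) |
    Format-Table -AutoSize

# With real archives written as shown above (results first, configuration second):
#   $oldResults, $oldConfig = Import-Clixml <older export>
#   $newResults, $newConfig = Import-Clixml <newer export>
#   Compare-BpaExport -Old $oldResults -New $newResults
```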

4.4.4 Report Result Directory

The reporting result path

AppDataMicrosoftBaselineConfigurationAnalyzer

2ReportsSQL2008R2BPAResults

will be overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check.

Copy-Item -Path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -Destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddHHmmss")).ToString() -Recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object Name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.Name).ToString() | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm


5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %ProgramData%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation

Timestamp finished rules start and end times

Run-time scripting errors and exceptions from Power Shell Traps

Log Files Location

For every scan, log files are created in the user’s local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\< Instance Name >\< datestamp_timestamp >\< Log files >.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file is generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt

Engine Rules - EngineLog.txt

Replication Rules - ReplicationLog.txt

Setup Rules - SetupLog.txt

Analysis Services Rules - AnalysisServicesLog.txt

Reporting Services Rules - ReportingServicesLog.txt

Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 – NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 – the NumberOfLogicalProcessors property is unavailable in Win32_Processor on Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the Win32_Processor object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370

Both of the rules below will function properly if you apply this hotfix. For more information look here


5.3 MBCA

This message indicates that one prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in result set of the analyzer report

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB or less memory. This default limit is quite small, and once it is reached a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to “Connect to another computer” from MBCA and you receive the following message:


You should check first if the Hotfix KB968930 is installed.

Afterwards, validate that the “Windows Remote Management” service is started:

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:


If you have no permission to access the remote server, you get the error message:


5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application

Source: MsiInstaller

Date: 6/10/2010 8:38:18 AM

Event ID: 11722

Task Category: None

Level: Error

Keywords: Classic

User: <Username>

Computer: <Machine name>

Description:

Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force


This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is “Access Denied”. To work around this issue you can do the following:

1. Open a command prompt with Administrative Privileges.

2. Change to the directory where the msi file resides.

3. Type msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario the installation fails with the above error due to a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the Machine Account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS Web Application such as SharePoint, or if you are using Reporting Services and the service account is set to a Domain User account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That’s where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.

Possible causes are:

-The user name or password specified are invalid.

-Kerberos is used when no authentication method and no user name are specified.

-Kerberos accepts domain user names, but not local user names.

-The Service Principal Name (SPN) for the remote computer name and port does not exist.

-The client and remote computers are in different domains and there is no trust between the two domains.

After checking for the above issues, try the following:

-Check the Event Viewer for events related to authentication.

-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

Note that computers in the TrustedHosts list might not be authenticated.

-For more information about WinRM configuration, run the following command: winrm help config.

At line:50 char:33

+ Set-WSManQuickConfig <<<< -force

+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException

+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc…

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application’s end, would be to run the application under a Host Header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.
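
A check for the HTTP SPN conflict described in this section that can be run before installing or scanning, as an added example that is not part of the original whitepaper. The function name Find-HttpSpnConflict is an assumption, and the sample text is a constructed illustration of the layout printed by setspn -Q (an account distinguished name followed by its indented SPNs); SQLTEST01 and contoso.com are placeholders.

```powershell
# Added example (not from the whitepaper): flag HTTP SPNs that carry this
# machine's name but are registered on an account other than the machine
# account, which is the condition that makes WinRM's Kerberos logon fail.
# Find-HttpSpnConflict is a hypothetical helper name.

function Find-HttpSpnConflict {
    param(
        [string[]] $SetSpnOutput,                    # lines printed by setspn -Q
        [string]   $ComputerName = $env:COMPUTERNAME
    )
    $accountCn = $null
    $accountDn = $null
    foreach ($line in $SetSpnOutput) {
        if ($line -match '^\s*CN=([^,]+),') {
            # A distinguished name starts the block of SPNs owned by one account.
            $accountCn = $Matches[1]
            $accountDn = $line.Trim()
        }
        elseif ($accountCn -and $line -match '^\s+HTTP/([^\s:/]+)') {
            # Compare the short host name so HTTP/host and HTTP/host.domain both count.
            $shortName = $Matches[1].Split('.')[0]
            if ($shortName -ieq $ComputerName -and $accountCn -ine $ComputerName) {
                New-Object PSObject -Property @{
                    Spn     = $line.Trim()
                    Account = $accountDn
                } | Select-Object Spn, Account
            }
        }
    }
}

# Constructed sample output: a SharePoint service account owns HTTP SPNs for
# the machine name, and a second account owns an unrelated host header SPN.
$sample = @(
    'Checking domain DC=contoso,DC=com'
    'CN=svc-sharepoint,CN=Users,DC=contoso,DC=com'
    "`tHTTP/SQLTEST01"
    "`tHTTP/sqltest01.contoso.com"
    'CN=svc-web,CN=Users,DC=contoso,DC=com'
    "`tHTTP/intranet.contoso.com"
    ''
    'Existing SPN found!'
)

$conflicts = @(Find-HttpSpnConflict -SetSpnOutput $sample -ComputerName 'SQLTEST01')
if ($conflicts.Count -gt 0) {
    Write-Warning ('{0} HTTP SPN(s) for this machine name are held by another account; expect the WinRM Kerberos error shown above.' -f $conflicts.Count)
    $conflicts | Format-Table -AutoSize
}
else {
    'No conflicting HTTP SPN found for this machine name.'
}

# Against a real domain (assumes setspn.exe is available on this computer):
#   Find-HttpSpnConflict -SetSpnOutput (& setspn.exe -Q "HTTP/$env:COMPUTERNAME")
```

The host header SPN in the sample is not reported, which matches the workaround described above.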


6 RULES

Searching for “SQL Server 2008 R2 BPA” at Microsoft.com reveals:

Here is an example of one of these articles that talks about a rule to check for a recent “clean” CHECKDB:


BPA works by measuring a role’s compliance with best practice rules in eight different categories of a role’s effectiveness, trustworthiness and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level | Description

Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant | Compliant results are returned when a role satisfies the conditions of a rule.

Warning | Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.


BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name | Description

Security | Security rules are applied to measure a role’s relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance | Performance rules are applied to measure a role’s ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role’s workload.

Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before the role is used in production.

Postdeployment | Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.

BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service or feature, an incorrectly enabled or disabled policy, a registry key setting or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)

Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)

Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)

non-default network packet size in use (http://support.microsoft.com/kb/2157175)

degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)

Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)

SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)

SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)

Trustworthy Bit (http://support.microsoft.com/kb/2183687)

Symmetric Keys Check (http://support.microsoft.com/kb/2162020)

Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)

SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)

Windows API calls intercepted (http://support.microsoft.com/kb/2033238)

unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)

Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)

non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)

Guest Permissions (http://support.microsoft.com/kb/2186935)

Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)

IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)

IO device errors detected (http://support.microsoft.com/kb/2091098)

IO errors during page faults detected (http://support.microsoft.com/kb/2091098)

cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)

disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)

failed IO requests detected (http://support.microsoft.com/kb/2091098)

IO requests are successful when retried (http://support.microsoft.com/kb/2015757)

IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)

This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)

tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)

Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)

Logical consistency errors detected (http://support.microsoft.com/kb/2152472)

Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)

SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)

incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114

Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154

Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875

Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448

Databases using simple recovery model http://support.microsoft.com/kb/2137539

User database collation different from model http://support.microsoft.com/kb/2026108

Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537

Databases have auto close option enabled http://support.microsoft.com/kb/2160685

LSI SAS drivers needs update http://support.microsoft.com/kb/2121098

SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845

SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447

Invalid startup parameters http://support.microsoft.com/kb/2028433

MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550

sql incorrect results fix missing http://support.microsoft.com/kb/971780

File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002

linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US

Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098

default extended event health session not in expected state http://support.microsoft.com/kb/2160570

TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483

FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720

Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720

A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606

Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324

Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589

Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345

backups outdated for databases http://support.microsoft.com/kb/2027537

Database consistency check not current http://support.microsoft.com/kb/2033590

SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US

Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024

Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098

Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098

SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US

Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098

Agent Token Replacement http://support.microsoft.com/kb/2202637

Auditing Log in failures http://support.microsoft.com/kb/2187161

Databases with high number of VLF present http://support.microsoft.com/kb/2028436

Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900

Permission on the Binn folder http://support.microsoft.com/kb/2029023

Index Statistics Are Outdated

Server public permissions http://support.microsoft.com/kb/2160698

Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005

Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474

Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031

Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472

Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497

Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855

Server is running a build with a known regression http://support.microsoft.com/kb/2157941

Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754

Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761

No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769

UnknownMember set to hidden http://support.microsoft.com/kb/2027628

Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138

Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143

ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742

Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299

An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418

Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443

Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327

Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459

Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460

Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468

Redundant attribute relationships detected http://support.microsoft.com/kb/2127437

Diamond-shape relationship detected http://support.microsoft.com/kb/2127570

Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862

Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541

No Time dimension detected http://support.microsoft.com/kb/2027532

More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431

Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918

Single attribute dimensions detected http://support.microsoft.com/kb/2141654

Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603

Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112

Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506

HTTP Logging is not enabled http://support.microsoft.com/kb/2145909

Verbose logging is enabled http://support.microsoft.com/kb/2146315

NTLM authentication may fail for local http://support.microsoft.com/kb/2146369

Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723

ActiveX Script task detected in package http://support.microsoft.com/kb/2027712

Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684

Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706

Integration Services memory dump detected http://support.microsoft.com/kb/2027727


6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425


7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication


8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article “Why use SQL Server 2008 R2 BPA Case 1 Missing Updates” the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it’s a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.


9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You get help for each of these commands with the following syntax:

Get-Help <command> -Full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.


This parameter supports wild card characters.

Required? false

Position? 2

Default value

Accept pipeline input? true (ByValue, ByPropertyName)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required false

Position named

Default value Default

Accept pipeline input false

Accept wildcard characters false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X.509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required false

Position named

Default value All

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required false

Position named

Default value 80

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet writes results to the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required false

Position named

Default value 32

Accept pipeline input false

Accept wildcard characters false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role is preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required false

Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath CReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
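The following is an added example, not code from the whitepaper or from MBCA. It chains the cmdlets documented above and writes the noncompliant findings of one category to a file before Set-MBCAResult hides them, so excluded findings stay reviewable. It assumes an elevated session with the MBCA cmdlets already loaded; the function name Hide-BpaCategory and the folder C:\BpaAudit are hypothetical.

```powershell
# Added example; not code from the whitepaper or from MBCA.
# Assumptions: elevated PowerShell 2.0 session, MBCA cmdlets already loaded,
# SQL2008R2BPA model installed. Hide-BpaCategory and C:\BpaAudit are hypothetical names.

function Hide-BpaCategory {
    param(
        [string]$ModelId  = 'SQL2008R2BPA',
        [Parameter(Mandatory = $true)][string]$Category,   # e.g. Performance or Policy
        [string]$AuditDir = 'C:\BpaAudit'
    )

    # Get-MBCAResult returns the most recent scan only; -Filter keeps the failures.
    $findings = @(Get-MBCAResult -ModelId $ModelId -Filter Noncompliant -ErrorAction Stop)

    # Show the whole picture first, so a category is hidden knowingly.
    $findings | Group-Object Category | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize | Out-Host

    $toExclude = @($findings | Where-Object { $_.Category -eq $Category })
    if ($toExclude.Count -eq 0) {
        Write-Warning "No noncompliant results in category '$Category'; nothing excluded."
        return
    }

    # Persist the full result objects before they disappear from the report.
    if (-not (Test-Path $AuditDir)) {
        New-Item -ItemType Directory -Path $AuditDir | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $AuditDir ("{0}-{1}-excluded-{2}.xml" -f $ModelId, $Category, $stamp)
    $toExclude | Export-Clixml -Path $file

    # Same call shape as Example 2 above: a stored subset passed through -Results.
    Set-MBCAResult -Exclude $true -Results $toExclude

    # Record of who hid what, and where the hidden findings can be read.
    New-Object PSObject -Property @{
        ModelId    = $ModelId
        Category   = $Category
        Excluded   = $toExclude.Count
        ExcludedBy = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        AuditFile  = $file
        Results    = $toExclude    # pass to Set-MBCAResult -Exclude $false to undo
    }
}

# Scan (discovery and analysis), then hide one category with an audit trail.
Invoke-MBCAModel -ModelId SQL2008R2BPA -ErrorAction Stop | Out-Null
$record = Hide-BpaCategory -Category Performance
$record | Format-List ModelId, Category, Excluded, ExcludedBy, AuditFile

# To include the results again later in the same session:
# Set-MBCAResult -Exclude $false -Results $record.Results
```

The saved file can be read back with Import-Clixml when someone needs to see what a report no longer shows.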

9.1.5 MBCA Model Authoring

Further information about configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.

3 INSTALL

We recommend installing BPA on a workstation or administration server and performing the scan operation remotely against servers in your SQL Server infrastructure. It is also possible to install this tool on the production SQL Server locally.

Installation process:

1. Install/Configure PowerShell and WinRM

2. Microsoft Baseline Configuration Analyzer V2.0

3. Microsoft® SQL Server® 2008 R2 Best Practices Analyzer

There are two ways to install the Best Practices Analyzer:

With a graphical user interface (setup wizard), or

Command line

3.1 Installing PowerShell 2.0 and WinRM

BPA install configures WinRM and PowerShell options by default. Most of this section is only needed if something goes wrong and you need to configure this stuff by hand.

Windows Server 2003 R2

WinRM is not installed by default, but it is available as the Hardware Management feature through the Add/Remove System Components feature in the Control Panel under Management and Monitoring Tools. Complete installation and information about configuring WinRM using the WINRM command-line tool is available online in the Hardware Management Introduction, which describes the WinRM and the IPMI features in Windows Server 2003 R2.

On Windows Vista, Windows Server 2003 and Windows Server 2008

This is installed as part of Windows Management Framework Core. The WinRM service starts automatically on Windows Server 2008. On Windows Vista, the service must be started manually.

On Windows Server 2008 R2 and Windows 7

This is installed as part of the OS.

Note: Check for additional information and configuration guidelines for WinRM and for PowerShell 2.0.

SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers. Therefore, in both the local and remote cases, it is required that your PowerShell settings be modified. These changes are made by the BPA installation.

PowerShell Execution Policy

The PowerShell Execution Policy is set to Restricted by default. To run SQL Server 2008 R2 BPA through the PowerShell command line, set the policy to RemoteSigned using the command below:

Set-ExecutionPolicy RemoteSigned -f

You can use the command Set-ExecutionPolicy Restricted -f to set the execution policy back to Restricted. This command is not required when executing the scan through the MBCA GUI.

After the installation you must enable PowerShell remote scripting if you want to use the BPA remotely against another workgroup machine or a computer that has Kerberos enabled. You need to run this command only once on each computer that will receive commands. You do not need to run it on computers that only send commands. Because the configuration activates listeners, it is prudent to run it only where it is needed. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Enable-PSRemoting -force

Enable-PSRemoting performs configuration actions to enable this machine for remote management. This includes:

1. Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:

   Starts the WinRM service.

   Sets the startup type on the WinRM service to Automatic.

   Creates a listener to accept requests on any IP address.

   Enables a firewall exception for WS-Management communications.

   Enables all registered Windows PowerShell session configurations to receive instructions from a remote computer.

   Registers the Microsoft.PowerShell session configuration, if it is not already registered.

   Registers the Microsoft.PowerShell32 session configuration on 64-bit computers, if it is not already registered.

   Removes the Deny Everyone setting from the security descriptor for all the registered session configurations.

   Restarts the WinRM service to make the preceding changes effective.

2. Configures MaxShellsPerUser using winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

   Specifies the maximum number of concurrent shells that any user can remotely open on the same computer. If this policy setting is enabled, the user will not be able to open new remote shells if the count exceeds the specified limit. If this policy setting is disabled or is not configured, the limit will be set to 5 remote shells per user by default, and you receive the following error message:

[localhost] Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user. For more information, see the about_Remote_Troubleshooting Help topic.

    + CategoryInfo          : OpenError: (System.Manageme…RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException

    + FullyQualifiedErrorId : PSSessionOpenFailed

For more information about PowerShell remoting, please see MSDN.

3.2 Install MBCA

Download the edition of MBCA depending on your platform (x86 or x64) before installation.

Please find below the screenshots demonstrating the visual flow of the MBCA installation:

Welcome screen

License terms

Folder selection

Completion screen

3.3 Install BPA

Download the correct edition depending on your platform (x86 or x64) before installing. If you have trouble with the installation, please see section 5.7, Troubleshooting Installation.

3.3.1 Command line

Following is an optimized command line setup example:

msiexec /i SQL2008R2BPA_Setup64.msi /l* c:\temp\sqlbpa_install.log /qn

msiexec parameters:

/i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform)

/l = log granularity; "*" logs all information except for the v and x options

log = log file (here c:\temp\sqlbpa_install.log)

/q = display settings (/qn – no user interface)

SKIPCA=1 (if no domain controller is available: Skip Certification Authority)

For information on additional public properties, consult the Windows® Installer SDK for documentation on the command line syntax.

3.3.2 GUI

Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA installation:

Welcome screen

License terms

System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM)

Ready to install decision

Install progress

Completion screen

3.3.3 Port and Firewall restrictions

For scanning SQL Server or BI instances on an alternate server behind a firewall, you must open all necessary ports.

3.4 Updates

Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the Download site from Microsoft regularly to find new updates.

3.5 Uninstall

3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings

After the uninstall of the BPA you may disable the PowerShell remote scripting. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Disable-PSRemoting -force

Disable-PSRemoting performs configuration actions to disable this machine for remote management.

4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:

Scanning through the local machine

o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.

o This scan can be of the local or an alternate server.

Scanning through a remote machine

o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.

o This scan is using the local machine to form the connection to the remote machine and is actually performing the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start -> All Programs -> SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the start menu with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:

ComputerName

IP address: n.n.n.n

FQDN (Fully Qualified Domain Name)

Enter ".", localhost, or leave this blank if you want to scan the local machine.

Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the checkboxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to one of the SQL Server categories listed previously. Select at least one category in order to run a successful scan.

Analyze_SQL_Analysis_Services

Analyze_SQL_Server_Engine

Analyze_SQL_Integration_Services

Analyze_SQL_Server_Replication

Analyze_SQL_Reporting_Services

Analyze_SQL_Server_Setup

Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the page below while in progress.

7. When the scan is complete, results will be displayed grouped by Severity as shown below.

4.3 Connect to a remote computer

A scan connected to a remote computer is different from scanning an alternate server.

"Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:

ComputerName

ComputerName:PortNumber

IP address: n.n.n.n

IPv6 address: [n:n:n:n:n:n:n:n]

IPv4 address with port number: n.n.n.n:PortNumber

IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session type winrm help and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. On Windows XP, Windows Server 2003, and earlier, CredSSP is not supported.

First, you must set CredSSP on both the client and the server.

Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".

Add the server or domain to the list of servers in the format "WSMAN/domainname.com".

Next, enable and configure PowerShell Remoting on both the client and server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously so that you can scan from either computer.

Enable PowerShell Remoting

o Enable-PSRemoting -f

Settings for a client

o Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]

or

o Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]

Settings for the server

o Enable-WSManCredSSP -Role Server

o Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000

o Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20
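To review what the Enable-PSRemoting and Enable-WSManCredSSP steps in this paper leave switched on, the following read-only inventory can be run on the client or the server. It is an added example, not part of the whitepaper or of BPA; the function names New-Finding and Get-RemotingExposure are hypothetical, and it assumes an elevated PowerShell 2.0 (or later) prompt.

```powershell
# Added example (not from the whitepaper): read-only review of the remoting
# settings changed by Enable-PSRemoting and Enable-WSManCredSSP.
# Function names are hypothetical. Nothing is modified.

function New-Finding($Area, $Setting, $Value) {
    New-Object PSObject -Property @{ Area = $Area; Setting = $Setting; Value = $Value }
}

function Get-RemotingExposure {
    # Enable-PSRemoting starts WinRM and sets its startup type to Automatic.
    $svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
    New-Finding 'Service' 'WinRM state / start mode' ("{0} / {1}" -f $svc.State, $svc.StartMode)

    if ($svc.State -ne 'Running') {
        # The WSMan: drive cannot be read while the service is stopped.
        New-Finding 'Service' 'WSMan configuration' 'not readable (WinRM stopped)'
        return
    }

    # Listeners: the default one accepts requests on any IP address (Address=*).
    foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
        $port = (Get-Item ("WSMan:\localhost\Listener\{0}\Port" -f $l.Name)).Value
        New-Finding 'Listener' ($l.Keys -join ', ') ("port $port")
    }

    # Shell quotas raised by the BPA setup and by the server settings above.
    foreach ($q in 'MaxShellsPerUser', 'MaxMemoryPerShellMB') {
        New-Finding 'Quota' $q ((Get-Item "WSMan:\localhost\Shell\$q").Value)
    }

    # CredSSP: server role (accepts delegated credentials) and client role.
    New-Finding 'CredSSP' 'Service accepts CredSSP' ((Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value)
    New-Finding 'CredSSP' 'Client offers CredSSP' ((Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value)
    New-Finding 'Client' 'TrustedHosts' ((Get-Item WSMan:\localhost\Client\TrustedHosts).Value)

    # "Allow Delegating Fresh Credentials" targets (WSMAN/... entries).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (Test-Path $key) {
        $k = Get-Item $key
        foreach ($name in $k.GetValueNames()) {
            New-Finding 'CredSSP' 'Delegation target' ($k.GetValue($name))
        }
    }

    # Session configurations and who may connect to them.
    foreach ($c in Get-PSSessionConfiguration) {
        New-Finding 'SessionConfiguration' $c.Name $c.Permission
    }
}

Get-RemotingExposure | Select-Object Area, Setting, Value | Format-Table -AutoSize -Wrap
```

Running it again after Disable-PSRemoting shows which of these settings (service, listener, quotas, CredSSP roles) are still in place and need to be reverted separately.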

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

The result looks like this (excerpt):

ModelId : SQL2008R2BPA
SubModelId :
Success : True
ScanTime :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername

-SQL_Server_Instance_Name instancename

-Analyze_SQL_Server_Engine

-Analyze_SQL_Server_Replication

-Analyze_SQL_Server_Setup

-Analyze_SQL_Analysis_Services

-Analyze_SQL_Integration_Services

-Analyze_SQL_Reporting_Services

The parameter list is the same as the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = Get-MbcaModel -ModelId sql2008r2bpa
$scanResult = Get-MbcaResult -ModelId sql2008r2bpa
$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration
$model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where-Object { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>
$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration
$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
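The comparison of older and newer scans mentioned above can be scripted against two such exports. The following is an added example, not part of the whitepaper or of MBCA: Get-OpenFinding and Compare-BpaScan are hypothetical helper names, c:\export_old.xml is a placeholder for an earlier archive, and matching findings on SubModelID, Title and Problem is an assumption about what stays stable between scans.

```powershell
# Added example (not from the whitepaper): compare two archives written with
#   $results, $collectedconfig | Export-CliXml <file>
# and report which Warning/Error findings were resolved, are new, or remain.

function Get-OpenFinding($Results) {
    # Index Warning and Error results by a key assumed to be stable across scans.
    $table = @{}
    foreach ($r in @($Results)) {
        # "$(...)" forces the string form; deserialized enum values compare reliably this way.
        $severity = "$($r.Severity)"
        if ($severity -eq 'Warning' -or $severity -eq 'Error') {
            $table["$($r.SubModelID)|$($r.Title)|$($r.Problem)"] = $r
        }
    }
    $table
}

function Compare-BpaScan {
    param(
        [string]$OldReport,   # earlier export
        [string]$NewReport    # more recent export
    )
    # Each archive holds two objects: the results and the collected configuration.
    $oldResults, $null = Import-CliXml $OldReport
    $newResults, $null = Import-CliXml $NewReport

    $old = Get-OpenFinding $oldResults
    $new = Get-OpenFinding $newResults

    foreach ($key in $old.Keys) {
        $status = 'StillOpen'
        if (-not $new.ContainsKey($key)) { $status = 'Resolved' }
        $old[$key] | Select-Object @{ n = 'Status'; e = { $status } }, Severity, SubModelID, Title
    }
    foreach ($key in $new.Keys) {
        if (-not $old.ContainsKey($key)) {
            $new[$key] | Select-Object @{ n = 'Status'; e = { 'New' } }, Severity, SubModelID, Title
        }
    }
}

# Example call; c:\export_old.xml is a placeholder for an earlier archive.
Compare-BpaScan -OldReport c:\export_old.xml -NewReport c:\export.xml |
    Sort-Object Status, SubModelID |
    Format-Table -AutoSize -Wrap
```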

4.4.4 Report Result Directory

The reporting result path

AppData\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check:

Copy-Item -Path ($Env:LocalAppData + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -Destination ($Env:LocalAppData + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddHHmmss")).ToString() -Recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppData + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object Name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppData + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.Name).ToString() | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %ProgramData%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation

Timestamp, finished rules, start and end times

Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user's local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\< Instance Name >\< datestamp_timestamp >\< Log files >

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file gets generated and contains information about each category's execution. Apart from this, each category has its own log file which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt

Engine Rules - EngineLog.txt

Replication Rules - ReplicationLog.txt

Setup Rules - SetupLog.txt

Analysis Services Rules - AnalysisServicesLog.txt

Reporting Services Rules - ReportingServicesLog.txt

Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 – NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 – the NumberOfLogicalProcessors property is unavailable in Win32_Processor on Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370

Both of the rules below will function properly if you apply this hotfix. For more information, look here.

5.3 MBCA

This message indicates that one prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in result set of the analyzer report

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB or less memory. This default limit is significantly small, and once this limit is reached there could be a WinRM exception, causing the remote connection to terminate immediately. Any application or cmdlet which is involved in PowerShell remoting should be tested for this memory limit; it may cause some of the commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limitation to 1000MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should check first if the Hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started.

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework) you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is "Access Denied".

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.

2. Change to the directory where the msi file resides.

3. Type msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario the installation fails with the above error due to a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS web application such as SharePoint, or if you are using Reporting Services and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a domain account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a Host Header; then your HTTP SPN would not include the machine name, allowing BPA to run without issue.
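Before removing or re-adding anything, it helps to confirm that an HTTP SPN for the machine name really sits on another account. The following check is an added example, not part of the whitepaper: Get-HttpSpnOwner is a hypothetical helper name, and it assumes a domain-joined machine and searches only the current domain.

```powershell
# Added example (not from the whitepaper): find which Active Directory account
# holds an explicit HTTP/<machine name> SPN, the collision described above.
# Read-only; assumes a domain-joined machine and queries the current domain.

function Get-HttpSpnOwner {
    param([string[]]$HostName)

    # sAMAccountName of this computer's machine account (NAME$).
    $machineAccount = $env:COMPUTERNAME + '$'

    foreach ($name in $HostName) {
        $spn = "HTTP/$name"
        $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
        [void]$searcher.PropertiesToLoad.Add('samaccountname')
        [void]$searcher.PropertiesToLoad.Add('distinguishedname')

        foreach ($hit in $searcher.FindAll()) {
            $sam = [string]$hit.Properties['samaccountname'][0]
            New-Object PSObject -Property @{
                Spn      = $spn
                Account  = $sam
                Dn       = [string]$hit.Properties['distinguishedname'][0]
                # True when the SPN is registered on an account other than the
                # machine account, which is the case that breaks WinRM here.
                Conflict = ($sam -ne $machineAccount)
            }
        }
    }
}

# Check both the short name and the fully qualified name of this machine.
$short = $env:COMPUTERNAME
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

Get-HttpSpnOwner -HostName $short, $fqdn |
    Select-Object Spn, Account, Conflict, Dn |
    Format-Table -AutoSize -Wrap
```

No output means no explicit HTTP SPN exists for these names, so the failure has one of the other causes listed in the WinRM message.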

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals:

Here is an example of one of these articles that talks about a rule to check for a recent "clean" CHECKDB.

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level: Description

Noncompliant: Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant: Compliant results are returned when a role satisfies the conditions of a rule.

Warning: Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name: Description

Security: Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance: Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration: Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy: Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation: Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment: Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.

Postdeployment: Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.

BPA Prerequisites: BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient, and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)

Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)

Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)

non-default network packet size in use (http://support.microsoft.com/kb/2157175)

degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)

Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)

SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)

SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)

Trustworthy Bit (http://support.microsoft.com/kb/2183687)

Symmetric Keys Check (http://support.microsoft.com/kb/2162020)

Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)

SQL Server installed on PDC/BDC (http://support.microsoft.com/kb/2032911)

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)

Windows API calls intercepted (http://support.microsoft.com/kb/2033238)

unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)

Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)

non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)

Guest Permissions (http://support.microsoft.com/kb/2186935)

Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)

IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)

IO device errors detected (http://support.microsoft.com/kb/2091098)

IO errors during page faults detected (http://support.microsoft.com/kb/2091098)

cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)

disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)

failed IO requests detected (http://support.microsoft.com/kb/2091098)

IO requests are successful when retried (http://support.microsoft.com/kb/2015757)

IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)

This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)

tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)

Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)

Logical consistency errors detected (http://support.microsoft.com/kb/2152472)

Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)

SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)

incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114

Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154

Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875

Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448

Databases using simple recovery model http://support.microsoft.com/kb/2137539

User database collation different from model http://support.microsoft.com/kb/2026108

Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537

Databases have auto close option enabled http://support.microsoft.com/kb/2160685

LSI SAS drivers needs update http://support.microsoft.com/kb/2121098

SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845

SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447

Invalid startup parameters http://support.microsoft.com/kb/2028433

MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550

sql incorrect results fix missing http://support.microsoft.com/kb/971780

File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002

linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US

Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098

default extended event health session not in expected state http://support.microsoft.com/kb/2160570

TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483

FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720

Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720

A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606

Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324

Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589

Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345

backups outdated for databases http://support.microsoft.com/kb/2027537

Database consistency check not current http://support.microsoft.com/kb/2033590

SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US

Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024

Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098

Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098

SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US

Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098

Agent Token Replacement http://support.microsoft.com/kb/2202637

Auditing Log in failures http://support.microsoft.com/kb/2187161

Databases with high number of VLF present http://support.microsoft.com/kb/2028436

Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900

Permission on the Binn folder http://support.microsoft.com/kb/2029023

Index Statistics Are Outdated

Server public permissions http://support.microsoft.com/kb/2160698

Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions:

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005

Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474

Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031

Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472

Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497

Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855

Server is running a build with a known regression http://support.microsoft.com/kb/2157941

Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754

Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761

No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769

UnknownMember set to hidden http://support.microsoft.com/kb/2027628

Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138

Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143

ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742

Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299

An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418

Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443

Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327

Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459

Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460

Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468

Redundant attribute relationships detected http://support.microsoft.com/kb/2127437

Diamond-shape relationship detected http://support.microsoft.com/kb/2127570

Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862

Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541

No Time dimension detected http://support.microsoft.com/kb/2027532

More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431

Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918

Single attribute dimensions detected http://support.microsoft.com/kb/2141654

Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603

Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112

Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506

HTTP Logging is not enabled http://support.microsoft.com/kb/2145909

Verbose logging is enabled http://support.microsoft.com/kb/2146315

NTLM authentication may fail for local http://support.microsoft.com/kb/2146369

Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723

ActiveX Script task detected in package http://support.microsoft.com/kb/2027712

Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684

Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706

Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article “Why use SQL Server 2008 R2 BPA Case 1 Missing Updates” the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it’s a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false

Position? named

Default value Default

Accept pipeline input? false

Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false

Position? named

Default value All

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false

Position? named

Default value 80

Accept pipeline input? false

Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false

Position? named

Default value 32

Accept pipeline input? false

Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:

Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id, for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.
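
The Invoke-MBCAModel and Get-MBCAResult cmdlets described above, chained into one local scan that separates findings already accepted for the environment (see HOW TO DEAL WITH DEVIATIONS) from those still to review. This is an added example, not code from the whitepaper or from Microsoft. The repository path, the accepted-title placeholder, the CSV file name and the Title and Severity properties of the result objects are assumptions; model-specific parameters reported by $model.Parameters are not passed.

```powershell
# Added example: local SQL BPA scan and triage of noncompliant findings.
# Assumed, not taken from the whitepaper: $RepositoryPath, $AcceptedTitles, the CSV
# file name, and the Title/Severity properties of the result objects. Confirm the
# property names with: Get-MBCAResult -ModelId SQL2008R2BPA | Get-Member
$ErrorActionPreference = 'Stop'

$ModelId        = 'SQL2008R2BPA'
$RepositoryPath = 'C:\BPA\Results'     # hypothetical non-default results repository
# Titles of deviations that were reviewed and accepted for this environment (placeholder).
$AcceptedTitles = @('<title of an accepted deviation>')

# The MBCA cmdlets require an elevated session run by a member of Administrators.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as Administrator) PowerShell session.'
}

Import-Module BaselineConfigurationAnalyzer

# Fail early if the SQL Server 2008 R2 BPA model is not installed on this computer.
$model = Get-MBCAModel -ModelId $ModelId
if (-not $model) {
    throw "MBCA model '$ModelId' is not installed on this computer."
}

# The repository holds collected configuration data, so keep it in a location that
# only administrators can read.
if (-not (Test-Path $RepositoryPath)) {
    New-Item -ItemType Directory -Path $RepositoryPath | Out-Null
}

# Discovery and analysis (the default -Mode All), written to the non-default repository.
Invoke-MBCAModel -ModelId $ModelId -RepositoryPath $RepositoryPath | Out-Null

# Read back only the noncompliant results of that scan from the same repository.
$findings = @(Get-MBCAResult -ModelId $ModelId -Filter Noncompliant -RepositoryPath $RepositoryPath)

# Split findings into accepted deviations and items that still need review.
$accepted   = @($findings | Where-Object { $AcceptedTitles -contains    $_.Title })
$actionable = @($findings | Where-Object { $AcceptedTitles -notcontains $_.Title })

# Keep a dated record so that successive scans can be compared.
$report = Join-Path $RepositoryPath ('noncompliant-{0:yyyyMMdd}.csv' -f (Get-Date))
$actionable | Sort-Object Severity, Title |
    Select-Object Severity, Title |
    Export-Csv -Path $report -NoTypeInformation

'{0} noncompliant: {1} accepted, {2} to review (written to {3})' -f `
    $findings.Count, $accepted.Count, $actionable.Count, $report
```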

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false

Position? 2

Default value

Accept pipeline input? false

Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false

Position? 4

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true

Position? 3

Default value

Accept pipeline input? true (ByValue)

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

You can find further information about configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.

Did this paper help you? Please give us your feedback. Tell us, on a scale of 1 (poor) to 5 (excellent), how would you rate this paper and why have you given it this rating? For example:

- Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason?
- Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?

This feedback will help us improve the quality of white papers we release.

Send feedback

Page 13: SQL2008R2 BPA Whitepaper v10

Page 13

computers that only send commands. Because the configuration activates listeners, it is prudent to run it only where it is needed. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Enable-PSRemoting -force

Enable-PSRemoting performs configuration actions to enable this machine for remote management. This includes:

1. Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:

- Starts the WinRM service.
- Sets the startup type on the WinRM service to Automatic.
- Creates a listener to accept requests on any IP address.
- Enables a firewall exception for WS-Management communications.
- Enables all registered Windows PowerShell session configurations to receive instructions from a remote computer.
- Registers the Microsoft.PowerShell session configuration, if it is not already registered.
- Registers the Microsoft.PowerShell32 session configuration on 64-bit computers, if it is not already registered.
- Removes the Deny Everyone setting from the security descriptor for all the registered session configurations.
- Restarts the WinRM service to make the preceding changes effective.

2. Configures MaxShellsPerUser using:

winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

Specifies the maximum number of concurrent shells that any user can remotely open on the same computer. If this policy setting is enabled, the user will not be able to open new remote shells if the count exceeds the specified limit. If this policy setting is disabled or is not configured, the limit will be set to 5 remote shells per user by default, and you receive the following error message:

[localhost] Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed

For more information about PowerShell remoting, please see MSDN.

3.2 Install MBCA

Download the edition of MBCA that matches your platform (x86 or x64) before installation.

Please find below the screenshots demonstrating the visual flow of the MBCA installation:

- Welcome screen
- License terms
- Folder selection
- Completion screen

3.3 Install BPA

Download the correct edition for your platform (x86 or x64) before installing. If you have trouble with the installation, please see section 5.7, Troubleshooting Installation.

3.3.1 Command line

Following is an optimized command line setup example:

msiexec /i SQL2008R2BPA_Setup64.msi /l* c:\temp\sqlbpa_install.log /qn

msiexec parameters:

- /i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform)
- /l = log granularity; "*" logs all information except for the v and x options
- log = log file
- /q = display settings (/qn: no user interface)
- SKIPCA=1 (if no domain controller is available; Skip Certification Authority)

For information on additional public properties, consult the Windows® Installer SDK for documentation on the command line syntax.

3.3.2 GUI

Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA installation:

- Welcome screen
- License terms
- System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM)
- Ready to install decision
- Install progress
- Completion screen

3.3.3 Port and Firewall restrictions

For scanning SQL Server or BI instances on an alternate server behind a firewall, you must open all necessary ports.

3.4 Updates

Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the Download site from Microsoft regularly to find new updates.

3.5 Uninstall

3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings

After the uninstall of the BPA, you may disable PowerShell remote scripting. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Disable-PSRemoting -force

Disable-PSRemoting performs configuration actions to enable this machine for remote management.

4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:

- Scanning through the local machine
  o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.
  o This scan can be of the local or an alternate server.
- Scanning through a remote machine
  o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.
  o This scan is using the local machine to form the connection to the remote machine and is actually performing the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start -> All Programs -> SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the Start menu with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters, as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:

- ComputerName
- IP address: n.n.n.n
- FQDN (Fully Qualified Domain Name)
- Enter "", localhost, or leave this blank if you want to scan the local machine.

Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the checkboxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to the SQL Server categories listed previously. Select at least one category in order to run a successful scan.

- Analyze_SQL_Analysis_Services
- Analyze_SQL_Server_Engine
- Analyze_SQL_Integration_Services
- Analyze_SQL_Server_Replication
- Analyze_SQL_Reporting_Services
- Analyze_SQL_Server_Setup

Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the below page while in progress.

7. When the scan is complete, results will be displayed grouped by Severity, as shown below.

4.3 Connect to a remote computer

A scan connected to a remote computer is different from scanning an alternate server.

"Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case, the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:

- ComputerName
- ComputerName:PortNumber
- IP address: n.n.n.n
- IPv6 address: [n:n:n:n:n:n:n:n]
- IPv4 address with port number: n.n.n.n:PortNumber
- IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session, type winrm help and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. On Windows XP, Windows Server 2003 and earlier, CredSSP is not supported.

First you must set CredSSP on both the client and the server:

- Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".
- Add the server or domain to the list of servers in the format "WSMAN/domainname.com".

Next, enable and configure PowerShell Remoting on both the client and server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

Enable PowerShell Remoting
  o Enable-psremoting -f

Settings for a client
  o Enable-WSManCredSSP -role Client -DelegateComputer [NetBiosNameOfServer]
  or
  o Enable-WSManCredSSP -role Client -DelegateComputer [FQDN OF SERVER]

Settings for the server
  o Enable-WSManCredSSP -role Server
  o set-item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000
  o set-item WSMan:\localhost\Shell\MaxShellsPerUser -value 20
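
The listener, quota and CredSSP settings made above, and by Enable-PSRemoting during setup, stay in place until they are reverted, and CredSSP delegates the user's credentials to the target server, so it is worth recording what is enabled on each machine. The following read-only audit is an added example, not part of the original whitepaper; the function name Get-BpaRemotingState is hypothetical, and it assumes an elevated PowerShell 2.0 or later session.

```powershell
# Added example (not from the whitepaper). Read-only; run in an elevated session.
# Get-BpaRemotingState is a hypothetical name chosen for this illustration.
function Get-BpaRemotingState {
    $findings = @()
    $svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
    $state = @{
        ComputerName   = $env:COMPUTERNAME
        WinRMState     = $svc.State
        WinRMStartMode = $svc.StartMode
    }

    if ($svc.State -ne 'Running') {
        # The WSMan: drive cannot be read while the service is stopped.
        $state.Findings = @('WinRM service is not running; no listener is active.')
        return New-Object PSObject -Property $state
    }

    # Listeners created by Set-WSManQuickConfig (any address, port 5985 by default).
    $state.Listeners = @(Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $port = (Get-Item ('WSMan:\localhost\Listener\' + $_.Name + '\Port')).Value
        ($_.Keys -join ', ') + ', Port=' + $port
    })
    if ($state.Listeners.Count -gt 0) {
        $findings += 'WinRM listener(s) active: ' + ($state.Listeners -join ' | ')
    }

    # Per-user shell quotas raised by the setup steps.
    $state.MaxShellsPerUser    = (Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
    $state.MaxMemoryPerShellMB = (Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value

    # CredSSP roles set by Enable-WSManCredSSP, and the client TrustedHosts list.
    $state.CredSSPServer = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
    $state.CredSSPClient = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
    $state.TrustedHosts  = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

    # Delegation targets from the "Allow Delegating Fresh Credentials" policy list.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    $targets = @()
    if (Test-Path $key) {
        $targets = @((Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [string]$_.Value })
    }
    $state.DelegationTargets = $targets

    if ($state.CredSSPServer -eq 'true') {
        $findings += 'CredSSP server role is enabled: this machine accepts delegated credentials.'
    }
    if ($state.CredSSPClient -eq 'true') {
        $findings += 'CredSSP client role is enabled; delegation targets: ' + ($targets -join ', ')
    }
    if ($targets | Where-Object { $_.Contains('*') }) {
        $findings += 'Wildcard delegation target: credentials can be delegated to every matching host.'
    }
    if ($state.TrustedHosts) {
        $findings += 'TrustedHosts is set (' + $state.TrustedHosts + '); these hosts might not be authenticated.'
    }

    $state.Findings = $findings
    New-Object PSObject -Property $state
}

# Usage: Get-BpaRemotingState | Format-List
```

Run it before installing BPA and again after uninstalling to see what was left behind; Disable-WSManCredSSP -Role Client and Disable-WSManCredSSP -Role Server revert the CredSSP roles.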

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x=Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

Part of the result looks like this:

ModelId : SQL2008R2BPA

SubModelId :

Success : True

ScanTime :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername

-SQL_Server_Instance_Name instancename

-Analyze_SQL_Server_Engine

-Analyze_SQL_Server_Replication

-Analyze_SQL_Server_Setup

-Analyze_SQL_Analysis_Services

-Analyze_SQL_Integration_Services

-Analyze_SQL_Reporting_Services

The parameter list is the same as the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = get-MbcaModel -ModelId sql2008r2bpa

$scanResult = get-MbcaResult -ModelId sql2008r2bpa

$collectedConfig = get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration

$model, $scanResult, $collectedConfig | export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").toString() -pre "<P>Generated by user $env:username on computer $env:computername</P>" -post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans, to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>

$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration

$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening an archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml

4.4.4 Report Result Directory

The reporting result path

AppData\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check.

copy-item -path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() -recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\*").ToString() -exclude Reports | Sort-Object name -descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.name).ToString() | ConvertTo-Html -As Table -property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").toString() -pre "<P>Generated by user $env:username on computer $env:computername</P>" -post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

- Pre-requisite validation
- Timestamp: finished rules, start and end times
- Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user's local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file gets generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

- Common File - ModelLog.txt
- Engine Rules - EngineLog.txt
- Replication Rules - ReplicationLog.txt
- Setup Rules - SetupLog.txt
- Analysis Services Rules - AnalysisServicesLog.txt
- Reporting Services Rules - ReportingServicesLog.txt
- Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 - The NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370.

Both of the rules below will function properly if you apply this hotfix. For more information, look here.

5.3 MBCA

This message indicates that one prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in result set of the analyzer report

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached, a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit; it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should check first if the Hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started.

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is "Access Denied".

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.

2. Change to the directory where the msi file resides.

3. Type msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, you are failing with the above error due to a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the Machine Account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS Web Application such as SharePoint, or if you are using Reporting Services and the service account is set to a Domain User account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in: WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
 -The user name or password specified are invalid.
 -Kerberos is used when no authentication method and no user name are specified.
 -Kerberos accepts domain user names, but not local user names.
 -The Service Principal Name (SPN) for the remote computer name and port does not exist.
 -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
 -Check the Event Viewer for events related to authentication.
 -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
 -For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a Host Header; then your HTTP SPN would not include the machine name, allowing BPA to run without issue.
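
To confirm that the HTTP SPN conflict described above applies to a server before any SPN is removed, list the accounts that hold an HTTP SPN for the machine name. This is an added example, not part of the original whitepaper; the function name Find-HttpSpnOwner is hypothetical, and it assumes a domain-joined machine that can query Active Directory and that the machine account is named after the computer.

```powershell
# Added example (not from the whitepaper). Read-only Active Directory query.
# Find-HttpSpnOwner is a hypothetical name chosen for this illustration.
function Find-HttpSpnOwner {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumption: the DNS domain of the computer is the one its SPNs use.
        [string]$DnsDomain = (Get-WmiObject Win32_ComputerSystem).Domain
    )

    # WinRM uses the HOST SPN on the machine account, which is named <computer>$.
    $machineAccount = $ComputerName + '$'
    $results = @()

    foreach ($hostName in @($ComputerName, "$ComputerName.$DnsDomain")) {
        # Refuse names that could alter the LDAP filter.
        if ($hostName -notmatch '^[A-Za-z0-9.\-]+$') {
            throw "Unexpected characters in host name '$hostName'"
        }

        # The trailing wildcard also returns port-qualified SPNs (HTTP/name:port).
        $searcher = [adsisearcher]"(servicePrincipalName=HTTP/$hostName*)"
        $searcher.PageSize = 200
        $pattern = '^HTTP/' + [regex]::Escape($hostName) + '(:\d+)?$'

        foreach ($entry in $searcher.FindAll()) {
            $account = [string]$entry.Properties['samaccountname'][0]
            foreach ($spn in $entry.Properties['serviceprincipalname']) {
                # Keep exact matches only; the wildcard also hits longer host names.
                if ($spn -match $pattern) {
                    $results += New-Object PSObject -Property @{
                        Spn      = $spn
                        Account  = $account
                        # An HTTP SPN for this machine name on any other account
                        # is the situation the section above describes.
                        Conflict = ($account -ne $machineAccount)
                    }
                }
            }
        }
    }
    $results
}

# Usage: Find-HttpSpnOwner | Where-Object { $_.Conflict } | Format-Table Spn, Account
```

An empty result for the Conflict filter means no other account holds an HTTP SPN for this machine name, so the Negotiate error has a different cause from the list in the message.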

Page 33

6 RULES

Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals

Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo

CHECKDB

Page 34

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level: Description

Noncompliant: Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant: Compliant results are returned when a role satisfies the conditions of a rule.

Warning: Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name: Description

Security: Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance: Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration: Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy: Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation: Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment: Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before the role is used in production.

Postdeployment: Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.

BPA Prerequisites: BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules, with the links to the rule descriptions. These rules check that you have a secure, resilient, and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC/BDC (http://support.microsoft.com/kb/2032911)
SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)
Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)
Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)
Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)
Databases using simple recovery model (http://support.microsoft.com/kb/2137539)
User database collation different from model (http://support.microsoft.com/kb/2026108)
Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)
Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)
LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)
SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)
SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)
Invalid startup parameters (http://support.microsoft.com/kb/2028433)
MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)
sql incorrect results fix missing (http://support.microsoft.com/kb/971780)
File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)
linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)
Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)
default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)
TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)
FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)
Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)
A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)
Significant Portion of SQL Server Memory Has Been Paged Out (http://support.microsoft.com/kb/2028324)
Server Exception or Hang Detected on Server (http://support.microsoft.com/kb/2028589)
Databases exist without CHECKSUM protection (http://support.microsoft.com/kb/2078345)
backups outdated for databases (http://support.microsoft.com/kb/2027537)
Database consistency check not current (http://support.microsoft.com/kb/2033590)
SQL Server Memory settings are incorrect (http://support.microsoft.com/KB/918483/EN-US)
Autogrow Failed or took a long time (http://support.microsoft.com/kb/2091024)
Storport driver fix from KBA 940467 missing (http://support.microsoft.com/kb/2121098)
Storport driver fix from KBA 950903 missing (http://support.microsoft.com/kb/2121098)
SQLCLR needs additional memory configuration (http://support.microsoft.com/kb/969962/EN-US)
Operating System files and drivers needs update for working set trimming (http://support.microsoft.com/kb/2121098)
Agent Token Replacement (http://support.microsoft.com/kb/2202637)
Auditing Log in failures (http://support.microsoft.com/kb/2187161)
Databases with high number of VLF present (http://support.microsoft.com/kb/2028436)
Transparent Data Encryption Certificate (http://support.microsoft.com/kb/2201900)
Permission on the Binn folder (http://support.microsoft.com/kb/2029023)
Index Statistics Are Outdated
Server public permissions (http://support.microsoft.com/kb/2160698)
Detected use of older versions of SQLNCLI (http://support.microsoft.com/kb/979779)

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules, with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services (http://support.microsoft.com/kb/2128005)
Excessive amount of memory preallocated to Analysis Services (http://support.microsoft.com/kb/2027474)
Server not configured for optimal concurrent query throughput (http://support.microsoft.com/kb/2135031)
Non standard value detected for Analysis Services memory configuration (http://support.microsoft.com/kb/2027472)
Process Thread Pool Max limit above recommended limit (http://support.microsoft.com/kb/2134497)
Process Thread Pool Minimum is below the recommended limit (http://support.microsoft.com/kb/2134855)
Server is running a build with a known regression (http://support.microsoft.com/kb/2157941)
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur (http://support.microsoft.com/kb/2027754)
Server is ignoring duplicate key errors (http://support.microsoft.com/kb/2027761)
No default member defined for non-aggregatable attribute (http://support.microsoft.com/kb/2027769)
UnknownMember set to hidden (http://support.microsoft.com/kb/2027628)
Non-numeric key column for high cardinality attribute (http://support.microsoft.com/kb/2028138)
Attribute hierarchy enabled for high cardinality non-key attribute (http://support.microsoft.com/kb/2028143)
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected (http://support.microsoft.com/kb/2132742)
Account or Time attribute types defined in a non-matching dimension type (http://support.microsoft.com/kb/2157299)
An Account or Time dimension has no matching attribute defined (http://support.microsoft.com/kb/2027418)
Dimension has no attribute defined with the same type (http://support.microsoft.com/kb/2027443)
Attribute Dimension type mismatch (http://support.microsoft.com/kb/2157327)
Mismatched dimension attribute types detected in dimension (http://support.microsoft.com/kb/2027459)
Possible incorrect order of levels defined in hierarchy (http://support.microsoft.com/kb/2027460)
Define attribute relationships as Rigid where possible (http://support.microsoft.com/kb/2027468)
Redundant attribute relationships detected (http://support.microsoft.com/kb/2127437)
Diamond-shape relationship detected (http://support.microsoft.com/kb/2127570)
Non-Standard Attribute Relationship name detected (http://support.microsoft.com/kb/2127862)
Proactive Caching set for dimension without a processing query (http://support.microsoft.com/kb/2027541)
No Time dimension detected (http://support.microsoft.com/kb/2027532)
More than 3 parent-child dimensions with custom rollups defined (http://support.microsoft.com/kb/2134431)
Encountered a parent-child dimension with more than 500000 members (http://support.microsoft.com/kb/2131918)
Single attribute dimensions detected (http://support.microsoft.com/kb/2141654)
Measure groups with zero dimensional overlap detected in cube (http://support.microsoft.com/kb/2027609)
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective (http://support.microsoft.com/kb/2027603)
Use MOLAP storage for dimensions that participate in semi-additive measure groups (http://support.microsoft.com/kb/2135112)
Measure group defined with no partition (http://support.microsoft.com/kb/2027545)

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration (http://support.microsoft.com/kb/2145506)
HTTP Logging is not enabled (http://support.microsoft.com/kb/2145909)
Verbose logging is enabled (http://support.microsoft.com/kb/2146315)
NTLM authentication may fail for local (http://support.microsoft.com/kb/2146369)
Missing extended protection settings (http://support.microsoft.com/kb/2146062)

6.4 IS Rules

Logging task missing for package (http://support.microsoft.com/kb/2027723)
ActiveX Script task detected in package (http://support.microsoft.com/kb/2027712)
Unrecommended Integration Services service account detected (http://support.microsoft.com/kb/2027684)
Integration Services logging table found in system database master and/or msdb (http://support.microsoft.com/kb/2027706)
Integration Services memory dump detected (http://support.microsoft.com/kb/2027727)

6.5 Setup Rules

Unsupported Operating System Version Detected (http://support.microsoft.com/kb/2022909)
WOW64 not supported for SQL Failover Clustering (http://support.microsoft.com/kb/2157198)
Installer cache is missing for the SQL Installation (http://support.microsoft.com/kb/2015100)
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type (http://support.microsoft.com/kb/2118349)
Replication Pub and Sub out of sync (Data Validation) (http://support.microsoft.com/kb/2118386)
Replication Pub and Sub out of sync (Constraint Violations) (http://support.microsoft.com/kb/2118410)
Replication Pub and Sub out of sync (Skipped Transactions) (http://support.microsoft.com/kb/2194498)
Merge Replication Health Check (http://support.microsoft.com/kb/2118445)
Subscriptions Approaching Expiration (http://go.microsoft.com/fwlink/?LinkId=184483)
Replication Cleanup and Retention Health Check (http://support.microsoft.com/kb/2118485)
Replication Latency Threshold violations (http://support.microsoft.com/kb/2118425)

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed trace flag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (ByValue, ByPropertyName)

Accept wildcard characters False

This must be SQL2008R2BPA for the SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required false

Position named


Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required false


Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


Page 14: SQL2008R2 BPA Whitepaper v10


Please find below the screenshots demonstrating the visual flow of the MBCA Installation

Welcome screen

License terms

Folder selection

Completion screen

3.3 Install BPA

Download the correct edition for your platform (x86 or x64) before installing. If you have trouble with the installation, please see section 5.7, Troubleshooting Installation.

3.3.1 Command line

Following is an optimized command line setup example:

msiexec /i SQL2008R2BPA_Setup64.msi /l* c:\temp\sqlbpa_install.log /qn

msiexec parameters:

/i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform)

/l = log granularity; "*" logs all information except for the v and x options

log = log file (the path that follows /l*)

/q = display settings (/qn: no user interface)

SKIPCA=1 (if no domain controller is available: Skip Certification Authority)

For information on additional public properties, consult the Windows® Installer SDK for documentation on the command line syntax.

3.3.2 GUI

Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA installation:

Welcome screen

License terms

System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM)

Ready to install decision

Install progress

Completion screen

3.3.3 Port and Firewall restrictions

For scanning SQL Server or BI instances on an alternate server behind a firewall, you must open all necessary ports.

3.4 Updates

Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the Download site from Microsoft regularly to find new updates.

3.5 Uninstall

3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings

After the uninstall of the BPA, you may disable PowerShell remote scripting. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Disable-PSRemoting -force

Disable-PSRemoting performs configuration actions to enable this machine for remote management

4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA:

Scanning through the local machine

o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.

o This scan can be of the local or an alternate server.

Scanning through a remote machine

o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.

o This scan uses the local machine to form the connection to the remote machine, and actually performs the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start -> All Programs -> SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the Start menu with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters, as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan, in one of these forms:

ComputerName

IP address: n.n.n.n

FQDN (Fully Qualified Domain Name)

Enter ".", localhost, or leave this blank if you want to scan the local machine.

Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the checkboxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to one of the SQL Server categories listed previously. Select at least one category in order to run a successful scan.

Analyze_SQL_Analysis_Services

Analyze_SQL_Server_Engine

Analyze_SQL_Integration_Services

Analyze_SQL_Server_Replication

Analyze_SQL_Reporting_Services

Analyze_SQL_Server_Setup

Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the page below while it is in progress.

7. When the scan is complete, results will be displayed grouped by Severity, as shown below.

4.3 Connect to a remote computer

A scan connected to a remote computer is different from scanning an alternate server.

"Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:

ComputerName

ComputerName:PortNumber

IP address: n.n.n.n

IPv6 address: [n:n:n:n:n:n:n:n]

IPv4 address with port number: n.n.n.n:PortNumber

IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session type winrm help, and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. On Windows XP, Windows Server 2003, and earlier, CredSSP is not supported.

First, you must set CredSSP on both the client and the server:

Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".

Add the server or domain to the list of servers in the format "WSMAN/domainname.com".

Next, enable and configure PowerShell Remoting on both the client and server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

Enable PowerShell Remoting

o Enable-PSRemoting -Force

Settings for a client

o Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]

or

o Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]

Settings for the server

o Enable-WSManCredSSP -Role Server

o Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000

o Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20
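The setup steps above, and the "Reset PowerShell settings" step for uninstall, change WinRM and CredSSP state that stays on the machine once scanning is finished. The following read-only report is an added example, not code from the white paper; the function names are hypothetical, and it assumes the standard WSMan: drive items and the local policy registry key behind "Allow Delegating Fresh Credentials".

```powershell
# Added example (not from the white paper): read-only report of the WinRM and
# CredSSP settings that the BPA remote-scan setup changes.
# Run in an elevated PowerShell session. Function names are hypothetical.

function New-Row($Setting, $Value, $Note) {
    New-Object psobject -Property @{ Setting = $Setting; Value = $Value; Note = $Note } |
        Select-Object Setting, Value, Note
}

function Get-WsmanValue([string]$Path) {
    # The WSMan: drive can only be read while the WinRM service is running.
    try   { [string](Get-Item -Path $Path -ErrorAction Stop).Value }
    catch { 'unavailable' }
}

function Get-DelegationScope([string]$Target) {
    # Classify one delegation entry by how many hosts may receive credentials.
    if ($Target -match '^(wsman/)?\*$') { return 'any host' }
    if ($Target -match '\*')            { return 'wildcard: every matching host' }
    return 'single host'
}

function Get-BpaRemotingFootprint {
    # WinRM service: Disable-PSRemoting blocks remote access to the session
    # configurations but does not stop the service or remove its listener.
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $status = 'not installed'
    if ($svc) { $status = [string]$svc.Status }
    New-Row 'WinRM service' $status 'still running after Disable-PSRemoting unless stopped separately'

    try   { $listeners = @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction Stop).Count }
    catch { $listeners = 'unavailable' }
    New-Row 'WinRM listeners' $listeners 'default HTTP port is 5985'

    # CredSSP roles switched on by Enable-WSManCredSSP.
    New-Row 'CredSSP (client role)' (Get-WsmanValue 'WSMan:\localhost\Client\Auth\CredSSP')  'Enable-WSManCredSSP -Role Client'
    New-Row 'CredSSP (server role)' (Get-WsmanValue 'WSMan:\localhost\Service\Auth\CredSSP') 'Enable-WSManCredSSP -Role Server'

    # Shell quotas raised by the Set-Item commands in this paper.
    New-Row 'MaxMemoryPerShellMB' (Get-WsmanValue 'WSMan:\localhost\Shell\MaxMemoryPerShellMB') 'paper sets 20000 or 1000; it gives 150 as the default'
    New-Row 'MaxShellsPerUser'    (Get-WsmanValue 'WSMan:\localhost\Shell\MaxShellsPerUser')    'paper sets 20 or 10'

    # Hosts that may receive delegated fresh credentials (Group Policy list).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (Test-Path $key) {
        $k = Get-Item $key
        foreach ($name in $k.GetValueNames()) {
            $target = [string]$k.GetValue($name)
            New-Row 'Delegation target' $target (Get-DelegationScope $target)
        }
    } else {
        New-Row 'Delegation target' '(none)' 'policy list not present'
    }
}

Get-BpaRemotingFootprint | Format-Table -AutoSize -Wrap

# To undo the changes once remote scans are no longer needed:
#   Disable-WSManCredSSP -Role Client
#   Disable-WSManCredSSP -Role Server
#   Disable-PSRemoting -Force
```

Run it before and after the setup steps and keep both outputs, so that the delta (CredSSP roles, delegation targets, shell quotas) can be reverted deliberately rather than left in place.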

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

The result looks like this:

ModelId : SQL2008R2BPA

SubModelId :

Success : True

ScanTime :

Success = True is important. This is the indicator that your scan was successful.

Parameter description

-Alternate_Server_to_scan servername

-SQL_Server_Instance_Name instancename

-Analyze_SQL_Server_Engine

-Analyze_SQL_Server_Replication

-Analyze_SQL_Server_Setup

-Analyze_SQL_Analysis_Services

-Analyze_SQL_Integration_Services

-Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = Get-MbcaModel -ModelId sql2008r2bpa

$scanResult = Get-MbcaResult -ModelId sql2008r2bpa

$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration

$model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>

$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration

$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening an archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
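Comparing an older export with a newer one, as described above, can be scripted. The following is an added example, not code from the white paper: the function names, host name, rule titles and file names are constructed, and it assumes both exports hold only noncompliant results (Get-MBCAResult -Filter Noncompliant), so that a finding missing from the newer scan counts as resolved.

```powershell
# Added example, not from the white paper. The sample rows are constructed; the
# property names are the ones the paper passes to ConvertTo-Html -Property.

function New-SampleResult($SubModelID, $Severity, $Category, $Title) {
    New-Object psobject -Property @{
        ComputerName = 'SQLTEST01'          # constructed host name
        SubModelID   = $SubModelID
        Severity     = $Severity
        Category     = $Category
        Title        = $Title
    }
}

function Get-FindingKey($Result) {
    # A finding is identified by where it fired and which rule raised it.
    '{0}|{1}|{2}|{3}' -f $Result.ComputerName, $Result.SubModelID,
                         $Result.Category, $Result.Title
}

function Compare-BpaScan {
    param(
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $Baseline,
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $Current
    )
    $old = @{}; foreach ($r in $Baseline) { $old[(Get-FindingKey $r)] = $r }
    $new = @{}; foreach ($r in $Current)  { $new[(Get-FindingKey $r)] = $r }

    foreach ($k in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        # Compare on the string form of Severity.
        $was = 'absent'; if ($old.ContainsKey($k)) { $was = [string]$old[$k].Severity }
        $now = 'absent'; if ($new.ContainsKey($k)) { $now = [string]$new[$k].Severity }
        if ($was -eq $now) { continue }     # unchanged finding: not reported

        if     ($was -eq 'absent') { $change = 'New' }
        elseif ($now -eq 'absent') { $change = 'Resolved' }
        else                       { $change = 'SeverityChanged' }

        $src = if ($new.ContainsKey($k)) { $new[$k] } else { $old[$k] }
        New-Object psobject -Property @{
            Change = $change; Was = $was; Now = $now
            SubModelID = $src.SubModelID; Category = $src.Category; Title = $src.Title
        } | Select-Object Change, Was, Now, SubModelID, Category, Title
    }
}

# Constructed sample data standing in for two archived scans.
$baseline = @(
    New-SampleResult 'Engine'           'Warning' 'Security'      'Constructed rule A'
    New-SampleResult 'Engine'           'Error'   'Configuration' 'Constructed rule B'
    New-SampleResult 'AnalysisServices' 'Warning' 'Performance'   'Constructed rule C'
)
$current = @(
    New-SampleResult 'Engine'           'Error'   'Security'      'Constructed rule A'
    New-SampleResult 'AnalysisServices' 'Warning' 'Performance'   'Constructed rule C'
    New-SampleResult 'Engine'           'Warning' 'Security'      'Constructed rule D'
)

# Round-trip through Export-CliXml / Import-CliXml, as the archived reports do.
$dir = Join-Path $env:TEMP 'bpa-compare-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$baseline | Export-Clixml -Path (Join-Path $dir 'scan_old.xml')
$current  | Export-Clixml -Path (Join-Path $dir 'scan_new.xml')

$report = Compare-BpaScan -Baseline @(Import-Clixml (Join-Path $dir 'scan_old.xml')) `
                          -Current  @(Import-Clixml (Join-Path $dir 'scan_new.xml'))
$report | Format-Table -AutoSize
```

With the sample data, rule A is reported as SeverityChanged (Warning to Error), rule B as Resolved and rule D as New; rule C is unchanged and omitted.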

4.4.4 Report Result Directory

The reporting result path

AppData\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check.

Copy-Item -Path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -Destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() -Recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object Name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.Name).ToString() | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation

Timestamp, finished rules, start and end times

Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user's local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file is generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt

Engine Rules - EngineLog.txt

Replication Rules - ReplicationLog.txt

Setup Rules - SetupLog.txt

Analysis Services Rules - AnalysisServicesLog.txt

Reporting Services Rules - ReportingServicesLog.txt

Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 - The NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix

http://support.microsoft.com/kb/932370

Both of the rules below will function properly if you apply this hotfix. For more information look here

5.3 MBCA

This message indicates that one prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in result set of the analyzer report

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should check first if the Hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started.

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application

Source: MsiInstaller

Date: 6/10/2010 8:38:18 AM

Event ID: 11722

Task Category: None

Level: Error

Keywords: Classic

User: <Username>

Computer: <Machine name>

Description:

Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is “Access Denied”.

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.
2. Change to the directory where the .msi file resides.
3. Type: msiexec /i <MSI Name> SKIPCA=1
4. <MSI Name> will be either SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.
5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.
6. Execute the following commands:
   a. Enable-PSRemoting
   b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails with the above error because of a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS web application such as SharePoint, or if you are using Reporting Services and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That’s where this problem comes in: WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
  Note that computers in the TrustedHosts list might not be authenticated.
  -For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
    + CategoryInfo          : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a domain account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application’s end, would be to run the application under a host header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.
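One way to detect the HTTP SPN condition described above before enabling remoting or running a scan. This is an added example, not part of the original whitepaper; Find-HttpSpnOwner is a hypothetical name, and the script assumes a domain-joined machine, a user allowed to query Active Directory, and a computer name that matches the machine account name.

```powershell
# Added example: list the accounts that hold an HTTP SPN for this machine's
# name and mark those that are not the machine account, which is the
# situation the Kerberos failure section describes. Read-only LDAP query.
# Find-HttpSpnOwner is a hypothetical name.
function Find-HttpSpnOwner {
    param([string]$HostName = $env:COMPUTERNAME)

    # Check both the short name and the FQDN, since an SPN can use either.
    $names = @($HostName)
    try {
        $fqdn = [System.Net.Dns]::GetHostEntry($HostName).HostName
        if ($fqdn -ne $HostName) { $names += $fqdn }
    } catch { }   # no DNS entry: fall back to the name as given

    # Assumption: the machine account is the short host name followed by '$'.
    $machineAccount = ($HostName.Split('.')[0]) + '$'

    # With no search root given, the searcher binds to the current domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    [void]$searcher.PropertiesToLoad.Add('serviceprincipalname')

    foreach ($name in $names) {
        # Match HTTP/<name> with or without a port suffix. ${name} is needed
        # because "$name:" would be parsed as a scoped variable reference.
        $searcher.Filter = "(|(servicePrincipalName=HTTP/${name})(servicePrincipalName=HTTP/${name}:*))"

        foreach ($entry in $searcher.FindAll()) {
            $account = [string]$entry.Properties['samaccountname'][0]
            $spns = @($entry.Properties['serviceprincipalname'] |
                      Where-Object { $_ -like "HTTP/${name}" -or $_ -like "HTTP/${name}:*" })

            New-Object PSObject -Property @{
                Account        = $account
                HttpSpn        = ($spns -join ', ')
                OnOtherAccount = ($account -ne $machineAccount)
            } | Select-Object Account, HttpSpn, OnOtherAccount
        }
    }
}

# Rows with OnOtherAccount = True are the accounts to review before running
# Enable-PSRemoting or a BPA scan on this machine.
Find-HttpSpnOwner | Format-Table -AutoSize
```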

6 RULES

Searching for “SQL Server 2008 R2 BPA” at Microsoft.com reveals:

Here is an example of one of these articles that talks about a rule to check for a recent “clean” CHECKDB:

BPA works by measuring a role’s compliance with best practice rules in eight different categories of a role’s effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level | Description
Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule.
Compliant | Compliant results are returned when a role satisfies the conditions of a rule.
Warning | Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name | Description
Security | Security rules are applied to measure a role’s relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.
Performance | Performance rules are applied to measure a role’s ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role’s workload.
Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.
Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.
Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.
Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.
Postdeployment | Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.
BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient, and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC/BDC (http://support.microsoft.com/kb/2032911)

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)
Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)
Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)
Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)
Databases using simple recovery model (http://support.microsoft.com/kb/2137539)
User database collation different from model (http://support.microsoft.com/kb/2026108)
Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)
Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)
LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)
SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)
SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)
Invalid startup parameters (http://support.microsoft.com/kb/2028433)
MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)
sql incorrect results fix missing (http://support.microsoft.com/kb/971780)
File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)
linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)
Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)
default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)
TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)
FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)
Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)
A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)

Significant Portion of SQL Server Memory Has Been Paged Out (http://support.microsoft.com/kb/2028324)
Server Exception or Hang Detected on Server (http://support.microsoft.com/kb/2028589)
Databases exist without CHECKSUM protection (http://support.microsoft.com/kb/2078345)
backups outdated for databases (http://support.microsoft.com/kb/2027537)
Database consistency check not current (http://support.microsoft.com/kb/2033590)
SQL Server Memory settings are incorrect (http://support.microsoft.com/KB/918483/EN-US)
Autogrow Failed or took a long time (http://support.microsoft.com/kb/2091024)
Storport driver fix from KBA 940467 missing (http://support.microsoft.com/kb/2121098)
Storport driver fix from KBA 950903 missing (http://support.microsoft.com/kb/2121098)
SQLCLR needs additional memory configuration (http://support.microsoft.com/kb/969962/EN-US)
Operating System files and drivers needs update for working set trimming (http://support.microsoft.com/kb/2121098)
Agent Token Replacement (http://support.microsoft.com/kb/2202637)
Auditing Log in failures (http://support.microsoft.com/kb/2187161)
Databases with high number of VLF present (http://support.microsoft.com/kb/2028436)
Transparent Data Encryption Certificate (http://support.microsoft.com/kb/2201900)
Permission on the Binn folder (http://support.microsoft.com/kb/2029023)
Index Statistics Are Outdated
Server public permissions (http://support.microsoft.com/kb/2160698)
Detected use of older versions of SQLNCLI (http://support.microsoft.com/kb/979779)

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services (http://support.microsoft.com/kb/2128005)
Excessive amount of memory preallocated to Analysis Services (http://support.microsoft.com/kb/2027474)
Server not configured for optimal concurrent query throughput (http://support.microsoft.com/kb/2135031)
Non standard value detected for Analysis Services memory configuration (http://support.microsoft.com/kb/2027472)
Process Thread Pool Max limit above recommended limit (http://support.microsoft.com/kb/2134497)
Process Thread Pool Minimum is below the recommended limit (http://support.microsoft.com/kb/2134855)
Server is running a build with a known regression (http://support.microsoft.com/kb/2157941)
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur (http://support.microsoft.com/kb/2027754)
Server is ignoring duplicate key errors (http://support.microsoft.com/kb/2027761)
No default member defined for non-aggregatable attribute (http://support.microsoft.com/kb/2027769)
UnknownMember set to hidden (http://support.microsoft.com/kb/2027628)
Non-numeric key column for high cardinality attribute (http://support.microsoft.com/kb/2028138)
Attribute hierarchy enabled for high cardinality non-key attribute (http://support.microsoft.com/kb/2028143)
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected (http://support.microsoft.com/kb/2132742)

Account or Time attribute types defined in a non-matching dimension type (http://support.microsoft.com/kb/2157299)
An Account or Time dimension has no matching attribute defined (http://support.microsoft.com/kb/2027418)
Dimension has no attribute defined with the same type (http://support.microsoft.com/kb/2027443)
Attribute Dimension type mismatch (http://support.microsoft.com/kb/2157327)
Mismatched dimension attribute types detected in dimension (http://support.microsoft.com/kb/2027459)
Possible incorrect order of levels defined in hierarchy (http://support.microsoft.com/kb/2027460)
Define attribute relationships as Rigid where possible (http://support.microsoft.com/kb/2027468)
Redundant attribute relationships detected (http://support.microsoft.com/kb/2127437)
Diamond-shape relationship detected (http://support.microsoft.com/kb/2127570)
Non-Standard Attribute Relationship name detected (http://support.microsoft.com/kb/2127862)
Proactive Caching set for dimension without a processing query (http://support.microsoft.com/kb/2027541)
No Time dimension detected (http://support.microsoft.com/kb/2027532)
More than 3 parent-child dimensions with custom rollups defined (http://support.microsoft.com/kb/2134431)
Encountered a parent-child dimension with more than 500000 members (http://support.microsoft.com/kb/2131918)
Single attribute dimensions detected (http://support.microsoft.com/kb/2141654)
Measure groups with zero dimensional overlap detected in cube (http://support.microsoft.com/kb/2027609)
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective (http://support.microsoft.com/kb/2027603)
Use MOLAP storage for dimensions that participate in semi-additive measure groups (http://support.microsoft.com/kb/2135112)
Measure group defined with no partition (http://support.microsoft.com/kb/2027545)

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration (http://support.microsoft.com/kb/2145506)
HTTP Logging is not enabled (http://support.microsoft.com/kb/2145909)
Verbose logging is enabled (http://support.microsoft.com/kb/2146315)
NTLM authentication may fail for local (http://support.microsoft.com/kb/2146369)
Missing extended protection settings (http://support.microsoft.com/kb/2146062)

6.4 IS Rules

Logging task missing for package (http://support.microsoft.com/kb/2027723)
ActiveX Script task detected in package (http://support.microsoft.com/kb/2027712)
Unrecommended Integration Services service account detected (http://support.microsoft.com/kb/2027684)
Integration Services logging table found in system database master and/or msdb (http://support.microsoft.com/kb/2027706)
Integration Services memory dump detected (http://support.microsoft.com/kb/2027727)

6.5 Setup Rules

Unsupported Operating System Version Detected (http://support.microsoft.com/kb/2022909)
WOW64 not supported for SQL Failover Clustering (http://support.microsoft.com/kb/2157198)
Installer cache is missing for the SQL Installation (http://support.microsoft.com/kb/2015100)
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type (http://support.microsoft.com/kb/2118349)
Replication Pub and Sub out of sync (Data Validation) (http://support.microsoft.com/kb/2118386)
Replication Pub and Sub out of sync (Constraint Violations) (http://support.microsoft.com/kb/2118410)
Replication Pub and Sub out of sync (Skipped Transactions) (http://support.microsoft.com/kb/2194498)
Merge Replication Health Check (http://support.microsoft.com/kb/2118445)
Subscriptions Approaching Expiration (http://go.microsoft.com/fwlink/?LinkId=184483)
Replication Cleanup and Retention Health Check (http://support.microsoft.com/kb/2118485)
Replication Latency Threshold violations (http://support.microsoft.com/kb/2118425)

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article “Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates” the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it’s a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob’s article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You get help for these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest.
2. Dynamic parameters that are included with the model.
3. Submodels that are included with the model.

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

    Required?                    false
    Position?                    2
    Default value
    Accept pipeline input?       true (By Value, By Property Name)
    Accept wildcard characters?  False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

    Required?                    false
    Position?                    3
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

    Required?                    false
    Position?                    named
    Default value                Default
    Accept pipeline input?       false
    Accept wildcard characters?  false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

    Required?                    false
    Position?                    named
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

    Required?                    false
    Position?                    named
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

    Required?                    false
    Position?                    named
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

    Required?                    false
    Position?                    named
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

    Required?                    false
    Position?                    named
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

    Required?                    false
    Position?                    named
    Default value                All
    Accept pipeline input?       false
    Accept wildcard characters?  false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

    Required?                    true
    Position?                    2
    Default value
    Accept pipeline input?       true (By Value, By Property Name)
    Accept wildcard characters?  False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

    Required?                    false
    Position?                    named
    Default value                80
    Accept pipeline input?       false
    Accept wildcard characters?  false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

    Required?                    false
    Position?                    named
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

    Required?                    true
    Position?                    named
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

    Required?                    false
    Position?                    named
    Default value                32
    Accept pipeline input?       false
    Accept wildcard characters?  false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role is preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by <Model Id>. The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by <SubModel Id> and on the computer that is represented by <Server>.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by <Model Id> is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by <Model Id>, and then applies a filter to show only Noncompliant results.

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by <SubModel Id>. Note that the parent model ID must be specified to use the -SubModelId parameter.

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by <SubModel Id>. The parent model ID is provided as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by <Context Model Id>; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as <Server>, and only those results found in the non-default results repository that is represented by <Repository Path>.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required false

Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by <Model Id>.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath "C:\ReposPath" | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath "C:\ReposPath" -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by <Specified Model Id> from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


Page 15: SQL2008R2 BPA Whitepaper v10

3.3.2 GUI

The screenshots below demonstrate the visual flow of the SQL Server 2008 R2 BPA installation:

Welcome screen

License terms

System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM)

Ready to install decision

Install progress

Completion screen

3.3.3 Port and Firewall restrictions

To scan SQL Server or BI instances on an alternate server behind a firewall, you must open all necessary ports.

3.4 Updates

Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the Download site from Microsoft regularly to find new updates.

3.5 Uninstall

3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings

After you uninstall the BPA, you may disable PowerShell remote scripting. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Disable-PSRemoting -force

Disable-PSRemoting performs configuration actions to enable this machine for remote management

4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:

Scanning through the local machine

o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.

o This scan can be of the local or an alternate server.

Scanning through a remote machine

o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.

o This scan is using the local machine to form the connection to the remote machine and is actually performing the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start->All programs->SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the start menu with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:

ComputerName

IP address: n.n.n.n

FQDN (Fully Qualified Domain Name)

Enter "", localhost, or leave this blank if you want to scan the local machine.

Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the checkboxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to the SQL Server categories listed previously. Select at least one category in order to run a successful scan.

Analyze_SQL_Analysis_Services

Analyze_SQL_Server_Engine

Analyze_SQL_Integration_Services

Analyze_SQL_Server_Replication

Analyze_SQL_Reporting_Services

Analyze_SQL_Server_Setup

Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the page below while in progress.

7. When the scan is complete, results will be displayed grouped by Severity, as shown below.

4.3 Connect to a remote computer

A scan connected to a remote computer is different from scanning an alternate server.

"Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case, the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:

ComputerName

ComputerName:PortNumber

IP address: n.n.n.n

IPv6 address: [n:n:n:n:n:n:n:n]

IPv4 address with port number: n.n.n.n:PortNumber

IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session type winrm help and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

Note: WinRM clients and servers support CredSSP authentication only with explicit credentials. CredSSP is not supported on Windows XP, Windows Server 2003, and earlier.

First you must set CredSSP on both the client and the server.

Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".

Add the server or domain to the list of servers in the format "WSMAN/domainname.com".

Next, enable and configure PowerShell Remoting on both the client and the server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

Enable PowerShell Remoting

o Enable-PSRemoting -Force

Settings for a client

o Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]

or

o Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]

Settings for the server

o Enable-WSManCredSSP -Role Server

o Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000

o Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20
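The settings above stay in place after the BPA is removed: Disable-PSRemoting (section 3.5.3) only denies access to the session configurations and leaves the WinRM service, its listeners and the CredSSP settings untouched, and CredSSP hands the user's explicit credentials to the target server, so it should not stay enabled longer than needed. The following added example, which is not part of the whitepaper, audits what sections 4.3 and 3.5.3 change and optionally reverts it. The function names are hypothetical; run it in an elevated Windows PowerShell session.

```powershell
# Added example, not from the whitepaper. Function names are hypothetical.
# Assumes an elevated Windows PowerShell 2.0 (or later) session.

function Get-BpaRemotingState {
    $state = New-Object PSObject -Property @{
        WinRMStatus         = (Get-Service -Name WinRM).Status
        Listeners           = @()
        CredSSPService      = $null
        CredSSPClient       = $null
        DelegationTargets   = @()
        MaxMemoryPerShellMB = $null
        MaxShellsPerUser    = $null
    }
    # The WSMan: drive can only be read while the WinRM service is running.
    if ($state.WinRMStatus -eq 'Running') {
        $state.Listeners           = @(Get-ChildItem WSMan:\localhost\Listener | ForEach-Object { $_.Name })
        $state.CredSSPService      = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
        $state.CredSSPClient       = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
        $state.MaxMemoryPerShellMB = (Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
        $state.MaxShellsPerUser    = (Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
    }
    # "Allow Delegating Fresh Credentials" stores its server list in this policy key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $state.DelegationTargets = @($props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { [string]$_.Value })
    }
    $state
}

function Get-BpaRemotingFindings {
    param($State = (Get-BpaRemotingState))
    $findings = @()
    if ($State.CredSSPService -eq 'true') {
        $findings += 'WinRM service accepts CredSSP (Enable-WSManCredSSP -Role Server is still in effect).'
    }
    if ($State.CredSSPClient -eq 'true') {
        $findings += 'WinRM client may delegate credentials through CredSSP.'
    }
    foreach ($target in $State.DelegationTargets) {
        if ($target.Contains('*')) {
            $findings += "Delegation target '$target' is a wildcard; credentials can be delegated to every matching host."
        }
    }
    if ($State.Listeners.Count -gt 0) {
        $findings += ('{0} WinRM listener(s) still configured.' -f $State.Listeners.Count)
    }
    # 20000 MB and 20 shells are the values section 4.3 sets on the server.
    if ([int]$State.MaxMemoryPerShellMB -ge 20000) { $findings += 'MaxMemoryPerShellMB is still raised to the BPA value.' }
    if ([int]$State.MaxShellsPerUser -ge 20)       { $findings += 'MaxShellsPerUser is still raised to the BPA value.' }
    $findings
}

function Reset-BpaRemotingState {
    param([switch]$StopWinRM)
    # Stop delegating credentials from, and accepting delegated credentials on, this machine.
    Disable-WSManCredSSP -Role Client
    Disable-WSManCredSSP -Role Server
    # Deny access to all session configurations (the step from section 3.5.3).
    Disable-PSRemoting -Force
    if ($StopWinRM) {
        # Only when nothing else on the host depends on WinRM.
        Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
            Remove-Item -Path ('WSMan:\localhost\Listener\' + $_.Name) -Recurse
        }
        Stop-Service -Name WinRM
        Set-Service -Name WinRM -StartupType Disabled
    }
}

# Report what is still enabled; call Reset-BpaRemotingState after reviewing the output.
Get-BpaRemotingFindings | ForEach-Object { Write-Warning $_ }
```

The shell quotas are reported but not reset, because the right values depend on the WinRM version installed on the host.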

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must first import this module:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

The result looks like this:

ModelId : SQL2008R2BPA

SubModelId :

Success : True

ScanTime :

Success = True is important. This is the indicator that your scan was successful.

Parameter description

-Alternate_Server_to_scan servername

-SQL_Server_Instance_Name instancename

-Analyze_SQL_Server_Engine

-Analyze_SQL_Server_Replication

-Analyze_SQL_Server_Setup

-Analyze_SQL_Analysis_Services

-Analyze_SQL_Integration_Services

-Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = Get-MbcaModel -ModelId sql2008r2bpa

$scanResult = Get-MbcaResult -ModelId sql2008r2bpa

$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration

$model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>

$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration

$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening an archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml

4.4.4 Report Result Directory

The reporting result path

AppDataMicrosoftBaselineConfigurationAnalyzer

2ReportsSQL2008R2BPAResults

is overwritten during each run of the tool or of the Invoke command.

Solution: save older results before you start the check:

Copy-Item -Path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -Destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() -Recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.name).ToString() | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation

Timestamp, finished rules, start and end times

Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user's local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file is generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt

Engine Rules - EngineLog.txt

Replication Rules - ReplicationLog.txt

Setup Rules - SetupLog.txt

Analysis Services Rules - AnalysisServicesLog.txt

Reporting Services Rules - ReportingServicesLog.txt

Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 - the NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix

http://support.microsoft.com/kb/932370

Both of the rules below will function properly if you apply this hotfix. For more information look here

5.3 MBCA

This message indicates that one prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the instance name in the result set of the analyzer report?

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should first check whether hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started:

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the prerequisites for BPA (PowerShell 2.0, MBCA, .NET Framework) you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the installer is "Access Denied".

To work around this issue you can do the following:

1. Open a command prompt with administrative privileges.

2. Change to the directory where the .msi file resides.

3. Type msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with administrative privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.
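Sections 5.5 to 5.7.2 change several WinRM settings (Enable-PSRemoting, MaxMemoryPerShellMB, MaxShellsPerUser). The read-only check below is an added example, not part of the original whitepaper, that reports the resulting state; the function names, the choice of settings and the wording of the findings are assumptions of this example and not an official baseline.

```powershell
# Added example, read-only. Run in an elevated PowerShell session on the scanned server.
function Test-WinRMSetting {
    # Pure evaluation of one setting so it can also be run on recorded values.
    param([string]$Name, [string]$Value)
    switch ($Name) {
        'Shell\MaxMemoryPerShellMB' {
            if ([int]$Value -lt 1000) {
                return 'Below the 1000 MB used in section 5.5; large remote scans may be terminated'
            }
        }
        'Client\TrustedHosts' {
            if ($Value -eq '*') { return 'Every host is trusted; TrustedHosts entries are not authenticated' }
            if ($Value)         { return 'Review the list; TrustedHosts entries are not authenticated' }
        }
        'Service\AllowUnencrypted' {
            if ($Value -eq 'true') { return 'Unencrypted WinRM traffic is accepted' }
        }
        'Service\Auth\Basic' {
            if ($Value -eq 'true') { return 'Basic authentication is accepted by the service' }
        }
        'Service\Auth\CredSSP' {
            if ($Value -eq 'true') { return 'CredSSP delegates credentials to this host; confirm it is required' }
        }
    }
    return 'OK'
}

function Get-WinRMSettingReport {
    # The WSMan: drive can only be read while the WinRM service is running.
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        Write-Warning 'WinRM service is not running; WSMan settings cannot be read.'
        return
    }
    $names = 'Shell\MaxMemoryPerShellMB', 'Shell\MaxShellsPerUser', 'Client\TrustedHosts',
             'Service\AllowUnencrypted', 'Service\Auth\Basic', 'Service\Auth\CredSSP'
    foreach ($n in $names) {
        $value = (Get-Item -Path "WSMan:\localhost\$n").Value
        New-Object PSObject -Property @{
            Setting = $n; Value = $value; Finding = (Test-WinRMSetting $n $value)
        } | Select-Object Setting, Value, Finding
    }
}

# Constructed sample values (not captured from a real server) to show the evaluation offline.
$sample = @{
    'Shell\MaxMemoryPerShellMB' = '150'
    'Shell\MaxShellsPerUser'    = '10'
    'Client\TrustedHosts'       = '*'
    'Service\AllowUnencrypted'  = 'false'
}
foreach ($k in $sample.Keys) {
    '{0} = {1}: {2}' -f $k, $sample[$k], (Test-WinRMSetting $k $sample[$k])
}

# On a live server:
# Get-WinRMSettingReport | Format-Table -AutoSize
```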

5.7.3 Kerberos Failure

In this scenario the installation fails with the error above because of a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS web application such as SharePoint, or if you are using Reporting Services and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
  Note that computers in the TrustedHosts list might not be authenticated.
  -For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
    + CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a domain account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a host header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.
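Before removing any SPN, it helps to confirm that the conflict described above actually exists. The following read-only check is an added example, not part of the original whitepaper: the function names and sample accounts are hypothetical, and it assumes a domain-joined machine and searches only the current domain.

```powershell
# Added example: find accounts other than the machine account that hold an HTTP SPN
# for this host name (the conflict described in section 5.7.3). Read-only.

function Select-ConflictingHttpSpn {
    # Pure filter: keeps accounts other than the machine account that hold
    # HTTP/<host> or HTTP/<host>:<port> for one of the given host names.
    param([object[]]$Account, [string[]]$HostName, [string]$MachineAccount)
    foreach ($a in $Account) {
        if ($a.SamAccountName -eq $MachineAccount) { continue }
        $hits = @()
        foreach ($spn in $a.ServicePrincipalName) {
            foreach ($h in $HostName) {
                if ($spn -eq "HTTP/$h" -or $spn -like "HTTP/${h}:*") { $hits += $spn; break }
            }
        }
        if ($hits.Count -gt 0) {
            New-Object PSObject -Property @{ Account = $a.SamAccountName; ConflictingSpn = $hits } |
                Select-Object Account, ConflictingSpn
        }
    }
}

function Get-HttpSpnHolder {
    # Queries the current domain over LDAP for HTTP SPNs on the short name and FQDN.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $fqdn  = [System.Net.Dns]::GetHostEntry($ComputerName).HostName
    $hosts = @($ComputerName, $fqdn) | Select-Object -Unique
    $clauses = $hosts | ForEach-Object {
        "(servicePrincipalName=HTTP/$_)(servicePrincipalName=HTTP/${_}:*)"
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(|' + (-join $clauses) + ')'
    $searcher.PageSize = 500
    foreach ($p in 'sAMAccountName', 'servicePrincipalName') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    $accounts = foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            SamAccountName       = [string]$r.Properties['samaccountname'][0]
            ServicePrincipalName = @($r.Properties['serviceprincipalname'])
        }
    }
    Select-ConflictingHttpSpn -Account @($accounts) -HostName $hosts -MachineAccount ($ComputerName + '$')
}

# Constructed sample records (hypothetical account and host names) to show the filter offline.
$sample = @(
    (New-Object PSObject -Property @{
        SamAccountName = 'SQL01$'
        ServicePrincipalName = @('HOST/sql01', 'HOST/sql01.contoso.test') }),
    (New-Object PSObject -Property @{
        SamAccountName = 'svc-ssrs'
        ServicePrincipalName = @('HTTP/sql01', 'HTTP/sql01.contoso.test') }),
    (New-Object PSObject -Property @{
        SamAccountName = 'svc-other'
        ServicePrincipalName = @('HTTP/portal.contoso.test') })
)
Select-ConflictingHttpSpn -Account $sample -HostName 'sql01', 'sql01.contoso.test' -MachineAccount 'SQL01$'

# On a live, domain-joined server:
# Get-HttpSpnHolder | Format-List
```

Recording the output before the temporary removal gives you the exact SPN strings and owning account to restore afterwards.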

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals

Here is an example of one of these articles that talks about a rule to check for a recent "clean" CHECKDB:

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level | Description

Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant | Compliant results are returned when a role satisfies the conditions of a rule.

Warning | Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name | Description

Security | Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance | Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.

Postdeployment | Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.

BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)

Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)

Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)

non-default network packet size in use (http://support.microsoft.com/kb/2157175)

degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)

Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)

SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)

SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)

Trustworthy Bit (http://support.microsoft.com/kb/2183687)

Symmetric Keys Check (http://support.microsoft.com/kb/2162020)

Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)

SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)

Windows API calls intercepted (http://support.microsoft.com/kb/2033238)

unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)

Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)

non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)

Guest Permissions (http://support.microsoft.com/kb/2186935)

Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)

IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)

IO device errors detected (http://support.microsoft.com/kb/2091098)

IO errors during page faults detected (http://support.microsoft.com/kb/2091098)

cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)

disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)

failed IO requests detected (http://support.microsoft.com/kb/2091098)

IO requests are successful when retried (http://support.microsoft.com/kb/2015757)

IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)

This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)

tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)

Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)

Logical consistency errors detected (http://support.microsoft.com/kb/2152472)

Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)

SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)

incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114

Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154

Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875

Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448

Databases using simple recovery model http://support.microsoft.com/kb/2137539

User database collation different from model http://support.microsoft.com/kb/2026108

Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537

Databases have auto close option enabled http://support.microsoft.com/kb/2160685

LSI SAS drivers needs update http://support.microsoft.com/kb/2121098

SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845

SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447

Invalid startup parameters http://support.microsoft.com/kb/2028433

MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550

sql incorrect results fix missing http://support.microsoft.com/kb/971780

File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002

linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US

Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098

default extended event health session not in expected state http://support.microsoft.com/kb/2160570

TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483

FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720

Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720

A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606

Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324

Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589

Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345

backups outdated for databases http://support.microsoft.com/kb/2027537

Database consistency check not current http://support.microsoft.com/kb/2033590

SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US

Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024

Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098

Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098

SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US

Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098

Agent Token Replacement http://support.microsoft.com/kb/2202637

Auditing Log in failures http://support.microsoft.com/kb/2187161

Databases with high number of VLF present http://support.microsoft.com/kb/2028436

Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900

Permission on the Binn folder http://support.microsoft.com/kb/2029023

Index Statistics Are Outdated

Server public permissions http://support.microsoft.com/kb/2160698

Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005

Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474

Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031

Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472

Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497

Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855

Server is running a build with a known regression http://support.microsoft.com/kb/2157941

Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754

Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761

No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769

UnknownMember set to hidden http://support.microsoft.com/kb/2027628

Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138

Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143

ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742

Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299

An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418

Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443

Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327

Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459

Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460

Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468

Redundant attribute relationships detected http://support.microsoft.com/kb/2127437

Diamond-shape relationship detected http://support.microsoft.com/kb/2127570

Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862

Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541

No Time dimension detected http://support.microsoft.com/kb/2027532

More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431

Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918

Single attribute dimensions detected http://support.microsoft.com/kb/2141654

Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603

Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112

Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506

HTTP Logging is not enabled http://support.microsoft.com/kb/2145909

Verbose logging is enabled http://support.microsoft.com/kb/2146315

NTLM authentication may fail for local http://support.microsoft.com/kb/2146369

Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723

ActiveX Script task detected in package http://support.microsoft.com/kb/2027712

Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684

Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706

Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients - would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences - the involvement of Microsoft Support - and the final solution: adding a needed trace flag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest.

2. Dynamic parameters that are included with the model.

3. Submodels that are included with the model.

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wildcard characters.

Required? false

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA submodel that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

912 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)

scan for a specific model that is installed on your computer

SYNTAX

Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication

ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName

ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential

ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-

ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer

(MBCA) scan for a specific model that is installed on your computer The model is specified either by

using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-

MBCAMode cmdlet

After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-

MBCAResult cmdlet

You must be a member of the Administrators group on the computer on which you want to run this

cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with

elevated user rights that is Run as Administrator

PARAMETERS

-Authentication ltAuthenticationMechanismgt

Specifies the authentication mechanism that is used to authenticate the users credentials Valid

values include Default Basic CredSSP Digest Kerberos Negotiate and

NegotiateWithImplicitCredential The default value is Default

For more information about the -Authentication parameter type the following and then press

Enter

Get-Help Invoke-Command -Parameter Authentication

Required false

Position named

Default value Default

Accept pipeline input false

Accept wildcard characters false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X.509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role is preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:

Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results
2. Attempting to get MBCA results for Model Id = 0
3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data
2. Attempting to get MBCA collected configuration data for Model Id = 0
3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id, for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.
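A scripted run that ties Invoke-MBCAModel and Get-MBCAResult together, as an added example that is not part of the original paper: it scans the Engine submodel on a remote server over an HTTPS WinRM listener with Kerberos instead of the documented defaults (no SSL, Default authentication), stops if any scan reports Success other than True, and then summarizes the Noncompliant results by category. The server name, paths and port are placeholders and assumptions about the target environment; other model-specific parameters that the Engine submodel may need are left out.

```powershell
# Added example, not from the paper. Placeholders are marked; adjust to your environment.
Import-Module BaselineConfigurationAnalyzer

$server     = 'sqlhost01.example.test'   # placeholder: FQDN of the server to scan
$instance   = 'MSSQLSERVER'              # default instance name, as in the GUI section
$repository = 'C:\BPAResults'            # placeholder: non-default results repository
$reportDir  = 'C:\BPAReports'            # placeholder: where exported findings are kept

# Scan the Engine submodel. -UseSSL, -Port and -Authentication are passed through
# to Invoke-Command; 5986 is assumed to be the HTTPS WinRM listener on the target.
$scan = @(Invoke-MBCAModel -ModelId SQL2008R2BPA -SubModelId Engine `
    -ComputerName $server -SqlServerInstance $instance `
    -UseSSL -Port 5986 -Authentication Kerberos `
    -RepositoryPath $repository)

# Fail closed: an empty or unsuccessful scan must not be read as "no findings".
$failed = @($scan | Where-Object { $_.Success -ne $true })
if ($scan.Count -eq 0 -or $failed.Count -gt 0) {
    $failed | Format-List ModelId, SubModelId, Success
    throw "MBCA scan of $server did not complete successfully."
}

# Retrieve only the noncompliant results from the same repository.
$findings = @(Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId Engine `
    -ComputerName $server -RepositoryPath $repository -Filter Noncompliant)

# Summary by category (Category is the property the paper's own examples filter on).
$findings | Group-Object Category | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Keep the full result objects so later scans can be compared against this one.
if (-not (Test-Path $reportDir)) {
    New-Item -ItemType Directory -Path $reportDir | Out-Null
}
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$findings | Export-Clixml -Path (Join-Path $reportDir "noncompliant-$stamp.xml")
```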

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
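Excluding results hides findings from later views of the scan, so it is worth recording what was hidden, by whom and why. The following wrapper is an added example, not part of the original paper or of MBCA: the function name Set-MBCAExclusionWithRecord, its parameters and the record folder are hypothetical, and it relies only on the Category property and the cmdlet parameters shown in the examples above.

```powershell
# Added example, not from the paper. Function name and paths are hypothetical.
Import-Module BaselineConfigurationAnalyzer

function Set-MBCAExclusionWithRecord {
    param(
        [Parameter(Mandatory = $true)] [string] $Category,
        [Parameter(Mandatory = $true)] [string] $Reason,
        [string] $ModelId        = 'SQL2008R2BPA',
        [string] $RepositoryPath = 'C:\ReposPath',         # as in Example 2 above
        [string] $RecordPath     = 'C:\BPAExclusionLog'    # placeholder folder
    )

    # Same selection as Example 2: one category from one repository.
    $selected = @(Get-MBCAResult -ModelId $ModelId -RepositoryPath $RepositoryPath |
        Where-Object { $_.Category -eq $Category })

    if ($selected.Count -eq 0) {
        Write-Warning "No results in category '$Category'; nothing was excluded."
        return
    }

    if (-not (Test-Path $RecordPath)) {
        New-Item -ItemType Directory -Path $RecordPath | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $base  = Join-Path $RecordPath "$ModelId-$Category-$stamp"

    # 1. Full copies of the results that are about to be hidden.
    $selected | Export-Clixml -Path "$base.xml"

    # 2. One line of context: who excluded what, when and why.
    New-Object PSObject -Property @{
        Time     = (Get-Date).ToString('s')
        User     = "$env:USERDOMAIN\$env:USERNAME"
        ModelId  = $ModelId
        Category = $Category
        Count    = $selected.Count
        Reason   = $Reason
    } | Select-Object Time, User, ModelId, Category, Count, Reason |
        Export-Csv -Path "$base.csv" -NoTypeInformation

    # 3. Only now apply the exclusion, against the same repository.
    Set-MBCAResult -Exclude $true -RepositoryPath $RepositoryPath -Results $selected

    Write-Output "Excluded $($selected.Count) '$Category' result(s); record written to $base.*"
}

# Usage (constructed values):
# Set-MBCAExclusionWithRecord -Category Policy -Reason 'Accepted by change request (placeholder)'
```

To bring the results back into view, pass the same selection to Set-MBCAResult with -Exclude $false, as described for the -Exclude parameter.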

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


3.3.3 Port and Firewall restrictions

For scanning SQL Server or BI instances on an alternate server behind a firewall, you must open all necessary ports.

3.4 Updates

Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008 R2 Best Practice Analyzer. Please visit the Download site from Microsoft regularly to find new updates.

3.5 Uninstall

3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings

After the uninstall of the BPA, you may disable the PowerShell remote scripting. You can do this with the following command line:

powershell.exe -NoLogo -NoProfile -Noninteractive -Command Disable-PSRemoting -force

Disable-PSRemoting performs configuration actions to enable this machine for remote management.

4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:

• Scanning through the local machine
  o In this case, you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.
  o This scan can be of the local or an alternate server.

• Scanning through a remote machine
  o In this case, MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.
  o This scan is using the local machine to form the connection to the remote machine and is actually performing the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start->All programs->SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the start menu with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters, as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:

   • ComputerName
   • IP address: n.n.n.n
   • FQDN (Fully Qualified Domain Name)
   • Enter "", localhost, or leave this blank if you want to scan the local machine.

   Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this as blank. Toggle the checkboxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to the SQL Server categories listed previously. Select at least one category in order to run a successful scan.

   • Analyze_SQL_Analysis_Services
   • Analyze_SQL_Server_Engine
   • Analyze_SQL_Integration_Services
   • Analyze_SQL_Server_Replication
   • Analyze_SQL_Reporting_Services
   • Analyze_SQL_Server_Setup

   Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the below page while in progress.

7. When the scan is complete, results will be displayed grouped by Severity, as shown below.

4.3 Connect to a remote computer

A scan connected to a remote computer is different than scanning an alternate server.

"Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case, the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:

   • ComputerName
   • ComputerName:PortNumber
   • IP address: n.n.n.n
   • IPv6 address: [n:n:n:n:n:n:n:n]
   • IPv4 address with port number: n.n.n.n:PortNumber
   • IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

   Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session, type winrm help, and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

   Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

   CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

   Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. On Windows XP, Windows Server 2003, and earlier, CredSSP is not supported.

   First, you must set CredSSP on both the client and the server.

   Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".

   Add the server or domain to the list of servers in the format "WSMAN/domainname.com".

   Next, enable and configure PowerShell Remoting on both the Client and Server by running the following commands in a PowerShell command window opened with elevated permissions.

   Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

   • Enable PowerShell Remoting
     o Enable-PSRemoting -Force

   • Settings for a client
     o Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]
       or
     o Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]

   • Settings for the server
     o Enable-WSManCredSSP -Role Server
     o Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000
     o Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20
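The commands above widen what the machine accepts over WinRM (credential delegation, larger shell quotas), so it helps to be able to see that state afterwards, for example before and after an uninstall. The following read-only audit is an added example, not part of the original paper; the thresholds it compares against are simply the values set above, and it assumes an elevated session with the WinRM service running.

```powershell
# Added example, not from the paper: read-only audit of the WinRM settings
# changed in this section. Run elevated; the WinRM service must be running.

function Get-WSManValue([string] $Path) {
    (Get-Item -Path $Path -ErrorAction Stop).Value
}

$findings = @()

# 1. CredSSP roles (set by Enable-WSManCredSSP -Role Client / -Role Server).
if ((Get-WSManValue 'WSMan:\localhost\Client\Auth\CredSSP') -eq 'true') {
    $findings += 'CredSSP client role is enabled: this machine may delegate credentials.'
}
if ((Get-WSManValue 'WSMan:\localhost\Service\Auth\CredSSP') -eq 'true') {
    $findings += 'CredSSP server role is enabled: this machine accepts delegated credentials.'
}

# 2. Delegation targets from the "Allow Delegating Fresh Credentials" policy.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
$targets = @()
if (Test-Path $key) {
    $item    = Get-Item -Path $key
    $targets = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
}
foreach ($target in $targets) {
    if ("$target".Contains('*')) {
        $findings += "Delegation target '$target' uses a wildcard; prefer named servers."
    } else {
        $findings += "Fresh credentials may be delegated to '$target'."
    }
}

# 3. Listeners: report transport and port, flag unencrypted HTTP listeners.
$listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate)
foreach ($listener in $listeners) {
    if ($listener.Transport -eq 'HTTP') {
        $findings += "HTTP listener on port $($listener.Port) (address $($listener.Address))."
    }
}

# 4. Shell quotas raised for BPA in this section (20000 MB, 20 shells).
$maxMemory = [int](Get-WSManValue 'WSMan:\localhost\Shell\MaxMemoryPerShellMB')
$maxShells = [int](Get-WSManValue 'WSMan:\localhost\Shell\MaxShellsPerUser')
if ($maxMemory -ge 20000) {
    $findings += "MaxMemoryPerShellMB is $maxMemory (value set for BPA or higher)."
}
if ($maxShells -ge 20) {
    $findings += "MaxShellsPerUser is $maxShells (value set for BPA or higher)."
}

if ($findings.Count -eq 0) {
    Write-Output 'No CredSSP, HTTP listener or raised shell quota settings found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Disable-WSManCredSSP -Role Client and Disable-WSManCredSSP -Role Server are the counterparts of the Enable-WSManCredSSP commands above when the delegation is no longer needed.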

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

Part of the result looks like this:

ModelId : SQL2008R2BPA
SubModelId :
Success : True
ScanTime :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server “servername” and for the named instance “instance”. A log file will be written to “c:\temp\ssas.txt”.

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = Get-MbcaModel -ModelId sql2008r2bpa
$scanResult = Get-MbcaResult -ModelId sql2008r2bpa
$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration
$model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where-Object { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>
$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration
$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
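To make the comparison of an older scan with a newer one concrete, the following added example (not part of the whitepaper) classifies each open finding as New, Resolved, SeverityChanged or StillOpen. It assumes the result objects carry the ComputerName, SubModelID, Title and Severity properties used in the report commands on this page and that open findings have Severity "Error" or "Warning"; the two scans are constructed sample data.

```powershell
# Added example, not part of the whitepaper: compare two exported BPA scans.

function Get-FindingKey {
    param($Result)
    # Assumption: computer, submodel and rule title identify a finding.
    # ResultNumber is not used because it may differ between scans.
    '{0}|{1}|{2}' -f $Result.ComputerName, $Result.SubModelID, $Result.Title
}

function Compare-BpaScan {
    param($Old, $New)
    # Only findings that still need attention are compared.
    $open = { $_.Severity -eq 'Error' -or $_.Severity -eq 'Warning' }

    $oldIndex = @{}
    foreach ($r in @($Old | Where-Object $open)) { $oldIndex[(Get-FindingKey $r)] = $r }
    $newIndex = @{}
    foreach ($r in @($New | Where-Object $open)) { $newIndex[(Get-FindingKey $r)] = $r }

    foreach ($key in $newIndex.Keys) {
        $r = $newIndex[$key]
        if (-not $oldIndex.ContainsKey($key)) { $state = 'New' }
        elseif ($oldIndex[$key].Severity -ne $r.Severity) { $state = 'SeverityChanged' }
        else { $state = 'StillOpen' }
        New-Object PSObject -Property @{
            State = $state; Severity = $r.Severity
            SubModelID = $r.SubModelID; Title = $r.Title
        }
    }
    foreach ($key in $oldIndex.Keys) {
        if (-not $newIndex.ContainsKey($key)) {
            $r = $oldIndex[$key]
            New-Object PSObject -Property @{
                State = 'Resolved'; Severity = $r.Severity
                SubModelID = $r.SubModelID; Title = $r.Title
            }
        }
    }
}

function New-SampleFinding {
    # Builds a constructed result object for the offline demonstration.
    param($SubModelID, $Severity, $Title)
    New-Object PSObject -Property @{
        ComputerName = 'servername'; SubModelID = $SubModelID
        Severity = $Severity; Title = $Title
    }
}

# Constructed sample scans. With real data, load two archives instead, e.g.
#   $oldScan, $oldConfig = Import-CliXml <older export>
#   $newScan, $newConfig = Import-CliXml <newer export>
$oldScan = @(
    New-SampleFinding 'Engine' 'Error'   'Guest Permissions'
    New-SampleFinding 'Engine' 'Warning' 'Trustworthy Bit'
    New-SampleFinding 'Engine' 'Warning' 'Auditing Log in failures'
)
$newScan = @(
    New-SampleFinding 'Engine' 'Error'   'Trustworthy Bit'
    New-SampleFinding 'Engine' 'Warning' 'Auditing Log in failures'
    New-SampleFinding 'AnalysisServices' 'Warning' 'Flight Recorder Enabled for SQL Server Analysis Services'
)

Compare-BpaScan -Old $oldScan -New $newScan |
    Sort-Object State |
    Format-Table State, Severity, SubModelID, Title -AutoSize
```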

4.4.4 Report Result Directory

The reporting result path

%AppData%\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check:

Copy-Item -Path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -Destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() -Recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object Name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.Name).ToString() | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation
Timestamp, finished rules, start and end times
Run-time scripting errors and exceptions from PowerShell Traps

Log Files Location

For every scan, log files are created in the user’s Local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\< Instance Name >\< datestamp_timestamp >\< Log files >.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file gets generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt
Engine Rules - EngineLog.txt
Replication Rules - ReplicationLog.txt
Setup Rules - SetupLog.txt
Analysis Services Rules - AnalysisServicesLog.txt
Reporting Services Rules - ReportingServicesLog.txt
Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 – NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 – The NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370

Both of the rules below will function properly if you apply this hotfix. For more information look here

5.3 MBCA

This message indicates that a prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in result set of the analyzer report

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB or less memory. This default limit is significantly small, and once this limit is reached there could be a WinRM exception, and the remote connection immediately terminates. Any application or cmdlet which is involved in PowerShell remoting should be tested for this memory limit; this may cause some of the commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limitation to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to “Connect to another computer” from MBCA and you receive the following message

You should first check whether the Hotfix KB968930 is installed.

Afterwards, validate that the “Windows Remote Management” service is started.

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message

If you have no permission to access the remote server, you get the error message

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is “Access Denied”.

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.
2. Change to the directory where the .msi file resides.
3. Type msiexec /i <MSI Name> SKIPCA=1
4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.
5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.
6. Execute the following commands:
   a. Enable-PSRemoting
   b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails with the above error due to a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the Machine Account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example, if you are running an IIS Web Application such as SharePoint, or if you are using Reporting Services and the service account is set to a Domain User account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That’s where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application’s end, would be to run the application under a Host Header; then your HTTP SPN would not include the machine name, allowing BPA to run without issue.
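One way to check for the condition described above before installing or scanning is to look for HTTP SPNs that carry the machine name but are registered on an account other than the machine account. The script below is an added example, not part of the whitepaper; the account and host names in the sample data are constructed, and the -QueryDirectory switch is a hypothetical parameter of this example that performs the live Active Directory lookup.

```powershell
# Added example, not part of the whitepaper: detect an HTTP SPN for this
# machine's name that is held by an account other than the machine account.
param([switch]$QueryDirectory)   # hypothetical switch: query Active Directory

function Get-HttpSpnRegistration {
    # Live lookup; needs a domain-joined computer. Matches exactly HTTP/<name>;
    # SPNs that include a port (HTTP/<name>:<port>) are not covered here.
    param([string[]]$HostName)
    foreach ($name in $HostName) {
        $searcher = [adsisearcher]"(servicePrincipalName=HTTP/$name)"
        [void]$searcher.PropertiesToLoad.Add('samaccountname')
        foreach ($hit in $searcher.FindAll()) {
            New-Object PSObject -Property @{
                Spn     = "HTTP/$name"
                Account = [string]$hit.Properties['samaccountname'][0]
            }
        }
    }
}

function Test-HttpSpnConflict {
    param($Registration, [string]$ComputerName)
    # The machine account's sAMAccountName is the computer name followed by "$".
    $machineAccount = "$ComputerName`$"
    foreach ($reg in $Registration) {
        New-Object PSObject -Property @{
            Spn                = $reg.Spn
            Account            = $reg.Account
            ConflictsWithWinRM = ($reg.Account -ne $machineAccount)
        }
    }
}

if ($QueryDirectory) {
    $computer = $env:COMPUTERNAME
    $names = @($computer)
    # Also check the fully qualified name if it can be resolved.
    try { $names += [System.Net.Dns]::GetHostEntry($computer).HostName } catch { }
    $registrations = @(Get-HttpSpnRegistration -HostName $names)
} else {
    # Constructed sample: Reporting Services running under a domain user account.
    $computer = 'SQLRS01'
    $registrations = @(
        (New-Object PSObject -Property @{ Spn = 'HTTP/SQLRS01'; Account = 'svc-reporting' }),
        (New-Object PSObject -Property @{ Spn = 'HTTP/SQLRS01.domainname.com'; Account = 'SQLRS01$' })
    )
}

Test-HttpSpnConflict -Registration $registrations -ComputerName $computer |
    Format-Table Spn, Account, ConflictsWithWinRM -AutoSize
```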

6 RULES

Searching for “SQL Server 2008 R2 BPA” at Microsoft.com reveals:

Here is an example of one of these articles that talks about a rule to check for a recent “clean” CHECKDB:

BPA works by measuring a role’s compliance with best practice rules in eight different categories of a role’s effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level    Description

Noncompliant    Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant    Compliant results are returned when a role satisfies the conditions of a rule.

Warning    Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name    Description

Security    Security rules are applied to measure a role’s relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance    Performance rules are applied to measure a role’s ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role’s workload.

Configuration    Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy    Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation    Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment    Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before the role is used in production.

Postdeployment    Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.

BPA Prerequisites    BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)
SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114
Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154
Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875
Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448
Databases using simple recovery model http://support.microsoft.com/kb/2137539
User database collation different from model http://support.microsoft.com/kb/2026108
Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537
Databases have auto close option enabled http://support.microsoft.com/kb/2160685
LSI SAS drivers needs update http://support.microsoft.com/kb/2121098
SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845
SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447
Invalid startup parameters http://support.microsoft.com/kb/2028433
MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550
sql incorrect results fix missing http://support.microsoft.com/kb/971780
File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002
linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US
Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098
default extended event health session not in expected state http://support.microsoft.com/kb/2160570
TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483
FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720
Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720
A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606
Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324
Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589
Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345
backups outdated for databases http://support.microsoft.com/kb/2027537
Database consistency check not current http://support.microsoft.com/kb/2033590
SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US
Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024
Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098
Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098
SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US
Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098
Agent Token Replacement http://support.microsoft.com/kb/2202637
Auditing Log in failures http://support.microsoft.com/kb/2187161
Databases with high number of VLF present http://support.microsoft.com/kb/2028436
Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900
Permission on the Binn folder http://support.microsoft.com/kb/2029023
Index Statistics Are Outdated
Server public permissions http://support.microsoft.com/kb/2160698
Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005
Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474
Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031
Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472
Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497
Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855
Server is running a build with a known regression http://support.microsoft.com/kb/2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754
Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761
No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769
UnknownMember set to hidden http://support.microsoft.com/kb/2027628
Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138
Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742
Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299
An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418
Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443
Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327
Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459
Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460
Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468
Redundant attribute relationships detected http://support.microsoft.com/kb/2127437
Diamond-shape relationship detected http://support.microsoft.com/kb/2127570
Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862
Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541
No Time dimension detected http://support.microsoft.com/kb/2027532
More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431
Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918
Single attribute dimensions detected http://support.microsoft.com/kb/2141654
Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112
Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506
HTTP Logging is not enabled http://support.microsoft.com/kb/2145909
Verbose logging is enabled http://support.microsoft.com/kb/2146315
NTLM authentication may fail for local http://support.microsoft.com/kb/2146369
Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723
ActiveX Script task detected in package http://support.microsoft.com/kb/2027712
Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684
Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706
Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909
WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198
Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349
Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386
Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410
Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498
Merge Replication Health Check http://support.microsoft.com/kb/2118445
Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483
Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485
Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB.
Existing Non-Microsoft Clients – would require Mixed Mode Authentication.

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article “Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates” the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it’s a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob’s article states the common resulting consequences – the involvement of Microsoft Support – and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You get help for these commands with the following syntax:

Get-Help <command> -full

911 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by

Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer

SYNTAX

Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by

Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is

specified Get-MBCAModel returns all models that are installed on the computer If a model is specified

by using the -ModelId parameter information about the specified model is returned

You must be a member of the Administrators group on the computer on which you want to run this

cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with

elevated user rights that is Run as Administrator

The results of the Get-MBCAModel cmdlet include the following details about models

1 Branding information (manufacturer or company display names version number) that is found in

the model manifest

2 Dynamic parameters that are included with the model

3 Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:

Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id, for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
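The cmdlets above chained into one scan-and-triage run, as an added example that is not part of the original paper or of Microsoft's tooling. It writes a record of every result before excluding it, because an exclusion removes findings from what later reviewers see. The report folder, file names and the reviewed category are hypothetical; the only result property used is Category, which the paper's own examples filter on.

```powershell
# Added example: scan, export noncompliant findings, and exclude a reviewed
# category with an audit record. Written to run on Windows PowerShell V2.
$ModelId          = 'SQL2008R2BPA'      # model ID given in this paper
$ReportDir        = 'C:\BpaReports'     # hypothetical output folder
$ReviewedCategory = 'Performance'       # hypothetical: category already reviewed and accepted

# The MBCA cmdlets require an elevated session; fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script in an elevated PowerShell session (Run as Administrator).'
}

Import-Module BaselineConfigurationAnalyzer -ErrorAction Stop

# Confirm that the model is installed before starting a scan.
if (-not (Get-MBCAModel -ModelId $ModelId -ErrorAction SilentlyContinue)) {
    throw "MBCA model '$ModelId' is not installed on this computer."
}

if (-not (Test-Path $ReportDir)) {
    New-Item -ItemType Directory -Path $ReportDir | Out-Null
}
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Discovery and analysis in one pass (the default -Mode All).
Invoke-MBCAModel -ModelId $ModelId -ErrorAction Stop | Out-Null

# 2. Retrieve only the noncompliant results and keep a full copy on disk.
$findings = @(Get-MBCAResult -ModelId $ModelId -Filter Noncompliant)
$findings | Export-Csv -Path (Join-Path $ReportDir "noncompliant-$stamp.csv") -NoTypeInformation

# Per-category counts for a quick overview on the console.
$findings | Group-Object Category | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. Exclude the reviewed category, recording who excluded what and when.
$toExclude = @($findings | Where-Object { $_.Category -eq $ReviewedCategory })
if ($toExclude.Count -gt 0) {
    $toExclude |
        Select-Object -Property *,
            @{ Name = 'ExcludedBy'; Expression = { $identity.Name } },
            @{ Name = 'ExcludedAt'; Expression = { $stamp } } |
        Export-Csv -Path (Join-Path $ReportDir "excluded-$stamp.csv") -NoTypeInformation

    Set-MBCAResult -Exclude $true -Results $toExclude
}

# To bring the excluded results back later, pass the same collection with $false:
#   Set-MBCAResult -Exclude $false -Results $toExclude
```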

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


4 USAGE

There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:

- Scanning through the local machine
  o In this case, you are using MBCA and SQL 2008 R2 BPA running on the local machine to perform the scan.
  o This scan can be of the local or an alternate server.

- Scanning through a remote machine
  o In this case, MBCA is used to connect to a remote server that has MBCA and SQL 2008 R2 BPA installed on it.
  o This scan is using the local machine to form the connection to the remote machine and is actually performing the scan through the remote machine.

4.1 Help file

The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This help file is available after the installation of BPA and is located at Start -> All Programs -> SQL Server 2008 R2 BPA.

4.2 GUI

1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.

2. Run the MBCA application from the Start menu with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters, as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:

ComputerName
IP address: n.n.n.n
FQDN (Fully Qualified Domain Name)

Enter "", localhost, or leave this blank if you want to scan the local machine.

Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the checkboxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to the SQL Server categories listed previously. Select at least one category in order to run a successful scan.

Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup

Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the below page while in progress.

7. When the scan is complete, results will be displayed grouped by Severity, as shown below.

4.3 Connect to a remote computer

A scan connected to a remote computer is different from scanning an alternate server.

"Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:

ComputerName
ComputerName:PortNumber
IP address: n.n.n.n
IPv6 address: [n:n:n:n:n:n:n:n]
IPv4 address with port number: n.n.n.n:PortNumber
IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session, type winrm help, and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

Note: WinRM clients and servers support CredSSP authentication only with explicit credentials. CredSSP is not supported on Windows XP, Windows Server 2003, and earlier.

First, you must set CredSSP on both the client and the server.

Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".

Add the server or domain to the list of servers in the format "WSMAN/*.domainname.com".

Next, enable and configure PowerShell Remoting on both the client and the server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

Enable PowerShell Remoting

o Enable-PSRemoting -Force

Settings for a client

o Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]

or

o Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]

Settings for the server

o Enable-WSManCredSSP -Role Server

o Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000

o Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20
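The following PowerShell is an added example, not part of the original whitepaper or of MBCA: it audits the settings that the steps above change, classifying each CredSSP delegation target by how widely it delegates credentials and reading back the WinRM authentication and shell quota values. The function names and the sample entries are hypothetical; the live check assumes an elevated session with the WinRM service running.

```powershell
# Added example (not from the whitepaper): audit what the CredSSP/WinRM steps
# above changed. Kept compatible with PowerShell 2.0.

function Get-DelegationScope {
    # Classify one AllowFreshCredentials entry such as "wsman/*.domainname.com".
    param([Parameter(Mandatory=$true)][string]$Target)

    # -notmatch is case-insensitive, so "WSMAN/..." and "wsman/..." both qualify.
    if ($Target -notmatch '^wsman/(.+)$') { return 'NotWSMan' }
    $hostPart = $Matches[1]
    if ($hostPart -eq '*')       { return 'AnyHost' }     # credentials may be sent to any server
    if ($hostPart.Contains('*')) { return 'Wildcard' }    # for example a whole DNS domain
    return 'SingleHost'
}

function Get-CredSspAudit {
    # Live check: reads the delegation policy written by Enable-WSManCredSSP or
    # Group Policy, plus the WinRM values set in the steps above.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    $targets = @()
    if (Test-Path $policyKey) {
        $key = Get-Item $policyKey
        $targets = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
    }
    $delegations = @($targets | ForEach-Object {
        New-Object PSObject -Property @{ Target = $_; Scope = Get-DelegationScope $_ }
    })

    New-Object PSObject -Property @{
        ClientCredSSP       = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
        ServiceCredSSP      = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
        MaxMemoryPerShellMB = (Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
        MaxShellsPerUser    = (Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
        Delegations         = $delegations
    }
}

# Constructed sample entries (not read from a real machine). The second one is
# the domain-wide format from the text above; the last is not a WinRM target.
$sample = 'wsman/SQLNODE01.domainname.com', 'WSMAN/*.domainname.com', 'wsman/*', 'TERMSRV/*'
$sample | ForEach-Object {
    New-Object PSObject -Property @{ Target = $_; Scope = Get-DelegationScope $_ }
} | Format-Table Target, Scope -AutoSize

# On a configured machine, from an elevated prompt:
#   $audit = Get-CredSspAudit
#   $audit | Format-List ClientCredSSP, ServiceCredSSP, MaxMemoryPerShellMB, MaxShellsPerUser
#   $audit.Delegations | Format-Table Target, Scope -AutoSize
```

Disable-WSManCredSSP -Role Client and Disable-WSManCredSSP -Role Server turn delegation off again once remote scanning is no longer needed.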

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

The relevant part of the result looks like this:

ModelId : SQL2008R2BPA
SubModelId :
Success : True
ScanTime :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername

-SQL_Server_Instance_Name instancename

-Analyze_SQL_Server_Engine

-Analyze_SQL_Server_Replication

-Analyze_SQL_Server_Setup

-Analyze_SQL_Analysis_Services

-Analyze_SQL_Integration_Services

-Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies that you do not need to scan.

The next example starts the scan only for Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = Get-MbcaModel -ModelId sql2008r2bpa
$scanResult = Get-MbcaResult -ModelId sql2008r2bpa
$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration
$model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where-Object { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>
$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration
$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening an archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
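An added example (not from the whitepaper) of the comparison that exported reports make possible: it archives two scans in the same two-item layout as the export example above and lists the findings that are new, resolved, or changed in severity. The finding rows are constructed sample data that use property names from this page's report commands; New-Finding and Compare-BpaScan are hypothetical helper names.

```powershell
# Added example (not from the whitepaper): diff two archived BPA scans.
# Kept compatible with PowerShell 2.0.

function New-Finding($SubModelID, $Severity, $Category, $Title) {
    # Builds one constructed result row with the properties used on this page.
    New-Object PSObject -Property @{
        ComputerName = 'SQLNODE01'; SubModelID = $SubModelID
        Severity = $Severity; Category = $Category; Title = $Title
    }
}

function Compare-BpaScan {
    param([Parameter(Mandatory=$true)][string]$OlderPath,
          [Parameter(Mandatory=$true)][string]$NewerPath)

    # Each archive holds two items: the results and the collected configuration.
    $old, $null = Import-Clixml $OlderPath
    $new, $null = Import-Clixml $NewerPath

    # A finding is identified by the scanned component plus the rule title.
    $keyOf = { param($r) '{0}|{1}' -f $r.SubModelID, $r.Title }
    $before = @{}
    foreach ($r in @($old)) { $before[(& $keyOf $r)] = $r }

    $seen = @{}
    foreach ($r in @($new)) {
        $key = & $keyOf $r
        $seen[$key] = $true
        if (-not $before.ContainsKey($key)) {
            $status = 'New'; $oldSeverity = $null
        } elseif ($before[$key].Severity -ne $r.Severity) {
            $status = 'SeverityChanged'; $oldSeverity = $before[$key].Severity
        } else {
            continue    # unchanged finding, nothing to report
        }
        New-Object PSObject -Property @{
            Status = $status; SubModelID = $r.SubModelID; Title = $r.Title
            OldSeverity = $oldSeverity; NewSeverity = $r.Severity
        }
    }
    foreach ($key in $before.Keys) {
        if (-not $seen.ContainsKey($key)) {
            $r = $before[$key]
            New-Object PSObject -Property @{
                Status = 'Resolved'; SubModelID = $r.SubModelID; Title = $r.Title
                OldSeverity = $r.Severity; NewSeverity = $null
            }
        }
    }
}

# Constructed sample scans (titles borrowed from the rule list in this paper).
$tmp    = [IO.Path]::GetTempPath()
$older  = Join-Path $tmp 'bpa_older.xml'
$newer  = Join-Path $tmp 'bpa_newer.xml'
$config = New-Object PSObject -Property @{ InstanceName = 'MSSQLSERVER' }  # stand-in for -CollectedConfiguration

$scan1 = @(
    (New-Finding 'Engine' 'Error'   'Security'      'Guest Permissions'),
    (New-Finding 'Engine' 'Warning' 'Security'      'Auditing Log in failures'),
    (New-Finding 'Engine' 'Warning' 'Configuration' 'Databases have auto close option enabled')
)
$scan2 = @(
    (New-Finding 'Engine' 'Error'   'Security'      'Auditing Log in failures'),
    (New-Finding 'Engine' 'Warning' 'Configuration' 'Databases have auto close option enabled'),
    (New-Finding 'Engine' 'Warning' 'Security'      'Trustworthy Bit')
)
$scan1, $config | Export-Clixml $older
$scan2, $config | Export-Clixml $newer

Compare-BpaScan -OlderPath $older -NewerPath $newer |
    Sort-Object Status, Title |
    Format-Table Status, SubModelID, Title, OldSeverity, NewSeverity -AutoSize
```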

4.4.4 Report Result Directory

The reporting result path

AppData\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

is overwritten during each run of the tool or of the Invoke command.

Solution: save older results before you start the check:

Copy-Item -Path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -Destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddHHmmss")).ToString() -Recurse

Afterwards you can create a report with the following commands:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object Name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.Name).ToString() | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation
Timestamp, finished rules, start and end times
Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user's local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file is generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt
Engine Rules - EngineLog.txt
Replication Rules - ReplicationLog.txt
Setup Rules - SetupLog.txt
Analysis Services Rules - AnalysisServicesLog.txt
Reporting Services Rules - ReportingServicesLog.txt
Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 – NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 – the NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370

Both of the rules will function properly if you apply this hotfix. For more information look here.

5.3 MBCA

This message indicates that one prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the instance name in the result set of the analyzer report?

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should first check whether hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started:

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the prerequisites for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the installer is "Access Denied". To work around this issue, you can do the following:

1. Open a command prompt with administrative privileges.
2. Change to the directory where the .msi file resides.
3. Type msiexec /i <MSI Name> SKIPCA=1
4. <MSI Name> will be either SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.
5. Once BPA is installed, open a PowerShell prompt with administrative privileges.
6. Execute the following commands:
a. Enable-PSRemoting
b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails with the above error because of a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it uses the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS web application such as SharePoint, or if you are using Reporting Services and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a domain account that uses the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a host header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.
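To check for the condition described in this section before installing or scanning, the following added example (not from the whitepaper) reports HTTP SPNs for the machine's own name that are registered on an account other than the machine account. The function names, account names and host names are hypothetical, and the directory data at the bottom is constructed; Get-HttpSpnAccount performs the live lookup and assumes a domain-joined machine.

```powershell
# Added example (not from the whitepaper): detect an HTTP SPN for this machine's
# name that sits on a different account. Kept compatible with PowerShell 2.0.

function Find-HttpSpnConflict {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,   # NetBIOS name, e.g. SQLNODE01
        [Parameter(Mandatory=$true)][string]$Fqdn,           # fully qualified name of the same machine
        [Parameter(Mandatory=$true)][object[]]$Accounts      # objects with SamAccountName and ServicePrincipalName
    )
    $machineAccount = $ComputerName + '$'
    $names = @($ComputerName, $Fqdn) | ForEach-Object { [regex]::Escape($_) }
    # HTTP/<name> with an optional :port suffix; -match is case-insensitive.
    $pattern = '^HTTP/(' + ($names -join '|') + ')(:\d+)?$'

    foreach ($account in $Accounts) {
        # SPNs on the machine account itself are what WinRM expects.
        if ($account.SamAccountName -eq $machineAccount) { continue }
        foreach ($spn in @($account.ServicePrincipalName)) {
            if ($spn -match $pattern) {
                New-Object PSObject -Property @{ Account = $account.SamAccountName; Spn = $spn }
            }
        }
    }
}

function Get-HttpSpnAccount {
    # Live lookup of every account in the current domain that holds an HTTP SPN.
    $searcher = [adsisearcher]'(servicePrincipalName=HTTP/*)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'serviceprincipalname'))
    foreach ($hit in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            SamAccountName       = [string]$hit.Properties['samaccountname'][0]
            ServicePrincipalName = @($hit.Properties['serviceprincipalname'])
        }
    }
}

# Constructed directory data: a Reporting Services service account holds
# HTTP/<machine name>, while a second application uses a host header instead.
$accounts = @(
    (New-Object PSObject -Property @{
        SamAccountName = 'SQLNODE01$'
        ServicePrincipalName = @('HOST/SQLNODE01', 'HOST/SQLNODE01.domainname.com') }),
    (New-Object PSObject -Property @{
        SamAccountName = 'svc-ssrs'
        ServicePrincipalName = @('HTTP/SQLNODE01', 'HTTP/SQLNODE01.domainname.com') }),
    (New-Object PSObject -Property @{
        SamAccountName = 'svc-web'
        ServicePrincipalName = @('HTTP/intranet.domainname.com') })
)

Find-HttpSpnConflict -ComputerName 'SQLNODE01' -Fqdn 'SQLNODE01.domainname.com' -Accounts $accounts |
    Format-Table Account, Spn -AutoSize
```

On a domain-joined machine, pass the output of Get-HttpSpnAccount as -Accounts instead of the sample data.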

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals

Here is an example of one of these articles, which talks about a rule to check for a recent "clean" CHECKDB:

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level | Description
Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule.
Compliant | Compliant results are returned when a role satisfies the conditions of a rule.
Warning | Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name | Description
Security | Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.
Performance | Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.
Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.
Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.
Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.
Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before the role is used in production.
Postdeployment | Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.
BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient, and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC/BDC (http://support.microsoft.com/kb/2032911)
SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)
Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)
Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)
Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)
Databases using simple recovery model (http://support.microsoft.com/kb/2137539)
User database collation different from model (http://support.microsoft.com/kb/2026108)
Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)
Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)
LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)
SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)
SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)
Invalid startup parameters (http://support.microsoft.com/kb/2028433)
MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)
sql incorrect results fix missing (http://support.microsoft.com/kb/971780)
File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)
linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)
Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)
default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)
TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)
FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)
Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)
A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)
Significant Portion of SQL Server Memory Has Been Paged Out (http://support.microsoft.com/kb/2028324)
Server Exception or Hang Detected on Server (http://support.microsoft.com/kb/2028589)
Databases exist without CHECKSUM protection (http://support.microsoft.com/kb/2078345)
backups outdated for databases (http://support.microsoft.com/kb/2027537)
Database consistency check not current (http://support.microsoft.com/kb/2033590)
SQL Server Memory settings are incorrect (http://support.microsoft.com/KB/918483/EN-US)
Autogrow Failed or took a long time (http://support.microsoft.com/kb/2091024)
Storport driver fix from KBA 940467 missing (http://support.microsoft.com/kb/2121098)
Storport driver fix from KBA 950903 missing (http://support.microsoft.com/kb/2121098)
SQLCLR needs additional memory configuration (http://support.microsoft.com/kb/969962/EN-US)
Operating System files and drivers needs update for working set trimming (http://support.microsoft.com/kb/2121098)
Agent Token Replacement (http://support.microsoft.com/kb/2202637)
Auditing Log in failures (http://support.microsoft.com/kb/2187161)
Databases with high number of VLF present (http://support.microsoft.com/kb/2028436)
Transparent Data Encryption Certificate (http://support.microsoft.com/kb/2201900)
Permission on the Binn folder (http://support.microsoft.com/kb/2029023)
Index Statistics Are Outdated
Server public permissions (http://support.microsoft.com/kb/2160698)
Detected use of older versions of SQLNCLI (http://support.microsoft.com/kb/979779)

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services (http://support.microsoft.com/kb/2128005)
Excessive amount of memory preallocated to Analysis Services (http://support.microsoft.com/kb/2027474)
Server not configured for optimal concurrent query throughput (http://support.microsoft.com/kb/2135031)
Non standard value detected for Analysis Services memory configuration (http://support.microsoft.com/kb/2027472)
Process Thread Pool Max limit above recommended limit (http://support.microsoft.com/kb/2134497)
Process Thread Pool Minimum is below the recommended limit (http://support.microsoft.com/kb/2134855)
Server is running a build with a known regression (http://support.microsoft.com/kb/2157941)
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur (http://support.microsoft.com/kb/2027754)
Server is ignoring duplicate key errors (http://support.microsoft.com/kb/2027761)
No default member defined for non-aggregatable attribute (http://support.microsoft.com/kb/2027769)
UnknownMember set to hidden (http://support.microsoft.com/kb/2027628)
Non-numeric key column for high cardinality attribute (http://support.microsoft.com/kb/2028138)
Attribute hierarchy enabled for high cardinality non-key attribute (http://support.microsoft.com/kb/2028143)
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected (http://support.microsoft.com/kb/2132742)
Account or Time attribute types defined in a non-matching dimension type (http://support.microsoft.com/kb/2157299)
An Account or Time dimension has no matching attribute defined (http://support.microsoft.com/kb/2027418)
Dimension has no attribute defined with the same type (http://support.microsoft.com/kb/2027443)
Attribute Dimension type mismatch (http://support.microsoft.com/kb/2157327)
Mismatched dimension attribute types detected in dimension (http://support.microsoft.com/kb/2027459)
Possible incorrect order of levels defined in hierarchy (http://support.microsoft.com/kb/2027460)
Define attribute relationships as Rigid where possible (http://support.microsoft.com/kb/2027468)
Redundant attribute relationships detected (http://support.microsoft.com/kb/2127437)
Diamond-shape relationship detected (http://support.microsoft.com/kb/2127570)
Non-Standard Attribute Relationship name detected (http://support.microsoft.com/kb/2127862)
Proactive Caching set for dimension without a processing query (http://support.microsoft.com/kb/2027541)
No Time dimension detected (http://support.microsoft.com/kb/2027532)
More than 3 parent-child dimensions with custom rollups defined (http://support.microsoft.com/kb/2134431)
Encountered a parent-child dimension with more than 500000 members (http://support.microsoft.com/kb/2131918)
Single attribute dimensions detected (http://support.microsoft.com/kb/2141654)
Measure groups with zero dimensional overlap detected in cube (http://support.microsoft.com/kb/2027609)
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective (http://support.microsoft.com/kb/2027603)
Use MOLAP storage for dimensions that participate in semi-additive measure groups (http://support.microsoft.com/kb/2135112)
Measure group defined with no partition (http://support.microsoft.com/kb/2027545)

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration (http://support.microsoft.com/kb/2145506)
HTTP Logging is not enabled (http://support.microsoft.com/kb/2145909)
Verbose logging is enabled (http://support.microsoft.com/kb/2146315)
NTLM authentication may fail for local (http://support.microsoft.com/kb/2146369)
Missing extended protection settings (http://support.microsoft.com/kb/2146062)

6.4 IS Rules

Logging task missing for package (http://support.microsoft.com/kb/2027723)
ActiveX Script task detected in package (http://support.microsoft.com/kb/2027712)
Unrecommended Integration Services service account detected (http://support.microsoft.com/kb/2027684)
Integration Services logging table found in system database master and/or msdb (http://support.microsoft.com/kb/2027706)
Integration Services memory dump detected (http://support.microsoft.com/kb/2027727)

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425


7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

- SAP has its special Network Packet Size of 8 KB

- Existing Non-Microsoft Clients – would require Mixed Mode Authentication


8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA Case 1 Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support – and the final solution – adding a needed trace flag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.


9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You get help for these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest.

2. Dynamic parameters that are included with the model.

3. Submodels that are included with the model.

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration. Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.


-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled, and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }
Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

Further information about the configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.

Page 57

Did this paper help you? Please give us your feedback. Tell us on a scale of 1 (poor) to 5 (excellent), how would you rate this paper and why have you given it this rating? For example:

Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason?

Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?

This feedback will help us improve the quality of white papers we release.

Send feedback.

Page 18: SQL2008R2 BPA Whitepaper v10

Page 18

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected.

4. Click Start Scan, which displays a page to specify parameters, as shown below.

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan:

ComputerName

IP address: n.n.n.n

FQDN (Fully Qualified Domain Name)

Enter "", localhost, or leave this blank if you want to scan the local machine.

Page 19

Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the checkboxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to one of the SQL Server categories listed previously. Select at least one category in order to run a successful scan:

Analyze_SQL_Analysis_Services

Analyze_SQL_Server_Engine

Analyze_SQL_Integration_Services

Analyze_SQL_Server_Replication

Analyze_SQL_Reporting_Services

Analyze_SQL_Server_Setup

Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the page below while in progress.

7. When the scan is complete, results will be displayed grouped by Severity, as shown below.

Page 20

4.3 Connect to a remote computer

A scan connected to a remote computer is different than scanning an alternate server.

"Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case, the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:

ComputerName

Page 21

ComputerName:PortNumber

IP address: n.n.n.n

IPv6 address: [n:n:n:n:n:n:n:n]

IPv4 address with port number: n.n.n.n:PortNumber

IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session type winrm help and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. CredSSP is not supported on Windows XP, Windows Server 2003 and earlier.

First, you must set CredSSP on both the client and the server.

Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".

Add the server or domain to the list of servers in the format "WSMAN/domainname.com".

Next, enable and configure PowerShell Remoting on both the client and the server by running the following commands in a PowerShell command window opened with elevated permissions.

Page 22

Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

Enable PowerShell Remoting:

Enable-psremoting -f

Settings for a client:

Enable-WSManCredSSP -role Client -DelegateComputer [NetBiosNameOfServer]

or

Enable-WSManCredSSP -role Client -DelegateComputer [FQDN OF SERVER]

Settings for the server:

Enable-WSManCredSSP -role Server

set-item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000

set-item WSMan:\localhost\Shell\MaxShellsPerUser -value 20
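The CredSSP steps above stay in effect after the scan, and with CredSSP the user's credentials are delegated to every server on the delegation list. The following is an added example, not part of the whitepaper: it reports the CredSSP state of the local computer, flags wildcard delegation targets, and offers a function to switch CredSSP off again once remote scans are finished. The function names are hypothetical; the registry key and WSMan: paths are the standard Windows locations.

```powershell
# Added example (not from the whitepaper). Run from an elevated PowerShell session.

function Get-CredSspDelegationTarget {
    # Enable-WSManCredSSP -Role Client and the "Allow Delegating Fresh Credentials"
    # policy both keep their target list under this registry key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (-not (Test-Path $key)) { return }

    $regKey = Get-Item $key
    foreach ($valueName in $regKey.GetValueNames()) {
        $target = [string]$regKey.GetValue($valueName)
        New-Object PSObject -Property @{
            Target   = $target
            # A wildcard entry delegates to every matching host, not to one scan target.
            Wildcard = $target.Contains('*')
        }
    }
}

function Get-CredSspState {
    # Collect the client role, the server role and the delegation list in one object.
    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        ClientCredSSP     = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
        ServiceCredSSP    = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
        DelegationTargets = @(Get-CredSspDelegationTarget)
    }
}

function Disable-CredSspDelegation {
    # Reverses Enable-WSManCredSSP for both roles on this computer.
    Disable-WSManCredSSP -Role Client
    Disable-WSManCredSSP -Role Server
}

$state = Get-CredSspState
$state | Format-List ComputerName, ClientCredSSP, ServiceCredSSP
$state.DelegationTargets | Format-Table Target, Wildcard -AutoSize

foreach ($entry in $state.DelegationTargets) {
    if ($entry.Wildcard) {
        Write-Warning "Wildcard delegation target: $($entry.Target)"
    }
}

# Once the remote scans are finished:
# Disable-CredSspDelegation
```

Settings that were applied through domain Group Policy are reapplied at the next policy refresh, so those have to be changed in the policy itself.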

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server, on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

Page 23

The result looks like this:

ModelId    : SQL2008R2BPA

SubModelId :

Success    : True

ScanTime   :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername

-SQL_Server_Instance_Name instancename

-Analyze_SQL_Server_Engine

-Analyze_SQL_Server_Replication

-Analyze_SQL_Server_Setup

-Analyze_SQL_Analysis_Services

-Analyze_SQL_Integration_Services

-Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = get-MbcaModel -ModelId sql2008r2bpa

$scanResult = get-MbcaResult -ModelId sql2008r2bpa

$collectedConfig = get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration

$model, $scanResult, $collectedConfig | export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Page 24

Get-MBCAResult -ModelId SQL2008R2BPA | Where-Object { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").toString() -pre "<P>Generated by user $env:username on computer $env:computername</P>" -post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>

$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration

$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening an archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml

4.4.4 Report Result Directory

The reporting result path

%AppData%\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or Invoke command.

Solution: save older results before you start the check:

copy-item -path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() -recurse

Afterwards, you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -exclude Reports | Sort-Object name -descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.name).ToString() | ConvertTo-Html -As Table -property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").toString() -pre "<P>Generated by user $env:username on computer $env:computername</P>" -post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

Page 25
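Sections 4.4.3 and 4.4.4 keep older results so that progress can be measured; the following added example (not part of the whitepaper) compares the Error and Warning results of an archived repository with those of a newer one. The function names and the choice of SubModelId, Category and Title as the matching key are assumptions; Get-MBCAResult, -RepositoryPath and the result properties are used as shown on this page.

```powershell
# Added example (not from the whitepaper): diff two BPA result repositories.
Import-Module BaselineConfigurationAnalyzer

function Get-BpaFinding {
    param(
        [Parameter(Mandatory = $true)][string]$RepositoryPath,
        [string]$ModelId = 'SQL2008R2BPA'
    )
    # Index the Error and Warning results of one repository.
    # Assumption: SubModelId + Category + Title identifies a rule result;
    # a rule that is reported more than once keeps its last entry.
    $index = @{}
    Get-MBCAResult -ModelId $ModelId -RepositoryPath $RepositoryPath |
        Where-Object { $_.Severity -eq 'Error' -or $_.Severity -eq 'Warning' } |
        ForEach-Object {
            $key = '{0}|{1}|{2}' -f $_.SubModelId, $_.Category, $_.Title
            $index[$key] = $_
        }
    return $index
}

function New-BpaDelta {
    param([string]$Status, $Result)
    New-Object PSObject -Property @{
        Status     = $Status
        Severity   = "$($Result.Severity)"
        SubModelId = $Result.SubModelId
        Category   = $Result.Category
        Title      = $Result.Title
    }
}

function Compare-BpaScan {
    param(
        [Parameter(Mandatory = $true)][string]$OlderRepository,
        [Parameter(Mandatory = $true)][string]$NewerRepository
    )
    $old = Get-BpaFinding -RepositoryPath $OlderRepository
    $new = Get-BpaFinding -RepositoryPath $NewerRepository

    foreach ($key in $new.Keys) {
        if (-not $old.ContainsKey($key)) {
            New-BpaDelta -Status 'New' -Result $new[$key]
        }
        elseif ("$($old[$key].Severity)" -ne "$($new[$key].Severity)") {
            New-BpaDelta -Status 'SeverityChanged' -Result $new[$key]
        }
    }
    foreach ($key in $old.Keys) {
        # Absent from the newer scan: fixed, excluded, or its category was not scanned.
        if (-not $new.ContainsKey($key)) {
            New-BpaDelta -Status 'NoLongerReported' -Result $old[$key]
        }
    }
}

# Usage (the archive folder name is a placeholder for a copy made with Copy-Item above):
# $base = Join-Path $Env:LocalAppData 'Microsoft\MicrosoftBaselineConfigurationAnalyzer 2'
# Compare-BpaScan -OlderRepository (Join-Path $base 'Reports_<timestamp>') `
#                 -NewerRepository (Join-Path $base 'Reports') |
#     Sort-Object Status, Category |
#     Format-Table Status, Severity, SubModelId, Category, Title -AutoSize
```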

Page 26

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation

Timestamp, finished rules, start and end times

Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user's Local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file is generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt

Engine Rules - EngineLog.txt

Replication Rules - ReplicationLog.txt

Setup Rules - SetupLog.txt

Analysis Services Rules - AnalysisServicesLog.txt

Reporting Services Rules - ReportingServicesLog.txt

Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 – NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 – the NumberOfLogicalProcessors property is unavailable in Win32_Processor on Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370.

Both of these rules will function properly if you apply this hotfix.

Page 27

5.3 MBCA

This message indicates that one prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the instance name in the result set of the analyzer report?

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

Page 28

You should check first whether the hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started:

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

Page 29

If you have no permission to access the remote server, you get the error message:

Page 30

5.7 Installation

5.7.1 PowerShell error

After getting through the prerequisites for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application

Source: MsiInstaller

Date: 6/10/2010 8:38:18 AM

Event ID: 11722

Task Category: None

Level: Error

Keywords: Classic

User: <Username>

Computer: <Machine name>

Description:

Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

Page 31

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is "Access Denied".

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.

2. Change to the directory where the msi file resides.

3. Type msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will be either SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails with the above error due to a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS web application such as SharePoint, or if you are using Reporting Services and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.

Possible causes are:

-The user name or password specified are invalid.

-Kerberos is used when no authentication method and no user name are specified.

-Kerberos accepts domain user names, but not local user names.

-The Service Principal Name (SPN) for the remote computer name and port does not exist.

-The client and remote computers are in different domains and there is no trust between the two domains.

After checking for the above issues, try the following:

-Check the Event Viewer for events related to authentication.

-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

Note that computers in the TrustedHosts list might not be authenticated.

-For more information about WinRM configuration, run the following command: winrm help config.

At line:50 char:33

+ Set-WSManQuickConfig <<<< -force

+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException

+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

Page 32

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a domain account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a Host Header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.
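To confirm the HTTP SPN scenario described in 5.7.3 before removing anything, the following added example (not part of the whitepaper) searches Active Directory for HTTP SPNs that use the machine name and reports which account holds them. The function name is hypothetical, and the script assumes a domain-joined computer and an account that may query the directory.

```powershell
# Added example (not from the whitepaper). Requires a domain-joined computer.

function Find-HttpSpnOwner {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # sAMAccountName of a computer account is the short name followed by "$".
    $shortName      = $ComputerName.Split('.')[0]
    $machineAccount = "$shortName`$"

    # Check the short name and, when it resolves, the fully qualified name.
    $names = @($shortName)
    try { $names += [System.Net.Dns]::GetHostEntry($ComputerName).HostName } catch { }
    $names = @($names | Sort-Object -Unique)

    foreach ($name in $names) {
        # Match HTTP/<name> with or without a port suffix.
        $filter   = "(|(servicePrincipalName=HTTP/${name})(servicePrincipalName=HTTP/${name}:*))"
        $searcher = [adsisearcher]$filter
        [void]$searcher.PropertiesToLoad.Add('samaccountname')
        [void]$searcher.PropertiesToLoad.Add('distinguishedname')

        foreach ($entry in $searcher.FindAll()) {
            $account = [string]$entry.Properties['samaccountname'][0]
            New-Object PSObject -Property @{
                Spn               = "HTTP/$name"
                Account           = $account
                DistinguishedName = [string]$entry.Properties['distinguishedname'][0]
                # The case described above: the HTTP SPN for this host name is
                # registered on an account other than the machine account.
                Conflict          = ($account -ne $machineAccount)
            }
        }
    }
}

Find-HttpSpnOwner | Format-Table Spn, Account, Conflict, DistinguishedName -AutoSize
```

No output means that no HTTP SPN is registered for the machine name, so the WinRM failure has one of the other causes listed in the error message.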

Page 33

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals

Here is an example of one of these articles, which talks about a rule to check for a recent "clean" CHECKDB:

Page 34

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level: Description

Noncompliant: Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant: Compliant results are returned when a role satisfies the conditions of a rule.

Warning: Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

Page 35

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name: Description

Security: Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance: Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration: Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy: Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation: Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment: Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before the role is used in production.

Postdeployment: Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.

BPA Prerequisites: BPA Prerequisite rules explain configuration settings, policy settings and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)

Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)

Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)

non-default network packet size in use (http://support.microsoft.com/kb/2157175)

degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)

Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)

SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)

SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)

Trustworthy Bit (http://support.microsoft.com/kb/2183687)

Symmetric Keys Check (http://support.microsoft.com/kb/2162020)

Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)

SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)

Page 36

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)

Windows API calls intercepted (http://support.microsoft.com/kb/2033238)

unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)

Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)

non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)

Guest Permissions (http://support.microsoft.com/kb/2186935)

Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)

IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)

IO device errors detected (http://support.microsoft.com/kb/2091098)

IO errors during page faults detected (http://support.microsoft.com/kb/2091098)

cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)

disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)

failed IO requests detected (http://support.microsoft.com/kb/2091098)

IO requests are successful when retried (http://support.microsoft.com/kb/2015757)

IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)

This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)

tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)

Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)

Logical consistency errors detected (http://support.microsoft.com/kb/2152472)

Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)

SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)

incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)

Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)

Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)

Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)

Databases using simple recovery model (http://support.microsoft.com/kb/2137539)

User database collation different from model (http://support.microsoft.com/kb/2026108)

Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)

Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)

LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)

SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)

SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)

Invalid startup parameters (http://support.microsoft.com/kb/2028433)

MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)

sql incorrect results fix missing (http://support.microsoft.com/kb/971780)

File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)

linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)

Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)

default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)

TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)

FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)

Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)

A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)

Page 37

Significant Portion of SQL Server Memory Has Been Paged Out (http://support.microsoft.com/kb/2028324)

Server Exception or Hang Detected on Server (http://support.microsoft.com/kb/2028589)

Databases exist without CHECKSUM protection (http://support.microsoft.com/kb/2078345)

backups outdated for databases (http://support.microsoft.com/kb/2027537)

Database consistency check not current (http://support.microsoft.com/kb/2033590)

SQL Server Memory settings are incorrect (http://support.microsoft.com/KB/918483/EN-US)

Autogrow Failed or took a long time (http://support.microsoft.com/kb/2091024)

Storport driver fix from KBA 940467 missing (http://support.microsoft.com/kb/2121098)

Storport driver fix from KBA 950903 missing (http://support.microsoft.com/kb/2121098)

SQLCLR needs additional memory configuration (http://support.microsoft.com/kb/969962/EN-US)

Operating System files and drivers needs update for working set trimming (http://support.microsoft.com/kb/2121098)

Agent Token Replacement (http://support.microsoft.com/kb/2202637)

Auditing Log in failures (http://support.microsoft.com/kb/2187161)

Databases with high number of VLF present (http://support.microsoft.com/kb/2028436)

Transparent Data Encryption Certificate (http://support.microsoft.com/kb/2201900)

Permission on the Binn folder (http://support.microsoft.com/kb/2029023)

Index Statistics Are Outdated

Server public permissions (http://support.microsoft.com/kb/2160698)

Detected use of older versions of SQLNCLI (http://support.microsoft.com/kb/979779)

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services (http://support.microsoft.com/kb/2128005)

Excessive amount of memory preallocated to Analysis Services (http://support.microsoft.com/kb/2027474)

Server not configured for optimal concurrent query throughput (http://support.microsoft.com/kb/2135031)

Non standard value detected for Analysis Services memory configuration (http://support.microsoft.com/kb/2027472)

Process Thread Pool Max limit above recommended limit (http://support.microsoft.com/kb/2134497)

Process Thread Pool Minimum is below the recommended limit (http://support.microsoft.com/kb/2134855)

Server is running a build with a known regression (http://support.microsoft.com/kb/2157941)

Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur (http://support.microsoft.com/kb/2027754)

Server is ignoring duplicate key errors (http://support.microsoft.com/kb/2027761)

No default member defined for non-aggregatable attribute (http://support.microsoft.com/kb/2027769)

UnknownMember set to hidden (http://support.microsoft.com/kb/2027628)

Non-numeric key column for high cardinality attribute (http://support.microsoft.com/kb/2028138)

Attribute hierarchy enabled for high cardinality non-key attribute (http://support.microsoft.com/kb/2028143)

ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected (http://support.microsoft.com/kb/2132742)

Page 38

Account or Time attribute types defined in a non-matching dimension type (http://support.microsoft.com/kb/2157299)

An Account or Time dimension has no matching attribute defined (http://support.microsoft.com/kb/2027418)

Dimension has no attribute defined with the same type (http://support.microsoft.com/kb/2027443)

Attribute Dimension type mismatch (http://support.microsoft.com/kb/2157327)

Mismatched dimension attribute types detected in dimension (http://support.microsoft.com/kb/2027459)

Possible incorrect order of levels defined in hierarchy (http://support.microsoft.com/kb/2027460)

Define attribute relationships as Rigid where possible (http://support.microsoft.com/kb/2027468)

Redundant attribute relationships detected (http://support.microsoft.com/kb/2127437)

Diamond-shape relationship detected (http://support.microsoft.com/kb/2127570)

Non-Standard Attribute Relationship name detected (http://support.microsoft.com/kb/2127862)

Proactive Caching set for dimension without a processing query (http://support.microsoft.com/kb/2027541)

No Time dimension detected (http://support.microsoft.com/kb/2027532)

More than 3 parent-child dimensions with custom rollups defined (http://support.microsoft.com/kb/2134431)

Encountered a parent-child dimension with more than 500000 members (http://support.microsoft.com/kb/2131918)

Single attribute dimensions detected (http://support.microsoft.com/kb/2141654)

Measure groups with zero dimensional overlap detected in cube (http://support.microsoft.com/kb/2027609)

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective (http://support.microsoft.com/kb/2027603)

Use MOLAP storage for dimensions that participate in semi-additive measure groups (http://support.microsoft.com/kb/2135112)

Measure group defined with no partition (http://support.microsoft.com/kb/2027545)

63 RS Rules

RSWindowsNegotiate is missing from your configuration

httpsupportmicrosoftcomkb2145506

HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909

Verbose logging is enabled httpsupportmicrosoftcomkb2146315

NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369

Missing extended protection settings httpsupportmicrosoftcomkb2146062

64 IS Rules

Logging task missing for package httpsupportmicrosoftcomkb2027723

ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712

Unrecommended Integration Services service account detected

httpsupportmicrosoftcomkb2027684

Integration Services logging table found in system database master and or msdb

httpsupportmicrosoftcomkb2027706

Integration Services memory dump detected httpsupportmicrosoftcomkb2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB.

Existing non-Microsoft clients would require Mixed Mode Authentication.

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA Case 1 Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences: the involvement of Microsoft Support, and the final solution of adding a needed trace flag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wildcard characters.

Required? false

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false

Position? named

Default value Default

Accept pipeline input? false

Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false

Position? named

Default value All

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false

Position? named

Default value 80

Accept pipeline input? false

Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false

Position? named

Default value 32

Accept pipeline input? false

Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id, for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false

Position? 2

Default value

Accept pipeline input? false

Accept wildcard characters? false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false

Page 55

Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results ltResultgtgt

Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results

parameter is typically used to specify a filtered subset of scan results that has already been

stored in a variable the variable name is provided as the valid value for the -Results parameter

For example if you have created a variable $allPerformance to store all the Performance

category results for an MBCA scan of all models on a computer and you want to exclude those

Performance results from the complete collection of scan results you add the parameter -Results

$all Performance to a Set-MBCAResult cmdlet

For a more detailed example see the Examples section of the Help for this cmdlet

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

ltCommonParametersgt

This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable

WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-

help about_commonparameters

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath "C:\ReposPath" | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath "C:\ReposPath" -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

You can find further information about configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER or leave this blank. Toggle the checkboxes to enable/disable scans for those rule categories. Each of the following six check boxes corresponds to the SQL Server categories listed previously. Select at least one category in order to run a successful scan.

Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup

Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click Start Scan. MBCA will start the configured scan and display the below page while in progress.

7. When the scan is complete, results will be displayed grouped by Severity, as shown below.

4.3 Connect to a remote computer

A scan connected to a remote computer is different from scanning an alternate server.

"Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case, the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:

ComputerName
ComputerName:PortNumber
IP address: n.n.n.n
IPv6 address: [n:n:n:n:n:n:n:n]
IPv4 address with port number: n.n.n.n:PortNumber
IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session, type winrm help, and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. Windows XP, Windows Server 2003 and earlier: CredSSP is not supported.

First, you must set CredSSP on both the client and the server.

Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".

Add the server or domain to the list of servers in the format "WSMAN/domainname.com".

Next, enable and configure PowerShell Remoting on both the client and the server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

Enable PowerShell Remoting:

    Enable-PSRemoting -f

Settings for a client:

    Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]

or

    Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]

Settings for the server:

    Enable-WSManCredSSP -Role Server
    Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000
    Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20
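
Because CredSSP hands the user's credentials to the target server, it helps to record what the commands above changed and to switch CredSSP off again once scanning is finished. The following is an added example, not part of the whitepaper: the function names and the sample server name are hypothetical, while the cmdlets, WSMan: drive paths and registry key are the standard Windows ones.

```powershell
# Added example, not from the whitepaper. Run in an elevated PowerShell session.
# Function names and the sample server name are hypothetical.

function Get-BpaRemotingState {
    param(
        # Servers you intend to delegate credentials to (constructed sample value).
        [string[]]$ExpectedServer = @('sqlhost01.contoso.example')
    )

    # Delegation targets written by Enable-WSManCredSSP -Role Client or by the
    # "Allow Delegating Fresh Credentials" policy. Values look like WSMAN/<host>.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    $targets = @()
    if (Test-Path $key) {
        $regKey  = Get-Item $key
        $targets = @($regKey.GetValueNames() | ForEach-Object { [string]$regKey.GetValue($_) })
    }

    # A target is unexpected if it contains a wildcard or names a host that is
    # not in the expected list (comparison is case-insensitive).
    $expected   = @($ExpectedServer | ForEach-Object { "WSMAN/$_" })
    $unexpected = @($targets | Where-Object { $_ -match '\*' -or $expected -notcontains $_ })

    # One object with the CredSSP switches and the shell quotas set above.
    New-Object PSObject -Property @{
        ClientCredSSP       = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
        ServiceCredSSP      = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
        MaxMemoryPerShellMB = (Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
        MaxShellsPerUser    = (Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
        DelegationTargets   = $targets
        UnexpectedTargets   = $unexpected
    }
}

function Disable-BpaCredSsp {
    # Turns CredSSP off again on this machine for the chosen role(s).
    param([switch]$Client, [switch]$Server)
    if ($Client) { Disable-WSManCredSSP -Role Client }
    if ($Server) { Disable-WSManCredSSP -Role Server }
}

# Review the current state; revert on the scanning client once the scan is done.
Get-BpaRemotingState | Format-List
# Disable-BpaCredSsp -Client
```

Run `Disable-BpaCredSsp -Server` on the scanned server in the same way when remote scans are no longer needed.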

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

The result looks like this (part):

ModelId    : SQL2008R2BPA
SubModelId :
Success    : True
ScanTime   :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = Get-MbcaModel -ModelId sql2008r2bpa
$scanResult = Get-MbcaResult -ModelId sql2008r2bpa
$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration
$model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>
$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration
$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening an archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml

4.4.4 Report Result Directory

The reporting result path

%AppData%\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check.

Copy-Item -Path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -Destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() -Recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object Name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.Name).ToString() | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation
Timestamp, finished rules, start and end times
Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user's Local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file is generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt
Engine Rules - EngineLog.txt
Replication Rules - ReplicationLog.txt
Setup Rules - SetupLog.txt
Analysis Services Rules - AnalysisServicesLog.txt
Reporting Services Rules - ReportingServicesLog.txt
Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804: the NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370.

Both of these rules will function properly if you apply this hotfix.

5.3 MBCA

This message indicates that a prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the instance name in the result set of the analyzer report?

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should check first if the Hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started.

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is "Access Denied".

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.
2. Change to the directory where the msi file resides.
3. Type msiexec /i <MSI Name> SKIPCA=1
4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.
5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.
6. Execute the following commands:
   a. Enable-PSRemoting
   b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails with the above error due to a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS web application such as SharePoint, or if you are using Reporting Services and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a domain account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a Host Header; then your HTTP SPN would not include the machine name, allowing BPA to run without issue.
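
To confirm that the HTTP SPN scenario described above applies before removing anything, you can query Active Directory for HTTP SPNs that carry the machine's name and see which account holds them. The following is an added example, not part of the whitepaper: the function name is hypothetical, and it assumes a domain-joined computer and a user who can read the directory.

```powershell
# Added example, not from the whitepaper. The function name is hypothetical.
# Lists accounts that hold an HTTP SPN for this host and marks whether each
# one is the machine account (which WinRM relies on) or some other account.

function Find-HttpSpnConflict {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Check both the short name and the fully qualified name.
    $shortName      = $ComputerName.Split('.')[0]
    $fqdn           = [System.Net.Dns]::GetHostEntry($ComputerName).HostName
    $machineAccount = $shortName + '$'
    $names          = @($shortName, $fqdn) | Select-Object -Unique

    foreach ($name in $names) {
        # Match HTTP/<name> and HTTP/<name>:<port>, nothing longer.
        $filter   = "(|(servicePrincipalName=HTTP/${name})(servicePrincipalName=HTTP/${name}:*))"
        $searcher = [adsisearcher]$filter
        $searcher.PageSize = 100

        foreach ($hit in $searcher.FindAll()) {
            $account = [string]$hit.Properties['samaccountname'][0]
            $spns    = @($hit.Properties['serviceprincipalname'] |
                         Where-Object { $_ -eq "HTTP/$name" -or $_ -like "HTTP/${name}:*" })

            New-Object PSObject -Property @{
                HostName         = $name
                Account          = $account
                Spn              = ($spns -join ', ')
                OnMachineAccount = ($account -eq $machineAccount)
            }
        }
    }
}

# Rows where OnMachineAccount is False are HTTP SPNs for this host name that
# live on a different account, which is the scenario described above.
Find-HttpSpnConflict | Where-Object { -not $_.OnMachineAccount } |
    Format-Table HostName, Account, Spn -AutoSize
```

An empty result means no other account holds an HTTP SPN for this host name, so the WinRM error has one of the other causes listed in the message.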

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals:

Here is an example of one of these articles that talks about a rule to check for a recent "clean" CHECKDB:

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level: Description

Noncompliant: Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant: Compliant results are returned when a role satisfies the conditions of a rule.

Warning: Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name: Description

Security: Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance: Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration: Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy: Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation: Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment: Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.

Postdeployment: Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.

BPA Prerequisites: BPA Prerequisite rules explain configuration settings, policy settings and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient and well performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)
SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114
Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154
Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875
Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448
Databases using simple recovery model http://support.microsoft.com/kb/2137539
User database collation different from model http://support.microsoft.com/kb/2026108
Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537
Databases have auto close option enabled http://support.microsoft.com/kb/2160685
LSI SAS drivers needs update http://support.microsoft.com/kb/2121098
SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845
SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447
Invalid startup parameters http://support.microsoft.com/kb/2028433
MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550
sql incorrect results fix missing http://support.microsoft.com/kb/971780
File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002
linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US
Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098
default extended event health session not in expected state http://support.microsoft.com/kb/2160570
TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483
FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720
Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720
A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606
Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324
Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589
Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345
backups outdated for databases http://support.microsoft.com/kb/2027537
Database consistency check not current http://support.microsoft.com/kb/2033590
SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US
Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024
Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098
Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098
SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US
Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098
Agent Token Replacement http://support.microsoft.com/kb/2202637
Auditing Log in failures http://support.microsoft.com/kb/2187161
Databases with high number of VLF present http://support.microsoft.com/kb/2028436
Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900
Permission on the Binn folder http://support.microsoft.com/kb/2029023
Index Statistics Are Outdated
Server public permissions http://support.microsoft.com/kb/2160698
Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions:

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005

Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474

Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031

Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472

Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497

Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855

Server is running a build with a known regression http://support.microsoft.com/kb/2157941

Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754

Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761

No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769

UnknownMember set to hidden http://support.microsoft.com/kb/2027628

Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138

Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143

ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742

Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299

An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418

Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443

Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327

Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459

Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460

Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468

Redundant attribute relationships detected http://support.microsoft.com/kb/2127437

Diamond-shape relationship detected http://support.microsoft.com/kb/2127570

Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862

Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541

No Time dimension detected http://support.microsoft.com/kb/2027532

More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431

Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918

Single attribute dimensions detected http://support.microsoft.com/kb/2141654

Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603

Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112

Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506

HTTP Logging is not enabled http://support.microsoft.com/kb/2145909

Verbose logging is enabled http://support.microsoft.com/kb/2146315

NTLM authentication may fail for local http://support.microsoft.com/kb/2146369

Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723

ActiveX Script task detected in package http://support.microsoft.com/kb/2027712

Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684

Integration Services logging table found in system database master and or msdb http://support.microsoft.com/kb/2027706

Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article “Why use SQL Server 2008 R2 BPA Case 1 Missing Updates” the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it’s a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false

Position? named

Default value Default

Accept pipeline input? false

Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false

Position? named

Default value All

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false

Position? named

Default value 80

Accept pipeline input? false

Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false

Position? named

Default value 32

Accept pipeline input? false

Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:

Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

Page 53

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the model that is represented by Model Id

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are

installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-

MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both

supported by MBCA and installed on the computer at which the cmdlet is targeted

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$resultDiscoveryDocument

Description

In the preceding example configuration data (in XML form) that was collected during the most recent

Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is

retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type

SystemXmlXmlDocument

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the model that is represented by Model Id and then applies a filter to show only Noncompliant

results

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

Further information about the configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.


4.3 Connect to a remote computer

A scan connected to a remote computer is different than scanning an alternate server. "Connect to a Remote Computer" is functionality provided by Microsoft Baseline Configuration Analyzer and is used to remotely run MBCA against a server from the console of the client. The client needs to have MBCA installed but does not need BPA, as it is literally running the copy of MBCA installed on the server, using the BPA installed on the server. In this case, the copy of MBCA installed on the client is used only to remotely connect to the copy of MBCA installed on the server.

To use this functionality, you first start MBCA on the client computer and select "Connect to Another Computer".

1. In the "Connect to Another Computer" text box, you can specify a NetBIOS name, a fully qualified domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port number is used. The following are examples of formats that you can specify in the Connect to Another Computer text box:

ComputerName
ComputerName:PortNumber
IP address: n.n.n.n
IPv6 address: [n:n:n:n:n:n:n:n]
IPv4 address with port number: n.n.n.n:PortNumber
IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

Note: If an administrator has changed the computer's default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session, type winrm help, and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user's credentials from the client computer to the target server.

CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials.

Windows XP, Windows Server 2003 and earlier: CredSSP is not supported.

First, you must set CredSSP on both the client and the server.

Using the Group Policy Editor (gpedit.msc), make sure to enable "Allow Delegating Fresh Credentials" and check "Concatenate OS defaults with input above".

Add the server or domain to the list of servers in the format "WSMAN/domainname.com".

Next, enable and configure PowerShell Remoting on both the client and the server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

Enable PowerShell Remoting:

o Enable-psremoting -f

Settings for a client:

o Enable-WSManCredSSP -role Client -DelegateComputer [NetBiosNameOfServer]

or

o Enable-WSManCredSSP -role Client -DelegateComputer [FQDN OF SERVER]

Settings for the server:

o Enable-WSManCredSSP -role Server

o set-item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000

o set-item WSMan:\localhost\Shell\MaxShellsPerUser -value 20
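A check for the settings changed by the steps above, as an added example that is not part of the whitepaper: it reads the CredSSP, TrustedHosts and shell-quota state through the WSMan: drive, lists the credential delegation targets, and offers a rollback for when remote scanning is finished. The function names are hypothetical, and the 1000 MB threshold is an assumption taken from the value used in section 5.5.

```powershell
# Added example, not part of the whitepaper. Run in an elevated PowerShell session
# with the WinRM service started (the WSMan: drive is not available otherwise).

function Get-BpaRemotingState {
    # Delegation targets are stored as numbered values under this policy key,
    # written by Enable-WSManCredSSP -Role Client or by the Group Policy setting.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    $targets = @()
    if (Test-Path $policyKey) {
        $key = Get-Item $policyKey
        $targets = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }

    New-Object PSObject -Property @{
        ClientCredSSP       = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
        ServiceCredSSP      = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
        DelegationTargets   = $targets
        TrustedHosts        = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        MaxMemoryPerShellMB = (Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
        MaxShellsPerUser    = (Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
    }
}

function Test-BpaRemotingState {
    param([Parameter(Mandatory = $true)] $State)

    $findings = @()
    if ($State.ClientCredSSP -eq 'true') {
        $findings += 'CredSSP client role is enabled: this computer can delegate user credentials.'
    }
    if ($State.ServiceCredSSP -eq 'true') {
        $findings += 'CredSSP server role is enabled: this computer accepts delegated credentials.'
    }
    foreach ($target in $State.DelegationTargets) {
        # A wildcard entry delegates to every matching host, not only the scanned server.
        if ($target.Contains('*')) {
            $findings += "Delegation target '$target' contains a wildcard."
        }
    }
    if ($State.TrustedHosts -eq '*') {
        $findings += 'TrustedHosts is *: remote hosts are not authenticated before credentials are sent.'
    }
    if ([int]$State.MaxMemoryPerShellMB -gt 1000) {
        # Assumed threshold: 1000 MB is the value section 5.5 uses.
        $findings += "MaxMemoryPerShellMB is $($State.MaxMemoryPerShellMB) MB per remote shell."
    }
    if ($findings.Count -eq 0) { $findings += 'No findings.' }
    $findings
}

function Disable-BpaCredSsp {
    # Rollback for both roles once remote scans are finished.
    Disable-WSManCredSSP -Role Client
    Disable-WSManCredSSP -Role Server
}

$state = Get-BpaRemotingState
$state | Format-List
Test-BpaRemotingState -State $state

# After the last remote scan:
# Disable-BpaCredSsp
```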

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x=Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

The result looks like this part:

ModelId : SQL2008R2BPA
SubModelId :
Success : True
ScanTime :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = get-MbcaModel -ModelId sql2008r2bpa

$scanResult = get-MbcaResult -ModelId sql2008r2bpa

$collectedConfig = get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration

$model, $scanResult, $collectedConfig | export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").toString() -pre "<P>Generated by user $env:username on computer $env:computername</P>" -post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans, to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>

$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration

$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
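The comparison of an older scan with a newer one mentioned above, as an added example that is not part of the whitepaper: it classifies Warning and Error findings as New, Persisting or Resolved between two result collections. The function name Compare-BpaScan, the archive file names in the comments, and the sample objects are assumptions constructed for illustration; the property names are the ones used with ConvertTo-Html in section 4.4.2.

```powershell
# Added example, not part of the whitepaper.
function Compare-BpaScan {
    param(
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $Previous,
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $Current,
        [string[]] $Severity = @('Warning', 'Error')
    )

    # Index the findings of one scan by computer, submodel and rule title,
    # keeping only the severities of interest.
    $index = {
        param($results)
        $map = @{}
        foreach ($r in $results) {
            if ($Severity -contains $r.Severity) {
                $map["$($r.ComputerName)|$($r.SubModelId)|$($r.Title)"] = $r
            }
        }
        $map
    }
    $old = & $index $Previous
    $new = & $index $Current

    $rows = @()
    foreach ($key in $new.Keys) {
        $status = 'New'
        if ($old.ContainsKey($key)) { $status = 'Persisting' }
        $rows += $new[$key] | Select-Object @{ n = 'Status'; e = { $status } },
            ComputerName, SubModelId, Category, Severity, Title
    }
    foreach ($key in $old.Keys) {
        # 'Resolved' only means the finding is absent from the newer collection;
        # confirm that the same submodel was scanned in both runs.
        if (-not $new.ContainsKey($key)) {
            $rows += $old[$key] | Select-Object @{ n = 'Status'; e = { 'Resolved' } },
                ComputerName, SubModelId, Category, Severity, Title
        }
    }
    $rows | Sort-Object Status, ComputerName, Title
}

# With real archives (hypothetical file names), load the result collections first:
#   $previousScan, $null = Import-CliXml c:\export_old.xml
#   $currentScan,  $null = Import-CliXml c:\export_new.xml

# Constructed sample data standing in for two archived scans.
function New-SampleFinding($Computer, $Category, $Severity, $Title) {
    New-Object PSObject -Property @{
        ComputerName = $Computer; SubModelId = 'Engine'
        Category = $Category; Severity = $Severity; Title = $Title
    }
}
$previousScan = @(
    New-SampleFinding 'SQL01' 'Security'    'Warning' 'Guest Permissions'
    New-SampleFinding 'SQL01' 'Security'    'Error'   'Trustworthy Bit'
    New-SampleFinding 'SQL01' 'Performance' 'Warning' 'Databases have auto close option enabled'
)
$currentScan = @(
    New-SampleFinding 'SQL01' 'Security'    'Error'   'Trustworthy Bit'
    New-SampleFinding 'SQL01' 'Security'    'Warning' 'Authentication Mode'
)

$report = Compare-BpaScan -Previous $previousScan -Current $currentScan
$report | Format-Table -AutoSize
```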

4.4.4 Report Result Directory

The reporting result path AppData\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results will be overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check.

copy-item -path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() -recurse

Afterwards, you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -exclude Reports | Sort-Object name -descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.name).ToString() | ConvertTo-Html -As Table -property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -body ("<p>Report creation date: " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").toString() -pre "<P>Generated by user $env:username on computer $env:computername</P>" -post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm


5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation
Timestamp, finished rules, start and end times
Run-time scripting errors and exceptions from PowerShell Traps

Log Files Location

For every scan, log files are created in the user's Local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file gets generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt
Engine Rules - EngineLog.txt
Replication Rules - ReplicationLog.txt
Setup Rules - SetupLog.txt
Analysis Services Rules - AnalysisServicesLog.txt
Reporting Services Rules - ReportingServicesLog.txt
Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 - the NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370

Both of the rules below will function properly if you apply this hotfix. For more information look here

5.3 MBCA

This message indicates that a prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in result set of the analyzer report?

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB or less memory. This default limit is significantly small, and once this limit is reached there could be a WinRM exception, causing the remote connection to terminate immediately. Any application or cmdlet which is involved in PowerShell remoting should be tested for this memory limit; this may cause some of the commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limitation to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should check first if the Hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started.

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is "Access Denied".

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.

2. Change to the directory where the .msi file resides.

3. Type msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, you are failing with the above error due to a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the Machine Account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example, if you are running an IIS Web Application such as SharePoint, or if you are using Reporting Services and the service account is set to a Domain User account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a Host Header; then your HTTP SPN would not include the machine name, allowing BPA to run without issue.

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals:

Here is an example of one of these articles that talks about a rule to check for a recent "clean" CHECKDB:

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level - Description

Noncompliant - Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant - Compliant results are returned when a role satisfies the conditions of a rule.

Warning - Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name - Description

Security - Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance - Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration - Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy - Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation - Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment - Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.

Postdeployment - Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.

BPA Prerequisites - BPA Prerequisite rules explain configuration settings, policy settings and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)


SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)
Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)
Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)
Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)
Databases using simple recovery model (http://support.microsoft.com/kb/2137539)
User database collation different from model (http://support.microsoft.com/kb/2026108)
Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)
Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)
LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)
SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)
SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)
Invalid startup parameters (http://support.microsoft.com/kb/2028433)
MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)
sql incorrect results fix missing (http://support.microsoft.com/kb/971780)
File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)
linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)
Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)
default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)
TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)
FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)
Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)
A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)

Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324

Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589

Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345

backups outdated for databases http://support.microsoft.com/kb/2027537

Database consistency check not current http://support.microsoft.com/kb/2033590

SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US

Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024

Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098

Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098

SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US

Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098

Agent Token Replacement http://support.microsoft.com/kb/2202637

Auditing Log in failures http://support.microsoft.com/kb/2187161

Databases with high number of VLF present http://support.microsoft.com/kb/2028436

Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900

Permission on the Binn folder http://support.microsoft.com/kb/2029023

Index Statistics Are Outdated

Server public permissions http://support.microsoft.com/kb/2160698

Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions:

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005

Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474

Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031

Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472

Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497

Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855

Server is running a build with a known regression http://support.microsoft.com/kb/2157941

Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754

Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761

No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769

UnknownMember set to hidden http://support.microsoft.com/kb/2027628

Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138

Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143

ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742

Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299

An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418

Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443

Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327

Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459

Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460

Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468

Redundant attribute relationships detected http://support.microsoft.com/kb/2127437

Diamond-shape relationship detected http://support.microsoft.com/kb/2127570

Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862

Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541

No Time dimension detected http://support.microsoft.com/kb/2027532

More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431

Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918

Single attribute dimensions detected http://support.microsoft.com/kb/2141654

Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603

Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112

Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506

HTTP Logging is not enabled http://support.microsoft.com/kb/2145909

Verbose logging is enabled http://support.microsoft.com/kb/2146315

NTLM authentication may fail for local http://support.microsoft.com/kb/2146369

Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723

ActiveX Script task detected in package http://support.microsoft.com/kb/2027712

Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684

Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706

Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA Case 1 Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You get help for a command with the following syntax:

Get-Help <command> -Full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results files for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:

Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.
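
The parameters documented above, combined into one remote scan followed by a triage of its noncompliant results, as an added example that is not from the whitepaper. The host name, sub-model ID, repository path and port are placeholders; the Title, Severity and Help properties read from the result objects are assumptions to confirm with Get-Member, and any model-specific parameters the model requires are omitted.

```powershell
# Added example, not part of the whitepaper. Values marked "placeholder" or
# "constructed" are assumptions to replace for your environment.
Import-Module BaselineConfigurationAnalyzer

$ModelId    = 'SQL2008R2BPA'
$SubModelId = '<SubModel Id>'       # placeholder: see (Get-MBCAModel -ModelId $ModelId).SubModels
$Server     = 'sql01.corp.example'  # constructed host name
$Repository = 'D:\BpaResults'       # constructed non-default repository path
$WinRmPort  = 5986                  # assumption: WinRM HTTPS listener on its usual port

# The MBCA cmdlets require an elevated session; fail early rather than mid-scan.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open Windows PowerShell with Run as Administrator and try again.'
}

# Confirm the model is installed before starting a scan.
if (-not (Get-MBCAModel -ModelId $ModelId)) {
    throw "MBCA model '$ModelId' is not installed on this computer."
}

# Remote scan. The documented defaults are port 80 with SSL off, so the
# transport settings are stated explicitly: Kerberos over an SSL listener.
$scan = Invoke-MBCAModel -ModelId $ModelId -SubModelId $SubModelId `
    -ComputerName $Server -Authentication Kerberos -UseSSL -Port $WinRmPort `
    -RepositoryPath $Repository -ErrorAction Stop
$scan | Format-List *   # shows the model ID and the success or failure of the scan

# Read back only the noncompliant results from the same repository.
$findings = Get-MBCAResult -ModelId $ModelId -SubModelId $SubModelId `
    -ComputerName $Server -RepositoryPath $Repository -Filter Noncompliant

# Security-related rule names copied from the rule list earlier in this paper.
$securityRules = @(
    'Asymmetric Keys Check',
    'SQL Server Admin role membership check',
    'Guest Permissions',
    'Potential security issue with legacy DTS stored procedures',
    'Unrecommended SQL Server Agent service account',
    'Agent Token Replacement',
    'Auditing Log in failures',
    'Transparent Data Encryption Certificate',
    'Permission on the Binn folder',
    'Server public permissions'
)

# Flag findings whose title contains one of those names.
# Assumption: each result exposes Title, Severity and Help properties and the
# title contains the rule name; check with: $findings | Get-Member
$triaged = foreach ($f in $findings) {
    $isSecurity = $false
    foreach ($name in $securityRules) {
        if ($f.Title -like "*$name*") { $isSecurity = $true; break }
    }
    New-Object PSObject -Property @{
        Security = $isSecurity
        Severity = $f.Severity
        Title    = $f.Title
        Help     = $f.Help
    }
}

# Security-related findings first, then the rest.
$triaged | Sort-Object Security, Severity -Descending |
    Format-Table Security, Severity, Title -AutoSize

# Keep a copy for review. The file describes configuration weaknesses, so the
# repository folder should be readable by administrators only.
$triaged | Export-Csv -Path (Join-Path $Repository 'noncompliant.csv') -NoTypeInformation
```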

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

Page 53

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

Page 54

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false

Position? 2

Default value

Accept pipeline input? false

Accept wildcard characters? false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false

Position? 4

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true

Position? 3

Default value

Accept pipeline input? true (ByValue)

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath "C:\ReposPath" | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath "C:\ReposPath" -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
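Set-MBCAResult changes which findings a report shows, so it is useful to keep a record of what was excluded, by whom and when. The following is an added example, not part of the original paper: it writes the results it is about to exclude to a dated CliXml file and refuses to exclude the Security category. The function name, the audit directory parameter and the Security guard are assumptions made for illustration.

```powershell
# Added example, not from the whitepaper. Run elevated; PowerShell 2.0 syntax.
Import-Module BaselineConfigurationAnalyzer

function Hide-MbcaCategoryWithAudit {   # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)] [string] $Category,
        [Parameter(Mandatory=$true)] [string] $AuditDirectory,
        [string] $ModelId = 'SQL2008R2BPA'
    )

    # Assumption: local policy is that Security findings are never hidden.
    if ($Category -eq 'Security') {
        throw "Refusing to exclude the Security category."
    }

    # @() guarantees an array even when zero or one result matches.
    $toExclude = @(Get-MBCAResult -ModelId $ModelId |
                   Where-Object { $_.Category -eq $Category })
    if ($toExclude.Count -eq 0) {
        Write-Warning "No $Category results found for model $ModelId."
        return
    }

    # Record who excluded what, and when, before the results are modified.
    if (-not (Test-Path $AuditDirectory)) {
        New-Item -ItemType Directory -Path $AuditDirectory | Out-Null
    }
    $stamp     = (Get-Date).ToString('yyyyMMddHHmmss')
    $auditFile = Join-Path $AuditDirectory "excluded_${Category}_$stamp.xml"
    $toExclude |
        Select-Object ResultNumber, SubModelId, ComputerName, Severity, Category, Title,
                      @{ Name = 'ExcludedBy'; Expression = { "$env:USERDOMAIN\$env:USERNAME" } } |
        Export-Clixml -Path $auditFile

    # Same pipeline form as Example 1 above.
    $toExclude | Set-MBCAResult -Exclude $true

    # Summary for the operator: how many findings of each severity were excluded.
    $toExclude | Group-Object Severity | Select-Object Name, Count
}

# Usage (the audit path is a placeholder):
# Hide-MbcaCategoryWithAudit -Category Performance -AuditDirectory C:\BpaAudit
```

The audit file can be read back later with Import-Clixml to review which findings were removed from view.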

9.1.5 MBCA Model Authoring

Further information about the configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.

Page 57


Page 21: SQL2008R2 BPA Whitepaper v10

Page 21

ComputerName:PortNumber

IP address: n.n.n.n

IPv6 address: [n:n:n:n:n:n:n:n]

IPv4 address with port number: n.n.n.n:PortNumber

IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber

Note: If an administrator has changed the computer’s default port number, any port other than the default port must be opened in Windows Firewall to allow incoming connections on that port. Port 5985 is opened by default when WinRM is configured. All other ports remain blocked until opened. For more information about how to unblock a port in Windows Firewall, see the Help for Windows Firewall. For more information about how to configure WinRM, in a Command Prompt session type winrm help, and then press Enter.

2. Additionally, you must supply credentials.

3. CredSSP

Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user’s credentials from the client computer to the target server.

CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.

Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials. On Windows XP, Windows Server 2003 and earlier, CredSSP is not supported.

First, you must set CredSSP on both the client and the server.

Using the Group Policy Editor (gpedit.msc), make sure to enable “Allow Delegating Fresh Credentials” and check “Concatenate OS defaults with input above”.

Add the server or domain to the list of servers in the format “WSMAN/domainname.com”.

Next, enable and configure PowerShell Remoting on both the client and the server by running the following commands in a PowerShell command window opened with elevated permissions. Note: You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

Enable PowerShell Remoting:

o Enable-psremoting -f

Settings for a client:

o Enable-WSManCredSSP -role Client -DelegateComputer [NetBiosNameOfServer]

or

o Enable-WSManCredSSP -role Client -DelegateComputer [FQDN OF SERVER]

Settings for the server:

o Enable-WSManCredSSP -role Server

o set-item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000

o set-item WSMan:\localhost\Shell\MaxShellsPerUser -value 20
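The steps above leave CredSSP delegation and the raised shell quotas in place after the scan has finished. The following is an added example, not part of the original paper: it records the current WinRM values, applies the settings listed above, runs a scan, and then restores the recorded values. The function names and the $ScanAction script block are assumptions made for illustration, and the example assumes one machine acting as both client and server, which the paper allows.

```powershell
# Added example, not from the whitepaper. Run in an elevated PowerShell 2.0+ session.
# Function names and the $ScanAction parameter are hypothetical.

function Get-BpaRemotingState {
    # Snapshot the WinRM settings that the CredSSP setup steps modify.
    New-Object PSObject -Property @{
        MaxMemoryPerShellMB = (Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
        MaxShellsPerUser    = (Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
        CredSSPClient       = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
        CredSSPService      = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
    }
}

function Restore-BpaRemotingState {
    param([Parameter(Mandatory=$true)] $State)
    Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value $State.MaxMemoryPerShellMB
    Set-Item WSMan:\localhost\Shell\MaxShellsPerUser    -Value $State.MaxShellsPerUser
    # Turn CredSSP back off only for the roles that were off before the scan.
    if ($State.CredSSPClient  -ne 'true') { Disable-WSManCredSSP -Role Client }
    if ($State.CredSSPService -ne 'true') { Disable-WSManCredSSP -Role Server }
}

function Invoke-WithBpaRemoting {
    param(
        [Parameter(Mandatory=$true)] [string]      $DelegateComputer,  # NetBIOS name or FQDN
        [Parameter(Mandatory=$true)] [scriptblock] $ScanAction
    )
    $before = Get-BpaRemotingState
    try {
        # Values taken from the setup steps in the paper.
        Enable-WSManCredSSP -Role Client -DelegateComputer $DelegateComputer -Force | Out-Null
        Enable-WSManCredSSP -Role Server -Force | Out-Null
        Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000
        Set-Item WSMan:\localhost\Shell\MaxShellsPerUser    -Value 20
        & $ScanAction
    }
    finally {
        # Runs even when the scan throws or is cancelled with Ctrl+C.
        Restore-BpaRemotingState -State $before
        Get-BpaRemotingState | Format-List   # show the restored values
    }
}

# Usage (the server name is a placeholder):
# Invoke-WithBpaRemoting -DelegateComputer 'server01.example.com' -ScanAction {
#     Invoke-MBCAModel -ModelId SQL2008R2BPA
# }
```

The Group Policy setting “Allow Delegating Fresh Credentials” is managed separately and is not touched by this script.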

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x=Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

Part of the result looks like this:

ModelId : SQL2008R2BPA

SubModelId :

Success : True

ScanTime :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername

-SQL_Server_Instance_Name instancename

-Analyze_SQL_Server_Engine

-Analyze_SQL_Server_Replication

-Analyze_SQL_Server_Setup

-Analyze_SQL_Analysis_Services

-Analyze_SQL_Integration_Services

-Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server “servername” and for the named instance “instance”. A log file will be written to “c:\temp\ssas.txt”.

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = get-MbcaModel -ModelId sql2008r2bpa

$scanResult = get-MbcaResult -ModelId sql2008r2bpa

$collectedConfig = get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration

$model, $scanResult, $collectedConfig | export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").toString() -pre "<P>Generated by user $env:username on computer $env:computername</P>" -post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>

$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration

$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening an archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
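The comparison of older and newer scans mentioned above can be scripted. The following is an added example, not part of the original paper: it loads two archives written with the export commands above and reports which Error and Warning findings are new, resolved or still open. The function name and the file names in the usage comment are assumptions made for illustration.

```powershell
# Added example, not from the whitepaper. PowerShell 2.0 syntax.
function Compare-MbcaArchive {   # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)] [string] $OlderReport,
        [Parameter(Mandatory=$true)] [string] $NewerReport
    )

    # Index the open findings (Error or Warning) of one scan by a stable key.
    function Get-OpenFinding($results) {
        $map = @{}
        foreach ($r in @($results)) {
            if ($r.Severity -eq 'Error' -or $r.Severity -eq 'Warning') {
                $key = '{0}|{1}|{2}|{3}' -f $r.ComputerName, $r.SubModelId, $r.Category, $r.Title
                $map[$key] = $r
            }
        }
        $map
    }

    # Each archive holds two objects, as written by the export example above:
    # the result list first, the collected configuration second.
    $oldResults, $oldConfig = Import-Clixml $OlderReport
    $newResults, $newConfig = Import-Clixml $NewerReport

    $old = Get-OpenFinding $oldResults
    $new = Get-OpenFinding $newResults

    # @() keeps the loop from running once on $null when both scans are clean.
    foreach ($key in @(@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        if     (-not $old.ContainsKey($key)) { $status = 'New';       $r = $new[$key] }
        elseif (-not $new.ContainsKey($key)) { $status = 'Resolved';  $r = $old[$key] }
        else                                 { $status = 'StillOpen'; $r = $new[$key] }

        New-Object PSObject -Property @{
            Status       = $status
            Severity     = $r.Severity
            Category     = $r.Category
            ComputerName = $r.ComputerName
            Title        = $r.Title
        } | Select-Object Status, Severity, Category, ComputerName, Title
    }
}

# Usage (file names are placeholders):
# Compare-MbcaArchive c:\export_old.xml c:\export.xml |
#     Sort-Object Status, Category | Format-Table -AutoSize
```

"Resolved" here means only that the finding is no longer reported as Error or Warning in the newer archive.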

4.4.4 Report Result Directory

The reporting result path

%AppData%\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check.

copy-item -path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() -recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -exclude Reports | Sort-Object name -descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.name).ToString() | ConvertTo-Html -As Table -property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").toString() -pre "<P>Generated by user $env:username on computer $env:computername</P>" -post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

Page 26

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation

Timestamp finished rules start and end times

Run-time scripting errors and exceptions from PowerShell Traps

Log Files Location

For every scan, log files are created in the user’s Local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file is generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt

Engine Rules - EngineLog.txt

Replication Rules - ReplicationLog.txt

Setup Rules - SetupLog.txt

Analysis Services Rules - AnalysisServicesLog.txt

Reporting Services Rules - ReportingServicesLog.txt

Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 - The NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370

Both of the rules below will function properly if you apply this hotfix. For more information look here

Page 27

5.3 MBCA

This message indicates that one prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in result set of the analyzer report

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached a WinRM exception can occur that immediately terminates the remote connection. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to “Connect to another computer” from MBCA and you receive the following message:

Page 28

You should check first if the Hotfix KB968930 is installed.

Afterwards, validate that the “Windows Remote Management” service is started.

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

Page 29

If you have no permission to access the remote server, you get the error message:

Page 30

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application

Source: MsiInstaller

Date: 6/10/2010 8:38:18 AM

Event ID: 11722

Task Category: None

Level: Error

Keywords: Classic

User: <Username>

Computer: <Machine name>

Description:

Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

Page 31

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is “Access Denied”.

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.

2. Change to the directory where the .msi file resides.

3. Type msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario you are failing with the above error due to a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS web application such as SharePoint, or if you are using Reporting Services and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That’s where this problem comes in: WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.

Possible causes are:

-The user name or password specified are invalid.

-Kerberos is used when no authentication method and no user name are specified.

-Kerberos accepts domain user names, but not local user names.

-The Service Principal Name (SPN) for the remote computer name and port does not exist.

-The client and remote computers are in different domains and there is no trust between the two domains.

After checking for the above issues, try the following:

-Check the Event Viewer for events related to authentication.

-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

Note that computers in the TrustedHosts list might not be authenticated.

-For more information about WinRM configuration, run the following command: winrm help config.

At line:50 char:33

+ Set-WSManQuickConfig <<<< -force

+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException

+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc…

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application’s end, would be to run the application under a Host Header; then your HTTP SPN would not include the machine name, allowing BPA to run without issue.

Page 33

6 RULES

Searching for “SQL Server 2008 R2 BPA” at Microsoft.com reveals:

Here is an example of one of these articles, which talks about a rule to check for a recent “clean” CHECKDB:

Page 34

BPA works by measuring a role’s compliance with best practice rules in eight different categories of a role’s effectiveness, trustworthiness and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level: Description

Noncompliant: Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant: Compliant results are returned when a role satisfies the conditions of a rule.

Warning: Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

Page 35

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name: Description

Security: Security rules are applied to measure a role’s relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance: Performance rules are applied to measure a role’s ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role’s workload.

Configuration: Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy: Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation: Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment: Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.

Postdeployment: Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.

BPA Prerequisites: BPA Prerequisite rules explain configuration settings, policy settings and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service or feature, an incorrectly enabled or disabled policy, a registry key setting or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules are checking that you have a secure, resilient and well performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)

Page 36

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)

Windows API calls intercepted (http://support.microsoft.com/kb/2033238)

unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)

Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)

non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)

Guest Permissions (http://support.microsoft.com/kb/2186935)

Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)

IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)

IO device errors detected (http://support.microsoft.com/kb/2091098)

IO errors during page faults detected (http://support.microsoft.com/kb/2091098)

cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)

disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)

failed IO requests detected (http://support.microsoft.com/kb/2091098)

IO requests are successful when retried (http://support.microsoft.com/kb/2015757)

IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)

This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)

tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)

Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)

Logical consistency errors detected (http://support.microsoft.com/kb/2152472)

Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)

SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)

incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114

Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154

Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875

Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448

Databases using simple recovery model http://support.microsoft.com/kb/2137539

User database collation different from model http://support.microsoft.com/kb/2026108

Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537

Databases have auto close option enabled http://support.microsoft.com/kb/2160685

LSI SAS drivers needs update http://support.microsoft.com/kb/2121098

SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845

SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447

Invalid startup parameters http://support.microsoft.com/kb/2028433

MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550

sql incorrect results fix missing http://support.microsoft.com/kb/971780

File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002

linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US

Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098

default extended event health session not in expected state http://support.microsoft.com/kb/2160570

TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483

FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720

Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720

A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606


Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324

Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589

Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345

backups outdated for databases http://support.microsoft.com/kb/2027537

Database consistency check not current http://support.microsoft.com/kb/2033590

SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US

Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024

Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098

Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098

SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US

Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098

Agent Token Replacement http://support.microsoft.com/kb/2202637

Auditing Log in failures http://support.microsoft.com/kb/2187161

Databases with high number of VLF present http://support.microsoft.com/kb/2028436

Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900

Permission on the Binn folder http://support.microsoft.com/kb/2029023

Index Statistics Are Outdated

Server public permissions http://support.microsoft.com/kb/2160698

Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions:

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005

Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474

Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031

Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472

Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497

Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855

Server is running a build with a known regression http://support.microsoft.com/kb/2157941

Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754

Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761

No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769

UnknownMember set to hidden http://support.microsoft.com/kb/2027628

Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138

Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143

ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742


Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299

An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418

Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443

Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327

Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459

Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460

Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468

Redundant attribute relationships detected http://support.microsoft.com/kb/2127437

Diamond-shape relationship detected http://support.microsoft.com/kb/2127570

Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862

Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541

No Time dimension detected http://support.microsoft.com/kb/2027532

More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431

Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918

Single attribute dimensions detected http://support.microsoft.com/kb/2141654

Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603

Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112

Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506

HTTP Logging is not enabled http://support.microsoft.com/kb/2145909

Verbose logging is enabled http://support.microsoft.com/kb/2146315

NTLM authentication may fail for local http://support.microsoft.com/kb/2146369

Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723

ActiveX Script task detected in package http://support.microsoft.com/kb/2027712

Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684

Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706

Integration Services memory dump detected http://support.microsoft.com/kb/2027727


6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425


7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication
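One way to keep track of such accepted deviations, as an added example that is not part of the original paper or of the BPA tool: a PowerShell function that compares noncompliant findings with a register of documented exceptions, so that only unexplained findings and exceptions past their review date are reported. The function name, the register layout, the sample owners and dates, and the Title property on the findings are assumptions.

```powershell
# Added example: triage BPA findings against a register of accepted deviations.
# Assumption: each finding exposes the rule name in a Title property.

# Register of accepted deviations. The two rule titles come from the rule list
# in this paper; Reason, Owner and ReviewBy are constructed sample values.
$acceptedDeviations = @(
    New-Object psobject -Property @{
        Title    = 'non-default network packet size in use'
        Reason   = 'SAP requires a Network Packet Size of 8 KB'
        Owner    = 'dba-team'
        ReviewBy = [datetime]'2011-06-30'
    }
    New-Object psobject -Property @{
        Title    = 'Authentication Mode'
        Reason   = 'Existing non-Microsoft clients require Mixed Mode Authentication'
        Owner    = 'app-owner'
        ReviewBy = [datetime]'2010-12-31'
    }
)

function Get-DeviationTriage {
    # Hypothetical helper: labels every finding Open, Accepted or AcceptanceExpired.
    param(
        [object[]] $Finding  = @(),
        [object[]] $Accepted = @(),
        [datetime] $AsOf     = (Get-Date)
    )

    # Index the register by rule title. Hashtable lookups are case-insensitive,
    # and casting to [string] turns a missing title into '' instead of $null.
    $byTitle = @{}
    foreach ($entry in $Accepted) {
        $byTitle[([string]$entry.Title).Trim()] = $entry
    }

    foreach ($item in $Finding) {
        $title  = ([string]$item.Title).Trim()
        $entry  = $byTitle[$title]
        $status = 'Open'
        $reason = $null
        $owner  = $null

        if ($entry) {
            $reason = $entry.Reason
            $owner  = $entry.Owner
            # An exception past its review date is reported again, so that
            # "accepted" never silently becomes "permanent".
            if ($entry.ReviewBy -lt $AsOf) {
                $status = 'AcceptanceExpired'
            }
            else {
                $status = 'Accepted'
            }
        }

        New-Object psobject -Property @{
            Status = $status
            Title  = $title
            Owner  = $owner
            Reason = $reason
        } | Select-Object Status, Title, Owner, Reason
    }
}

# Constructed sample findings, so the example runs without a scanned server.
$sampleFindings = @(
    New-Object psobject -Property @{ Title = 'Authentication Mode' }
    New-Object psobject -Property @{ Title = 'non-default network packet size in use' }
    New-Object psobject -Property @{ Title = 'Trustworthy Bit' }
    New-Object psobject -Property @{ Title = 'Guest Permissions' }
)
# On a scanned server the input would instead come from the command shown in this paper:
#   $findings = Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

$triage = Get-DeviationTriage -Finding $sampleFindings `
                              -Accepted $acceptedDeviations `
                              -AsOf ([datetime]'2011-01-15')

# Report only what still needs a decision: open findings and expired exceptions.
$triage |
    Where-Object { $_.Status -ne 'Accepted' } |
    Sort-Object Status, Title |
    Format-Table -AutoSize
```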


8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article “Why use SQL Server 2008 R2 BPA Case 1 Missing Updates” the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it’s a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob’s article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed trace flag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.


9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You get help for each of these commands with the following syntax:

Get-Help <command> -Full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.


This parameter supports wild card characters.

Required? false

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA


$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false

Position? named

Default value Default

Accept pipeline input? false

Accept wildcard characters? false

-CertificateThumbprint <string>


Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.


A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false

Position? named

Default value All

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False


This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false

Position? named

Default value 80

Accept pipeline input? false

Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false


Position? named

Default value 32

Accept pipeline input? false

Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:

Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------


Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS


The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>


The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false

Position? named


Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false

Position? 2

Default value

Accept pipeline input? false

Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false

Position? 4

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true

Position? 3

Default value

Accept pipeline input? true (ByValue)

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.

Did this paper help you? Please give us your feedback. Tell us on a scale of 1 (poor) to 5 (excellent), how would you rate this paper and why have you given it this rating? For example:

Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason?

Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?

This feedback will help us improve the quality of white papers we release.

Send feedback

Page 22: SQL2008R2 BPA Whitepaper v10


You can configure a single machine as both a client and a server simultaneously, so that you can scan from either computer.

Enable PowerShell Remoting

o Enable-PSRemoting -f

Settings for a client

o Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]

or

o Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]

Settings for the server

o Enable-WSManCredSSP -Role Server

o Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000

o Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20
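
The settings above widen what the machine accepts over WinRM, so it is worth recording them after setup and turning CredSSP off again between scans. The following is an added example, not part of the original paper: the function names are hypothetical, and it assumes the delegation targets written by Enable-WSManCredSSP are read from the AllowFreshCredentials policy key.

```powershell
# Added example: audit the WinRM and CredSSP settings changed by the BPA remoting setup.
# Run in an elevated session; the WSMan: drive needs the WinRM service to be running.

function Get-BpaRemotingPosture {
    # Policy key where Enable-WSManCredSSP -Role Client records its delegation targets.
    $delegationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'

    $targets = @()
    if (Test-Path $delegationKey) {
        $key = Get-Item $delegationKey
        $targets = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }

    $clientCredSSP  = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
    $serviceCredSSP = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
    $trustedHosts   = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

    $findings = @()
    foreach ($target in $targets) {
        # A wildcard target lets this client delegate credentials to every matching host.
        if ($target -match '\*') { $findings += "Wildcard CredSSP delegation target: $target" }
    }
    if ($trustedHosts -match '\*') {
        $findings += "TrustedHosts contains a wildcard: $trustedHosts"
    }
    if ($serviceCredSSP -eq 'true') {
        $findings += 'WinRM service accepts CredSSP; disable it when no remote scan is planned'
    }

    New-Object PSObject -Property @{
        ComputerName        = $env:COMPUTERNAME
        ClientCredSSP       = $clientCredSSP
        ServiceCredSSP      = $serviceCredSSP
        DelegationTargets   = $targets
        TrustedHosts        = $trustedHosts
        MaxMemoryPerShellMB = (Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
        MaxShellsPerUser    = (Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
        Findings            = $findings
    }
}

function Disable-BpaCredSSP {
    # Reverts only the CredSSP roles; PowerShell remoting itself stays enabled.
    Disable-WSManCredSSP -Role Client
    Disable-WSManCredSSP -Role Server
}

Get-BpaRemotingPosture | Format-List
```

Run Disable-BpaCredSSP once a scan has finished, and repeat the Enable-WSManCredSSP steps before the next one.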

4.4 PowerShell

For details, see 9.1 PowerShell.

To use the functionality of the Microsoft Baseline Configuration Analyzer, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

4.4.1 Run Scan

To run a full scan of the BPA on the alternate server on a named instance, you can use the following command line:

Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan servername -SQL_Server_Instance_Name instancename -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

Part of the result looks like this:

ModelId    : SQL2008R2BPA

SubModelId :

Success    : True

ScanTime   :

Success = True is important. This is the indicator that your scan was successful.

Parameter description:

-Alternate_Server_to_scan servername

-SQL_Server_Instance_Name instancename

-Analyze_SQL_Server_Engine

-Analyze_SQL_Server_Replication

-Analyze_SQL_Server_Setup

-Analyze_SQL_Analysis_Services

-Analyze_SQL_Integration_Services

-Analyze_SQL_Reporting_Services

The parameter list matches the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies that you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = Get-MbcaModel -ModelId sql2008r2bpa

$scanResult = Get-MbcaResult -ModelId sql2008r2bpa

$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration

$model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA | Where-Object { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans, to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>

$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration

$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
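
The comparison of an older scan with a newer one can be scripted against two such archives. The following is an added example, not part of the original paper: the function name and the file paths in the usage comment are hypothetical, and it assumes both archives were written with the export commands above, so that each holds the result collection followed by the collected configuration.

```powershell
# Added example: list findings that appear in only one of two archived BPA scans.

function Compare-BpaScan {
    param(
        [Parameter(Mandatory = $true)][string]$OldReport,
        [Parameter(Mandatory = $true)][string]$NewReport,
        # Severities to report; the defaults are the values the report command in 4.4.2 filters on.
        [string[]]$Severity = @('Warning', 'Error')
    )

    # Each archive holds the result collection first, then the collected configuration.
    $oldResults, $oldConfig = Import-Clixml $OldReport
    $newResults, $newConfig = Import-Clixml $NewReport

    # Properties that identify a finding; all of them appear in the report columns of 4.4.2.
    $keys = 'SubModelId', 'ComputerName', 'Category', 'Title', 'Severity'

    Compare-Object -ReferenceObject @($oldResults) -DifferenceObject @($newResults) -Property $keys |
        Where-Object { $Severity -contains "$($_.Severity)" } |
        ForEach-Object {
            # '=>' marks a finding present only in the newer scan, '<=' only in the older one.
            $state = if ($_.SideIndicator -eq '=>') { 'Only in new scan' } else { 'Only in old scan' }
            New-Object PSObject -Property @{
                State        = $state
                SubModelId   = $_.SubModelId
                ComputerName = $_.ComputerName
                Category     = $_.Category
                Severity     = "$($_.Severity)"
                Title        = $_.Title
            }
        } |
        Sort-Object State, Category, Title
}

# Usage (constructed file names):
# Compare-BpaScan -OldReport c:\export_old.xml -NewReport c:\export.xml |
#     Format-Table State, Category, Severity, Title -AutoSize
```

A finding whose severity changed between the scans shows up twice, once on each side, which makes regressions in the Security category easy to spot.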

4.4.4 Report Result Directory

The reporting result path

AppData\Microsoft\BaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or Invoke command.

Solution: save older results before you start the check.

Copy-Item -Path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -Destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddHHmmss")).ToString() -Recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\*").ToString() -Exclude Reports | Sort-Object Name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.Name).ToString() | ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation

Timestamp finished rules start and end times

Run-time scripting errors and exceptions from Power Shell Traps

Log Files Location

For every scan, log files are created in the user's Local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\< Instance Name >\< datestamp_timestamp >\< Log files >

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file is generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt

Engine Rules - EngineLog.txt

Replication Rules - ReplicationLog.txt

Setup Rules - SetupLog.txt

Analysis Services Rules - AnalysisServicesLog.txt

Reporting Services Rules - ReportingServicesLog.txt

Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 - The NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370

Both of the rules below will function properly if you apply this hotfix. For more information, look here.

5.3 MBCA

This message indicates that a prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in result set of the analyzer report?

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should check first if the Hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started.

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application

Source: MsiInstaller

Date: 6/10/2010 8:38:18 AM

Event ID: 11722

Task Category: None

Level: Error

Keywords: Classic

User: <Username>

Computer: <Machine name>

Description:

Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is "Access Denied".

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges

2. Change to the directory where the .msi file resides

3. Type msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails with the above error because of a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the Machine Account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS Web Application such as SharePoint, or if you are using Reporting Services and the service account is set to a Domain User account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.

Possible causes are:

-The user name or password specified are invalid.

-Kerberos is used when no authentication method and no user name are specified.

-Kerberos accepts domain user names, but not local user names.

-The Service Principal Name (SPN) for the remote computer name and port does not exist.

-The client and remote computers are in different domains and there is no trust between the two domains.

After checking for the above issues, try the following:

-Check the Event Viewer for events related to authentication.

-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

Note that computers in the TrustedHosts list might not be authenticated.

-For more information about WinRM configuration, run the following command: winrm help config.

At line:50 char:33

+ Set-WSManQuickConfig <<<< -force

+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException

+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a Host Header; then your HTTP SPN would not include the machine name, allowing BPA to run without issue.
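
Before removing anything, confirm that an HTTP SPN for the machine name really is registered on another account. The following is an added example, not part of the original paper: the function name is hypothetical, and it assumes a domain-joined machine with a setspn.exe that supports the -Q query switch (Windows Server 2008 or later).

```powershell
# Added example: find HTTP SPNs for this machine's names that another account holds.

function Find-ConflictingHttpSpn {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Check both the NetBIOS name and the fully qualified name of the machine.
    $fqdn  = [System.Net.Dns]::GetHostEntry($ComputerName).HostName
    $names = @($ComputerName, $fqdn) | Select-Object -Unique

    foreach ($name in $names) {
        $spn = "HTTP/$name"

        # setspn -Q prints the distinguished name of every account that holds the SPN.
        $holders = @(setspn.exe -Q $spn |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -match '^CN=' })

        foreach ($dn in $holders) {
            # The machine account's own distinguished name starts with CN=<computer name>.
            $isMachine = $dn -match ('^CN=' + [regex]::Escape($ComputerName) + ',')

            New-Object PSObject -Property @{
                Spn      = $spn
                Holder   = $dn
                # True when the SPN sits on a different account: the case described above.
                Conflict = -not $isMachine
            }
        }
    }
}

Find-ConflictingHttpSpn | Format-Table Spn, Conflict, Holder -AutoSize
```

No output means no explicit HTTP SPN exists for either name, so the Negotiate error has one of the other causes listed in the WinRM message.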

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals:

Here is an example of one of these articles, which talks about a rule to check for a recent "clean" CHECKDB:

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level - Description

Noncompliant - Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant - Compliant results are returned when a role satisfies the conditions of a rule.

Warning - Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name - Description

Security - Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance - Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration - Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy - Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation - Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment - Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.

Postdeployment - Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.

BPA Prerequisites - BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules, with the links to the rule descriptions. These rules check that you have a secure, resilient and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)

Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)

Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)

non-default network packet size in use (http://support.microsoft.com/kb/2157175)

degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)

Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)

SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)

SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)

Trustworthy Bit (http://support.microsoft.com/kb/2183687)

Symmetric Keys Check (http://support.microsoft.com/kb/2162020)

Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)

SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)

Windows API calls intercepted (http://support.microsoft.com/kb/2033238)

unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)

Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)

non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)

Guest Permissions (http://support.microsoft.com/kb/2186935)

Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)

IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)

IO device errors detected (http://support.microsoft.com/kb/2091098)

IO errors during page faults detected (http://support.microsoft.com/kb/2091098)

cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)

disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)

failed IO requests detected (http://support.microsoft.com/kb/2091098)

IO requests are successful when retried (http://support.microsoft.com/kb/2015757)

IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)

This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)

tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)

Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)

Logical consistency errors detected (http://support.microsoft.com/kb/2152472)

Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)

SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)

incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114

Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154

Potential security issue with legacy DTS stored procedures

httpsupportmicrosoftcomkb2202875

Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448

Databases using simple recovery model httpsupportmicrosoftcomkb2137539

User database collation different from model httpsupportmicrosoftcomkb2026108

Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537

Databases have auto close option enabled httpsupportmicrosoftcomkb2160685

LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098

SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845

SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447

Invalid startup parameters httpsupportmicrosoftcomkb2028433

MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550

sql incorrect results fix missing httpsupportmicrosoftcomkb971780

File System needs tuning for better FileStream performance

httpsupportmicrosoftcomkb2160002

linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US

Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098

default extended event health session not in expected state

httpsupportmicrosoftcomkb2160570

TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483

FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720

Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720

A required Windows fix to avoid sparse file related problems is missing

httpsupportmicrosoftcomkb2002606

Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324

Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589

Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345

backups outdated for databases http://support.microsoft.com/kb/2027537

Database consistency check not current http://support.microsoft.com/kb/2033590

SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US

Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024

Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098

Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098

SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US

Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098

Agent Token Replacement http://support.microsoft.com/kb/2202637

Auditing Log in failures http://support.microsoft.com/kb/2187161

Databases with high number of VLF present http://support.microsoft.com/kb/2028436

Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900

Permission on the Binn folder http://support.microsoft.com/kb/2029023

Index Statistics Are Outdated

Server public permissions http://support.microsoft.com/kb/2160698

Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions:

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005

Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474

Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031

Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472

Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497

Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855

Server is running a build with a known regression http://support.microsoft.com/kb/2157941

Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754

Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761

No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769

UnknownMember set to hidden http://support.microsoft.com/kb/2027628

Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138

Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143

ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742

Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299

An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418

Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443

Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327

Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459

Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460

Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468

Redundant attribute relationships detected http://support.microsoft.com/kb/2127437

Diamond-shape relationship detected http://support.microsoft.com/kb/2127570

Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862

Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541

No Time dimension detected http://support.microsoft.com/kb/2027532

More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431

Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918

Single attribute dimensions detected http://support.microsoft.com/kb/2141654

Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603

Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112

Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506

HTTP Logging is not enabled http://support.microsoft.com/kb/2145909

Verbose logging is enabled http://support.microsoft.com/kb/2146315

NTLM authentication may fail for local http://support.microsoft.com/kb/2146369

Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723

ActiveX Script task detected in package http://support.microsoft.com/kb/2027712

Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684

Integration Services logging table found in system database master and or msdb http://support.microsoft.com/kb/2027706

Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients - would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences - the involvement of Microsoft Support and the final solution - adding a needed trace flag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required: false

Position: 2

Default value:

Accept pipeline input: true (By Value, By Property Name)

Accept wildcard characters: False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required: false

Position: 3

Default value:

Accept pipeline input: false

Accept wildcard characters: false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required: false

Position: named

Default value: Default

Accept pipeline input: false

Accept wildcard characters: false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X.509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis and All.

Required: false

Position: named

Default value: All

Accept pipeline input: false

Accept wildcard characters: false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required: true

Position: 2

Default value:

Accept pipeline input: true (By Value, By Property Name)

Accept wildcard characters: False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required: false

Position: named

Default value: 80

Accept pipeline input: false

Accept wildcard characters: false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required: true

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required: false

Position: named

Default value: 32

Accept pipeline input: false

Accept wildcard characters: false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts a MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required: false

Position: 3

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant or All results. Valid values are Noncompliant, Compliant or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required: true

Position: 2

Default value:

Accept pipeline input: true (By Value, By Property Name)

Accept wildcard characters: False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required: true

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the model that is represented by Model Id

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

Page 54

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

Further information about the configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.

Page 57

Did this paper help you? Please give us your feedback. Tell us on a scale of 1 (poor) to 5 (excellent), how would you rate this paper and why have you given it this rating? For example:

Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason?

Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?

This feedback will help us improve the quality of white papers we release.

Send feedback.

Page 23: SQL2008R2 BPA Whitepaper v10

Page 23

Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

The result looks like this part:

ModelId    : SQL2008R2BPA
SubModelId :
Success    : True
ScanTime   :

Success = True is important. This is the indicator that your scan was successful.

Parameter description

-Alternate_Server_to_scan servername

-SQL_Server_Instance_Name instancename

-Analyze_SQL_Server_Engine

-Analyze_SQL_Server_Replication

-Analyze_SQL_Server_Setup

-Analyze_SQL_Analysis_Services

-Analyze_SQL_Integration_Services

-Analyze_SQL_Reporting_Services

The parameter list corresponds to the parameter screen in the GUI.

The scans of the different services are optional. You can remove technologies which you do not need to scan.

The next example starts the scan only for the Analysis Services on the alternate server "servername" and for the named instance "instance". A log file will be written to "c:\temp\ssas.txt".

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -ComputerName servername -SqlServerInstance instance -SSASLogFile c:\temp\ssas.txt

Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName computername -SqlServerInstance servername -CurrentLoginName ($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report

$model = Get-MbcaModel -ModelId sql2008r2bpa
$scanResult = Get-MbcaResult -ModelId sql2008r2bpa
$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration
$model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml

Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices | ConvertTo-Html | Add-Content -Path c:\test.html

The next command retrieves the results of the most recent BPA scan for the specified model and saves them in HTML format, applying the standard cascading style sheets that are stored in the path %windir%\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css. If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA |
    Where { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } |
    ConvertTo-Html -As Table `
        -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help `
        -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" `
        -Title "SQL Server 2008 Best Practice Analyzer" `
        -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() `
        -pre "<P>Generated by user $env:username on computer $env:computername</P>" `
        -post "For details contact Microsoft Premier" `
        -CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css" > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>
$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration
$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
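The comparison of older and more recent scans mentioned above can be scripted. The following is an added example, not code from the whitepaper: Compare-BpaScan and New-SampleResult are hypothetical helpers, the sample findings are constructed, and the property names are the ones the report commands on this page pass to ConvertTo-Html -Property.

```powershell
# Added example (not from the whitepaper): diff two BPA result sets so that new
# findings and severity changes stand out between an archived and a current scan.

function Compare-BpaScan {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Previous,
        [Parameter(Mandatory = $true)] [object[]] $Current
    )

    # A finding is identified by where it was found and which rule raised it.
    function Get-Key($r) { '{0}|{1}|{2}' -f $r.SubModelId, $r.ComputerName, $r.Title }

    function New-Row($change, $r, $was) {
        New-Object PSObject -Property @{
            Change = $change; Was = $was; Severity = $r.Severity
            Category = $r.Category; ComputerName = $r.ComputerName; Title = $r.Title
        } | Select-Object Change, Was, Severity, Category, ComputerName, Title
    }

    # Index the older scan by finding key.
    $old = @{}
    foreach ($r in $Previous) { $old[(Get-Key $r)] = $r }

    # Walk the newer scan: report findings that are new or changed severity.
    $seen = @{}
    foreach ($r in $Current) {
        $k = Get-Key $r
        $seen[$k] = $true
        if (-not $old.ContainsKey($k)) {
            New-Row 'New' $r $null
        } elseif ($old[$k].Severity -ne $r.Severity) {
            New-Row 'SeverityChanged' $r $old[$k].Severity
        }
    }

    # Findings present in the older scan only.
    foreach ($k in $old.Keys) {
        if (-not $seen.ContainsKey($k)) {
            New-Row 'NotReported' $old[$k] $old[$k].Severity
        }
    }
}

# Constructed sample data standing in for two archived scans.
function New-SampleResult($sub, $sev, $cat, $title) {
    New-Object PSObject -Property @{
        SubModelId = $sub; ComputerName = 'SQL01'
        Severity = $sev; Category = $cat; Title = $title
    }
}

$previous = @(
    (New-SampleResult 'Engine' 'Error'   'Security'    'Guest Permissions'),
    (New-SampleResult 'Engine' 'Warning' 'Security'    'Auditing Log in failures'),
    (New-SampleResult 'Engine' 'Warning' 'Performance' 'Databases have auto close option enabled')
)
$current = @(
    (New-SampleResult 'Engine' 'Error'   'Security'    'Auditing Log in failures'),
    (New-SampleResult 'Engine' 'Warning' 'Performance' 'Databases have auto close option enabled'),
    (New-SampleResult 'Engine' 'Error'   'Security'    'Trustworthy Bit')
)

Compare-BpaScan -Previous $previous -Current $current |
    Sort-Object Category, Change |
    Format-Table -AutoSize

# With real archives, load each result set with Import-CliXml as shown above
# and pass the two result collections as -Previous and -Current.
```

A row marked NotReported is not proof of a fix: the finding also drops out when the later scan did not include that sub-model, so check the scan scope before closing it.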

4.4.4 Report Result Directory

The reporting result path

AppData\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

will be overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check.

Copy-Item -Path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() `
    -Destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() `
    -Recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -Exclude Reports | Sort-Object name -Descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.name).ToString() |
    ConvertTo-Html -As Table `
        -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help `
        -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" `
        -Title "SQL Server 2008 Best Practice Analyzer" `
        -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() `
        -pre "<P>Generated by user $env:username on computer $env:computername</P>" `
        -post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

Page 26

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation
Timestamp, finished rules, start and end times
Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user's local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file gets generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt
Engine Rules - EngineLog.txt
Replication Rules - ReplicationLog.txt
Setup Rules - SetupLog.txt
Analysis Services Rules - AnalysisServicesLog.txt
Reporting Services Rules - ReportingServicesLog.txt
Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 - the NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370.

Both of the rules above will function properly if you apply this hotfix. For more information, look here.

Page 27

5.3 MBCA

This message indicates that a prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the instance name in the result set of the analyzer report?

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB or less memory. This default limit is significantly small, and once it is reached there could be a WinRM exception, and the remote connection terminates immediately. Any application or cmdlet which is involved in PowerShell remoting should be tested for this memory limit; it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limitation to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

Page 28

You should check first if the hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started.

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

Page 29

If you have no permission to access the remote server, you get the error message:

Page 30

5.7 Installation

5.7.1 PowerShell error

After getting through the pre-reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

Page 31

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is "Access Denied".

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.
2. Change to the directory where the msi file resides.
3. Type msiexec /i <MSI Name> SKIPCA=1
4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.
5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.
6. Execute the following commands:
   a. Enable-PSRemoting
   b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, you are failing with the above error due to a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the Machine Account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS Web Application such as SharePoint, or if you are using Reporting Services and the service account is set to a Domain User account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a Host Header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.
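To confirm whether the HTTP SPN scenario described above applies to a server before changing any SPNs, the check below lists HTTP SPNs that carry the machine's name but are registered on an account other than the machine account. It is an added example, not code from the whitepaper: the function names are hypothetical, the sample records and the example.test domain are constructed, and the directory lookup assumes a domain-joined machine with read access to Active Directory.

```powershell
# Added example (not from the whitepaper): find HTTP/<machine> SPNs that live on
# an account other than the machine account, the condition section 5.7.3
# describes as breaking Kerberos authentication for WinRM.

# Directory lookup: returns Account/Spn pairs for every account that holds an
# HTTP SPN for the short or fully qualified host name. SPNs registered with an
# explicit port (HTTP/host:port) are not matched by this exact-match filter.
function Get-HttpSpnRecord {
    param([string] $ComputerName = $env:COMPUTERNAME)

    $fqdn  = [System.Net.Dns]::GetHostEntry($ComputerName).HostName
    $short = $fqdn.Split('.')[0]
    $searcher = [adsisearcher]"(|(servicePrincipalName=HTTP/$short)(servicePrincipalName=HTTP/$fqdn))"
    $searcher.PropertiesToLoad.AddRange(@('samaccountname', 'serviceprincipalname'))

    foreach ($hit in $searcher.FindAll()) {
        foreach ($spn in $hit.Properties['serviceprincipalname']) {
            New-Object PSObject -Property @{
                Account = [string]$hit.Properties['samaccountname'][0]
                Spn     = [string]$spn
            }
        }
    }
}

# Pure decision logic, usable on live records or on exported data.
function Find-HttpSpnConflict {
    param(
        [Parameter(Mandatory = $true)] [string]   $ComputerName,
        [Parameter(Mandatory = $true)] [object[]] $SpnRecord
    )

    $short = $ComputerName.Split('.')[0]
    $machineAccount = "$short`$"          # machine accounts end in '$'

    foreach ($rec in $SpnRecord) {
        if ($rec.Spn -match '^HTTP/([^:/]+)') {
            $spnHost  = $Matches[1]
            $sameHost = ($spnHost -eq $short) -or ($spnHost -like "$short.*")
            if ($sameHost -and $rec.Account -ne $machineAccount) { $rec }
        }
    }
}

# Constructed sample records: a reporting service account that registered
# HTTP SPNs under the machine name, and a web application on a host header.
$sample = @(
    (New-Object PSObject -Property @{ Account = 'SQL01$';      Spn = 'HOST/SQL01' }),
    (New-Object PSObject -Property @{ Account = 'svc-reports'; Spn = 'HTTP/SQL01' }),
    (New-Object PSObject -Property @{ Account = 'svc-reports'; Spn = 'HTTP/sql01.example.test' }),
    (New-Object PSObject -Property @{ Account = 'svc-web';     Spn = 'HTTP/intranet.example.test' })
)

Find-HttpSpnConflict -ComputerName 'SQL01' -SpnRecord $sample |
    Format-Table Account, Spn -AutoSize

# On a domain-joined server, check the live directory instead:
# Find-HttpSpnConflict -ComputerName $env:COMPUTERNAME -SpnRecord (Get-HttpSpnRecord)
```

In the constructed data only the two svc-reports entries are reported; the host-header SPN on svc-web does not use the machine name and therefore does not interfere, which is the second option the section describes.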

Page 33

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals:

Here is an example of one of these articles, which talks about a rule to check for a recent "clean" CHECKDB:

Page 34

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level: Description

Noncompliant: Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant: Compliant results are returned when a role satisfies the conditions of a rule.

Warning: Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

Page 35

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name: Description

Security: Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance: Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration: Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy: Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation: Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment: Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before the role is used in production.

Postdeployment: Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.

BPA Prerequisites: BPA Prerequisite rules explain configuration settings, policy settings and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules, with the links to the rule descriptions. These rules check that you have a secure, resilient and well performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)

Page 36

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114
Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154
Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875
Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448
Databases using simple recovery model http://support.microsoft.com/kb/2137539
User database collation different from model http://support.microsoft.com/kb/2026108
Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537
Databases have auto close option enabled http://support.microsoft.com/kb/2160685
LSI SAS drivers needs update http://support.microsoft.com/kb/2121098
SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845
SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447
Invalid startup parameters http://support.microsoft.com/kb/2028433
MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550
sql incorrect results fix missing http://support.microsoft.com/kb/971780
File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002
linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US
Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098
default extended event health session not in expected state http://support.microsoft.com/kb/2160570
TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483
FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720
Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720
A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606

Page 37

Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324
Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589
Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345
backups outdated for databases http://support.microsoft.com/kb/2027537
Database consistency check not current http://support.microsoft.com/kb/2033590
SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US
Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024
Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098
Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098
SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US
Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098
Agent Token Replacement http://support.microsoft.com/kb/2202637
Auditing Log in failures http://support.microsoft.com/kb/2187161
Databases with high number of VLF present http://support.microsoft.com/kb/2028436
Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900
Permission on the Binn folder http://support.microsoft.com/kb/2029023
Index Statistics Are Outdated
Server public permissions http://support.microsoft.com/kb/2160698
Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules, with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005
Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474
Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031
Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472
Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497
Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855
Server is running a build with a known regression http://support.microsoft.com/kb/2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754
Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761
No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769
UnknownMember set to hidden http://support.microsoft.com/kb/2027628
Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138
Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742

Page 38

Account or Time attribute types defined in a non-matching dimension type

httpsupportmicrosoftcomkb2157299

An Account or Time dimension has no matching attribute defined

httpsupportmicrosoftcomkb2027418

Dimension has no attribute defined with the same type

httpsupportmicrosoftcomkb2027443

Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327

Mismatched dimension attribute types detected in dimension

httpsupportmicrosoftcomkb2027459

Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460

Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468

Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437

Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570

Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862

Proactive Caching set for dimension without a processing query

httpsupportmicrosoftcomkb2027541

No Time dimension detected httpsupportmicrosoftcomkb2027532

More than 3 parent-child dimensions with custom rollups defined

httpsupportmicrosoftcomkb2134431

Encountered a parent-child dimension with more than 500000 members

httpsupportmicrosoftcomkb2131918

Single attribute dimensions detected httpsupportmicrosoftcomkb2141654

Measure groups with zero dimensional overlap detected in cube

httpsupportmicrosoftcomkb2027609

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective

httpsupportmicrosoftcomkb2027603

Use MOLAP storage for dimensions that participate in semi-additive measure groups

httpsupportmicrosoftcomkb2135112

Measure group defined with no partition httpsupportmicrosoftcomkb2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506

HTTP Logging is not enabled http://support.microsoft.com/kb/2145909

Verbose logging is enabled http://support.microsoft.com/kb/2146315

NTLM authentication may fail for local http://support.microsoft.com/kb/2146369

Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723

ActiveX Script task detected in package http://support.microsoft.com/kb/2027712

Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684

Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706

Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article “Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates” the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it’s a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob’s article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration. Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role is preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id, for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.
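The Get-MBCAModel, Invoke-MBCAModel and Get-MBCAResult cmdlets described above, chained into one scan-and-archive run. This is an added example, not code from the whitepaper; it uses only the cmdlets and parameters documented above, and the output folder and file names are assumptions.

```powershell
# Added example, not from the whitepaper: run the SQL Server 2008 R2 BPA scan
# and archive both the noncompliant findings and the collected configuration.
# Assumption: the output folder and file names below are hypothetical.

$ModelId   = 'SQL2008R2BPA'
$OutDir    = Join-Path $env:TEMP 'SQL2008R2BPA-scan'          # hypothetical folder
$Findings  = Join-Path $OutDir 'noncompliant.xml'             # hypothetical file
$Collected = Join-Path $OutDir 'collected-configuration.xml'  # hypothetical file

# The MBCA cmdlets require membership in the Administrators group and an
# elevated session (Run as Administrator), so fail early if that is missing.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Start Windows PowerShell with Run as Administrator and run the script again.'
}

Import-Module BaselineConfigurationAnalyzer -ErrorAction Stop

# Confirm that the model is installed before starting a scan.
$model = Get-MBCAModel -ModelId $ModelId
if (-not $model) {
    throw "MBCA model '$ModelId' is not installed on this computer."
}

# Show the model-specific parameters (if any) that Invoke-MBCAModel accepts
# for this model, so they can be added to the scan command below.
$model.Parameters

if (-not (Test-Path $OutDir)) {
    New-Item -ItemType Directory -Path $OutDir | Out-Null
}

# Discovery and analysis in one pass (the default -Mode All), as in Example 1.
$scan = Invoke-MBCAModel -ModelId $ModelId -ErrorAction Stop
$scan | Format-List *

# Retrieve only the noncompliant results of the scan that just completed.
# @() keeps .Count meaningful when zero or one result comes back.
$noncompliant = @(Get-MBCAResult -ModelId $ModelId -Filter Noncompliant)
'{0} noncompliant result(s) for model {1}' -f $noncompliant.Count, $ModelId
$noncompliant | Export-Clixml -Path $Findings

# Archive the configuration data the scan collected. DiscoveryDocument is a
# System.Xml.XmlDocument, so it can be written to disk with Save().
$config = Get-MBCAResult -ModelId $ModelId -CollectedConfiguration
$config.DiscoveryDocument.Save($Collected)
```

Both files describe the server's configuration and its deviations in detail, so keep the output folder readable by administrators only.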

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude ltBooleangt

Excludes scan results from the results collection that were previously obtained by the Get-

MBCAResult command To exclude results by using the -Exclude parameter add the value $true

following the parameter as shown

-Exclude $true

To include results that have been excluded use the $false value for the -Exclude parameter

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepostitoryPath ltstringgt

The -RepositoryPath parameter is used to specify a non-default location of the results repository

The valid value for this parameter is a path name If the parameter is not used the cmdlet

modifies results from the default result repository

Required false

Page 55

Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results ltResultgtgt

Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results

parameter is typically used to specify a filtered subset of scan results that has already been

stored in a variable the variable name is provided as the valid value for the -Results parameter

For example if you have created a variable $allPerformance to store all the Performance

category results for an MBCA scan of all models on a computer and you want to exclude those

Performance results from the complete collection of scan results you add the parameter -Results

$all Performance to a Set-MBCAResult cmdlet

For a more detailed example see the Examples section of the Help for this cmdlet

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

ltCommonParametersgt

This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable

WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-

help about_commonparameters

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file the operation is

cancelled and the results file is not modified If cancellation occurs after the results file has been

modified the commands actions are carried out and the command cannot be cancelled

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }
Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

Further information about the configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.

Did this paper help you? Please give us your feedback. Tell us on a scale of 1 (poor) to 5 (excellent), how would you rate this paper and why have you given it this rating? For example:

Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason?

Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?

This feedback will help us improve the quality of white papers we release.

ss If you want to substitute cascading style sheets, provide the path to the different cascading style sheets.

Get-MBCAResult -ModelId SQL2008R2BPA |
Where { $_.Severity -eq "Warning" -or $_.Severity -eq "Error" } |
ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" -CssUri $env BestPracticesReportFormat.css > c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult

You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML report that you can open for viewing in the future, either by using Get-MBCAResult or by using the MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure the progress of your best practice compliance.

Example of exporting to XML:

$results = Get-MBCAResult <Model Id>
$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration
$results, $collectedconfig | Export-CliXml c:\export.xml

Example of opening an archived XML report file:

$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
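Comparing an archived export with a fresh scan, which is the purpose of exporting described above, can be scripted. The following is an added example, not code from the whitepaper: the function names and the sample results are constructed for illustration, and it assumes that result objects expose the ComputerName, SubModelID, Severity, Category and Title properties used by the report commands on this page.

```powershell
# Added example (not from the whitepaper): diff two sets of BPA results.
# Assumption: each result exposes ComputerName, SubModelID, Severity,
# Category and Title, as used by the ConvertTo-Html report commands.

function Get-OpenFinding {
    # Index Warning/Error results by computer, submodel and rule title.
    param([object[]]$Result)
    $open = @{}
    foreach ($r in $Result) {
        if ($r.Severity -eq 'Warning' -or $r.Severity -eq 'Error') {
            $key = '{0}|{1}|{2}' -f $r.ComputerName, $r.SubModelID, $r.Title
            $open[$key] = $r
        }
    }
    return $open
}

function Compare-BpaScan {
    # Emits one object per finding, marked New, Resolved or StillOpen.
    param([object[]]$Old, [object[]]$New)
    $before = Get-OpenFinding $Old
    $after  = Get-OpenFinding $New
    foreach ($key in (@($before.Keys) + @($after.Keys) | Sort-Object -Unique)) {
        if ($before.ContainsKey($key) -and $after.ContainsKey($key)) { $status = 'StillOpen' }
        elseif ($after.ContainsKey($key)) { $status = 'New' }
        else { $status = 'Resolved' }

        # Report the most recent state of the finding where one exists.
        if ($after.ContainsKey($key)) { $r = $after[$key] } else { $r = $before[$key] }
        New-Object PSObject -Property @{
            Status = $status; Severity = $r.Severity; Category = $r.Category
            ComputerName = $r.ComputerName; Title = $r.Title
        } | Select-Object Status, Severity, Category, ComputerName, Title
    }
}

# Constructed sample data. The titles are rule names from this paper; the
# computer name, submodel, severities and categories are made up.
function New-SampleResult {
    param($Severity, $Category, $Title)
    New-Object PSObject -Property @{
        ComputerName = 'SQLTEST01'; SubModelID = 'Engine'
        Severity = $Severity; Category = $Category; Title = $Title
    }
}

$oldScan = @(
    (New-SampleResult 'Error'   'Security'      'Guest Permissions'),
    (New-SampleResult 'Warning' 'Security'      'Trustworthy Bit'),
    (New-SampleResult 'Warning' 'Configuration' 'Databases have auto close option enabled')
)
$newScan = @(
    (New-SampleResult 'Warning' 'Security'      'Trustworthy Bit'),
    (New-SampleResult 'Error'   'Security'      'Authentication Mode')
)

Compare-BpaScan -Old $oldScan -New $newScan |
    Sort-Object Status, Title |
    Format-Table -AutoSize

# With real data, following the export and import commands above:
#   $old, $oldConfig = Import-CliXml c:\export.xml
#   Compare-BpaScan -Old $old -New (Get-MBCAResult -ModelId SQL2008R2BPA)
```

A finding that appears as New in the Security category after a change window is the case to review first; Resolved entries show the progress that the archived scans are kept to measure.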

4.4.4 Report Result Directory

The reporting result path

AppDataMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults

will be overwritten during each run of the tool or invoke command.

Solution: save older results before you start the check.

copy-item -path ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString() -destination ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() -recurse

Afterwards you can create a report with the following command:

$prevrepPath = (Get-ChildItem ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\").ToString() -exclude Reports | Sort-Object name -descending)[0]

Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata + "\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" + $prevrepPath.name).ToString() |
ConvertTo-Html -As Table -Property ResultNumber, SubModelID, ComputerName, Severity, Category, Title, Problem, Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -Body ("<p>Report creation date " + (Get-Date).ToString("ddMMyyyy hhmmss") + "</p>").ToString() -Pre "<P>Generated by user $env:username on computer $env:computername</P>" -Post "For details contact Microsoft Premier" > c:\temp\sql2008r2bpa.htm

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation
Timestamp, finished rules, start and end times
Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user's local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\< Instance Name >\< datestamp_timestamp >\< Log files >.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file is generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt
Engine Rules - EngineLog.txt
Replication Rules - ReplicationLog.txt
Setup Rules - SetupLog.txt
Analysis Services Rules - AnalysisServicesLog.txt
Reporting Services Rules - ReportingServicesLog.txt
Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 - the NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370.

Both of the rules below will function properly if you apply this hotfix. For more information, look here.

5.3 MBCA

This message indicates that one prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the instance name in the result set of the analyzer report?

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached, a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail (for example, site collection creation).

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should check first if the Hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started.

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the pre-reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is "Access Denied". To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.
2. Change to the directory where the msi file resides.
3. Type msiexec /i <MSI Name> SKIPCA=1
4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.
5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.
6. Execute the following commands:
   a. Enable-PSRemoting
   b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails with the above error because of a Kerberos issue. This particular issue could also show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS web application such as SharePoint, or if you are using Reporting Services and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in: WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
  Note that computers in the TrustedHosts list might not be authenticated.
  -For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a domain account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a host header; then your HTTP SPN would not include the machine name, allowing BPA to run without issue.
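To confirm that the HTTP SPN scenario described above is what you are hitting, you can check which Active Directory account holds an HTTP SPN for the machine name. The following is an added example, not code from the whitepaper: the function names, account names and host names are constructed for illustration, and the live lookup assumes a domain-joined computer with read access to the directory.

```powershell
# Added example (not from the whitepaper): find HTTP SPNs for this machine's
# name that are registered on an account other than the machine account.
# WinRM runs as Network Service and is served by the HOST SPN on the machine
# account, so an HTTP/<machine> SPN on another account is the conflict.

function Get-HttpSpnHolder {
    # Live lookup in the current domain for HTTP/<name> and HTTP/<name>:<port>.
    param([string[]]$HostName)
    foreach ($h in $HostName) {
        $filter = "(|(servicePrincipalName=HTTP/${h})(servicePrincipalName=HTTP/${h}:*))"
        $searcher = [adsisearcher]$filter
        $searcher.PropertiesToLoad.AddRange(@('samaccountname', 'serviceprincipalname'))
        foreach ($entry in $searcher.FindAll()) {
            New-Object PSObject -Property @{
                SamAccountName       = [string]$entry.Properties['samaccountname'][0]
                ServicePrincipalName = @($entry.Properties['serviceprincipalname'])
            }
        }
    }
}

function Find-HttpSpnConflict {
    # Returns every HTTP SPN for the given host names that sits on an
    # account other than <ComputerName>$.
    param(
        [string]$ComputerName,   # NetBIOS name of the BPA machine
        [string[]]$HostName,     # names to test, e.g. NetBIOS name and FQDN
        [object[]]$Account       # objects with SamAccountName, ServicePrincipalName
    )
    $machineAccount = $ComputerName + '$'
    $names = @($HostName | Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) })
    $pattern = '^HTTP/(' + ($names -join '|') + ')(:\d+)?$'
    foreach ($a in $Account) {
        if ($a.SamAccountName -eq $machineAccount) { continue }
        foreach ($spn in $a.ServicePrincipalName) {
            if ($spn -match $pattern) {
                New-Object PSObject -Property @{ Account = $a.SamAccountName; Spn = $spn } |
                    Select-Object Account, Spn
            }
        }
    }
}

# Constructed sample directory data so the check can be run without a domain.
$sample = @(
    (New-Object PSObject -Property @{
        SamAccountName       = 'SQLBPA01$'
        ServicePrincipalName = @('HOST/SQLBPA01', 'HOST/sqlbpa01.example.test') }),
    (New-Object PSObject -Property @{
        SamAccountName       = 'svc-reporting'
        ServicePrincipalName = @('HTTP/SQLBPA01', 'HTTP/sqlbpa01.example.test:8080') }),
    (New-Object PSObject -Property @{
        SamAccountName       = 'svc-portal'
        ServicePrincipalName = @('HTTP/portal.example.test') })
)

Find-HttpSpnConflict -ComputerName 'SQLBPA01' `
    -HostName 'SQLBPA01', 'sqlbpa01.example.test' -Account $sample |
    Format-Table -AutoSize

# Against the live domain:
#   $fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
#   $names = $env:COMPUTERNAME, $fqdn
#   Find-HttpSpnConflict -ComputerName $env:COMPUTERNAME -HostName $names `
#       -Account (Get-HttpSpnHolder -HostName $names)
```

In the sample data, both SPNs on svc-reporting are reported and svc-portal is not, because its SPN uses a different host name, which is the host header arrangement the section suggests as an alternative.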

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals

Here is an example of one of these articles that talks about a rule to check for a recent "clean" CHECKDB:

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level: Description

Noncompliant: Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant: Compliant results are returned when a role satisfies the conditions of a rule.

Warning: Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name: Description

Security: Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance: Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration: Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy: Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation: Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment: Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.

Postdeployment: Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.

BPA Prerequisites: BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC/BDC (http://support.microsoft.com/kb/2032911)
SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)
Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)
Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)
Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)
Databases using simple recovery model (http://support.microsoft.com/kb/2137539)
User database collation different from model (http://support.microsoft.com/kb/2026108)
Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)
Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)
LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)
SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)
SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)
Invalid startup parameters (http://support.microsoft.com/kb/2028433)
MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)
sql incorrect results fix missing (http://support.microsoft.com/kb/971780)
File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)
linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)
Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)
default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)
TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)
FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)
Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)
A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)
Significant Portion of SQL Server Memory Has Been Paged Out (http://support.microsoft.com/kb/2028324)
Server Exception or Hang Detected on Server (http://support.microsoft.com/kb/2028589)
Databases exist without CHECKSUM protection (http://support.microsoft.com/kb/2078345)
backups outdated for databases (http://support.microsoft.com/kb/2027537)
Database consistency check not current (http://support.microsoft.com/kb/2033590)
SQL Server Memory settings are incorrect (http://support.microsoft.com/KB/918483/EN-US)
Autogrow Failed or took a long time (http://support.microsoft.com/kb/2091024)
Storport driver fix from KBA 940467 missing (http://support.microsoft.com/kb/2121098)
Storport driver fix from KBA 950903 missing (http://support.microsoft.com/kb/2121098)
SQLCLR needs additional memory configuration (http://support.microsoft.com/kb/969962/EN-US)
Operating System files and drivers needs update for working set trimming (http://support.microsoft.com/kb/2121098)
Agent Token Replacement (http://support.microsoft.com/kb/2202637)
Auditing Log in failures (http://support.microsoft.com/kb/2187161)
Databases with high number of VLF present (http://support.microsoft.com/kb/2028436)
Transparent Data Encryption Certificate (http://support.microsoft.com/kb/2201900)
Permission on the Binn folder (http://support.microsoft.com/kb/2029023)
Index Statistics Are Outdated
Server public permissions (http://support.microsoft.com/kb/2160698)
Detected use of older versions of SQLNCLI (http://support.microsoft.com/kb/979779)

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services (http://support.microsoft.com/kb/2128005)
Excessive amount of memory preallocated to Analysis Services (http://support.microsoft.com/kb/2027474)
Server not configured for optimal concurrent query throughput (http://support.microsoft.com/kb/2135031)
Non standard value detected for Analysis Services memory configuration (http://support.microsoft.com/kb/2027472)
Process Thread Pool Max limit above recommended limit (http://support.microsoft.com/kb/2134497)
Process Thread Pool Minimum is below the recommended limit (http://support.microsoft.com/kb/2134855)
Server is running a build with a known regression (http://support.microsoft.com/kb/2157941)
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur (http://support.microsoft.com/kb/2027754)
Server is ignoring duplicate key errors (http://support.microsoft.com/kb/2027761)
No default member defined for non-aggregatable attribute (http://support.microsoft.com/kb/2027769)
UnknownMember set to hidden (http://support.microsoft.com/kb/2027628)
Non-numeric key column for high cardinality attribute (http://support.microsoft.com/kb/2028138)
Attribute hierarchy enabled for high cardinality non-key attribute (http://support.microsoft.com/kb/2028143)
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected (http://support.microsoft.com/kb/2132742)
Account or Time attribute types defined in a non-matching dimension type (http://support.microsoft.com/kb/2157299)
An Account or Time dimension has no matching attribute defined (http://support.microsoft.com/kb/2027418)
Dimension has no attribute defined with the same type (http://support.microsoft.com/kb/2027443)
Attribute Dimension type mismatch (http://support.microsoft.com/kb/2157327)
Mismatched dimension attribute types detected in dimension (http://support.microsoft.com/kb/2027459)
Possible incorrect order of levels defined in hierarchy (http://support.microsoft.com/kb/2027460)
Define attribute relationships as Rigid where possible (http://support.microsoft.com/kb/2027468)
Redundant attribute relationships detected (http://support.microsoft.com/kb/2127437)
Diamond-shape relationship detected (http://support.microsoft.com/kb/2127570)
Non-Standard Attribute Relationship name detected (http://support.microsoft.com/kb/2127862)
Proactive Caching set for dimension without a processing query (http://support.microsoft.com/kb/2027541)
No Time dimension detected (http://support.microsoft.com/kb/2027532)
More than 3 parent-child dimensions with custom rollups defined (http://support.microsoft.com/kb/2134431)
Encountered a parent-child dimension with more than 500000 members (http://support.microsoft.com/kb/2131918)
Single attribute dimensions detected (http://support.microsoft.com/kb/2141654)
Measure groups with zero dimensional overlap detected in cube (http://support.microsoft.com/kb/2027609)
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective (http://support.microsoft.com/kb/2027603)
Use MOLAP storage for dimensions that participate in semi-additive measure groups (http://support.microsoft.com/kb/2135112)
Measure group defined with no partition (http://support.microsoft.com/kb/2027545)

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration (http://support.microsoft.com/kb/2145506)
HTTP Logging is not enabled (http://support.microsoft.com/kb/2145909)
Verbose logging is enabled (http://support.microsoft.com/kb/2146315)
NTLM authentication may fail for local (http://support.microsoft.com/kb/2146369)
Missing extended protection settings (http://support.microsoft.com/kb/2146062)

6.4 IS Rules

Logging task missing for package (http://support.microsoft.com/kb/2027723)
ActiveX Script task detected in package (http://support.microsoft.com/kb/2027712)
Unrecommended Integration Services service account detected (http://support.microsoft.com/kb/2027684)
Integration Services logging table found in system database master and/or msdb (http://support.microsoft.com/kb/2027706)
Integration Services memory dump detected (http://support.microsoft.com/kb/2027727)

6.5 Setup Rules

Unsupported Operating System Version Detected (http://support.microsoft.com/kb/2022909)
WOW64 not supported for SQL Failover Clustering (http://support.microsoft.com/kb/2157198)
Installer cache is missing for the SQL Installation (http://support.microsoft.com/kb/2015100)
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type (http://support.microsoft.com/kb/2118349)
Replication Pub and Sub out of sync (Data Validation) (http://support.microsoft.com/kb/2118386)
Replication Pub and Sub out of sync (Constraint Violations) (http://support.microsoft.com/kb/2118410)
Replication Pub and Sub out of sync (Skipped Transactions) (http://support.microsoft.com/kb/2194498)
Merge Replication Health Check (http://support.microsoft.com/kb/2118445)
Subscriptions Approaching Expiration (http://go.microsoft.com/fwlink/?LinkId=184483)
Replication Cleanup and Retention Health Check (http://support.microsoft.com/kb/2118485)
Replication Latency Threshold violations (http://support.microsoft.com/kb/2118425)

Page 40

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

- SAP has its special Network Packet Size of 8 KB
- Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA Case 1 Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed trace flag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest
2. Dynamic parameters that are included with the model
3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration. Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts a MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results
2. Attempting to get MBCA results for Model Id = 0
3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data
2. Attempting to get MBCA collected configuration data for Model Id = 0
3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }
Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

You can find further information about configuration and usage of MBCA models in the MBCA_ModelAuthoringGuide.docx.


$envcomputernameltPgt -post For details contact Microsoft Premier gt

ctempsql2008r2bpahtm


5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults

Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA

Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt

Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

Pre-requisite validation

Timestamp, finished rules, start and end times

Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user's local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file is generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt

Engine Rules - EngineLog.txt

Replication Rules - ReplicationLog.txt

Setup Rules - SetupLog.txt

Analysis Services Rules - AnalysisServicesLog.txt

Reporting Services Rules - ReportingServicesLog.txt

Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804: the NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the Win32_Processor object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370.

Both of these rules will function properly if you apply this hotfix. For more information, look here.


5.3 MBCA

This message indicates that one prerequisite is not installed. Please install version 2 of the MBCA.

5.4 Where can I find the instance name in the result set of the analyzer report?

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit is quite small, and once it is reached a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit; it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should first check whether hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started:

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:
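A pre-flight check for the settings covered in sections 5.5 and 5.6, as an added example that is not part of the original whitepaper. The function and parameter names are hypothetical; it uses only the built-in Get-Service, Get-Item (WSMan: drive) and Test-WSMan cmdlets and changes nothing on the system.

```powershell
# Added example, not part of the whitepaper. Run it in an elevated PowerShell
# session on the server that hosts the remote shell (the scan target).
function Test-BpaRemotingReadiness {
    param(
        [string]$ComputerName = 'localhost',  # assumption: WS-Man endpoint to probe
        [int]$RequiredMB = 1000               # the limit suggested in section 5.5
    )

    # Helper (hypothetical name): one result row per check.
    function New-CheckResult([string]$Check, [bool]$Passed, [string]$Detail) {
        New-Object PSObject -Property @{ Check = $Check; Passed = $Passed; Detail = $Detail }
    }

    # 5.6: the "Windows Remote Management" service (service name WinRM) must be running.
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if ($svc) {
        New-CheckResult 'WinRM service' ($svc.Status -eq 'Running') "Status: $($svc.Status)"
    } else {
        New-CheckResult 'WinRM service' $false 'Service not found'
    }

    # 5.5: per-shell memory quota. The WSMan: drive is only readable when the
    # service is running and the session is elevated, so a read failure is a finding too.
    try {
        $item = Get-Item -Path WSMan:\localhost\Shell\MaxMemoryPerShellMB -ErrorAction Stop
        $mb = [int]$item.Value
        New-CheckResult 'MaxMemoryPerShellMB' ($mb -ge $RequiredMB) "Current: $mb MB, wanted: $RequiredMB MB"
    } catch {
        New-CheckResult 'MaxMemoryPerShellMB' $false "Cannot read setting: $($_.Exception.Message)"
    }

    # 5.6: does a WS-Man listener answer on the target? Test-WSMan sends an
    # identify request and throws when nothing responds.
    try {
        $id = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop
        New-CheckResult 'WS-Man listener' $true "Stack: $($id.ProductVersion)"
    } catch {
        New-CheckResult 'WS-Man listener' $false $_.Exception.Message
    }
}

Test-BpaRemotingReadiness | Format-Table Check, Passed, Detail -AutoSize
```

A failed row tells you which of the two sections to revisit before retrying the remote scan.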


5.7 Installation

5.7.1 PowerShell error

After getting through the prerequisites for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application

Source: MsiInstaller

Date: 6/10/2010 8:38:18 AM

Event ID: 11722

Task Category: None

Level: Error

Keywords: Classic

User: <Username>

Computer: <Machine name>

Description:

Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the installer is "Access Denied".

To work around this issue, you can do the following:

1. Open a command prompt with administrative privileges.

2. Change to the directory where the MSI file resides.

3. Type msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will be either SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with administrative privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails with the above error because of a Kerberos issue. This particular issue could also show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS web application such as SharePoint, or if you are using Reporting Services and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in: WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.

Possible causes are:

-The user name or password specified are invalid.

-Kerberos is used when no authentication method and no user name are specified.

-Kerberos accepts domain user names, but not local user names.

-The Service Principal Name (SPN) for the remote computer name and port does not exist.

-The client and remote computers are in different domains and there is no trust between the two domains.

After checking for the above issues, try the following:

-Check the Event Viewer for events related to authentication.

-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

Note that computers in the TrustedHosts list might not be authenticated.

-For more information about WinRM configuration, run the following command: winrm help config.

At line:50 char:33

+ Set-WSManQuickConfig <<<< -force

+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException

+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a domain account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a host header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.
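To confirm whether a machine is in the HTTP SPN scenario described in 5.7.3 before touching any SPN, the following added example (not part of the original whitepaper) lists the accounts that hold an HTTP SPN for the local host name and flags those that are not the computer account. The function names, the sample host, domain and service account are assumptions; it relies on setspn.exe supporting the -Q switch (Windows Server 2008 and later) and only reads from the directory.

```powershell
# Added example, not part of the whitepaper. Read-only: nothing is registered or removed.

# Parse the text printed by "setspn -Q HTTP/<name>" and return one object per
# account that holds a matching SPN.
function Get-HttpSpnOwner {
    param(
        [string[]]$SetSpnOutput,   # raw output lines from setspn
        [string]$ComputerName      # short host name, used to recognise the machine account
    )
    $machineRdn = "CN=$ComputerName,"
    foreach ($line in $SetSpnOutput) {
        # setspn lists each owning account by distinguished name (CN=...),
        # followed by indented lines with that account's SPNs.
        if ($line -match '^\s*CN=') {
            $dn = $line.Trim()
            New-Object PSObject -Property @{
                Account          = $dn
                IsMachineAccount = $dn.StartsWith($machineRdn, [StringComparison]::OrdinalIgnoreCase)
            }
        }
    }
}

# Query the directory for HTTP SPNs on this host's short and full names and
# report every owner that is not the computer account.
function Find-HttpSpnConflict {
    $short = $env:COMPUTERNAME
    $fqdn  = [System.Net.Dns]::GetHostEntry($short).HostName
    $names = @($short, $fqdn) | Select-Object -Unique
    foreach ($name in $names) {
        $out = & setspn.exe -Q "HTTP/$name"
        Get-HttpSpnOwner -SetSpnOutput $out -ComputerName $short |
            Where-Object { -not $_.IsMachineAccount } |
            ForEach-Object { "HTTP/$name is registered on $($_.Account)" }
    }
}

# Constructed sample of setspn output (host, domain and account are made up),
# so the parser can be exercised without a domain.
$sample = @(
    'Checking domain DC=example,DC=test',
    'CN=svc-reports,OU=Service Accounts,DC=example,DC=test',
    "`tHTTP/SQLBPA01",
    "`tHTTP/SQLBPA01.example.test",
    '',
    'Existing SPN found!'
)
Get-HttpSpnOwner -SetSpnOutput $sample -ComputerName 'SQLBPA01' |
    Format-Table Account, IsMachineAccount -AutoSize

# On a domain-joined server, run: Find-HttpSpnConflict
```

Any line returned by Find-HttpSpnConflict names the account whose HTTP SPN collides with the HOST SPN that WinRM relies on.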


6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals:

Here is an example of one of these articles, which talks about a rule to check for a recent "clean" CHECKDB:


BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level - Description

Noncompliant - Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant - Compliant results are returned when a role satisfies the conditions of a rule.

Warning - Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.


BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name - Description

Security - Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance - Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration - Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy - Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation - Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment - Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.

Postdeployment - Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.

BPA Prerequisites - BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules, with the links to the rule descriptions. These rules check that you have a secure, resilient and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)

Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)

Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)

non-default network packet size in use (http://support.microsoft.com/kb/2157175)

degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)

Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)

SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)

SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)

Trustworthy Bit (http://support.microsoft.com/kb/2183687)

Symmetric Keys Check (http://support.microsoft.com/kb/2162020)

Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)

SQL Server installed on PDC/BDC (http://support.microsoft.com/kb/2032911)

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)

Windows API calls intercepted (http://support.microsoft.com/kb/2033238)

unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)

Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)

non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)

Guest Permissions (http://support.microsoft.com/kb/2186935)

Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)

IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)

IO device errors detected (http://support.microsoft.com/kb/2091098)

IO errors during page faults detected (http://support.microsoft.com/kb/2091098)

cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)

disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)

failed IO requests detected (http://support.microsoft.com/kb/2091098)

IO requests are successful when retried (http://support.microsoft.com/kb/2015757)

IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)

This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)

tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)

Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)

Logical consistency errors detected (http://support.microsoft.com/kb/2152472)

Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)

SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)

incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)

Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)

Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)

Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)

Databases using simple recovery model (http://support.microsoft.com/kb/2137539)

User database collation different from model (http://support.microsoft.com/kb/2026108)

Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)

Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)

LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)

SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)

SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)

Invalid startup parameters (http://support.microsoft.com/kb/2028433)

MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)

sql incorrect results fix missing (http://support.microsoft.com/kb/971780)

File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)

linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)

Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)

default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)

TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)

FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)

Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)

A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)

Significant Portion of SQL Server Memory Has Been Paged Out (http://support.microsoft.com/kb/2028324)

Server Exception or Hang Detected on Server (http://support.microsoft.com/kb/2028589)

Databases exist without CHECKSUM protection (http://support.microsoft.com/kb/2078345)

backups outdated for databases (http://support.microsoft.com/kb/2027537)

Database consistency check not current (http://support.microsoft.com/kb/2033590)

SQL Server Memory settings are incorrect (http://support.microsoft.com/KB/918483/EN-US)

Autogrow Failed or took a long time (http://support.microsoft.com/kb/2091024)

Storport driver fix from KBA 940467 missing (http://support.microsoft.com/kb/2121098)

Storport driver fix from KBA 950903 missing (http://support.microsoft.com/kb/2121098)

SQLCLR needs additional memory configuration (http://support.microsoft.com/kb/969962/EN-US)

Operating System files and drivers needs update for working set trimming (http://support.microsoft.com/kb/2121098)

Agent Token Replacement (http://support.microsoft.com/kb/2202637)

Auditing Log in failures (http://support.microsoft.com/kb/2187161)

Databases with high number of VLF present (http://support.microsoft.com/kb/2028436)

Transparent Data Encryption Certificate (http://support.microsoft.com/kb/2201900)

Permission on the Binn folder (http://support.microsoft.com/kb/2029023)

Index Statistics Are Outdated

Server public permissions (http://support.microsoft.com/kb/2160698)

Detected use of older versions of SQLNCLI (http://support.microsoft.com/kb/979779)

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules, with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services (http://support.microsoft.com/kb/2128005)

Excessive amount of memory preallocated to Analysis Services (http://support.microsoft.com/kb/2027474)

Server not configured for optimal concurrent query throughput (http://support.microsoft.com/kb/2135031)

Non standard value detected for Analysis Services memory configuration (http://support.microsoft.com/kb/2027472)

Process Thread Pool Max limit above recommended limit (http://support.microsoft.com/kb/2134497)

Process Thread Pool Minimum is below the recommended limit (http://support.microsoft.com/kb/2134855)

Server is running a build with a known regression (http://support.microsoft.com/kb/2157941)

Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur (http://support.microsoft.com/kb/2027754)

Server is ignoring duplicate key errors (http://support.microsoft.com/kb/2027761)

No default member defined for non-aggregatable attribute (http://support.microsoft.com/kb/2027769)

UnknownMember set to hidden (http://support.microsoft.com/kb/2027628)

Non-numeric key column for high cardinality attribute (http://support.microsoft.com/kb/2028138)

Attribute hierarchy enabled for high cardinality non-key attribute (http://support.microsoft.com/kb/2028143)

ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected (http://support.microsoft.com/kb/2132742)

Account or Time attribute types defined in a non-matching dimension type (http://support.microsoft.com/kb/2157299)

An Account or Time dimension has no matching attribute defined (http://support.microsoft.com/kb/2027418)

Dimension has no attribute defined with the same type (http://support.microsoft.com/kb/2027443)

Attribute Dimension type mismatch (http://support.microsoft.com/kb/2157327)

Mismatched dimension attribute types detected in dimension (http://support.microsoft.com/kb/2027459)

Possible incorrect order of levels defined in hierarchy (http://support.microsoft.com/kb/2027460)

Define attribute relationships as Rigid where possible (http://support.microsoft.com/kb/2027468)

Redundant attribute relationships detected (http://support.microsoft.com/kb/2127437)

Diamond-shape relationship detected (http://support.microsoft.com/kb/2127570)

Non-Standard Attribute Relationship name detected (http://support.microsoft.com/kb/2127862)

Proactive Caching set for dimension without a processing query (http://support.microsoft.com/kb/2027541)

No Time dimension detected (http://support.microsoft.com/kb/2027532)

More than 3 parent-child dimensions with custom rollups defined (http://support.microsoft.com/kb/2134431)

Encountered a parent-child dimension with more than 500000 members (http://support.microsoft.com/kb/2131918)

Single attribute dimensions detected (http://support.microsoft.com/kb/2141654)

Measure groups with zero dimensional overlap detected in cube (http://support.microsoft.com/kb/2027609)

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective (http://support.microsoft.com/kb/2027603)

Use MOLAP storage for dimensions that participate in semi-additive measure groups (http://support.microsoft.com/kb/2135112)

Measure group defined with no partition (http://support.microsoft.com/kb/2027545)

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration (http://support.microsoft.com/kb/2145506)

HTTP Logging is not enabled (http://support.microsoft.com/kb/2145909)

Verbose logging is enabled (http://support.microsoft.com/kb/2146315)

NTLM authentication may fail for local (http://support.microsoft.com/kb/2146369)

Missing extended protection settings (http://support.microsoft.com/kb/2146062)

6.4 IS Rules

Logging task missing for package (http://support.microsoft.com/kb/2027723)

ActiveX Script task detected in package (http://support.microsoft.com/kb/2027712)

Unrecommended Integration Services service account detected (http://support.microsoft.com/kb/2027684)

Integration Services logging table found in system database master and/or msdb (http://support.microsoft.com/kb/2027706)

Integration Services memory dump detected (http://support.microsoft.com/kb/2027727)

6.5 Setup Rules

Unsupported Operating System Version Detected (http://support.microsoft.com/kb/2022909)

WOW64 not supported for SQL Failover Clustering (http://support.microsoft.com/kb/2157198)

Installer cache is missing for the SQL Installation (http://support.microsoft.com/kb/2015100)

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type (http://support.microsoft.com/kb/2118349)

Replication Pub and Sub out of sync (Data Validation) (http://support.microsoft.com/kb/2118386)

Replication Pub and Sub out of sync (Constraint Violations) (http://support.microsoft.com/kb/2118410)

Replication Pub and Sub out of sync (Skipped Transactions) (http://support.microsoft.com/kb/2194498)

Merge Replication Health Check (http://support.microsoft.com/kb/2118445)

Subscriptions Approaching Expiration (http://go.microsoft.com/fwlink/?LinkId=184483)

Replication Cleanup and Retention Health Check (http://support.microsoft.com/kb/2118485)

Replication Latency Threshold violations (http://support.microsoft.com/kb/2118425)


7 HOW TO DEAL WITH DEVIATIONS

Deviations from these best practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from best practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB.

Existing non-Microsoft clients would require Mixed Mode Authentication.


8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences - the involvement of Microsoft Support and the final solution - adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.


9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must first import this module:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters, targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters, targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

912 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)

scan for a specific model that is installed on your computer

SYNTAX

Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication

ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName

ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential

ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-

ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer

(MBCA) scan for a specific model that is installed on your computer The model is specified either by

using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-

MBCAMode cmdlet

After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-

MBCAResult cmdlet

You must be a member of the Administrators group on the computer on which you want to run this

cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with

elevated user rights that is Run as Administrator

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required false

Position named

Default value Default

Accept pipeline input false

Accept wildcard characters false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X.509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration. Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required false

Position named

Default value All

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required false

Position named

Default value 80

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required false

Position named

Default value 32

Accept pipeline input false

Accept wildcard characters false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:

Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by <Model Id>.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by <SubModel Id>, and on the computer that is represented by <Server>.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by <Model Id> is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by <Model Id>, and then applies a filter to show only Noncompliant results.

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by <SubModelId>. Note that the parent model ID must be specified to use the -SubModelId parameter.

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by <SubModelId>. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by <Context Model Id>; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as <Server>, and only those results found in the non-default results repository that is represented by <Repository Path>.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required false

Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by <Model Id>.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by <Specified Model Id> from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
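
An added example (not part of the whitepaper or of MBCA) that wraps the exclude workflow from the two examples above so that every exclusion leaves a record: it snapshots the results about to be hidden, logs who excluded them and why, and only then pipes them to Set-MBCAResult. The function name, its parameters and the audit folder are assumptions; it expects the MBCA cmdlets to be loaded in an elevated PowerShell 2.0 session and works against the default results repository.

```powershell
# Added example, not from the whitepaper. Assumes an elevated PowerShell 2.0
# session with the MBCA cmdlets loaded and a completed SQL2008R2BPA scan.
# Set-MBCAExclusionWithAudit, its parameters and the audit folder are hypothetical.
function Set-MBCAExclusionWithAudit {
    param(
        [Parameter(Mandatory = $true)] [string] $Category,
        [Parameter(Mandatory = $true)] [string] $Reason,
        [string] $ModelId   = 'SQL2008R2BPA',
        [string] $AuditPath = (Join-Path $env:LOCALAPPDATA 'BpaExclusionAudit'),
        [bool]   $Exclude   = $true      # $false re-includes, as described for -Exclude
    )

    # Same filter as Example 1: select results by their Category property.
    $all      = @(Get-MBCAResult -ModelId $ModelId -ErrorAction Stop)
    $selected = @($all | Where-Object { $_.Category -eq $Category })
    if ($selected.Count -eq 0) {
        Write-Warning "No '$Category' results for model $ModelId; nothing was changed."
        return
    }

    if (-not (Test-Path $AuditPath)) {
        New-Item -ItemType Directory -Path $AuditPath | Out-Null
    }
    $stamp    = Get-Date -Format 'yyyyMMdd_HHmmss'
    $safeName = $Category -replace '[^\w\-]', '_'
    $snapshot = Join-Path $AuditPath ("{0}_{1}_{2}.xml" -f $ModelId, $safeName, $stamp)

    # Keep the full result objects so a reviewer can later see exactly what was hidden.
    $selected | Export-Clixml -Path $snapshot

    # One who/when/why row per change. Export-Csv has no -Append in PowerShell 2.0,
    # so the row is built with ConvertTo-Csv and appended by hand.
    $record = New-Object PSObject -Property @{
        Timestamp = $stamp
        User      = "$env:USERDOMAIN\$env:USERNAME"
        ModelId   = $ModelId
        Category  = $Category
        Excluded  = $Exclude
        Affected  = $selected.Count
        Total     = $all.Count
        Reason    = $Reason
        Snapshot  = $snapshot
    } | Select-Object Timestamp, User, ModelId, Category, Excluded, Affected, Total, Reason, Snapshot

    $csv = @($record | ConvertTo-Csv -NoTypeInformation)   # [0] = header, [1] = row
    $log = Join-Path $AuditPath 'exclusions.csv'
    if (Test-Path $log) { Add-Content -Path $log -Value $csv[1] }
    else                { Set-Content -Path $log -Value $csv }

    # The audit trail is written first; a failure above stops before results change.
    $selected | Set-MBCAResult -Exclude $Exclude

    $record
}

# Hide the Performance findings, with a recorded justification:
# Set-MBCAExclusionWithAudit -Category 'Performance' -Reason 'Tracked in change ticket (placeholder)'
# Bring them back into the report:
# Set-MBCAExclusionWithAudit -Category 'Performance' -Reason 'Review complete' -Exclude $false
```

Reviewing exclusions.csv before each reporting cycle shows which findings no longer appear in Get-MBCAResult output because someone chose to hide them, not because they were fixed.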

9.1.5 MBCA Model Authoring

Further information about the configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.

5 TROUBLESHOOTING

5.1 Application directories

The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPA\Results

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files

During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file contains the following information:

- Pre-requisite validation
- Timestamp, finished rules, start and end times
- Run-time scripting errors and exceptions from PowerShell traps

Log Files Location

For every scan, log files are created in the user's local Temp directory (%Temp%) and follow the folder structure SQL2008R2BPA\<Instance Name>\<datestamp_timestamp>\<Log files>.

Note: In case of a remote scan, the category log files are generated on the remote system at the same path, whereas the common log file is generated on the local system.

Log Files Structure

A common log file is generated and contains information about each category's execution. Apart from this, each category has its own log file, which details the rule execution. The names of the log files are given below:

Common File - ModelLog.txt

Engine Rules - EngineLog.txt

Replication Rules - ReplicationLog.txt

Setup Rules - SetupLog.txt

Analysis Services Rules - AnalysisServicesLog.txt

Reporting Services Rules - ReportingServicesLog.txt

Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 - NumberOfLogicalProcessors

Analysis Services RID2803 and RID2804 - The NumberOfLogicalProcessors property is unavailable in Win32_Processor with Windows Server 2003.

Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object in Windows Server 2003. It has been implemented in the hotfix http://support.microsoft.com/kb/932370

Both of these rules will function properly if you apply this hotfix. For more information look here

5.3 MBCA

This message indicates that one prerequisite is not installed.

Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in the result set of the analyzer report?

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume at most 150 MB of memory. This default limit is quite small, and once it is reached a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should check first if the Hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started:

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:
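
The checks from sections 5.5 and 5.6 as one pre-flight script, added here as an example that is not part of the whitepaper. The function names are hypothetical; the script uses only Get-Service and the built-in WSMan: drive, and it also reports the listener transports, CredSSP state and TrustedHosts so you can see whether -UseSSL is usable and how remote peers will be authenticated.

```powershell
# Added example, not from the whitepaper. Run in an elevated PowerShell 2.0 session
# on the machine that starts the scan and again on the scan target.
# New-Finding and Test-BpaRemotingReadiness are hypothetical helper names.
function New-Finding {
    param([string] $Check, [string] $Value, [string] $Status, [string] $Note)
    New-Object PSObject -Property @{
        Check = $Check; Value = $Value; Status = $Status; Note = $Note
    } | Select-Object Check, Value, Status, Note
}

function Test-BpaRemotingReadiness {
    param([int] $MinShellMemoryMB = 1000)   # the value section 5.5 raises the limit to

    # Section 5.6: the Windows Remote Management service must be started.
    # The WSMan: drive used below is unavailable while the service is stopped.
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $state = if ($svc) { "$($svc.Status)" } else { 'not installed' }
        New-Finding 'WinRM service' $state 'Fail' 'Start it (Enable-PSRemoting) before scanning.'
        return
    }
    New-Finding 'WinRM service' 'Running' 'OK' ''

    # Section 5.5: the per-shell memory quota (150 MB by default).
    $mem    = [int](Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
    $status = if ($mem -ge $MinShellMemoryMB) { 'OK' } else { 'Review' }
    New-Finding 'MaxMemoryPerShellMB' $mem $status "Remote scans can fail below $MinShellMemoryMB MB."

    # Listener transports: -UseSSL needs an HTTPS listener on the target.
    $transports = @(Get-ChildItem WSMan:\localhost\Listener |
        ForEach-Object { $_.Keys } |
        Where-Object   { $_ -like 'Transport=*' } |
        ForEach-Object { $_ -replace '^Transport=', '' })
    $status = if ($transports -contains 'HTTPS') { 'OK' } else { 'Review' }
    New-Finding 'Listener transports' ($transports -join ',') $status `
        'Without an HTTPS listener, -UseSSL cannot be used against this host.'

    # Section 5.6: "Connect to another computer" reports an error when CredSSP
    # is unsupported or unavailable, so show both sides of the setting.
    $client  = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
    $service = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
    New-Finding 'CredSSP (client/service)' "$client/$service" 'Info' `
        'CredSSP delegates the caller''s credentials to the target; enable it only where needed.'

    # Hosts listed in TrustedHosts are not authenticated by the client.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if (-not $trusted) {
        New-Finding 'TrustedHosts' '(empty)' 'OK' ''
    }
    elseif ($trusted -eq '*') {
        New-Finding 'TrustedHosts' $trusted 'Review' 'Wildcard: no remote host identity is verified.'
    }
    else {
        New-Finding 'TrustedHosts' $trusted 'Info' 'Listed hosts are reached without server authentication.'
    }
}

Test-BpaRemotingReadiness | Format-Table -AutoSize -Wrap
```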

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log for both of these scenarios, you will also see the following entry:

Log Name: Application

Source: MsiInstaller

Date: 6/10/2010 8:38:18 AM

Event ID: 11722

Task Category: None

Level: Error

Keywords: Classic

User: <Username>

Computer: <Machine name>

Description:

Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is "Access Denied".

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.

2. Change to the directory where the msi file resides.

3. Type msiexec /i <MSI Name> SKIPCA=1

4. <MSI Name> will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails with the above error because of a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the Machine Account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS Web Application such as SharePoint, or if you are using Reporting Services and the service account is set to a Domain User account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
  -For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
    + CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a domain account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a host header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.
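A way to confirm the HTTP SPN conflict described above before removing anything, as an added example that is not part of the whitepaper: it parses the output of setspn -Q and lists accounts other than the machine account that hold an HTTP SPN for the host name. The function names, the sample output and every name in it are constructed, and recognising the machine account by its CN is an assumption.

```powershell
# Added example, not from the whitepaper. Function names are hypothetical.

# Turn `setspn -Q` output into one object per account that holds a matching SPN.
# setspn prints each account's distinguished name at the start of a line and
# that account's SPNs on the indented lines below it.
function ConvertFrom-SetSpnQuery {
    param([string[]]$Lines)
    $holders = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^CN=') {
            $current = New-Object PSObject -Property @{ Account = $line.Trim(); Spns = @() }
            $holders += $current
        }
        elseif ($current -ne $null -and $line -match '^\s+(\S+/\S+)\s*$') {
            $current.Spns += $Matches[1]
        }
    }
    ,$holders   # always return an array, even when it is empty
}

# Report accounts, other than the machine account, that hold an HTTP SPN
# naming this host. These are the accounts behind the WinRM Kerberos failure.
function Find-HttpSpnConflict {
    param([string]$HostName, [string[]]$SetSpnOutput)
    $short = $HostName.Split('.')[0]
    # Matches HTTP/host, HTTP/host.domain and HTTP/host:port (case-insensitive).
    $pattern = '^HTTP/' + [regex]::Escape($short) + '(\.|:|$)'
    foreach ($holder in (ConvertFrom-SetSpnQuery -Lines $SetSpnOutput)) {
        # Assumption: the machine account's DN begins with CN=<short host name>,
        if ($holder.Account -like "CN=$short,*") { continue }
        $hits = @($holder.Spns | Where-Object { $_ -match $pattern })
        if ($hits.Count -gt 0) {
            New-Object PSObject -Property @{
                Account         = $holder.Account
                ConflictingSpns = $hits
            }
        }
    }
}

# Constructed sample of `setspn -Q HTTP/SQL01` output (all names are made up).
$sample = @(
    'Checking domain DC=example,DC=test',
    'CN=svc-reports,OU=Service Accounts,DC=example,DC=test',
    "`tHTTP/SQL01",
    "`tHTTP/sql01.example.test",
    '',
    'Existing SPN found!'
)
Find-HttpSpnConflict -HostName 'SQL01' -SetSpnOutput $sample | Format-List

# On a domain-joined server, feed it live output instead:
#   $out = setspn.exe -Q "HTTP/$env:COMPUTERNAME"
#   Find-HttpSpnConflict -HostName $env:COMPUTERNAME -SetSpnOutput $out
```

An empty result means no account other than the machine account holds an HTTP SPN for that name, so the WinRM error has one of the other causes listed in the message.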

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals:

Here is an example of one of these articles that talks about a rule to check for a recent "clean" CHECKDB:

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level | Description
Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule.
Compliant | Compliant results are returned when a role satisfies the conditions of a rule.
Warning | Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name | Description
Security | Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.
Performance | Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.
Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.
Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.
Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.
Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.
Postdeployment | Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.
BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules are checking that you have a secure, resilient and well performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC/BDC (http://support.microsoft.com/kb/2032911)

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114
Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154
Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875
Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448
Databases using simple recovery model http://support.microsoft.com/kb/2137539
User database collation different from model http://support.microsoft.com/kb/2026108
Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537
Databases have auto close option enabled http://support.microsoft.com/kb/2160685
LSI SAS drivers needs update http://support.microsoft.com/kb/2121098
SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845
SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447
Invalid startup parameters http://support.microsoft.com/kb/2028433
MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550
sql incorrect results fix missing http://support.microsoft.com/kb/971780
File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002
linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US
Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098
default extended event health session not in expected state http://support.microsoft.com/kb/2160570
TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483
FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720
Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720
A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606

Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324
Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589
Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345
backups outdated for databases http://support.microsoft.com/kb/2027537
Database consistency check not current http://support.microsoft.com/kb/2033590
SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US
Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024
Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098
Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098
SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US
Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098
Agent Token Replacement http://support.microsoft.com/kb/2202637
Auditing Log in failures http://support.microsoft.com/kb/2187161
Databases with high number of VLF present http://support.microsoft.com/kb/2028436
Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900
Permission on the Binn folder http://support.microsoft.com/kb/2029023
Index Statistics Are Outdated
Server public permissions http://support.microsoft.com/kb/2160698
Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005
Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474
Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031
Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472
Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497
Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855
Server is running a build with a known regression http://support.microsoft.com/kb/2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754
Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761
No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769
UnknownMember set to hidden http://support.microsoft.com/kb/2027628
Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138
Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742

Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299
An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418
Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443
Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327
Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459
Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460
Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468
Redundant attribute relationships detected http://support.microsoft.com/kb/2127437
Diamond-shape relationship detected http://support.microsoft.com/kb/2127570
Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862
Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541
No Time dimension detected http://support.microsoft.com/kb/2027532
More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431
Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918
Single attribute dimensions detected http://support.microsoft.com/kb/2141654
Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112
Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506
HTTP Logging is not enabled http://support.microsoft.com/kb/2145909
Verbose logging is enabled http://support.microsoft.com/kb/2146315
NTLM authentication may fail for local http://support.microsoft.com/kb/2146369
Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723
ActiveX Script task detected in package http://support.microsoft.com/kb/2027712
Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684
Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706
Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909
WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198
Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349
Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386
Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410
Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498
Merge Replication Health Check http://support.microsoft.com/kb/2118445
Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483
Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485
Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You can get help for any of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest
2. Dynamic parameters that are included with the model
3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model. In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model. In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration. Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id. The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required false

Position named


Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results
2. Attempting to get MBCA results for Model Id = 0
3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data
2. Attempting to get MBCA collected configuration data for Model Id = 0
3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id, for example, only those results from a SQL Server scan that specifically apply to another technology such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required false


Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
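Because Set-MBCAResult -Exclude $true hides findings from later reports, a reviewer usually wants a record of what was hidden and why. The following is an added example, not part of the original white paper: a triage workflow built only from the cmdlets documented above. The function names, the audit folder, and the -AllowSecurity switch are hypothetical, and it assumes the MBCA cmdlets are already loaded in an elevated session and that Get-MBCAResult still returns results that were previously excluded.

```powershell
# Added example, not from the white paper. Assumes the MBCA cmdlets documented
# above are loaded in an elevated Windows PowerShell session, and that result
# objects expose the Category property used in the Where filters above.
# Function names and the audit folder are hypothetical.

function Get-BpaNoncompliantSummary {
    param([string]$ModelId = 'SQL2008R2BPA')
    # Count noncompliant results per rule category, largest group first.
    Get-MBCAResult -ModelId $ModelId -Filter Noncompliant |
        Group-Object -Property Category |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Name, Count
}

function Set-BpaCategoryExclusion {
    param(
        [string]$ModelId = 'SQL2008R2BPA',
        [Parameter(Mandatory = $true)][string]$Category,
        [Parameter(Mandatory = $true)][bool]$Exclude,
        [Parameter(Mandatory = $true)][string]$Reason,
        [string]$AuditDir = 'C:\BpaAudit',   # hypothetical location
        [switch]$AllowSecurity
    )

    # Excluding a category removes its findings from view, so Security
    # results need an explicit opt-in.
    if ($Exclude -and $Category -eq 'Security' -and -not $AllowSecurity) {
        throw 'Refusing to exclude Security results without -AllowSecurity.'
    }

    $subset = @(Get-MBCAResult -ModelId $ModelId |
        Where-Object { $_.Category -eq $Category })
    if ($subset.Count -eq 0) {
        Write-Warning "No results in category '$Category' for model $ModelId."
        return
    }

    # Write the audit record (who, when, why, and a snapshot of the affected
    # results) before the results repository is modified.
    if (-not (Test-Path $AuditDir)) {
        New-Item -ItemType Directory -Path $AuditDir | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $AuditDir "$ModelId-$Category-$stamp.clixml"
    New-Object PSObject -Property @{
        Time     = (Get-Date)
        User     = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        ModelId  = $ModelId
        Category = $Category
        Exclude  = $Exclude
        Reason   = $Reason
        Results  = $subset
    } | Export-Clixml -Path $file

    Set-MBCAResult -Exclude $Exclude -Results $subset | Out-Null
    $file   # path of the audit record
}

# Review first, hide a reviewed category, and later bring it back.
Get-BpaNoncompliantSummary | Format-Table -AutoSize
$record = Set-BpaCategoryExclusion -Category Performance -Exclude $true `
    -Reason 'Accepted for this test server'
Set-BpaCategoryExclusion -Category Performance -Exclude $false `
    -Reason 'Quarterly re-review' | Out-Null
```

Import-Clixml on the path stored in $record returns the snapshot, including the results as they were before the exclusion.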

9.1.5 MBCA Model Authoring

Further information about the configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.


Page 27: SQL2008R2 BPA Whitepaper v10


5.3 MBCA

This message indicates that one prerequisite is not installed. Please install version 2 of the MBCA.

5.4 Where can I find the Instance name in the result set of the analyzer report?

The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process

By default, a remote PowerShell process can consume only 150 MB or less of memory. This default limit is quite small, and once it is reached a WinRM exception can occur and the remote connection terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be tested against this memory limit, because it may cause some commands to fail, for example site collection creation.

Solution: Increase the memory limit for the remote shell. Use the following command to increase this limit to 1000 MB. This is only necessary if you need to run those commands on that server.

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect

If you try to "Connect to another computer" from MBCA and you receive the following message:

You should check first if the Hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started:

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is "Access Denied". To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.
2. Change to the directory where the .msi file resides.
3. Type msiexec /i <MSI Name> SKIPCA=1
4. MSI Name will be either SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.
5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.
6. Execute the following commands:
   a. Enable-PSRemoting
   b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails with the error above because of a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS web application such as SharePoint, or if you are using Reporting Services and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in: WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
  Note that computers in the TrustedHosts list might not be authenticated.
  -For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<<  -force
    + CategoryInfo          : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a domain account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled, and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a host header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.
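The conditions described in sections 5.5 to 5.7.3 can be checked before installing or scanning. The following read-only script is an added example, not part of the original white paper; the function names are hypothetical, and it assumes an elevated Windows PowerShell 2.0 (or later) session on the server, with setspn.exe available on domain members.

```powershell
# Added example: read-only pre-flight checks for sections 5.5 to 5.7.3.
# It changes no settings. Run it in an elevated Windows PowerShell session.
# New-Finding and Test-BpaRemotingPrereq are hypothetical names.

function New-Finding($Check, $Value, $Ok, $Advice) {
    New-Object PSObject -Property @{
        Check = $Check; Value = $Value; Ok = [bool]$Ok; Advice = $Advice
    }
}

function Test-BpaRemotingPrereq {
    param(
        [int]$MinShellMemoryMB = 1000,  # limit the paper raises to in 5.5
        [int]$MinShellsPerUser = 10     # value the paper sets in 5.7.2
    )

    # 5.6: the Windows Remote Management service has to be running.
    $svc    = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $status = if ($svc) { "$($svc.Status)" } else { 'not installed' }
    New-Finding 'WinRM service' $status ($status -eq 'Running') `
        'Run Enable-PSRemoting from an elevated prompt.'

    # 5.5 and 5.7.2: shell quotas. The WSMan: drive is readable only while
    # the service runs, so a failed read is reported instead of thrown.
    $quotas = @{
        MaxMemoryPerShellMB = $MinShellMemoryMB
        MaxShellsPerUser    = $MinShellsPerUser
    }
    foreach ($name in $quotas.Keys) {
        $path = "WSMan:\localhost\Shell\$name"
        try {
            $value = [int](Get-Item $path -ErrorAction Stop).Value
            New-Finding $name $value ($value -ge $quotas[$name]) `
                "Only if needed on this server: Set-Item $path $($quotas[$name])"
        } catch {
            New-Finding $name 'unreadable' $false `
                'Start WinRM, then re-run this check.'
        }
    }

    # 5.7.3: an HTTP SPN for this host name that is registered on an account
    # other than the machine account breaks Kerberos for WinRM.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        New-Finding 'HTTP SPN' 'workgroup computer' $true `
            'No SPN check applies; see section 5.7.2.'
        return
    }
    $hostNames = @($env:COMPUTERNAME)
    try {
        $hostNames += [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    } catch { }   # keep the short name if DNS resolution fails
    $machine = '^CN=' + [regex]::Escape($env:COMPUTERNAME) + ','

    foreach ($hostName in ($hostNames | Select-Object -Unique)) {
        # setspn -Q prints the distinguished name (CN=...) of every account
        # that holds the queried SPN.
        $output  = & setspn.exe -Q "HTTP/$hostName" 2>&1
        $holders = @($output | ForEach-Object { "$_".Trim() } |
            Where-Object { $_ -match '^CN=' })
        $foreign = @($holders | Where-Object { $_ -notmatch $machine })
        $value   = if ($foreign.Count) { $foreign -join '; ' }
                   else { 'none on other accounts' }
        New-Finding "HTTP/$hostName SPN" $value ($foreign.Count -eq 0) `
            'Temporarily remove the HTTP SPN, or use a host header (5.7.3).'
    }
}

Test-BpaRemotingPrereq |
    Format-Table Check, Ok, Value, Advice -AutoSize -Wrap
```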

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals:

Here is an example of one of these articles, which talks about a rule to check for a recent "clean" CHECKDB:

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level | Description

Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant | Compliant results are returned when a role satisfies the conditions of a rule.

Warning | Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name | Description

Security | Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance | Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.

Postdeployment | Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.

BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules, with the links to the rule descriptions. These rules check that you have a secure, resilient, and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC/BDC (http://support.microsoft.com/kb/2032911)

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114
Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154
Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875
Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448
Databases using simple recovery model http://support.microsoft.com/kb/2137539
User database collation different from model http://support.microsoft.com/kb/2026108
Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537
Databases have auto close option enabled http://support.microsoft.com/kb/2160685
LSI SAS drivers needs update http://support.microsoft.com/kb/2121098
SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845
SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447
Invalid startup parameters http://support.microsoft.com/kb/2028433
MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550
sql incorrect results fix missing http://support.microsoft.com/kb/971780
File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002
linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US
Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098
default extended event health session not in expected state http://support.microsoft.com/kb/2160570
TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483
FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720
Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720
A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606

Significant Portion of SQL Server Memory Has Been Paged Out

httpsupportmicrosoftcomkb2028324

Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589

Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345

backups outdated for databases httpsupportmicrosoftcomkb2027537

Database consistency check not current httpsupportmicrosoftcomkb2033590

SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US

Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024

Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098

Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098

SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US

Operating System files and drivers needs update for working set trimming

httpsupportmicrosoftcomkb2121098

Agent Token Replacement httpsupportmicrosoftcomkb2202637

Auditing Log in failures httpsupportmicrosoftcomkb2187161

Databases with high number of VLF present httpsupportmicrosoftcomkb2028436

Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900

Permission on the Binn folder httpsupportmicrosoftcomkb2029023

Index Statistics Are Outdated

Server public permissions httpsupportmicrosoftcomkb2160698

Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions:

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005

Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474

Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031

Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472

Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497

Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855

Server is running a build with a known regression http://support.microsoft.com/kb/2157941

Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754

Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761

No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769

UnknownMember set to hidden http://support.microsoft.com/kb/2027628

Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138

Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143

ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742

Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299

An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418

Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443

Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327

Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459

Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460

Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468

Redundant attribute relationships detected http://support.microsoft.com/kb/2127437

Diamond-shape relationship detected http://support.microsoft.com/kb/2127570

Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862

Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541

No Time dimension detected http://support.microsoft.com/kb/2027532

More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431

Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918

Single attribute dimensions detected http://support.microsoft.com/kb/2141654

Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603

Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112

Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506

HTTP Logging is not enabled http://support.microsoft.com/kb/2145909

Verbose logging is enabled http://support.microsoft.com/kb/2146315

NTLM authentication may fail for local http://support.microsoft.com/kb/2146369

Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723

ActiveX Script task detected in package http://support.microsoft.com/kb/2027712

Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684

Integration Services logging table found in system database master and or msdb http://support.microsoft.com/kb/2027706

Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article “Why use SQL Server 2008 R2 BPA Case 1 Missing Updates” the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it’s a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob’s article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false

Position? named

Default value Default

Accept pipeline input? false

Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false

Position? named

Default value All

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false

Position? named

Default value 80

Accept pipeline input? false

Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false

Position? named

Default value 32

Accept pipeline input? false

Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.
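The scan-and-review sequence these cmdlets support, shown as an added example that is not part of the original whitepaper. It uses Get-MBCAResult (documented in the next section) with only the cmdlets and parameters named on this page; the two directory paths are assumed placeholders.

```powershell
# Added example: elevated pre-flight check, local BPA scan, and export of the
# noncompliant findings so that successive runs can be compared.
# Assumptions: both directories below already exist. Scan output describes
# server configuration, so keep them readable by administrators only.

$modelId    = 'SQL2008R2BPA'
$repository = 'C:\BPA\Repository'   # assumed placeholder path
$exportDir  = 'C:\BPA\Findings'     # assumed placeholder path

# The MBCA cmdlets require membership in Administrators AND an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Open Windows PowerShell with "Run as Administrator" before scanning.'
}

Import-Module BaselineConfigurationAnalyzer -ErrorAction Stop

# Fail early if the SQL Server BPA model is not installed on this computer.
$model = Get-MBCAModel -ModelId $modelId -ErrorAction SilentlyContinue
if (-not $model) {
    throw "MBCA model '$modelId' is not installed on this computer."
}

# Discovery plus analysis (the default -Mode All), written to a dedicated
# repository instead of the default one. Called as in the page's Example 1.
$scan = Invoke-MBCAModel -ModelId $modelId -RepositoryPath $repository -ErrorAction Stop

# Show everything the output object reports (model ID, success or failure,
# details) without assuming its property names.
$scan | Format-List *

# Retrieve only the noncompliant results of that scan from the same repository.
# @() keeps .Count reliable when exactly one result comes back.
$findings = @(Get-MBCAResult -ModelId $modelId -Filter Noncompliant -RepositoryPath $repository)

# Serialize the full result objects with a timestamp in the file name.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$file  = Join-Path $exportDir ("{0}-noncompliant-{1}.xml" -f $modelId, $stamp)
$findings | Export-Clixml -Path $file

"{0} noncompliant result(s) written to {1}" -f $findings.Count, $file
```

Two exported files can later be loaded with Import-Clixml and compared to see which deviations were introduced or resolved between scans.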

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

Page 53

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false

Position? 2

Default value

Accept pipeline input? false

Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false

Position? 4

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true

Position? 3

Default value

Accept pipeline input? true (ByValue)

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

You can find further information about configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


You should check first if the Hotfix KB968930 is installed.

Afterwards, validate that the "Windows Remote Management" service is started.

Enable-PSRemoting

If CredSSP is unsupported or unavailable, you will see the following message:

If you have no permission to access the remote server, you get the error message:

5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting –force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is "Access Denied".

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.

2. Change to the directory where the .msi file resides.

3. Type: msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails with the error above because of a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the Machine Account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS Web Application such as SharePoint, or if you are using Reporting Services and the service account is set to a Domain User account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
  Note that computers in the TrustedHosts list might not be authenticated.
  -For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a Host Header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.
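A preflight check for the HTTP SPN conflict described in this section, added here as an example (it is not part of the original paper). It assumes a domain-joined machine with read access to Active Directory; the function name Get-HttpSpnOwner is hypothetical.

```powershell
# Added example, not from the whitepaper: look for an HTTP SPN that carries
# this machine's name but is registered on an account other than the machine
# account. Assumes a domain-joined computer with read access to Active Directory.

function Get-HttpSpnOwner {
    param([string]$HostName = $env:COMPUTERNAME)

    # Check the short name and, when a DNS domain is known, the FQDN as well.
    $names = @($HostName)
    $dnsDomain = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
    if ($dnsDomain) { $names += "$HostName.$dnsDomain" }

    foreach ($name in $names) {
        # LDAP query for any account that holds exactly HTTP/<name>.
        $searcher = [adsisearcher]"(servicePrincipalName=HTTP/$name)"
        [void]$searcher.PropertiesToLoad.Add('samaccountname')
        foreach ($entry in $searcher.FindAll()) {
            New-Object PSObject -Property @{
                Spn     = "HTTP/$name"
                Account = [string]$entry.Properties['samaccountname'][0]
            }
        }
    }
}

# WinRM runs as Network Service, so its Kerberos tickets are expected to
# resolve to the machine account (sAMAccountName = COMPUTERNAME$).
$machineAccount = "$env:COMPUTERNAME`$"

$winrm = Get-Service -Name WinRM
Write-Output ("WinRM service status: {0}" -f $winrm.Status)

$conflicts = @(Get-HttpSpnOwner | Where-Object { $_.Account -ne $machineAccount })
if ($conflicts.Count -gt 0) {
    foreach ($c in $conflicts) {
        Write-Warning ("{0} is registered on account '{1}'. Enable-PSRemoting and BPA scans are likely to fail with the Negotiate authentication error." -f $c.Spn, $c.Account)
    }
} else {
    Write-Output "No HTTP SPN for this host name is registered on another account."
}
```

A warning here means one of the two options above applies: temporarily removing the SPN for the scan, or moving the application to a Host Header.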

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals

Here is an example of one of these articles, which talks about a rule to check for a recent "clean" CHECKDB:

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level | Description

Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant | Compliant results are returned when a role satisfies the conditions of a rule.

Warning | Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name | Description

Security | Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance | Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before the role is used in production.

Postdeployment | Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.

BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient, and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)
SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)
Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)
Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)
Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)
Databases using simple recovery model (http://support.microsoft.com/kb/2137539)
User database collation different from model (http://support.microsoft.com/kb/2026108)
Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)
Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)
LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)
SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)
SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)
Invalid startup parameters (http://support.microsoft.com/kb/2028433)
MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)
sql incorrect results fix missing (http://support.microsoft.com/kb/971780)
File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)
linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)
Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)
default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)
TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)
FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)
Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)
A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)
Significant Portion of SQL Server Memory Has Been Paged Out (http://support.microsoft.com/kb/2028324)
Server Exception or Hang Detected on Server (http://support.microsoft.com/kb/2028589)
Databases exist without CHECKSUM protection (http://support.microsoft.com/kb/2078345)
backups outdated for databases (http://support.microsoft.com/kb/2027537)
Database consistency check not current (http://support.microsoft.com/kb/2033590)
SQL Server Memory settings are incorrect (http://support.microsoft.com/KB/918483/EN-US)
Autogrow Failed or took a long time (http://support.microsoft.com/kb/2091024)
Storport driver fix from KBA 940467 missing (http://support.microsoft.com/kb/2121098)
Storport driver fix from KBA 950903 missing (http://support.microsoft.com/kb/2121098)
SQLCLR needs additional memory configuration (http://support.microsoft.com/kb/969962/EN-US)
Operating System files and drivers needs update for working set trimming (http://support.microsoft.com/kb/2121098)
Agent Token Replacement (http://support.microsoft.com/kb/2202637)
Auditing Log in failures (http://support.microsoft.com/kb/2187161)
Databases with high number of VLF present (http://support.microsoft.com/kb/2028436)
Transparent Data Encryption Certificate (http://support.microsoft.com/kb/2201900)
Permission on the Binn folder (http://support.microsoft.com/kb/2029023)
Index Statistics Are Outdated
Server public permissions (http://support.microsoft.com/kb/2160698)
Detected use of older versions of SQLNCLI (http://support.microsoft.com/kb/979779)

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services (http://support.microsoft.com/kb/2128005)
Excessive amount of memory preallocated to Analysis Services (http://support.microsoft.com/kb/2027474)
Server not configured for optimal concurrent query throughput (http://support.microsoft.com/kb/2135031)
Non standard value detected for Analysis Services memory configuration (http://support.microsoft.com/kb/2027472)
Process Thread Pool Max limit above recommended limit (http://support.microsoft.com/kb/2134497)
Process Thread Pool Minimum is below the recommended limit (http://support.microsoft.com/kb/2134855)
Server is running a build with a known regression (http://support.microsoft.com/kb/2157941)
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur (http://support.microsoft.com/kb/2027754)
Server is ignoring duplicate key errors (http://support.microsoft.com/kb/2027761)
No default member defined for non-aggregatable attribute (http://support.microsoft.com/kb/2027769)
UnknownMember set to hidden (http://support.microsoft.com/kb/2027628)
Non-numeric key column for high cardinality attribute (http://support.microsoft.com/kb/2028138)
Attribute hierarchy enabled for high cardinality non-key attribute (http://support.microsoft.com/kb/2028143)
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected (http://support.microsoft.com/kb/2132742)
Account or Time attribute types defined in a non-matching dimension type (http://support.microsoft.com/kb/2157299)
An Account or Time dimension has no matching attribute defined (http://support.microsoft.com/kb/2027418)
Dimension has no attribute defined with the same type (http://support.microsoft.com/kb/2027443)
Attribute Dimension type mismatch (http://support.microsoft.com/kb/2157327)
Mismatched dimension attribute types detected in dimension (http://support.microsoft.com/kb/2027459)
Possible incorrect order of levels defined in hierarchy (http://support.microsoft.com/kb/2027460)
Define attribute relationships as Rigid where possible (http://support.microsoft.com/kb/2027468)
Redundant attribute relationships detected (http://support.microsoft.com/kb/2127437)
Diamond-shape relationship detected (http://support.microsoft.com/kb/2127570)
Non-Standard Attribute Relationship name detected (http://support.microsoft.com/kb/2127862)
Proactive Caching set for dimension without a processing query (http://support.microsoft.com/kb/2027541)
No Time dimension detected (http://support.microsoft.com/kb/2027532)
More than 3 parent-child dimensions with custom rollups defined (http://support.microsoft.com/kb/2134431)
Encountered a parent-child dimension with more than 500000 members (http://support.microsoft.com/kb/2131918)
Single attribute dimensions detected (http://support.microsoft.com/kb/2141654)
Measure groups with zero dimensional overlap detected in cube (http://support.microsoft.com/kb/2027609)
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective (http://support.microsoft.com/kb/2027603)
Use MOLAP storage for dimensions that participate in semi-additive measure groups (http://support.microsoft.com/kb/2135112)
Measure group defined with no partition (http://support.microsoft.com/kb/2027545)

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration (http://support.microsoft.com/kb/2145506)
HTTP Logging is not enabled (http://support.microsoft.com/kb/2145909)
Verbose logging is enabled (http://support.microsoft.com/kb/2146315)
NTLM authentication may fail for local (http://support.microsoft.com/kb/2146369)
Missing extended protection settings (http://support.microsoft.com/kb/2146062)

6.4 IS Rules

Logging task missing for package (http://support.microsoft.com/kb/2027723)
ActiveX Script task detected in package (http://support.microsoft.com/kb/2027712)
Unrecommended Integration Services service account detected (http://support.microsoft.com/kb/2027684)
Integration Services logging table found in system database master and/or msdb (http://support.microsoft.com/kb/2027706)
Integration Services memory dump detected (http://support.microsoft.com/kb/2027727)

6.5 Setup Rules

Unsupported Operating System Version Detected (http://support.microsoft.com/kb/2022909)
WOW64 not supported for SQL Failover Clustering (http://support.microsoft.com/kb/2157198)
Installer cache is missing for the SQL Installation (http://support.microsoft.com/kb/2015100)
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type (http://support.microsoft.com/kb/2118349)
Replication Pub and Sub out of sync (Data Validation) (http://support.microsoft.com/kb/2118386)
Replication Pub and Sub out of sync (Constraint Violations) (http://support.microsoft.com/kb/2118410)
Replication Pub and Sub out of sync (Skipped Transactions) (http://support.microsoft.com/kb/2194498)
Merge Replication Health Check (http://support.microsoft.com/kb/2118445)
Subscriptions Approaching Expiration (http://go.microsoft.com/fwlink/?LinkId=184483)
Replication Cleanup and Retention Health Check (http://support.microsoft.com/kb/2118485)
Replication Latency Threshold violations (http://support.microsoft.com/kb/2118425)

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

- SAP has its special Network Packet Size of 8 KB

- Existing Non-Microsoft Clients – would require Mixed Mode Authentication
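One way to record accepted deviations such as the two above with the Get-MBCAResult and Set-MBCAResult cmdlets documented in section 9.1; this is an added example, not part of the original paper. The Title property on result objects, the rule titles in $accepted and the audit path are assumptions (the paper itself only shows the Category property).

```powershell
# Added example, not from the whitepaper. Run in an elevated PowerShell session.
Import-Module BaselineConfigurationAnalyzer

# Assumption: each result object exposes a Title property holding the rule name.
# Constructed list of deviations that were reviewed and accepted for this server.
$accepted = @(
    'Authentication Mode',                       # mixed mode required by non-Microsoft clients
    'non-default network packet size in use'     # SAP uses a network packet size of 8 KB
)
$auditDir = 'C:\BpaAudit'                        # hypothetical location for the audit trail

$noncompliant = @(Get-MBCAResult -ModelId SQL2008R2BPA -Filter Noncompliant)
$toExclude    = @($noncompliant | Where-Object { $accepted -contains $_.Title })
$stillOpen    = @($noncompliant | Where-Object { $accepted -notcontains $_.Title })

if ($toExclude.Count -gt 0) {
    # Excluding a result hides it from later reports, so write down who
    # hid which finding and when before changing the results repository.
    if (-not (Test-Path $auditDir)) { New-Item -ItemType Directory -Path $auditDir | Out-Null }
    $auditFile = Join-Path $auditDir ("excluded-{0}.csv" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $toExclude |
        Select-Object @{ n = 'ExcludedOn'; e = { Get-Date -Format s } },
                      @{ n = 'ExcludedBy'; e = { "$env:USERDOMAIN\$env:USERNAME" } },
                      Category, Title |
        Export-Csv -Path $auditFile -NoTypeInformation

    $toExclude | Set-MBCAResult -Exclude $true
}

# Remaining findings, Security category first.
$stillOpen |
    Sort-Object @{ Expression = { $_.Category -ne 'Security' } }, Title |
    Format-Table Category, Title -AutoSize
```

Running Set-MBCAResult with -Exclude $false on the same collection brings the findings back when an accepted deviation is revisited.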

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You get help for these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights (that is, Run as Administrator).

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the -ModelId parameter by running the Get-MBCAModel cmdlet with no parameters, targeted at a computer on which MBCA models are installed.

This parameter supports wildcard characters.

Required false

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters, targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA submodel that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the -ModelId parameter or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan can be retrieved with the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights (that is, Run as Administrator).

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required false

Position named

Default value Default

Accept pipeline input false

Accept wildcard characters false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X.509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration. Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents or discovery. The default, All, is to perform both discovery and analysis.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required false

Position named

Default value All

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the -ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False


This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required false

Position named

Default value 80

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet writes results to the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required false


Position named

Default value 32

Accept pipeline input false

Accept wildcard characters false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role is preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:

Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights (that is, Run as Administrator).

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the -ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required false

Position named


Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = {0}

3. Completed getting MBCA results for Model Id = {0}, Number of Results = {1}

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = {0}

3. Completed getting MBCA collected configuration data for Model Id = {0}

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights (that is, Run as Administrator).

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required false


Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results <Result>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
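The scan, review, and exclude sequence from sections 9.1.2 to 9.1.4 in one script, as an added example that is not part of the original whitepaper. It archives the full result set before Set-MBCAResult hides anything, so excluded findings stay reviewable. The archive path, the excluded category, and the assumption that the model needs no model-specific parameters are illustrative.

```powershell
# Added example (not from the whitepaper). Assumes the MBCA module and the
# SQL2008R2BPA model are installed. $ArchiveDir and $ExcludeCategory are
# hypothetical values chosen for illustration.
param(
    [string]$ModelId         = 'SQL2008R2BPA',
    [string]$ArchiveDir      = 'C:\BpaArchive',
    [string]$ExcludeCategory = 'Performance'
)

# The MBCA cmdlets require an elevated session, so fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start Windows PowerShell with Run as Administrator before running this script.'
}

Import-Module BaselineConfigurationAnalyzer -ErrorAction Stop

# Confirm the model is installed before trying to scan with it.
if (-not (Get-MBCAModel -ModelId $ModelId -ErrorAction SilentlyContinue)) {
    throw "MBCA model '$ModelId' is not installed on this computer."
}

# Discovery and analysis in one pass (the default -Mode is All).
# Assumption: no model-specific parameters are needed; inspect
# (Get-MBCAModel -ModelId $ModelId).Parameters and add them here if they are.
Invoke-MBCAModel -ModelId $ModelId | Out-Null

if (-not (Test-Path $ArchiveDir)) {
    New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
}
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Archive the complete, unfiltered result set first. Once results are excluded
# they are easy to forget, so keep a dated copy of what the scan actually found.
$all = Get-MBCAResult -ModelId $ModelId
$all | Export-Clixml -Path (Join-Path $ArchiveDir "$ModelId-all-$stamp.xml")

# Summarize the noncompliant findings by category for triage.
$noncompliant = Get-MBCAResult -ModelId $ModelId -Filter Noncompliant
$noncompliant |
    Group-Object Category |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Exclude one category, but record exactly which results were hidden and when.
$toExclude = $all | Where-Object { $_.Category -eq $ExcludeCategory }
if ($toExclude) {
    $toExclude | Export-Clixml -Path (Join-Path $ArchiveDir "$ModelId-excluded-$stamp.xml")
    Set-MBCAResult -Exclude $true -Results $toExclude
}

# To bring the excluded results back later, reverse the operation:
#   Set-MBCAResult -Exclude $false -Results $toExclude
```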

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


If you have no permission to access the remote server you get the error message


5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo -NoProfile -Command Enable-PSRemoting -force

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is "Access Denied".

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.

2. Change to the directory where the .msi file resides.

3. Type msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails with the above error because of a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the machine account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS web application such as SharePoint, or if you are using Reporting Services and the service account is set to a domain user account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That’s where this problem comes in: WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a domain account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc…

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application’s end, would be to run the application under a host header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.
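The following triage script is an added example, not part of the whitepaper or of BPA itself. It looks for the MsiInstaller event 11722 shown in 5.7.1, then separates the workgroup case (5.7.2) from the HTTP SPN case (5.7.3) by listing the directory accounts, other than the machine account, that hold an HTTP SPN for this host. All function names are hypothetical; it assumes an elevated PowerShell 2.0 or later session and, for the SPN lookup, a domain-joined machine that can reach a domain controller.

```powershell
# Added example; function names are hypothetical and not part of BPA or MBCA.
# Run in an elevated PowerShell session on the machine where BPA setup failed.

function Get-BpaSetupFailureEvent {
    # MsiInstaller event 11722 whose description names the EnablePSRemoting action.
    $filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 11722 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EnablePSRemoting' }
}

function Get-HttpSpnHolder {
    # Returns every directory account that carries an HTTP SPN for the given host names.
    param([Parameter(Mandatory = $true)][string[]]$HostName)

    foreach ($name in $HostName) {
        # Match HTTP/<name> and HTTP/<name>:<port>, but not longer host names.
        $ldap = "(|(servicePrincipalName=HTTP/$name)(servicePrincipalName=HTTP/${name}:*))"
        $searcher = [adsisearcher]$ldap
        [void]$searcher.PropertiesToLoad.Add('samaccountname')
        [void]$searcher.PropertiesToLoad.Add('serviceprincipalname')

        foreach ($entry in $searcher.FindAll()) {
            $spns = $entry.Properties['serviceprincipalname'] |
                Where-Object { $_ -like "HTTP/$name" -or $_ -like "HTTP/${name}:*" }
            New-Object PSObject -Property @{
                Account = [string]$entry.Properties['samaccountname'][0]
                Spn     = @($spns)
            }
        }
    }
}

function Get-BpaRemotingTriage {
    $cs       = Get-WmiObject -Class Win32_ComputerSystem
    $failures = @(Get-BpaSetupFailureEvent)
    $scenario = 'No known cause detected; review the WinRM error text'
    $holders  = @()

    if (-not $cs.PartOfDomain) {
        # Section 5.7.2: the installer's Enable-PSRemoting call returns "Access Denied".
        $scenario = 'Workgroup or non-domain computer (5.7.2)'
    }
    else {
        # WinRM relies on the HOST SPN of the machine account (NAME$). Any other
        # account holding HTTP/<this host> is the conflict described in 5.7.3.
        $machineAccount = $env:COMPUTERNAME + '$'
        $names   = @($cs.DNSHostName, "$($cs.DNSHostName).$($cs.Domain)")
        $holders = @(Get-HttpSpnHolder -HostName $names |
            Where-Object { $_.Account -ne $machineAccount })
        if ($holders.Count -gt 0) {
            $scenario = 'HTTP SPN for this host is held by another account (5.7.3)'
        }
    }

    New-Object PSObject -Property @{
        SetupFailureEvents = $failures.Count
        LastFailure        = ($failures | Select-Object -First 1).TimeCreated
        PartOfDomain       = $cs.PartOfDomain
        Scenario           = $scenario
        HttpSpnHolders     = $holders
    }
}

Get-BpaRemotingTriage | Format-List
```

The script only reads the event log and the directory; it does not remove or re-add any SPN.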

6 RULES

Searching for “SQL Server 2008 R2 BPA” at Microsoft.com reveals:

Here is an example of one of these articles, which talks about a rule to check for a recent “clean” CHECKDB:

BPA works by measuring a role’s compliance with best practice rules in eight different categories of a role’s effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level | Description
Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule.
Compliant | Compliant results are returned when a role satisfies the conditions of a rule.
Warning | Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name | Description
Security | Security rules are applied to measure a role’s relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.
Performance | Performance rules are applied to measure a role’s ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role’s workload.
Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.
Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.
Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.
Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production.
Postdeployment | Postdeployment rules are applied after all required services have started for a role and the role is running in the enterprise.
BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient, and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)
SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114
Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154
Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875
Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448
Databases using simple recovery model http://support.microsoft.com/kb/2137539
User database collation different from model http://support.microsoft.com/kb/2026108
Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537
Databases have auto close option enabled http://support.microsoft.com/kb/2160685
LSI SAS drivers needs update http://support.microsoft.com/kb/2121098
SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845
SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447
Invalid startup parameters http://support.microsoft.com/kb/2028433
MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550
sql incorrect results fix missing http://support.microsoft.com/kb/971780
File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002
linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US
Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098
default extended event health session not in expected state http://support.microsoft.com/kb/2160570
TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483
FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720
Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720
A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606
Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324
Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589
Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345
backups outdated for databases http://support.microsoft.com/kb/2027537
Database consistency check not current http://support.microsoft.com/kb/2033590
SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US
Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024
Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098
Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098
SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US
Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098
Agent Token Replacement http://support.microsoft.com/kb/2202637
Auditing Log in failures http://support.microsoft.com/kb/2187161
Databases with high number of VLF present http://support.microsoft.com/kb/2028436
Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900
Permission on the Binn folder http://support.microsoft.com/kb/2029023
Index Statistics Are Outdated
Server public permissions http://support.microsoft.com/kb/2160698
Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005
Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474
Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031
Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472
Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497
Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855
Server is running a build with a known regression http://support.microsoft.com/kb/2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754
Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761
No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769
UnknownMember set to hidden http://support.microsoft.com/kb/2027628
Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138
Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742
Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299
An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418
Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443
Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327
Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459
Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460
Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468
Redundant attribute relationships detected http://support.microsoft.com/kb/2127437
Diamond-shape relationship detected http://support.microsoft.com/kb/2127570
Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862
Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541
No Time dimension detected http://support.microsoft.com/kb/2027532
More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431
Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918
Single attribute dimensions detected http://support.microsoft.com/kb/2141654
Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112
Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506
HTTP Logging is not enabled http://support.microsoft.com/kb/2145909
Verbose logging is enabled http://support.microsoft.com/kb/2146315
NTLM authentication may fail for local http://support.microsoft.com/kb/2146369
Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723
ActiveX Script task detected in package http://support.microsoft.com/kb/2027712
Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684
Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706
Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909
WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198
Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349
Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386
Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410
Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498
Merge Replication Health Check http://support.microsoft.com/kb/2118445
Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483
Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485
Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article “Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates” the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it’s a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob’s article states the common resulting consequences – the involvement of Microsoft Support – and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest
2. Dynamic parameters that are included with the model
3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt

The output object encapsulates the results of the cmdlet that you entered It contains information such

as the MBCA model ID the success or failure of the cmdlet and other details

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role is preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:

Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Page 49

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by <Model Id>.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by <SubModel Id> and on the computer that is represented by <Server>.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

Page 50

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>

Page 51

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the -ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false

Position? named

Page 52

Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedConfiguration specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results.

2. Attempting to get MBCA results for Model Id = {0}.

3. Completed getting MBCA results for Model Id = {0}, Number of Results = {1}.

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data.

2. Attempting to get MBCA collected configuration data for Model Id = {0}.

3. Completed getting MBCA collected configuration data for Model Id = {0}.

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

Page 53

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by <Model Id> is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by <Model Id>, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by <SubModel Id>. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by <SubModel Id>. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by <Context Model Id>; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

Page 54

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as <Server>, and only those results found in the non-default results repository that is represented by <Repository Path>.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false

Position? 2

Default value

Accept pipeline input? false

Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false

Page 55

Position? 4

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable, $allPerformance, to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true

Position? 3

Default value

Accept pipeline input? true (ByValue)

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by <Model Id>.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Page 56

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by <Specified Model Id> from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


Page 30: SQL2008R2 BPA Whitepaper v10


5.7 Installation

5.7.1 PowerShell error

After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one of two scenarios when installing BPA.

In all of the cases of an install failure, you will see the following error:

There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:

Log Name: Application
Source: MsiInstaller
Date: 6/10/2010 8:38:18 AM
Event ID: 11722
Task Category: None
Level: Error
Keywords: Classic
User: <Username>
Computer: <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem
with this Windows Installer package. A program run as part of the setup did
not finish as expected. Contact your support personnel or package
vendor. Action EnablePSRemoting, location: powershell.exe, command: -NoLogo
-NoProfile -Command Enable-PSRemoting –force

Page 31

This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is "Access Denied". To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.

2. Change to the directory where the .msi file resides.

3. Type: msiexec /i <MSI Name> SKIPCA=1

4. <MSI Name> will be either SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails with the above error because of a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the Machine Account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS Web Application such as SharePoint, or if you are using Reporting Services and the service account is set to a Domain User account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error
occured while using Negotiate authentication: An unknown security error
occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are
specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port
does not exist.
-The client and remote computers are in different domains and there is no
trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following
command: winrm help config.

Page 32

At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig],
InvalidOperationException
+ FullyQualifiedErrorId :
WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled, and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a Host Header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.
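The HTTP SPN situation described in this section can be confirmed before any SPN is removed. The following is an added example, not part of the original paper: it parses the text that setspn -Q prints and reports which account holds an explicit HTTP SPN for the machine name. The function names, the host name SQL01, the contoso.com domain, the svc-reports account and the embedded sample output are all constructed for illustration.

```powershell
# Added example, not from the original paper. Reports which account holds an
# explicit HTTP SPN for a host, based on the text output of "setspn -Q".

function Get-SpnOwner {
    param([string[]]$SetSpnOutput)   # lines printed by: setspn -Q <spn>

    $owners  = @()
    $current = $null
    foreach ($line in $SetSpnOutput) {
        if ($line -match '^CN=') {
            # A distinguished name opens the block for one account.
            $current = New-Object PSObject -Property @{ Account = $line.Trim(); Spns = @() }
            $owners += $current
        }
        elseif ($current -and $line -match '^\s+(\S+/\S+)\s*$') {
            # Indented lines below the DN are the SPNs registered on that account.
            $current.Spns += $Matches[1]
        }
    }
    $owners
}

function Test-HttpSpnConflict {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$SetSpnOutput          # optional captured output, for offline review
    )
    if (-not $SetSpnOutput) {
        # Live query: needs setspn.exe and a domain-joined computer. This checks
        # the short name only; repeat with the FQDN to cover both forms.
        $SetSpnOutput = & setspn.exe -Q "HTTP/$ComputerName"
    }
    $machineDn = '^CN=' + [regex]::Escape($ComputerName) + ','
    foreach ($owner in @(Get-SpnOwner -SetSpnOutput $SetSpnOutput)) {
        $httpSpns = @($owner.Spns | Where-Object { $_ -like 'HTTP/*' })
        if ($httpSpns.Count -eq 0) { continue }
        New-Object PSObject -Property @{
            Account  = $owner.Account
            HttpSpns = $httpSpns -join ', '
            # WinRM runs as Network Service and relies on the machine account.
            # An HTTP SPN for this host on any other account is the case
            # this section describes.
            Conflict = -not ($owner.Account -match $machineDn)
        }
    }
}

# Constructed sample output (all names are placeholders): the HTTP SPN for
# SQL01 sits on a domain service account instead of the machine account.
$sample = @'
Checking domain DC=contoso,DC=com
CN=svc-reports,OU=Service Accounts,DC=contoso,DC=com
        HTTP/SQL01
        HTTP/sql01.contoso.com
        MSSQLSvc/sql01.contoso.com:1433

Existing SPN found!
'@ -split "`r?`n"

Test-HttpSpnConflict -ComputerName 'SQL01' -SetSpnOutput $sample | Format-List
```

Called without -SetSpnOutput, the function queries the domain for the local computer name. A result with Conflict set to True identifies the account whose HTTP SPN has to be handled with one of the options described above.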

Page 33

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals

Here is an example of one of these articles that talks about a rule to check for a recent "clean" CHECKDB

Page 34

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level: Description

Noncompliant: Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant: Compliant results are returned when a role satisfies the conditions of a rule.

Warning: Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

Page 35

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name: Description

Security: Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance: Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration: Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy: Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation: Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment: Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before the role is used in production.

Postdeployment: Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.

BPA Prerequisites: BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules, with the links to the rule descriptions. These rules check that you have a secure, resilient, and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)

Page 36

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114
Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154
Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875
Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448
Databases using simple recovery model http://support.microsoft.com/kb/2137539
User database collation different from model http://support.microsoft.com/kb/2026108
Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537
Databases have auto close option enabled http://support.microsoft.com/kb/2160685
LSI SAS drivers needs update http://support.microsoft.com/kb/2121098
SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845
SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447
Invalid startup parameters http://support.microsoft.com/kb/2028433
MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550
sql incorrect results fix missing http://support.microsoft.com/kb/971780
File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002
linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US
Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098
default extended event health session not in expected state http://support.microsoft.com/kb/2160570
TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483
FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720
Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720
A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606


Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324
Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589
Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345
backups outdated for databases http://support.microsoft.com/kb/2027537
Database consistency check not current http://support.microsoft.com/kb/2033590
SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US
Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024
Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098
Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098
SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US
Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098
Agent Token Replacement http://support.microsoft.com/kb/2202637
Auditing Log in failures http://support.microsoft.com/kb/2187161
Databases with high number of VLF present http://support.microsoft.com/kb/2028436
Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900
Permission on the Binn folder http://support.microsoft.com/kb/2029023
Index Statistics Are Outdated
Server public permissions http://support.microsoft.com/kb/2160698
Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005
Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474
Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031
Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472
Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497
Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855
Server is running a build with a known regression http://support.microsoft.com/kb/2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754
Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761
No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769
UnknownMember set to hidden http://support.microsoft.com/kb/2027628
Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138
Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742


Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299
An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418
Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443
Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327
Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459
Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460
Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468
Redundant attribute relationships detected http://support.microsoft.com/kb/2127437
Diamond-shape relationship detected http://support.microsoft.com/kb/2127570
Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862
Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541
No Time dimension detected http://support.microsoft.com/kb/2027532
More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431
Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918
Single attribute dimensions detected http://support.microsoft.com/kb/2141654
Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112
Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506
HTTP Logging is not enabled http://support.microsoft.com/kb/2145909
Verbose logging is enabled http://support.microsoft.com/kb/2146315
NTLM authentication may fail for local http://support.microsoft.com/kb/2146369
Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723
ActiveX Script task detected in package http://support.microsoft.com/kb/2027712
Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684
Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706
Integration Services memory dump detected http://support.microsoft.com/kb/2027727


6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909
WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198
Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349
Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386
Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410
Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498
Merge Replication Health Check http://support.microsoft.com/kb/2118445
Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483
Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485
Replication Latency Threshold violations http://support.microsoft.com/kb/2118425


7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication


8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA Case 1 Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed trace flag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.


9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest
2. Dynamic parameters that are included with the model
3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration. Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:

Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results
2. Attempting to get MBCA results for Model Id = 0
3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data
2. Attempting to get MBCA collected configuration data for Model Id = 0
3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.


-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the model that is represented by Model Id

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are

installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-

MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both

supported by MBCA and installed on the computer at which the cmdlet is targeted

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false

Position? 2

Default value

Accept pipeline input? false

Accept wildcard characters? false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false

Position? 4

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true

Position? 3

Default value

Accept pipeline input? true (ByValue)

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
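An exclusion made with Set-MBCAResult hides a finding from later reviews, so it is worth checking which Security results are currently excluded before relying on a report. The following is an added example, not part of the original paper; the Excluded, Severity and Title property names on the result objects are assumptions, and C:\Temp\bpa-excluded.csv is a hypothetical output path.

```powershell
# Added example (not from the whitepaper). Run in an elevated PowerShell session.
# Assumption: result objects expose Excluded, Severity and Title properties
# in addition to the Category property used in the paper's examples.
Import-Module BaselineConfigurationAnalyzer

$modelId = 'SQL2008R2BPA'

# Get-MBCAResult reads the most recent stored scan; it does not start a new one.
$results = @(Get-MBCAResult -ModelId $modelId)
if ($results.Count -eq 0) {
    Write-Warning "No stored scan results for model $modelId. Run a scan first."
    return
}

# Overview: how many results per category are currently excluded.
$results |
    Group-Object -Property Category |
    ForEach-Object {
        $excludedCount = @($_.Group | Where-Object { $_.Excluded }).Count
        New-Object PSObject -Property @{
            Category = $_.Name
            Total    = $_.Count
            Excluded = $excludedCount
        }
    } |
    Sort-Object Category |
    Format-Table Category, Total, Excluded -AutoSize

# Security findings that have been excluded from the report.
$hiddenSecurity = @($results | Where-Object {
    $_.Category -eq 'Security' -and $_.Excluded
})

if ($hiddenSecurity.Count -gt 0) {
    # Keep a record of what was hidden before changing anything.
    $hiddenSecurity |
        Select-Object Severity, Category, Title |
        Export-Csv -Path 'C:\Temp\bpa-excluded.csv' -NoTypeInformation

    # -Exclude $false puts the results back into the visible collection.
    $hiddenSecurity | Set-MBCAResult -Exclude $false
    Write-Output "$($hiddenSecurity.Count) excluded Security result(s) re-included."
}
else {
    Write-Output 'No Security results are excluded.'
}
```

If the scan results live in a non-default repository, add the same -RepositoryPath value to both the Get-MBCAResult and Set-MBCAResult calls, as in Example 2.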

9.1.5 MBCA Model Authoring

Further information about configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.

Did this paper help you? Please give us your feedback. Tell us on a scale of 1 (poor) to 5 (excellent), how would you rate this paper and why have you given it this rating? For example:

Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason?

Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?

This feedback will help us improve the quality of white papers we release.


This is an indicator that PowerShell is not configured. You must run the following command:

powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer

In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The actual error coming back from the PowerShell command within the Installer is “Access Denied”.

To work around this issue, you can do the following:

1. Open a command prompt with Administrative Privileges.

2. Change to the directory where the msi file resides.

3. Type msiexec /i <MSI Name> SKIPCA=1

4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi, depending on your platform.

5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges.

6. Execute the following commands:

a. Enable-PSRemoting

b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}

This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure

In this scenario, the installation fails as described above because of a Kerberos issue. This particular issue could actually show up after you have installed BPA, depending on how you have configured your environment.

The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a result, it will be using the HOST Service Principal Name (SPN) that is on the Machine Account, as it is running under that context. You may have an HTTP SPN that resides on a different account with that host name, for example if you are running an IIS Web Application such as SharePoint, or if you are using Reporting Services, and the service account is set to a Domain User account instead of Network Service or Local System. If the URL of your application matches the machine name, then your HTTP SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and give you a message similar to the following:

Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a Host Header; then your HTTP SPN would not include the machine name, allowing BPA to run without issue.
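To confirm whether the HTTP SPN conflict described in this section applies to a server, the directory can be queried for accounts that hold an HTTP SPN with the machine's name. This is an added example, not part of the original paper; it assumes a domain-joined computer and an account that can read servicePrincipalName attributes.

```powershell
# Added example (not from the whitepaper). Lists every account that holds an
# HTTP SPN for this computer's name. WinRM authenticates against the machine
# account (HOST SPN), so an HTTP/<machine name> SPN registered on any other
# account is the conflict described in this section.
$shortName      = $env:COMPUTERNAME
$fqdn           = [System.Net.Dns]::GetHostEntry($shortName).HostName
$machineAccount = "$shortName`$"     # sAMAccountName of the computer object
$names          = @($shortName, $fqdn) | Select-Object -Unique

$findings = @()
foreach ($name in $names) {
    # Match the bare SPN and any SPN with a port suffix (HTTP/name:port).
    $filter = '(|(servicePrincipalName=HTTP/{0})(servicePrincipalName=HTTP/{0}:*))' -f $name
    try {
        $searcher = [adsisearcher]$filter
        $searcher.PageSize = 200
        foreach ($entry in $searcher.FindAll()) {
            $account = [string]$entry.Properties['samaccountname'][0]
            $findings += New-Object PSObject -Property @{
                SPNHost           = $name
                Account           = $account
                DistinguishedName = [string]$entry.Properties['distinguishedname'][0]
                # Held by anything other than this machine's own account.
                Conflict          = ($account -ne $machineAccount)
            }
        }
    }
    catch {
        # Workgroup machines (section 5.7.2) have no directory to query.
        Write-Warning "Directory query failed for ${name}: $($_.Exception.Message)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No explicit HTTP SPN found for $shortName."
}
else {
    $findings | Format-Table SPNHost, Account, Conflict, DistinguishedName -AutoSize
    $conflicts = @($findings | Where-Object { $_.Conflict })
    if ($conflicts.Count -gt 0) {
        Write-Warning ("HTTP SPN for this machine name is held by: " +
            (($conflicts | ForEach-Object { $_.Account } | Select-Object -Unique) -join ', '))
    }
}
```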


6 RULES

Searching for “SQL Server 2008 R2 BPA” at Microsoft.com reveals

Here is an example of one of these articles that talks about a rule to check for a recent “clean” CHECKDB:

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level: Description

Noncompliant: Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant: Compliant results are returned when a role satisfies the conditions of a rule.

Warning: Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name: Description

Security: Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance: Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration: Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy: Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation: Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment: Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before the role is used in production.

Postdeployment: Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.

BPA Prerequisites: BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114
Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154
Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875
Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448
Databases using simple recovery model http://support.microsoft.com/kb/2137539
User database collation different from model http://support.microsoft.com/kb/2026108
Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537
Databases have auto close option enabled http://support.microsoft.com/kb/2160685
LSI SAS drivers needs update http://support.microsoft.com/kb/2121098
SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845
SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447
Invalid startup parameters http://support.microsoft.com/kb/2028433
MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550
sql incorrect results fix missing http://support.microsoft.com/kb/971780
File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002
linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US
Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098
default extended event health session not in expected state http://support.microsoft.com/kb/2160570
TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483
FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720
Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720
A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606

Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324
Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589
Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345
backups outdated for databases http://support.microsoft.com/kb/2027537
Database consistency check not current http://support.microsoft.com/kb/2033590
SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US
Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024
Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098
Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098
SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US
Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098
Agent Token Replacement http://support.microsoft.com/kb/2202637
Auditing Log in failures http://support.microsoft.com/kb/2187161
Databases with high number of VLF present http://support.microsoft.com/kb/2028436
Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900
Permission on the Binn folder http://support.microsoft.com/kb/2029023
Index Statistics Are Outdated
Server public permissions http://support.microsoft.com/kb/2160698
Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005
Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474
Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031
Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472
Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497
Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855
Server is running a build with a known regression http://support.microsoft.com/kb/2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754
Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761
No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769
UnknownMember set to hidden http://support.microsoft.com/kb/2027628
Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138
Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742

Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299
An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418
Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443
Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327
Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459
Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460
Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468
Redundant attribute relationships detected http://support.microsoft.com/kb/2127437
Diamond-shape relationship detected http://support.microsoft.com/kb/2127570
Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862
Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541
No Time dimension detected http://support.microsoft.com/kb/2027532
More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431
Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918
Single attribute dimensions detected http://support.microsoft.com/kb/2141654
Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112
Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506
HTTP Logging is not enabled http://support.microsoft.com/kb/2145909
Verbose logging is enabled http://support.microsoft.com/kb/2146315
NTLM authentication may fail for local http://support.microsoft.com/kb/2146369
Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723
ActiveX Script task detected in package http://support.microsoft.com/kb/2027712
Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684
Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706
Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909
WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198
Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349
Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386
Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410
Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498
Merge Replication Health Check http://support.microsoft.com/kb/2118445
Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483
Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485
Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients - would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article “Why use SQL Server 2008 R2 BPA Case 1 Missing Updates” the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences - the involvement of Microsoft Support, and the final solution - adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest.

2. Dynamic parameters that are included with the model.

3. Submodels that are included with the model.

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters, and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false

Position? 2

Default value

Accept pipeline input? true (ByValue, ByPropertyName)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters, and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false

Position? named

Default value Default

Accept pipeline input? false

Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X.509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or "localhost".

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false

Position? named

Default value All

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (ByValue, ByPropertyName)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false

Position? named

Default value 80

Accept pipeline input? false

Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false

Position? named

Default value 32

Accept pipeline input? false

Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role is preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or "localhost". Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include "localhost", a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (ByValue, ByPropertyName)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false

Position? 2

Default value

Accept pipeline input? false

Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false

Position? 4

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true

Position? 3

Default value

Accept pipeline input? true (ByValue)

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled, and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath "C:\ReposPath" | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath "C:\ReposPath" -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id, from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
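The cmdlets described above, combined into one triage pass, as an added example that is not part of the original whitepaper: it scans the SQL2008R2BPA model, summarizes the Noncompliant results by category, saves the Security findings before anything is hidden, and excludes only the Performance results while keeping a record of what was excluded. The paths C:\BpaRepo and C:\BpaReports, the CSV file names and the variable names are assumptions; the only result property used is Category, as in the examples above.

```powershell
# Added example (not from the whitepaper). Assumes an elevated Windows PowerShell
# session in which the MBCA cmdlets and the SQL2008R2BPA model are available.
$modelId   = 'SQL2008R2BPA'
$repoPath  = 'C:\BpaRepo'      # hypothetical non-default results repository
$reportDir = 'C:\BpaReports'   # hypothetical folder for exported findings

# The MBCA cmdlets require an elevated session run by a member of Administrators,
# so fail early with a clear message instead of a cmdlet error halfway through.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as Administrator) session.'
}

foreach ($dir in $repoPath, $reportDir) {
    if (-not (Test-Path $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
}

# Discovery and analysis (-Mode defaults to All), written to the non-default repository.
# The output object reports the model ID and whether the scan succeeded.
$scan = Invoke-MBCAModel -ModelId $modelId -RepositoryPath $repoPath
$scan | Format-List

# Read back only the Noncompliant results from the same repository.
$findings = @(Get-MBCAResult -ModelId $modelId -RepositoryPath $repoPath -Filter Noncompliant)

# Number of Noncompliant results per rule category.
$findings |
    Group-Object -Property Category |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Name, Count -AutoSize

# Save the Security findings before any result is excluded.
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$security = @($findings | Where-Object { $_.Category -eq 'Security' })
if ($security.Count -gt 0) {
    $security | Export-Csv -Path (Join-Path $reportDir "security-$stamp.csv") -NoTypeInformation
}

# Exclude only the Performance results, and record exactly what was hidden so the
# exclusion can be reviewed later. Security results are never passed to Set-MBCAResult.
$performance = @($findings | Where-Object { $_.Category -eq 'Performance' })
if ($performance.Count -gt 0) {
    $performance | Export-Csv -Path (Join-Path $reportDir "excluded-$stamp.csv") -NoTypeInformation
    Set-MBCAResult -Exclude $true -RepositoryPath $repoPath -Results $performance
}
```

To bring the excluded results back, pass the same collection to Set-MBCAResult with -Exclude $false and the same -RepositoryPath.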

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


Page 32: SQL2008R2 BPA Whitepaper v10

Page 32

command: "winrm help config".

At line:50 char:33

+ Set-WSManQuickConfig <<<< -force

+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException

+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

You can get this type of error from WinRM for multiple reasons. The one that we saw in our testing was the HTTP SPN scenario.

If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine, you have some options. First, you can follow the steps mentioned above to get BPA installed. The Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP SPN to get remoting enabled and then re-add the HTTP SPN.

Once BPA is set up, you will still not be able to run BPA if you put the HTTP SPN back in place. You will see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.

One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the scan, and then put the HTTP SPN back in place. Another option, but one that will probably require further testing from your application's end, would be to run the application under a Host Header; your HTTP SPN would then not include the machine name, allowing BPA to run without issue.

6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals

Here is an example of one of these articles that talks about a rule to check for a recent "clean" CHECKDB

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level | Description

Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant | Compliant results are returned when a role satisfies the conditions of a rule.

Warning | Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name | Description

Security | Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance | Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before the role is used in production.

Postdeployment | Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.

BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient, and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)

Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)

Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)

non-default network packet size in use (http://support.microsoft.com/kb/2157175)

degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)

Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)

SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)

SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)

Trustworthy Bit (http://support.microsoft.com/kb/2183687)

Symmetric Keys Check (http://support.microsoft.com/kb/2162020)

Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)

SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)


SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)

Windows API calls intercepted (http://support.microsoft.com/kb/2033238)

unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)

Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)

non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)

Guest Permissions (http://support.microsoft.com/kb/2186935)

Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)

IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)

IO device errors detected (http://support.microsoft.com/kb/2091098)

IO errors during page faults detected (http://support.microsoft.com/kb/2091098)

cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)

disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)

failed IO requests detected (http://support.microsoft.com/kb/2091098)

IO requests are successful when retried (http://support.microsoft.com/kb/2015757)

IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)

This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)

tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)

Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)

Logical consistency errors detected (http://support.microsoft.com/kb/2152472)

Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)

SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)

incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114

Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154

Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875

Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448

Databases using simple recovery model http://support.microsoft.com/kb/2137539

User database collation different from model http://support.microsoft.com/kb/2026108

Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537

Databases have auto close option enabled http://support.microsoft.com/kb/2160685

LSI SAS drivers needs update http://support.microsoft.com/kb/2121098

SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845

SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447

Invalid startup parameters http://support.microsoft.com/kb/2028433

MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550

sql incorrect results fix missing http://support.microsoft.com/kb/971780

File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002

linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US

Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098

default extended event health session not in expected state http://support.microsoft.com/kb/2160570

TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483

FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720

Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720

A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606


Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324

Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589

Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345

backups outdated for databases http://support.microsoft.com/kb/2027537

Database consistency check not current http://support.microsoft.com/kb/2033590

SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US

Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024

Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098

Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098

SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US

Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098

Agent Token Replacement http://support.microsoft.com/kb/2202637

Auditing Log in failures http://support.microsoft.com/kb/2187161

Databases with high number of VLF present http://support.microsoft.com/kb/2028436

Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900

Permission on the Binn folder http://support.microsoft.com/kb/2029023

Index Statistics Are Outdated

Server public permissions http://support.microsoft.com/kb/2160698

Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005

Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474

Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031

Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472

Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497

Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855

Server is running a build with a known regression http://support.microsoft.com/kb/2157941

Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754

Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761

No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769

UnknownMember set to hidden http://support.microsoft.com/kb/2027628

Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138

Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143

ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742


Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299

An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418

Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443

Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327

Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459

Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460

Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468

Redundant attribute relationships detected http://support.microsoft.com/kb/2127437

Diamond-shape relationship detected http://support.microsoft.com/kb/2127570

Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862

Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541

No Time dimension detected http://support.microsoft.com/kb/2027532

More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431

Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918

Single attribute dimensions detected http://support.microsoft.com/kb/2141654

Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603

Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112

Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506

HTTP Logging is not enabled http://support.microsoft.com/kb/2145909

Verbose logging is enabled http://support.microsoft.com/kb/2146315

NTLM authentication may fail for local http://support.microsoft.com/kb/2146369

Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723

ActiveX Script task detected in package http://support.microsoft.com/kb/2027712

Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684

Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706

Integration Services memory dump detected http://support.microsoft.com/kb/2027727


6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425


7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication
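One way to keep accepted deviations visible without letting them hide new findings is to triage scan results against a written register of approved exceptions. The following is an added example, not code from this whitepaper or from the BPA tool; the function name Split-BpaFinding, the property names Title, Category and Severity, and the sample findings are assumptions made for illustration.

```powershell
# Added example: triage BPA findings against a register of accepted deviations.
#
# Assumptions: result objects carry Title, Category and Severity properties
# (hypothetical names, modelled on the result and category tables in this
# paper). On a real system the input would come from Get-MBCAResult, e.g.
#   Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

# Accepted deviations, keyed by rule title, with the recorded justification.
$AcceptedDeviations = @{
    'non-default network packet size in use' = 'SAP uses a network packet size of 8 KB'
    'Authentication Mode' = 'Existing non-Microsoft clients require Mixed Mode Authentication'
}

function Split-BpaFinding {
    param(
        [Parameter(Mandatory = $true)] [object[]]  $Result,
        [Parameter(Mandatory = $true)] [hashtable] $Accepted
    )

    $open   = @()
    $waived = @()

    foreach ($r in $Result) {
        # Compliant rules need no action.
        if ($r.Severity -eq 'Compliant') { continue }

        if ($r.Title -and $Accepted.ContainsKey($r.Title)) {
            # Keep the finding on record together with why it was accepted.
            $waived += New-Object PSObject -Property @{
                Title    = $r.Title
                Category = $r.Category
                Severity = $r.Severity
                Reason   = $Accepted[$r.Title]
            }
        }
        else {
            $open += $r
        }
    }

    # Security findings first, Noncompliant before Warning, then by title.
    $order = @(
        @{ Expression = { $_.Category -ne 'Security' } },
        @{ Expression = { $_.Severity -ne 'Noncompliant' } },
        'Title'
    )
    $open = @($open | Sort-Object -Property $order)

    New-Object PSObject -Property @{ Open = $open; Waived = $waived }
}

# Constructed sample findings (not output from a real scan; the categories
# assigned to each rule title here are illustrative only).
$sample = @(
    (New-Object PSObject -Property @{ Title = 'Authentication Mode'; Category = 'Security'; Severity = 'Noncompliant' }),
    (New-Object PSObject -Property @{ Title = 'non-default network packet size in use'; Category = 'Configuration'; Severity = 'Noncompliant' }),
    (New-Object PSObject -Property @{ Title = 'Guest Permissions'; Category = 'Security'; Severity = 'Noncompliant' }),
    (New-Object PSObject -Property @{ Title = 'Databases have auto close option enabled'; Category = 'Performance'; Severity = 'Warning' }),
    (New-Object PSObject -Property @{ Title = 'backups outdated for databases'; Category = 'Operation'; Severity = 'Noncompliant' }),
    (New-Object PSObject -Property @{ Title = 'Trustworthy Bit'; Category = 'Security'; Severity = 'Compliant' })
)

$triage = Split-BpaFinding -Result $sample -Accepted $AcceptedDeviations

# Findings that still need work, highest priority first.
$triage.Open   | Format-Table Category, Severity, Title -AutoSize

# Findings that are deviations on purpose, with the reason on record.
$triage.Waived | Format-Table Title, Reason -AutoSize
```

With the sample data, Guest Permissions is listed first among the open findings, and the two rules covered by the register appear only in the waived table.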


8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.


9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest.

2. Dynamic parameters that are included with the model.

3. Submodels that are included with the model.

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false

Position? named

Default value Default

Accept pipeline input? false

Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false

Position? named

Default value All

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false

Position? named

Default value 80

Accept pipeline input? false

Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false

Position? named

Default value 32

Accept pipeline input? false

Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required: false
Position: named
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required: true
Position: 2
Default value:
Accept pipeline input: true (By Value, By Property Name)
Accept wildcard characters: False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required: false
Position: named
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required: true
Position: named
Default value:
Accept pipeline input: false
Accept wildcard characters: false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results
2. Attempting to get MBCA results for Model Id = 0
3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data
2. Attempting to get MBCA collected configuration data for Model Id = 0
3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id, for example, only those results from a SQL Server scan that specifically apply to another technology such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required: false
Position: 2
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required: false
Position: 4
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required: true
Position: 3
Default value:
Accept pipeline input: true (ByValue)
Accept wildcard characters: false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
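An added example (not part of the whitepaper or of MBCA) that combines Get-MBCAResult and Set-MBCAResult as described above: it summarises noncompliant results per category and writes a record of each result before excluding it, so that hidden findings stay traceable. Only the Category property appears on the page; the Title property, the function names and the CSV path are assumptions.

```powershell
# Added example. Cmdlets, parameters, the model ID and the Category property come
# from the page; Title, the function names and the log path are assumptions.

function Test-IsElevated {
    # Both cmdlets require an elevated session run by a member of Administrators.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-BpaCategorySummary {
    # Number of results per rule category, largest first.
    param([object[]] $Results)
    $Results | Group-Object -Property Category |
        Sort-Object -Property Count -Descending |
        Select-Object -Property @{ Name = 'Category'; Expression = { $_.Name } }, Count
}

function Select-BpaExclusionCandidate {
    # Results of one category that are to be excluded as accepted deviations.
    # Security results are refused unless -AllowSecurity is given, so a security
    # finding cannot be hidden by a copied or mistyped command.
    param(
        [object[]] $Results,
        [string]   $Category,
        [switch]   $AllowSecurity
    )
    if ($Category -eq 'Security' -and -not $AllowSecurity) {
        throw 'Security results are excluded only with -AllowSecurity.'
    }
    @($Results | Where-Object { $_.Category -eq $Category })
}

function Export-BpaExclusionRecord {
    # Records what is about to be excluded, by whom and why, before anything is hidden.
    param([object[]] $Results, [string] $Reason, [string] $Path)
    $stamp = Get-Date -Format s
    $who   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $Results |
        Select-Object -Property @{ Name = 'ExcludedAt'; Expression = { $stamp } },
                                @{ Name = 'ExcludedBy'; Expression = { $who } },
                                Category, Title,
                                @{ Name = 'Reason';     Expression = { $Reason } } |
        Export-Csv -Path $Path -NoTypeInformation
}

# Use the real scan results when the MBCA module is installed.
$live = [bool](Get-Module -ListAvailable -Name BaselineConfigurationAnalyzer)
if ($live) {
    if (-not (Test-IsElevated)) { throw 'Open Windows PowerShell with Run as Administrator.' }
    Import-Module BaselineConfigurationAnalyzer
    $results = @(Get-MBCAResult -ModelId SQL2008R2BPA -Filter Noncompliant)
} else {
    # Constructed sample results so the functions can be tried without MBCA installed.
    $results = @(
        New-Object PSObject -Property @{ Category = 'Security';    Title = 'Constructed finding A' }
        New-Object PSObject -Property @{ Category = 'Performance'; Title = 'Constructed finding B' }
        New-Object PSObject -Property @{ Category = 'Performance'; Title = 'Constructed finding C' }
    )
}

Get-BpaCategorySummary -Results $results | Format-Table -AutoSize

# Exclude the Performance results as an accepted deviation, after recording them.
$accepted = @(Select-BpaExclusionCandidate -Results $results -Category 'Performance')
if ($accepted.Count -gt 0) {
    Export-BpaExclusionRecord -Results $accepted `
        -Reason 'Accepted deviation, see change record' -Path '.\bpa-exclusions.csv'
    if ($live) { $accepted | Set-MBCAResult -Exclude $true }
}
```

To show the recorded results again, pipe the same collection to Set-MBCAResult -Exclude $false.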

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


6 RULES

Searching for "SQL Server 2008 R2 BPA" at Microsoft.com reveals

Here is an example of one of these articles that talks about a rule to check for a recent "clean" CHECKDB

BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

| Severity level | Description |
|---|---|
| Noncompliant | Noncompliant results are returned when a role does not satisfy the conditions of a rule. |
| Compliant | Compliant results are returned when a role satisfies the conditions of a rule. |
| Warning | Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses. |

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

| Category Name | Description |
|---|---|
| Security | Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data. |
| Performance | Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload. |
| Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise. |
| Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely. |
| Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise. |
| Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before you use the role in production. |
| Postdeployment | Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise. |
| BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results. |

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules are checking that you have a secure, resilient and well performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC/BDC (http://support.microsoft.com/kb/2032911)

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected (http://support.microsoft.com/kb/2157114)
Very low blocked process threshold setting detected (http://support.microsoft.com/kb/2157154)
Potential security issue with legacy DTS stored procedures (http://support.microsoft.com/kb/2202875)
Winsock LSP loaded into SQL (http://support.microsoft.com/kb/2033448)
Databases using simple recovery model (http://support.microsoft.com/kb/2137539)
User database collation different from model (http://support.microsoft.com/kb/2026108)
Database files and backups exist on the same volume (http://support.microsoft.com/kb/2027537)
Databases have auto close option enabled (http://support.microsoft.com/kb/2160685)
LSI SAS drivers needs update (http://support.microsoft.com/kb/2121098)
SQL tempdb database not configured optimally (http://support.microsoft.com/kb/2154845)
SQL Database file has sparse attribute set (http://support.microsoft.com/kb/2028447)
Invalid startup parameters (http://support.microsoft.com/kb/2028433)
MSDTC settings not configured optimally (http://support.microsoft.com/kb/2027550)
sql incorrect results fix missing (http://support.microsoft.com/kb/971780)
File System needs tuning for better FileStream performance (http://support.microsoft.com/kb/2160002)
linked server memory leak fix missing (http://support.microsoft.com/kb/971622/EN-US)
Windows service pack is not at recommended level (http://support.microsoft.com/kb/2121098)
default extended event health session not in expected state (http://support.microsoft.com/kb/2160570)
TcpSysAndChimneyCheck (http://support.microsoft.com/KB/918483)
FDHOST Launcher service is not configured properly (http://support.microsoft.com/kb/2160720)
Unrecommended SQL Server Agent service account (http://support.microsoft.com/kb/2160720)
A required Windows fix to avoid sparse file related problems is missing (http://support.microsoft.com/kb/2002606)

Significant Portion of SQL Server Memory Has Been Paged Out (http://support.microsoft.com/kb/2028324)
Server Exception or Hang Detected on Server (http://support.microsoft.com/kb/2028589)
Databases exist without CHECKSUM protection (http://support.microsoft.com/kb/2078345)
backups outdated for databases (http://support.microsoft.com/kb/2027537)
Database consistency check not current (http://support.microsoft.com/kb/2033590)
SQL Server Memory settings are incorrect (http://support.microsoft.com/KB/918483/EN-US)
Autogrow Failed or took a long time (http://support.microsoft.com/kb/2091024)
Storport driver fix from KBA 940467 missing (http://support.microsoft.com/kb/2121098)
Storport driver fix from KBA 950903 missing (http://support.microsoft.com/kb/2121098)
SQLCLR needs additional memory configuration (http://support.microsoft.com/kb/969962/EN-US)
Operating System files and drivers needs update for working set trimming (http://support.microsoft.com/kb/2121098)
Agent Token Replacement (http://support.microsoft.com/kb/2202637)
Auditing Log in failures (http://support.microsoft.com/kb/2187161)
Databases with high number of VLF present (http://support.microsoft.com/kb/2028436)
Transparent Data Encryption Certificate (http://support.microsoft.com/kb/2201900)
Permission on the Binn folder (http://support.microsoft.com/kb/2029023)
Index Statistics Are Outdated
Server public permissions (http://support.microsoft.com/kb/2160698)
Detected use of older versions of SQLNCLI (http://support.microsoft.com/kb/979779)

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services (http://support.microsoft.com/kb/2128005)
Excessive amount of memory preallocated to Analysis Services (http://support.microsoft.com/kb/2027474)
Server not configured for optimal concurrent query throughput (http://support.microsoft.com/kb/2135031)
Non standard value detected for Analysis Services memory configuration (http://support.microsoft.com/kb/2027472)
Process Thread Pool Max limit above recommended limit (http://support.microsoft.com/kb/2134497)
Process Thread Pool Minimum is below the recommended limit (http://support.microsoft.com/kb/2134855)
Server is running a build with a known regression (http://support.microsoft.com/kb/2157941)
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur (http://support.microsoft.com/kb/2027754)
Server is ignoring duplicate key errors (http://support.microsoft.com/kb/2027761)
No default member defined for non-aggregatable attribute (http://support.microsoft.com/kb/2027769)
UnknownMember set to hidden (http://support.microsoft.com/kb/2027628)
Non-numeric key column for high cardinality attribute (http://support.microsoft.com/kb/2028138)
Attribute hierarchy enabled for high cardinality non-key attribute (http://support.microsoft.com/kb/2028143)
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected (http://support.microsoft.com/kb/2132742)

Account or Time attribute types defined in a non-matching dimension type (http://support.microsoft.com/kb/2157299)
An Account or Time dimension has no matching attribute defined (http://support.microsoft.com/kb/2027418)
Dimension has no attribute defined with the same type (http://support.microsoft.com/kb/2027443)
Attribute Dimension type mismatch (http://support.microsoft.com/kb/2157327)
Mismatched dimension attribute types detected in dimension (http://support.microsoft.com/kb/2027459)
Possible incorrect order of levels defined in hierarchy (http://support.microsoft.com/kb/2027460)
Define attribute relationships as Rigid where possible (http://support.microsoft.com/kb/2027468)
Redundant attribute relationships detected (http://support.microsoft.com/kb/2127437)
Diamond-shape relationship detected (http://support.microsoft.com/kb/2127570)
Non-Standard Attribute Relationship name detected (http://support.microsoft.com/kb/2127862)
Proactive Caching set for dimension without a processing query (http://support.microsoft.com/kb/2027541)
No Time dimension detected (http://support.microsoft.com/kb/2027532)
More than 3 parent-child dimensions with custom rollups defined (http://support.microsoft.com/kb/2134431)
Encountered a parent-child dimension with more than 500000 members (http://support.microsoft.com/kb/2131918)
Single attribute dimensions detected (http://support.microsoft.com/kb/2141654)
Measure groups with zero dimensional overlap detected in cube (http://support.microsoft.com/kb/2027609)
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective (http://support.microsoft.com/kb/2027603)
Use MOLAP storage for dimensions that participate in semi-additive measure groups (http://support.microsoft.com/kb/2135112)
Measure group defined with no partition (http://support.microsoft.com/kb/2027545)

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration (http://support.microsoft.com/kb/2145506)
HTTP Logging is not enabled (http://support.microsoft.com/kb/2145909)
Verbose logging is enabled (http://support.microsoft.com/kb/2146315)
NTLM authentication may fail for local (http://support.microsoft.com/kb/2146369)
Missing extended protection settings (http://support.microsoft.com/kb/2146062)

6.4 IS Rules

Logging task missing for package (http://support.microsoft.com/kb/2027723)
ActiveX Script task detected in package (http://support.microsoft.com/kb/2027712)
Unrecommended Integration Services service account detected (http://support.microsoft.com/kb/2027684)
Integration Services logging table found in system database master and/or msdb (http://support.microsoft.com/kb/2027706)
Integration Services memory dump detected (http://support.microsoft.com/kb/2027727)

6.5 Setup Rules

Unsupported Operating System Version Detected (http://support.microsoft.com/kb/2022909)
WOW64 not supported for SQL Failover Clustering (http://support.microsoft.com/kb/2157198)
Installer cache is missing for the SQL Installation (http://support.microsoft.com/kb/2015100)
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type (http://support.microsoft.com/kb/2118349)
Replication Pub and Sub out of sync (Data Validation) (http://support.microsoft.com/kb/2118386)
Replication Pub and Sub out of sync (Constraint Violations) (http://support.microsoft.com/kb/2118410)
Replication Pub and Sub out of sync (Skipped Transactions) (http://support.microsoft.com/kb/2194498)
Merge Replication Health Check (http://support.microsoft.com/kb/2118445)
Subscriptions Approaching Expiration (http://go.microsoft.com/fwlink/?LinkId=184483)
Replication Cleanup and Retention Health Check (http://support.microsoft.com/kb/2118485)
Replication Latency Threshold violations (http://support.microsoft.com/kb/2118425)

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients - would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences - the involvement of Microsoft Support and the final solution - adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required: false
Position: 2
Default value:
Accept pipeline input: true (By Value, By Property Name)
Accept wildcard characters: False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required: false
Position: 3
Default value:
Accept pipeline input: false
Accept wildcard characters: false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA

models that are installed on the computer

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -

ModelId parameter represented by Model Id

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA submodel that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the -ModelId parameter or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan can be retrieved with the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights (that is, Run as Administrator).

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter.

Get-Help Invoke-Command -Parameter Authentication

Required false

Position named

Default value Default

Accept pipeline input false

Accept wildcard characters false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X.509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter.

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter.

Get-Help Invoke-Command -Parameter ConfigurationName

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter.

Get-Help Invoke-Command -Parameter Credential

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required false

Position named

Default value All

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the -ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (ByValue, ByPropertyName)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter.

Get-Help Invoke-Command -Parameter Port

Required false

Position named

Default value 80

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet writes results to the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter.

Get-Help Invoke-Command -Parameter ThrottleLimit

Required false


Position named

Default value 32

Accept pipeline input false

Accept wildcard characters false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter.

Get-Help Invoke-Command -Parameter UseSSL

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results files for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights (that is, Run as Administrator).

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the -ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (ByValue, ByPropertyName)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required false

Position named


Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.
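The scan-then-review workflow that Invoke-MBCAModel and Get-MBCAResult describe, as an added example that is not part of the original whitepaper: it checks for the elevated session both cmdlets require, runs the scan, keeps a dated snapshot of the noncompliant results, and returns the Security-category findings. The function name Get-SqlBpaSecurityFinding and its -SnapshotDir parameter are hypothetical; the cmdlets, the SQL2008R2BPA model ID, -Filter, and the Category property are the ones used in this paper.

```powershell
# Added example, not from the whitepaper. Get-SqlBpaSecurityFinding and
# -SnapshotDir are hypothetical names; written for Windows PowerShell V2.
function Get-SqlBpaSecurityFinding {
    [CmdletBinding()]
    param(
        # Folder for dated result snapshots. The snapshots list the instance's
        # weak settings, so keep this folder readable by administrators only.
        [Parameter(Mandatory = $true)][string]$SnapshotDir,
        [string]$ModelId = 'SQL2008R2BPA'   # model ID given in the paper
    )

    # Both cmdlets require membership in Administrators AND an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Run this from an elevated (Run as Administrator) PowerShell session.'
    }

    # Fail early if the MBCA cmdlets are not loaded in this session.
    foreach ($name in 'Invoke-MBCAModel', 'Get-MBCAResult') {
        if (-not (Get-Command $name -ErrorAction SilentlyContinue)) {
            throw "Cmdlet $name was not found; load the MBCA cmdlets first."
        }
    }

    # Discovery plus analysis (the default -Mode All), as in EXAMPLE 1 of
    # Invoke-MBCAModel. The returned status object goes to the verbose stream.
    Invoke-MBCAModel -ModelId $ModelId -ErrorAction Stop |
        Out-String | Write-Verbose

    # Most recent scan results, limited to rules the instance does not satisfy.
    $findings = @(Get-MBCAResult -ModelId $ModelId -Filter Noncompliant)

    # Per-category counts, to see where the noncompliant results cluster.
    $findings | Group-Object -Property Category |
        Sort-Object -Property Count -Descending |
        Format-Table -Property Name, Count -AutoSize |
        Out-String | Write-Verbose

    # Dated snapshot of every noncompliant result, so that two scans can be
    # compared later (Import-Clixml restores the objects).
    if (-not (Test-Path $SnapshotDir)) {
        New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $SnapshotDir "$ModelId-noncompliant-$stamp.xml"
    $findings | Export-Clixml -Path $file
    Write-Verbose "Snapshot written to $file"

    # Return only the Security-category findings for immediate review.
    $findings | Where-Object { $_.Category -eq 'Security' }
}

# Usage (the path is an assumption):
#   Get-SqlBpaSecurityFinding -SnapshotDir D:\BpaSnapshots -Verbose
```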

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights (that is, Run as Administrator).

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required false


Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled, and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
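An added example, not from the whitepaper, that wraps the exclusion step from EXAMPLE 1 so that each change leaves a record of who excluded which results and why; Set-MBCAResult changes which results administrators see, so an exclusion in a category such as Policy or Security should stay traceable. The function name Set-MbcaExclusionWithRecord, its -Reason, -RecordDir and -Restore parameters, and the record fields are hypothetical.

```powershell
# Added example, not from the whitepaper. The function, its -Reason, -RecordDir
# and -Restore parameters, and the record fields are hypothetical names.
function Set-MbcaExclusionWithRecord {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Category,   # e.g. Performance, Policy
        [Parameter(Mandatory = $true)][string]$Reason,     # why the view is changed
        [Parameter(Mandatory = $true)][string]$RecordDir,  # where records are kept
        [string]$ModelId = 'SQL2008R2BPA',                 # model ID given in the paper
        [switch]$Restore                                   # re-include instead of exclude
    )

    # Same selection as EXAMPLE 1: latest results, narrowed to one category.
    $subset = @(Get-MBCAResult -ModelId $ModelId |
                Where-Object { $_.Category -eq $Category })
    if ($subset.Count -eq 0) {
        Write-Warning "No '$Category' results for model $ModelId; nothing changed."
        return
    }

    $exclude = -not $Restore
    $action  = if ($exclude) { 'Exclude' } else { 'Re-include' }

    # The record keeps the affected results themselves, not only a count, so a
    # reviewer can see exactly what was hidden from the result view.
    $record = New-Object PSObject -Property @{
        TimeUtc  = (Get-Date).ToUniversalTime().ToString('o')
        User     = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        ModelId  = $ModelId
        Category = $Category
        Action   = $action
        Reason   = $Reason
        Results  = $subset
    }

    $target = "$($subset.Count) '$Category' results of model $ModelId"
    if ($PSCmdlet.ShouldProcess($target, $action)) {
        if (-not (Test-Path $RecordDir)) {
            New-Item -ItemType Directory -Path $RecordDir -Force | Out-Null
        }
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        $file  = Join-Path $RecordDir "$ModelId-$Category-$action-$stamp.xml"

        # Write the record first: if this fails, the results are left untouched.
        $record | Export-Clixml -Path $file -Depth 3 -ErrorAction Stop

        # -Exclude $true hides the results; -Exclude $false includes them again.
        $subset | Set-MBCAResult -Exclude $exclude
        Write-Verbose "$action recorded in $file"
    }
}

# Usage (the path is an assumption); -WhatIf shows the change without making it:
#   Set-MbcaExclusionWithRecord -Category Performance -Reason 'Tracked elsewhere' `
#       -RecordDir D:\BpaExclusions -WhatIf
```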

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.

Did this paper help you? Please give us your feedback. Tell us on a scale of 1 (poor) to 5 (excellent), how would you rate this paper and why have you given it this rating? For example:

Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason?

Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?

This feedback will help us improve the quality of white papers we release.

Send feedback.

Page 34: SQL2008R2 BPA Whitepaper v10


BPA works by measuring a role's compliance with best practice rules in eight different categories of a role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level: Description

Noncompliant: Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant: Compliant results are returned when a role satisfies the conditions of a rule.

Warning: Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name: Description

Security: Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance: Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload.

Configuration: Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy: Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.

Operation: Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.

Predeployment: Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before the role is used in production.

Postdeployment: Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.

BPA Prerequisites: BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules

Below is a summary of the 74 Engine Rules, with links to the rule descriptions. These rules check that you have a secure, resilient, and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)

Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)

Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)

non-default network packet size in use (http://support.microsoft.com/kb/2157175)

degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)

Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)

SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)

SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)

Trustworthy Bit (http://support.microsoft.com/kb/2183687)

Symmetric Keys Check (http://support.microsoft.com/kb/2162020)

Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)

SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)


SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114
Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154
Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875
Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448
Databases using simple recovery model http://support.microsoft.com/kb/2137539
User database collation different from model http://support.microsoft.com/kb/2026108
Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537
Databases have auto close option enabled http://support.microsoft.com/kb/2160685
LSI SAS drivers needs update http://support.microsoft.com/kb/2121098
SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845
SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447
Invalid startup parameters http://support.microsoft.com/kb/2028433
MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550
sql incorrect results fix missing http://support.microsoft.com/kb/971780
File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002
linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US
Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098
default extended event health session not in expected state http://support.microsoft.com/kb/2160570
TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483
FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720
Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720
A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606


Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324
Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589
Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345
backups outdated for databases http://support.microsoft.com/kb/2027537
Database consistency check not current http://support.microsoft.com/kb/2033590
SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US
Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024
Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098
Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098
SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US
Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098
Agent Token Replacement http://support.microsoft.com/kb/2202637
Auditing Log in failures http://support.microsoft.com/kb/2187161
Databases with high number of VLF present http://support.microsoft.com/kb/2028436
Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900
Permission on the Binn folder http://support.microsoft.com/kb/2029023
Index Statistics Are Outdated
Server public permissions http://support.microsoft.com/kb/2160698
Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005
Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474
Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031
Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472
Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497
Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855
Server is running a build with a known regression http://support.microsoft.com/kb/2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754
Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761
No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769
UnknownMember set to hidden http://support.microsoft.com/kb/2027628
Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138
Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742


Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299
An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418
Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443
Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327
Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459
Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460
Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468
Redundant attribute relationships detected http://support.microsoft.com/kb/2127437
Diamond-shape relationship detected http://support.microsoft.com/kb/2127570
Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862
Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541
No Time dimension detected http://support.microsoft.com/kb/2027532
More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431
Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918
Single attribute dimensions detected http://support.microsoft.com/kb/2141654
Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112
Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506
HTTP Logging is not enabled http://support.microsoft.com/kb/2145909
Verbose logging is enabled http://support.microsoft.com/kb/2146315
NTLM authentication may fail for local http://support.microsoft.com/kb/2146369
Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723
ActiveX Script task detected in package http://support.microsoft.com/kb/2027712
Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684
Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706
Integration Services memory dump detected http://support.microsoft.com/kb/2027727


6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909
WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198
Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349
Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386
Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410
Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498
Merge Replication Health Check http://support.microsoft.com/kb/2118445
Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483
Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485
Replication Latency Threshold violations http://support.microsoft.com/kb/2118425


7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients - would require Mixed Mode Authentication


8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA Case 1 Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences - the involvement of Microsoft Support and the final solution - adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.


9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest
2. Dynamic parameters that are included with the model
3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters, and targeted at a computer on which MBCA models are installed.


This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters, and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.


A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False


This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role is preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:

Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.
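
The deviation handling from section 7, applied to the output of the cmdlets documented here, as an added example that is not part of the whitepaper: it runs a scan, retrieves the noncompliant results, and separates deviations that were already reviewed and accepted from those that are still open. The helper name Split-BpaDeviation, the accepted-deviation patterns, and the result properties Title, Category and Severity are assumptions; the sample results used when the module is not installed are constructed.

```powershell
# Added example, not part of the whitepaper. Run it in an elevated PowerShell session.
# Assumption: each result object exposes Title, Category and Severity properties.

# Deviations that were reviewed and accepted for this environment, with the reason
# kept on record. The patterns are constructed from the two examples in section 7.
$AcceptedDeviations = @(
    @{ Pattern = '*network packet size*'; Reason = 'SAP requires a network packet size of 8 KB' },
    @{ Pattern = 'Authentication Mode*';  Reason = 'Non-Microsoft clients require Mixed Mode Authentication' }
)

function Split-BpaDeviation {
    # Hypothetical helper: marks a noncompliant result as Accepted when its title
    # matches a reviewed deviation, otherwise as Open.
    param(
        [Parameter(ValueFromPipeline = $true)] $Result,
        [hashtable[]] $Accepted = $AcceptedDeviations
    )
    process {
        $reason = $null
        foreach ($entry in $Accepted) {
            if ($Result.Title -like $entry.Pattern) { $reason = $entry.Reason; break }
        }
        $status = if ($reason) { 'Accepted' } else { 'Open' }
        New-Object PSObject -Property @{
            Status   = $status
            Category = $Result.Category
            Severity = $Result.Severity
            Title    = $Result.Title
            Reason   = $reason
        }
    }
}

if (Get-Module -ListAvailable -Name BaselineConfigurationAnalyzer) {
    Import-Module BaselineConfigurationAnalyzer

    # If the model requires model-specific parameters, they are listed by
    # (Get-MBCAModel -ModelId SQL2008R2BPA).Parameters and are added to the scan call.
    Invoke-MBCAModel -ModelId SQL2008R2BPA | Out-Null

    # Only the results that deviate from the best practices.
    $results = @(Get-MBCAResult -ModelId SQL2008R2BPA -Filter Noncompliant)
}
else {
    # Constructed sample results; the titles are rule names from section 6.1,
    # the Category and Severity values are made up for the illustration.
    $results = @(
        New-Object PSObject -Property @{ Title = 'non-default network packet size in use'; Category = 'Configuration'; Severity = 'Warning' }
        New-Object PSObject -Property @{ Title = 'Authentication Mode'; Category = 'Security'; Severity = 'Warning' }
        New-Object PSObject -Property @{ Title = 'Trustworthy Bit'; Category = 'Security'; Severity = 'Warning' }
        New-Object PSObject -Property @{ Title = 'Guest Permissions'; Category = 'Security'; Severity = 'Error' }
    )
}

$triaged = @($results | Split-BpaDeviation)

# Open deviations: each one needs a tested configuration change or a documented exception.
$triaged | Where-Object { $_.Status -eq 'Open' } |
    Sort-Object Category, Title |
    Format-Table Category, Severity, Title -AutoSize

# Accepted deviations: listed with their reason so that every scan re-confirms them.
$triaged | Where-Object { $_.Status -eq 'Accepted' } |
    Format-Table Title, Reason -AutoSize
```

Keeping the accepted list in version control gives each exception a reviewer and a date, and a rule that disappears from the accepted output shows that the exception is no longer needed.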

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId ltstringgt

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan

results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel

cmdlet targeted at a computer on which MBCA models are installed

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results
2. Attempting to get MBCA results for Model Id = 0
3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data
2. Attempting to get MBCA collected configuration data for Model Id = 0
3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }
Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

Further information about the configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.


Page 35: SQL2008R2 BPA Whitepaper v10


BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

| Category Name | Description |
|---|---|
| Security | Security rules are applied to measure a role's relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data. |
| Performance | Performance rules are applied to measure a role's ability to process requests and perform its prescribed duties in the enterprise within expected periods of time, given the role's workload. |
| Configuration | Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise. |
| Policy | Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely. |
| Operation | Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise. |
| Predeployment | Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators evaluate whether best practices were satisfied before the role is used in production. |
| Postdeployment | Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise. |
| BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results. |

6.1 Engine Rules

Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules check that you have a secure, resilient, and well-performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)
Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry (http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)

SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)
non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)
Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114
Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154
Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875
Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448
Databases using simple recovery model http://support.microsoft.com/kb/2137539
User database collation different from model http://support.microsoft.com/kb/2026108
Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537
Databases have auto close option enabled http://support.microsoft.com/kb/2160685
LSI SAS drivers needs update http://support.microsoft.com/kb/2121098
SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845
SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447
Invalid startup parameters http://support.microsoft.com/kb/2028433
MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550
sql incorrect results fix missing http://support.microsoft.com/kb/971780
File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002
linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US
Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098
default extended event health session not in expected state http://support.microsoft.com/kb/2160570
TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483
FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720
Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720
A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606

Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324
Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589
Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345
backups outdated for databases http://support.microsoft.com/kb/2027537
Database consistency check not current http://support.microsoft.com/kb/2033590
SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US
Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024
Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098
Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098
SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US
Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098
Agent Token Replacement http://support.microsoft.com/kb/2202637
Auditing Log in failures http://support.microsoft.com/kb/2187161
Databases with high number of VLF present http://support.microsoft.com/kb/2028436
Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900
Permission on the Binn folder http://support.microsoft.com/kb/2029023
Index Statistics Are Outdated
Server public permissions http://support.microsoft.com/kb/2160698
Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005
Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474
Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031
Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472
Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497
Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855
Server is running a build with a known regression http://support.microsoft.com/kb/2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754
Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761
No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769
UnknownMember set to hidden http://support.microsoft.com/kb/2027628
Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138
Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742

Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299
An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418
Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443
Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327
Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459
Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460
Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468
Redundant attribute relationships detected http://support.microsoft.com/kb/2127437
Diamond-shape relationship detected http://support.microsoft.com/kb/2127570
Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862
Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541
No Time dimension detected http://support.microsoft.com/kb/2027532
More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431
Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918
Single attribute dimensions detected http://support.microsoft.com/kb/2141654
Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112
Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506
HTTP Logging is not enabled http://support.microsoft.com/kb/2145909
Verbose logging is enabled http://support.microsoft.com/kb/2146315
NTLM authentication may fail for local http://support.microsoft.com/kb/2146369
Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723
ActiveX Script task detected in package http://support.microsoft.com/kb/2027712
Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684
Integration Services logging table found in system database master and or msdb http://support.microsoft.com/kb/2027706
Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909
WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198
Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349
Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386
Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410
Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498
Merge Replication Health Check http://support.microsoft.com/kb/2118445
Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483
Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485
Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You may also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients would require Mixed Mode Authentication
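
One way to handle accepted deviations with the Get-MBCAResult and Set-MBCAResult cmdlets documented in this paper, as an added example that is not part of the original whitepaper: each accepted finding is written to an audit file with its reason before it is excluded, so that excluded findings stay traceable. The Title property name, the title patterns, and the audit file name are assumptions; confirm the property names with Get-Member before relying on them.

```powershell
# Added example (not from the whitepaper). Run in an elevated PowerShell session.
Import-Module BaselineConfigurationAnalyzer

$modelId   = 'SQL2008R2BPA'
# Hypothetical audit file; a timestamp in the name keeps earlier records intact.
$auditFile = '.\bpa-accepted-deviations-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date)

# Accepted deviations and the documented reason for each, based on the two
# cases named above. The patterns are matched against the result's Title
# property; both the patterns and the property name are assumptions. Verify with:
#   Get-MBCAResult -ModelId $modelId | Get-Member
$accepted = @{
    'network packet size' = 'SAP requires a network packet size of 8 KB'
    'Authentication Mode' = 'Existing non-Microsoft clients require Mixed Mode'
}

# Returns the documented reason if the result is an accepted deviation, else $null.
function Get-DeviationReason($result) {
    foreach ($pattern in $accepted.Keys) {
        if ($result.Title -like "*$pattern*") { return $accepted[$pattern] }
    }
    return $null
}

# Most recent noncompliant results; Get-MBCAResult does not start a new scan.
$noncompliant = @(Get-MBCAResult -ModelId $modelId -Filter Noncompliant)

$toExclude = @()   # results that match a documented exception
$audit     = @()   # one audit row per excluded result
$open      = @()   # results that still need action
foreach ($r in $noncompliant) {
    $reason = Get-DeviationReason $r
    if ($reason) {
        $toExclude += $r
        $audit += New-Object PSObject -Property @{
            Date     = (Get-Date -Format s)
            Category = $r.Category
            Title    = $r.Title
            Reason   = $reason
            User     = [Environment]::UserName
        }
    } else {
        $open += $r
    }
}

# Write the audit record first, then mark the accepted findings as excluded.
# Set-MBCAResult -Exclude $false with the same results reverses the exclusion.
if ($toExclude.Count -gt 0) {
    $audit | Export-Csv -Path $auditFile -NoTypeInformation
    Set-MBCAResult -Exclude $true -Results $toExclude
}

# Findings that still need action, Security category first.
$open | Sort-Object { $_.Category -ne 'Security' }, Category |
    Format-Table Category, Title -AutoSize
```

The script only excludes results that match a documented exception, so a new Security finding is never hidden by a broad category filter.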

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article describes the usual consequences (the involvement of Microsoft Support) and the final solution (adding a needed trace flag).

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest
2. Dynamic parameters that are included with the model
3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters, and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters, and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint ltstringgt

Page 45

Specifies the digital public key certificate (X509) of a user account that has rights to perform the

cmdlet action The valid value is the certificate thumbprint of the certificate

For more information about this parameter type the following and then press Enter

Get-Help Invoke-Command -Parameter Certificate Thumbprint

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName ltstring[]gt

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific

computer by adding this parameter Valid values include NETBOS names IP addresses or fully-

qualified domain names of one or more computers in a comma-separated list To specify the local

computer type the computer name or localhost

All formats that are accepted by the -ComputerName parameter in Invoke-Command are

accepted

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ConfigurationName ltstringgt

Specifies the session configuration that is used for a new PSSession

Enter a configuration name or the fully-qualified resource URI for a session configuration

Session configuration data is found on the remote computer on which you want to run a cmdlet

For more information about this parameter type the following and then press Enter

Get-Help Invoke-Command -Parameter ConfigurationName

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false

Position? named

Default value All

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false

Position? named

Default value 80

Accept pipeline input? false

Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false

Position? named

Default value 32

Accept pipeline input? false

Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role is preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:

Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false

Position? 2

Default value

Accept pipeline input? false

Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false

Position? 4

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true

Position? 3

Default value

Accept pipeline input? true (ByValue)

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled, and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
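The following is an added example, not part of the whitepaper: because Set-MBCAResult -Exclude $true removes findings from what an administrator later sees, it writes the noncompliant results of one category to a CSV record before excluding them. The function name Export-MbcaExclusionRecord, the -AuditDir parameter, the ExcludedBy and ExcludedAt columns and the sample path are assumptions; the MBCA cmdlets, parameters and the Category property are the ones documented above.

```powershell
# Added example (not from the whitepaper). Assumes an elevated session in which
# the MBCA cmdlets are already loaded and a scan of the model has completed.
function Export-MbcaExclusionRecord {          # hypothetical helper name
    param(
        [string]$ModelId = 'SQL2008R2BPA',     # model ID used throughout this paper
        [Parameter(Mandatory = $true)]
        [string]$Category,                     # e.g. 'Performance' or 'Policy'
        [Parameter(Mandatory = $true)]
        [string]$AuditDir                      # hypothetical folder for audit records
    )

    if (-not (Get-Command Get-MBCAResult -ErrorAction SilentlyContinue)) {
        throw 'The MBCA cmdlets are not available in this session.'
    }
    if (-not (Test-Path -Path $AuditDir -PathType Container)) {
        throw "Audit folder not found: $AuditDir"
    }

    # Candidates: noncompliant results in the requested category only.
    $toExclude = @(Get-MBCAResult -ModelId $ModelId -Filter Noncompliant |
        Where-Object { $_.Category -eq $Category })

    if ($toExclude.Count -eq 0) {
        Write-Warning "No noncompliant '$Category' results for ${ModelId}; nothing excluded."
        return
    }

    # Write the record first, so a finding is never hidden without a trace.
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $safeName = $Category -replace '[^\w-]', '_'
    $file     = Join-Path $AuditDir "mbca-excluded-${ModelId}-${safeName}-${stamp}.csv"

    $toExclude |
        Select-Object *,
            @{ Name = 'ExcludedBy'; Expression = { [Environment]::UserName } },
            @{ Name = 'ExcludedAt'; Expression = { $stamp } } |
        Export-Csv -Path $file -NoTypeInformation

    # Stop on failure so the caller notices if the exclusion did not happen.
    Set-MBCAResult -Exclude $true -Results $toExclude -ErrorAction Stop

    return $file
}

# Usage (constructed path): Export-MbcaExclusionRecord -Category 'Performance' -AuditDir 'D:\Audit'
```

The function returns the path of the CSV record, which can be kept with change-management evidence; re-including the results later is done with -Exclude $false as described in the parameter reference.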

9.1.5 MBCA Model Authoring

You can find further information about configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)

Windows API calls intercepted (http://support.microsoft.com/kb/2033238)

unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)

Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)

non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)

Guest Permissions (http://support.microsoft.com/kb/2186935)

Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)

IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)

IO device errors detected (http://support.microsoft.com/kb/2091098)

IO errors during page faults detected (http://support.microsoft.com/kb/2091098)

cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)

disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)

failed IO requests detected (http://support.microsoft.com/kb/2091098)

IO requests are successful when retried (http://support.microsoft.com/kb/2015757)

IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)

This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)

tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)

Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)

Logical consistency errors detected (http://support.microsoft.com/kb/2152472)

Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)

SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)

incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114

Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154

Potential security issue with legacy DTS stored procedures http://support.microsoft.com/kb/2202875

Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448

Databases using simple recovery model http://support.microsoft.com/kb/2137539

User database collation different from model http://support.microsoft.com/kb/2026108

Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537

Databases have auto close option enabled http://support.microsoft.com/kb/2160685

LSI SAS drivers needs update http://support.microsoft.com/kb/2121098

SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845

SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447

Invalid startup parameters http://support.microsoft.com/kb/2028433

MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550

sql incorrect results fix missing http://support.microsoft.com/kb/971780

File System needs tuning for better FileStream performance http://support.microsoft.com/kb/2160002

linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US

Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098

default extended event health session not in expected state http://support.microsoft.com/kb/2160570

TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483

FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720

Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720

A required Windows fix to avoid sparse file related problems is missing http://support.microsoft.com/kb/2002606

Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324

Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589

Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345

backups outdated for databases http://support.microsoft.com/kb/2027537

Database consistency check not current http://support.microsoft.com/kb/2033590

SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US

Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024

Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098

Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098

SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US

Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098

Agent Token Replacement http://support.microsoft.com/kb/2202637

Auditing Log in failures http://support.microsoft.com/kb/2187161

Databases with high number of VLF present http://support.microsoft.com/kb/2028436

Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900

Permission on the Binn folder http://support.microsoft.com/kb/2029023

Index Statistics Are Outdated

Server public permissions http://support.microsoft.com/kb/2160698

Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions:

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005

Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474

Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031

Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472

Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497

Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855

Server is running a build with a known regression http://support.microsoft.com/kb/2157941

Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754

Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761

No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769

UnknownMember set to hidden http://support.microsoft.com/kb/2027628

Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138

Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143

ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742

Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299

An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418

Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443

Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327

Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459

Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460

Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468

Redundant attribute relationships detected http://support.microsoft.com/kb/2127437

Diamond-shape relationship detected http://support.microsoft.com/kb/2127570

Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862

Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541

No Time dimension detected http://support.microsoft.com/kb/2027532

More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431

Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918

Single attribute dimensions detected http://support.microsoft.com/kb/2141654

Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603

Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112

Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506

HTTP Logging is not enabled http://support.microsoft.com/kb/2145909

Verbose logging is enabled http://support.microsoft.com/kb/2146315

NTLM authentication may fail for local http://support.microsoft.com/kb/2146369

Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723

ActiveX Script task detected in package http://support.microsoft.com/kb/2027712

Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684

Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706

Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients - would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences - the involvement of Microsoft Support and the final solution - adding a needed trace flag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required: false

Position: 2

Default value:

Accept pipeline input: true (By Value, By Property Name)

Accept wildcard characters: False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required: false

Position: 3

Default value:

Accept pipeline input: false

Accept wildcard characters: false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model= Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required: false

Position: named

Default value: Default

Accept pipeline input: false

Accept wildcard characters: false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required: false

Position: named

Default value: All

Accept pipeline input: false

Accept wildcard characters: false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required: true

Position: 2

Default value:

Accept pipeline input: true (By Value, By Property Name)

Accept wildcard characters: False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required: false

Position: named

Default value: 80

Accept pipeline input: false

Accept wildcard characters: false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required: true

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required: false

Position: named

Default value: 32

Accept pipeline input: false

Accept wildcard characters: false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts a MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required: false

Position: 3

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required: true

Position: 2

Default value:

Accept pipeline input: true (By Value, By Property Name)

Accept wildcard characters: False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required: false

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required: true

Position: named

Default value:

Accept pipeline input: false

Accept wildcard characters: false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id, for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.
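The scan, retrieval and triage steps documented above, chained into one script. This is an added example, not part of the original whitepaper or the MBCA help text. It assumes that result objects expose Severity, Category and Title properties, and the report path and the accepted-deviation title are hypothetical placeholders; it also uses Set-MBCAResult, documented in section 9.1.4, to record deviations accepted under section 7.

```powershell
# Added example. Run in an elevated Windows PowerShell session on a computer
# where MBCA and the SQL2008R2BPA model are installed.
Import-Module BaselineConfigurationAnalyzer

$modelId    = 'SQL2008R2BPA'
# Hypothetical output location for the triage report.
$reportPath = Join-Path $env:TEMP 'sqlbpa-noncompliant.csv'
# Hypothetical placeholder: titles of findings reviewed and accepted for this
# environment (section 7 names SAP's 8 KB Network Packet Size as such a case).
$acceptedTitles = @('<title of an accepted deviation>')

# 1. Confirm the model is installed and show its model-specific parameters.
$model = Get-MBCAModel -ModelId $modelId
if (-not $model) {
    throw "MBCA model '$modelId' is not installed on this computer."
}
$model.Parameters

# 2. Run discovery and analysis. Append any model-specific parameters
#    listed in step 1 that the model requires.
Invoke-MBCAModel -ModelId $modelId -Mode All

# 3. Retrieve only the noncompliant results of the most recent scan.
$findings = @(Get-MBCAResult -ModelId $modelId -Filter Noncompliant)
if ($findings.Count -eq 0) {
    Write-Output 'No noncompliant results were returned.'
    return
}

# 4. Summarise by category and severity.
#    ASSUMPTION: Category, Severity and Title are properties of the result
#    objects; verify with: $findings | Get-Member
$findings |
    Group-Object -Property Category, Severity |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize

# 5. Keep a dated record of what was found, for change control.
$findings |
    Select-Object -Property @{ Name = 'ScanDate'; Expression = { Get-Date -Format s } },
                            Severity, Category, Title |
    Export-Csv -Path $reportPath -NoTypeInformation

# 6. Exclude only the findings that were reviewed and accepted, so later
#    reports show what still needs action. -Exclude $false reverses this.
$accepted = @($findings | Where-Object { $acceptedTitles -contains $_.Title })
if ($accepted.Count -gt 0) {
    Set-MBCAResult -Exclude $true -Results $accepted
}
```

Excluding by exact title keeps the suppression list reviewable: anything not explicitly listed continues to appear as noncompliant.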

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false

Position? 2

Default value

Accept pipeline input? false

Accept wildcard characters? false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false

Position? 4

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true

Position? 3

Default value

Accept pipeline input? true (ByValue)

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where {$_.Category -eq "Performance"} | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by "Model Id".

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to "Performance".

The final section of the example, following the second pipe character, excludes the "Performance" results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath CReposPath | Where {$_.Category -eq "Policy"}

Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by "Specified Model Id" from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) "Policy". The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
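The exclusion workflow from the two examples above, extended into an added script (not from the original paper) that also writes a record of every result it hides, so an excluded finding can be traced and reviewed later. The accepted-category list and the CSV file name are assumptions; Category is the only result property used because it is the only one this section shows.

```powershell
# Added example, not part of the original whitepaper.
# Run in an elevated session (Run as Administrator), as the cmdlet help requires.
Import-Module BaselineConfigurationAnalyzer

$modelId            = 'SQL2008R2BPA'     # model ID named in this paper
$acceptedCategories = @('Performance')   # assumption: categories whose deviations were reviewed and accepted
# Assumption: exclusion records are kept as time-stamped CSV files in the current directory.
$auditFile          = ".\bpa-exclusions-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date)

# Stop early if the model is not installed on this computer.
if (-not (Get-MBCAModel -ModelId $modelId)) {
    throw "MBCA model '$modelId' is not installed on this computer."
}

# Without -Mode the scan performs both discovery and analysis.
Invoke-MBCAModel -ModelId $modelId | Out-Null

# Load only the deviations; @() keeps a single result usable as a collection.
$deviations = @(Get-MBCAResult -ModelId $modelId -Filter Noncompliant)
"{0} noncompliant result(s)" -f $deviations.Count

# Overview per category before anything is hidden.
$deviations |
    Group-Object -Property Category |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize

# Select only the results that fall into an accepted category.
$toExclude = @($deviations | Where-Object { $acceptedCategories -contains $_.Category })

if ($toExclude.Count -gt 0) {
    # Record who hid what, and when, before the results disappear from the report.
    $toExclude |
        Select-Object -Property @{ Name = 'ExcludedOn'; Expression = { Get-Date -Format s } },
                                @{ Name = 'ExcludedBy'; Expression = { $env:USERNAME } },
                                * |
        Export-Csv -Path $auditFile -NoTypeInformation

    Set-MBCAResult -Exclude $true -Results $toExclude
    "{0} result(s) excluded; record written to {1}" -f $toExclude.Count, $auditFile
}

# At the next review, bring the results back so accepted deviations are looked at again:
# Set-MBCAResult -Exclude $false -Results $toExclude
```

If the scan was written to a non-default repository, pass the same -RepositoryPath to Get-MBCAResult and Set-MBCAResult, as Example 2 does.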

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


Significant Portion of SQL Server Memory Has Been Paged Out http://support.microsoft.com/kb/2028324

Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589

Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345

backups outdated for databases http://support.microsoft.com/kb/2027537

Database consistency check not current http://support.microsoft.com/kb/2033590

SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US

Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024

Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098

Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098

SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US

Operating System files and drivers needs update for working set trimming http://support.microsoft.com/kb/2121098

Agent Token Replacement http://support.microsoft.com/kb/2202637

Auditing Log in failures http://support.microsoft.com/kb/2187161

Databases with high number of VLF present http://support.microsoft.com/kb/2028436

Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900

Permission on the Binn folder http://support.microsoft.com/kb/2029023

Index Statistics Are Outdated

Server public permissions http://support.microsoft.com/kb/2160698

Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules

Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions:

Flight Recorder Enabled for SQL Server Analysis Services http://support.microsoft.com/kb/2128005

Excessive amount of memory preallocated to Analysis Services http://support.microsoft.com/kb/2027474

Server not configured for optimal concurrent query throughput http://support.microsoft.com/kb/2135031

Non standard value detected for Analysis Services memory configuration http://support.microsoft.com/kb/2027472

Process Thread Pool Max limit above recommended limit http://support.microsoft.com/kb/2134497

Process Thread Pool Minimum is below the recommended limit http://support.microsoft.com/kb/2134855

Server is running a build with a known regression http://support.microsoft.com/kb/2157941

Slice not set on a ROLAP partition or a partition where proactive caching is enabled and ROLAP storage may occur http://support.microsoft.com/kb/2027754

Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761

No default member defined for non-aggregatable attribute http://support.microsoft.com/kb/2027769

UnknownMember set to hidden http://support.microsoft.com/kb/2027628

Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138

Attribute hierarchy enabled for high cardinality non-key attribute http://support.microsoft.com/kb/2028143

ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition detected http://support.microsoft.com/kb/2132742

Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299

An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418

Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443

Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327

Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459

Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460

Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468

Redundant attribute relationships detected http://support.microsoft.com/kb/2127437

Diamond-shape relationship detected http://support.microsoft.com/kb/2127570

Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862

Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541

No Time dimension detected http://support.microsoft.com/kb/2027532

More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431

Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918

Single attribute dimensions detected http://support.microsoft.com/kb/2141654

Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609

Proactive Caching set for a partition without a processing query

Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603

Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112

Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506

HTTP Logging is not enabled http://support.microsoft.com/kb/2145909

Verbose logging is enabled http://support.microsoft.com/kb/2146315

NTLM authentication may fail for local http://support.microsoft.com/kb/2146369

Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723

ActiveX Script task detected in package http://support.microsoft.com/kb/2027712

Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684

Integration Services logging table found in system database master and or msdb http://support.microsoft.com/kb/2027706

Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed trace flag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest.

2. Dynamic parameters that are included with the model.

3. Submodels that are included with the model.

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false

Position? 3

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by "Model Id".

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by "Model Id". The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by "SubModel Id". Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by "Model Id". The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false

Position? named

Default value Default

Accept pipeline input? false

Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or "localhost".

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the "Backend" submodel of the "SQL" model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or "All".

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false

Position? named

Default value All

Accept pipeline input? false

Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true

Position? 2

Default value

Accept pipeline input? true (By Value, By Property Name)

Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false

Position? named

Default value 80

Accept pipeline input? false

Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false

Position? named

Default value 32

Accept pipeline input? false

Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by "Model Id".

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by "Model Id". The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by "Model Id". The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by "SubModel Id" and on the computer that is represented by "Server".

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.
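The remote-scan parameters from Example 5, filled in as an added script (not from the original paper) that sets an encrypted, Kerberos-authenticated connection beside the weaker form, and checks each target's listener with Test-WSMan before scanning. The host names are constructed, the submodel ID is a placeholder, and the HTTPS listener port and the throttle value of 4 are assumptions.

```powershell
# Added example, not part of the original whitepaper.
# Run in an elevated session (Run as Administrator), as the cmdlet help requires.
Import-Module BaselineConfigurationAnalyzer

$modelId    = 'SQL2008R2BPA'                                   # model ID named in this paper
$subModelId = '<SubModel Id>'                                  # placeholder: use an ID listed by (Get-MBCAModel -ModelId $modelId).SubModels
$servers    = @('sql01.corp.example', 'sql02.corp.example')    # constructed host names
$httpsPort  = 5986                                             # assumption: port of the HTTPS WinRM listener on the targets

# Weaker form, shown for contrast only. SSL is off unless -UseSSL is given, and
# Basic authentication sends the user name and password in clear text:
# Invoke-MBCAModel -ModelId $modelId -SubModelId $subModelId -ComputerName $servers -Authentication Basic

# Keep only the targets that accept a Kerberos-authenticated session over SSL.
$reachable = @()
foreach ($server in $servers) {
    try {
        Test-WSMan -ComputerName $server -UseSSL -Port $httpsPort -Authentication Kerberos -ErrorAction Stop | Out-Null
        $reachable += $server
    }
    catch {
        Write-Warning ("Skipping {0}: no Kerberos-authenticated SSL session ({1})" -f $server, $_.Exception.Message)
    }
}

if ($reachable.Count -gt 0) {
    # Hardened form: mutual authentication (Kerberos) and transport encryption (SSL),
    # with fewer concurrent connections than the default of 32.
    Invoke-MBCAModel -ModelId $modelId -SubModelId $subModelId -ComputerName $reachable `
        -Authentication Kerberos -UseSSL -Port $httpsPort -ThrottleLimit 4

    # Per-computer count of deviations from the scan that just completed.
    foreach ($server in $reachable) {
        $bad = @(Get-MBCAResult -ModelId $modelId -SubModelId $subModelId -ComputerName $server -Filter Noncompliant)
        "{0}: {1} noncompliant result(s)" -f $server, $bad.Count
    }
}
else {
    Write-Warning 'No target accepted a Kerberos-authenticated SSL session; nothing was scanned.'
}
```

Kerberos needs host names rather than IP addresses, so list the targets by their fully-qualified domain names.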

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [ltSwitchParametergt]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was

collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults

the cmdlet returns only the configuration data that was collected for a scan

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName ltstring[]gt

The -ComputerName parameter lets you obtain scan results that were collected for the most

recent MBCA scan of a submodel on a specific computer To specify the local computer type the

computer name or localhost Multiple values for -ComputerName can be separated by

commas

The -SubModelId parameter is required by the -ComputerName parameter

Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP

address or a fully-qualified domain name (FQDN) of one or more computers in a comma-

separated list

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results
2. Attempting to get MBCA results for Model Id = 0
3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data
2. Attempting to get MBCA collected configuration data for Model Id = 0
3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
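Excluded results no longer show up when the scan results are reviewed, so it is worth recording what was hidden, by whom and why, before calling Set-MBCAResult. The following is an added example, not code from the original paper: it writes each accepted deviation to a CSV audit file and only then excludes it. The Title and Severity result properties, the title pattern and the folder path are assumptions; only the Category property appears in the paper's own examples.

```powershell
# Added example: exclude accepted deviations and keep an audit trail of what was hidden.
# Run in an elevated Windows PowerShell session, as the cmdlets require.
Import-Module BaselineConfigurationAnalyzer

$modelId  = 'SQL2008R2BPA'
$auditDir = 'C:\BpaAudit'    # hypothetical folder for the audit files

# Accepted deviations: a wildcard pattern matched against the result title, plus the
# documented reason. Both values are constructed samples for this example.
$accepted = @(
    @{ Pattern = '*network packet size*'; Reason = 'SAP requires a network packet size of 8 KB' }
)

# Only noncompliant results are candidates for exclusion.
$findings = @(Get-MBCAResult -ModelId $modelId -Filter Noncompliant)

$toExclude = @()
$auditRows = @()
foreach ($finding in $findings) {
    foreach ($rule in $accepted) {
        # Title is assumed to be a property of the result object.
        if ($finding.Title -like $rule.Pattern) {
            $toExclude += $finding
            $auditRows += New-Object PSObject -Property @{
                ExcludedOn = (Get-Date).ToString('s')
                ExcludedBy = [Environment]::UserName
                ModelId    = $modelId
                Category   = $finding.Category
                Severity   = $finding.Severity    # assumed property
                Title      = $finding.Title
                Reason     = $rule.Reason
            }
            break    # one matching rule is enough for this finding
        }
    }
}

if ($toExclude.Count -eq 0) {
    Write-Output 'No accepted deviations found in the most recent scan results.'
}
else {
    # Write the audit record first, so an interrupted run never hides a result silently.
    if (-not (Test-Path $auditDir)) {
        New-Item -ItemType Directory -Path $auditDir | Out-Null
    }
    $auditFile = Join-Path $auditDir ('excluded-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
    $auditRows |
        Select-Object ExcludedOn, ExcludedBy, ModelId, Category, Severity, Title, Reason |
        Export-Csv -Path $auditFile -NoTypeInformation

    # Pipe the selected results to Set-MBCAResult, as in EXAMPLE 1 above.
    $toExclude | Set-MBCAResult -Exclude $true
    Write-Output ('Excluded {0} result(s); audit written to {1}' -f $toExclude.Count, $auditFile)
}
```

To bring the results back into view, pipe the same collection to Set-MBCAResult with -Exclude $false.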

9.1.5 MBCA Model Authoring

Further information about the configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.


Account or Time attribute types defined in a non-matching dimension type http://support.microsoft.com/kb/2157299
An Account or Time dimension has no matching attribute defined http://support.microsoft.com/kb/2027418
Dimension has no attribute defined with the same type http://support.microsoft.com/kb/2027443
Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327
Mismatched dimension attribute types detected in dimension http://support.microsoft.com/kb/2027459
Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460
Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468
Redundant attribute relationships detected http://support.microsoft.com/kb/2127437
Diamond-shape relationship detected http://support.microsoft.com/kb/2127570
Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862
Proactive Caching set for dimension without a processing query http://support.microsoft.com/kb/2027541
No Time dimension detected http://support.microsoft.com/kb/2027532
More than 3 parent-child dimensions with custom rollups defined http://support.microsoft.com/kb/2134431
Encountered a parent-child dimension with more than 500000 members http://support.microsoft.com/kb/2131918
Single attribute dimensions detected http://support.microsoft.com/kb/2141654
Measure groups with zero dimensional overlap detected in cube http://support.microsoft.com/kb/2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups http://support.microsoft.com/kb/2135112
Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration http://support.microsoft.com/kb/2145506
HTTP Logging is not enabled http://support.microsoft.com/kb/2145909
Verbose logging is enabled http://support.microsoft.com/kb/2146315
NTLM authentication may fail for local http://support.microsoft.com/kb/2146369
Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723
ActiveX Script task detected in package http://support.microsoft.com/kb/2027712
Unrecommended Integration Services service account detected http://support.microsoft.com/kb/2027684
Integration Services logging table found in system database master and/or msdb http://support.microsoft.com/kb/2027706
Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909
WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198
Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349
Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386
Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410
Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498
Merge Replication Health Check http://support.microsoft.com/kb/2118445
Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483
Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485
Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB
Existing non-Microsoft clients - would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences - the involvement of Microsoft Support and the final solution - adding a needed trace flag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You can get help for a command with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest
2. Dynamic parameters that are included with the model
3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel with no parameters added returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration. Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:

Another scan for this MBCA model is in progress. Only one scan is allowed at a time.

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.
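The remote-scan parameters default to port 80 with SSL off and the Default authentication mechanism. The wrapper below is an added example, not code from the whitepaper: it runs the same scan over an SSL listener with Kerberos pinned. The function name, the port 5986 default (WinRM 2.0's HTTPS port), the throttle value, and the sample server and submodel values are assumptions.

```powershell
# Added example, not part of the whitepaper. Run in an elevated PowerShell session.
Import-Module BaselineConfigurationAnalyzer

function Invoke-SqlBpaRemoteScan {          # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [string[]] $ComputerName,
        # Submodel to scan; list candidates with (Get-MBCAModel -ModelId SQL2008R2BPA).SubModels
        [Parameter(Mandatory = $true)] [string]   $SubModelId,
        # Assumption: the targets expose a WinRM 2.0 HTTPS listener on its default port.
        [int] $Port = 5986,
        [int] $ThrottleLimit = 8
    )

    # Kerberos needs a host name it can map to a service principal. A bare IP
    # address would not authenticate with Kerberos, so reject it up front.
    foreach ($name in $ComputerName) {
        $ip = $null
        if ([System.Net.IPAddress]::TryParse($name, [ref]$ip)) {
            throw "Use a host name or FQDN instead of '$name' so Kerberos can be used."
        }
    }

    # Cmdlet defaults per the parameter reference: -Port 80, SSL off,
    # -Authentication Default. Here the channel is encrypted and the
    # authentication mechanism is pinned.
    Invoke-MBCAModel -ModelId SQL2008R2BPA -SubModelId $SubModelId `
        -ComputerName $ComputerName `
        -Authentication Kerberos -UseSSL -Port $Port `
        -ThrottleLimit $ThrottleLimit
}

# Constructed sample values; replace with a real server name and submodel ID.
$scan = Invoke-SqlBpaRemoteScan -ComputerName 'sql01.example.test' -SubModelId '<SubModel Id>'

# Show every property of the output object (model ID, success or failure, details).
$scan | Format-List *
```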

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights (that is, Run as Administrator).

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedConfiguration specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights (that is, Run as Administrator).

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required false

Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
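Excluding results hides findings from later reviews, so it helps to keep a record of what was excluded and why. The script below is an added example, not code from the whitepaper: it chains the scan, the Noncompliant filter and Set-MBCAResult into one triage pass that writes the excluded and the still-open findings to files first. The accepted-category list and the report folder are constructed values; Category is the only result property it relies on.

```powershell
# Added example, not part of the whitepaper. Run in an elevated PowerShell session.
Import-Module BaselineConfigurationAnalyzer

$modelId = 'SQL2008R2BPA'

# Constructed values: categories already reviewed and accepted as deviations,
# and a folder for the triage reports.
$acceptedCategories = @('Performance')
$reportDir = 'C:\BpaReports'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

if (-not (Test-Path $reportDir)) {
    New-Item -ItemType Directory -Path $reportDir | Out-Null
}

# 1. Run a fresh scan, then pull only the findings that need attention.
Invoke-MBCAModel -ModelId $modelId | Out-Null
$findings = @(Get-MBCAResult -ModelId $modelId -Filter Noncompliant)

# 2. Per-category overview of what the scan flagged.
$findings | Group-Object Category | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. Split the findings into accepted deviations and open items.
$accepted = @($findings | Where-Object { $acceptedCategories -contains $_.Category })
$open     = @($findings | Where-Object { $acceptedCategories -notcontains $_.Category })

# 4. Record what is about to be hidden before excluding it, so each exclusion
#    can be reviewed later and reversed with -Exclude $false.
if ($accepted.Count -gt 0) {
    $accepted | Export-Csv -NoTypeInformation -Path (Join-Path $reportDir "excluded-$stamp.csv")
    $accepted | Set-MBCAResult -Exclude $true
}

# 5. Hand the open findings to whoever remediates them.
if ($open.Count -gt 0) {
    $open | Export-Csv -NoTypeInformation -Path (Join-Path $reportDir "open-$stamp.csv")
}

"{0} noncompliant, {1} excluded as accepted, {2} open" -f $findings.Count, $accepted.Count, $open.Count
```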

9.1.5 MBCA Model Authoring

Further information about the configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.


6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909

WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198

Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100

SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349

Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386

Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410

Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498

Merge Replication Health Check http://support.microsoft.com/kb/2118445

Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483

Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485

Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA Case 1 Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights (that is, Run as Administrator).

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest

2. Dynamic parameters that are included with the model

3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters, and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required false

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters, and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model= Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model= Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights (that is, Run as Administrator).

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required false

Position named

Default value Default

Accept pipeline input false

Accept wildcard characters false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required false

Position named

Default value All

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required false

Position named

Default value 80

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required false

Position named

Default value 32

Accept pipeline input false

Accept wildcard characters false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results
2. Attempting to get MBCA results for Model Id = {0}
3. Completed getting MBCA results for Model Id = {0}. Number of Results = {1}

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data
2. Attempting to get MBCA collected configuration data for Model Id = {0}
3. Completed getting MBCA collected configuration data for Model Id = {0}

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required false

Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled, and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
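
The exclusion workflow from the two Set-MBCAResult examples above, extended so that every set of results hidden as an accepted deviation is first written to an audit file with who, when and why. This is an added example, not code from the whitepaper; the function names, the CSV columns and the audit directory are assumptions, and it uses only the cmdlets, parameters and the Category property shown in this paper.

```powershell
# Added example, not part of the whitepaper. Run in an elevated Windows PowerShell
# session on a computer where the SQL2008R2BPA model is installed.
Import-Module BaselineConfigurationAnalyzer

# Hypothetical helper: counts the current Noncompliant results per category so
# they can be reviewed before anything is hidden.
function Get-BpaDeviationSummary {
    param([string] $ModelId = 'SQL2008R2BPA')

    Get-MBCAResult -ModelId $ModelId -Filter Noncompliant |
        Group-Object -Property Category |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Name, Count
}

# Hypothetical helper: excludes the Noncompliant results of one category, but only
# after they have been written to a CSV file that serves as the audit record.
function Hide-AcceptedBpaDeviation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Category,
        [Parameter(Mandatory = $true)] [string] $Reason,
        [Parameter(Mandatory = $true)] [string] $AuditDirectory,
        [string] $ModelId = 'SQL2008R2BPA'
    )

    # @(...) forces an array so .Count works even when a single result is returned.
    $accepted = @(Get-MBCAResult -ModelId $ModelId -Filter Noncompliant |
        Where-Object { $_.Category -eq $Category })

    if ($accepted.Count -eq 0) {
        Write-Warning "No Noncompliant results in category '$Category'; nothing excluded."
        return
    }

    $now   = Get-Date
    $actor = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $file  = Join-Path $AuditDirectory ('bpa-exclusions-{0:yyyyMMdd-HHmmss}.csv' -f $now)

    if ($PSCmdlet.ShouldProcess("$($accepted.Count) '$Category' result(s)", 'Exclude')) {
        try {
            # Write the record first: if this fails, the results stay visible.
            $accepted |
                Select-Object -Property *,
                    @{ Name = 'ExclusionTime';   Expression = { $now.ToString('s') } },
                    @{ Name = 'ExclusionBy';     Expression = { $actor } },
                    @{ Name = 'ExclusionReason'; Expression = { $Reason } } |
                Export-Csv -Path $file -NoTypeInformation -ErrorAction Stop
        }
        catch {
            Write-Error "Audit record could not be written to '$file'; no results were excluded."
            return
        }

        Set-MBCAResult -Exclude $true -Results $accepted
        Write-Verbose "Excluded $($accepted.Count) result(s); audit record: $file"
    }
}

# Usage (constructed values): review, preview with -WhatIf, then exclude.
# Get-BpaDeviationSummary
# Hide-AcceptedBpaDeviation -Category Policy -Reason 'Accepted deviation' -AuditDirectory C:\BpaAudit -WhatIf
```

Because Set-MBCAResult cannot be cancelled once the results file has been modified, the -WhatIf preview is the point at which to check the count and category before committing.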

9.1.5 MBCA Model Authoring

Further information about the configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.

7 HOW TO DEAL WITH DEVIATIONS

Deviations from these Best Practices may indicate potential issues, and configuration changes may be necessary. Make sure you have tested any intended changes in a test environment before deploying them to a production environment. You could also find deviations from Best Practices that are acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB

Existing Non-Microsoft Clients – would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support and the final solution – adding a needed traceflag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the traceflag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest
2. Dynamic parameters that are included with the model
3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters, and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required false

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters, and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required false

Position named

Default value Default

Accept pipeline input false

Accept wildcard characters false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X.509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required false

Position named

Default value All

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required false

Position named

Default value 80

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath ltstringgt

The -RepositoryPath parameter is used to specify a non-default location of the results repository

The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes

results to the default result repository

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId ltstringgt

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to

scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel

cmdlet targeted at a computer on which MBCA models are installed Not all models have

submodels

The -ModelId parameter is required with the -SubModelId parameter

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts a MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id. The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results
2. Attempting to get MBCA results for Model Id = 0
3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data
2. Attempting to get MBCA collected configuration data for Model Id = 0
3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id, for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled, and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }
Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
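
The scan, review and exclude cycle that the Invoke-MBCAModel, Get-MBCAResult and Set-MBCAResult help topics describe, put together as an added example that is not part of the whitepaper. The paths in $repo and $auditDir are hypothetical, and the only property assumed on result objects is Category, which the help examples filter on.

```powershell
# Added example (not from the whitepaper): scan, review, record, then exclude.
# Run in an elevated (Run as Administrator) Windows PowerShell session.
$ErrorActionPreference = 'Stop'

$modelId  = 'SQL2008R2BPA'
$repo     = 'C:\BpaRepository'   # hypothetical non-default results repository
$auditDir = 'C:\BpaAudit'        # hypothetical folder for exclusion records

Import-Module BaselineConfigurationAnalyzer

# 1. Stop early if the model is not installed on this computer.
$model = Get-MBCAModel -ModelId $modelId -ErrorAction SilentlyContinue
if (-not $model) { throw "MBCA model '$modelId' was not found on this computer." }

# 2. Run discovery and analysis (-Mode All is the default) and write the
#    results to the non-default repository.
foreach ($dir in $repo, $auditDir) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}
$scan = Invoke-MBCAModel -ModelId $modelId -Mode All -RepositoryPath $repo
$scan | Format-List

# 3. Read back from the same repository and keep only the findings that
#    need attention.
$findings = @(Get-MBCAResult -ModelId $modelId -RepositoryPath $repo -Filter Noncompliant)
if ($findings.Count -eq 0) {
    'No noncompliant results were returned.'
    return
}

# 4. Summarize by category so that triage starts with the largest group.
$findings | Group-Object Category | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 5. Excluded results no longer appear in the views you work from, so write
#    down exactly what is being suppressed before changing the repository.
$accepted = $findings | Where-Object { $_.Category -eq 'Performance' }
if ($accepted) {
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $auditCsv = Join-Path $auditDir ("excluded-$stamp.csv")
    $accepted | Export-Csv -Path $auditCsv -NoTypeInformation
    Set-MBCAResult -Exclude $true -RepositoryPath $repo -Results $accepted
}

# 6. To bring the suppressed results back later, pass the same collection
#    with -Exclude $false against the same repository:
# Set-MBCAResult -Exclude $false -RepositoryPath $repo -Results $accepted
```

Both Get-MBCAResult and Set-MBCAResult are pointed at the same -RepositoryPath as the scan; omitting it on either call makes that cmdlet work against the default repository instead.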

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.

Did this paper help you? Please give us your feedback. Tell us, on a scale of 1 (poor) to 5 (excellent), how you would rate this paper and why you have given it this rating. For example:

Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason?

Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?

This feedback will help us improve the quality of white papers we release.

Send feedback

Page 41: SQL2008R2 BPA Whitepaper v10

8 MOTIVATION TO USE SQL BPA R2

Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA Case 1 Missing Updates" the common pitfalls during maintenance and operation of SQL Server and how to address them by using the SQL BPA.

In brief, it's a customer scenario where the customer is facing an issue after a major update to SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the problem still occurs. Bob's article states the common resulting consequences – the involvement of Microsoft Support – and the final solution – adding a needed trace flag.

The good news in this story is that the customer would not have needed to go to all that effort if they had run the SQL BPA. It would have told them about the update and instructed them to put the trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with common known issues.

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest
2. Dynamic parameters that are included with the model
3. Submodels that are included with the model

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters, and targeted at a computer on which MBCA models are installed.

This parameter supports wild card characters.

Required? false
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters, and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA
$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration.

Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required false

Position named

Default value All

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required false

Position named

Default value 80

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet writes results to the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required false

Position named

Default value 32

Accept pipeline input false

Accept wildcard characters false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role is preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id. The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery, not the analysis, portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis, not discovery, on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id, for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required false

Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled, and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
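The scan, review and exclude workflow described in sections 9.1.2 to 9.1.4, as an added example that is not part of the original whitepaper: it saves every result to disk before Set-MBCAResult hides it, so that exclusions remain auditable. The function names, the C:\BpaAudit folder and the use of Export-Clixml are assumptions of this example; the MBCA cmdlets, their parameters and the Category property are the ones documented above.

```powershell
# Added example; not taken from the whitepaper.
$ModelId  = 'SQL2008R2BPA'   # model ID given in the whitepaper
$AuditDir = 'C:\BpaAudit'    # hypothetical folder for the audit trail

function Test-IsElevated {
    # The MBCA cmdlets must run in an elevated session of an Administrators member.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-CategorySummary {
    param($Results)
    # Category is the result property used in the whitepaper's own filter examples.
    $Results |
        Group-Object -Property Category |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Name, Count
}

function Invoke-BpaAudit {
    param([string[]]$ExcludeCategory = @())

    if (-not (Test-IsElevated)) {
        throw 'Run this function in an elevated Windows PowerShell session.'
    }

    Import-Module BaselineConfigurationAnalyzer -ErrorAction Stop

    # Fail early if the model is not installed on this computer.
    $model = Get-MBCAModel -ModelId $ModelId -ErrorAction Stop
    if (-not $model) { throw "MBCA model '$ModelId' is not installed." }

    if (-not (Test-Path $AuditDir)) {
        New-Item -ItemType Directory -Path $AuditDir | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    # -Mode defaults to All, so this runs discovery and analysis in one pass.
    Invoke-MBCAModel -ModelId $ModelId -ErrorAction Stop | Out-Null

    # Keep a full copy of the findings before anything is excluded.
    $nonCompliant = @(Get-MBCAResult -ModelId $ModelId -Filter Noncompliant)
    $nonCompliant |
        Export-Clixml -Path (Join-Path $AuditDir "noncompliant-$stamp.xml")

    foreach ($category in $ExcludeCategory) {
        $toExclude = @($nonCompliant | Where-Object { $_.Category -eq $category })
        if ($toExclude.Count -eq 0) { continue }

        # Record exactly which results are about to be hidden, then exclude them.
        $safeName = $category -replace '[^\w-]', '_'
        $toExclude |
            Export-Clixml -Path (Join-Path $AuditDir "excluded-$safeName-$stamp.xml")
        $toExclude | Set-MBCAResult -Exclude $true
    }

    # Summary of what the scan found, counted before the exclusions were applied.
    Get-CategorySummary -Results $nonCompliant
}

# Example call: Invoke-BpaAudit -ExcludeCategory 'Performance'
```

An excluded set can be restored later by reading the saved file with Import-Clixml to see what was hidden, re-selecting those results with Get-MBCAResult, and piping them to Set-MBCAResult -Exclude $false.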

9.1.5 MBCA Model Authoring

Further information about the configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.

Page 42: SQL2008R2 BPA Whitepaper v10

9 ADDITIONAL INFORMATION

9.1 PowerShell

To use the functionality of the Baseline Configuration Analyzer with PowerShell, you must import this module first:

Import-Module BaselineConfigurationAnalyzer

You can list the commands of this module with the following syntax:

$x = Get-Module BaselineConfigurationAnalyzer

$x.ExportedCommands

The following commands are stored in this module:

Get-MbcaModel

Get-MbcaResult

Invoke-MbcaModel

Set-MbcaResult

You can get help for each of these commands with the following syntax:

Get-Help <command> -full

9.1.1 Get-MBCAModel

SYNOPSIS

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer.

SYNTAX

Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified by using the -ModelId parameter, information about the specified model is returned.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

The results of the Get-MBCAModel cmdlet include the following details about models:

1. Branding information (manufacturer or company display names, version number) that is found in the model manifest.

2. Dynamic parameters that are included with the model.

3. Submodels that are included with the model.

PARAMETERS

-ModelId <string[]>

The -ModelId parameter specifies the ID of the MBCA model about which you want to view details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet with no parameters, and targeted at a computer on which MBCA models are installed.

This parameter supports wildcard characters.

Required false

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters, and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required false

Position named

Default value Default

Accept pipeline input false

Accept wildcard characters false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X.509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration. Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required false

Position named

Default value All

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required false

Position named

Default value 80

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required false

Position named

Default value 32

Accept pipeline input false

Accept wildcard characters false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role is preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id. The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or "localhost". Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include "localhost", a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results

2. Attempting to get MBCA results for Model Id = 0

3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data

2. Attempting to get MBCA collected configuration data for Model Id = 0

3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.
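
The scan-then-review sequence that the Invoke-MBCAModel and Get-MBCAResult references describe, combined into one script with the elevation requirement checked up front. This is an added example, not part of the original whitepaper; the function names Test-IsElevated and Get-BpaNoncompliantSummary are hypothetical, and it assumes the MBCA cmdlets are already loaded in the session.

```powershell
# Added example (not from the whitepaper).
# Assumption: the MBCA cmdlets documented above are already loaded in this session.

function Test-IsElevated {
    # Both cmdlets require membership in Administrators AND an elevated session,
    # so check the current token rather than failing halfway through a scan.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-BpaNoncompliantSummary {
    param(
        [string]$ModelId = 'SQL2008R2BPA',
        [string]$RepositoryPath            # optional non-default results repository
    )

    if (-not (Test-IsElevated)) {
        throw 'Open Windows PowerShell with Run as Administrator before scanning.'
    }

    # Build the shared arguments once so the scan and the read-back always use
    # the same model and the same repository.
    $common = @{ ModelId = $ModelId }
    if ($RepositoryPath) { $common.RepositoryPath = $RepositoryPath }

    # -Mode is omitted, so both discovery and analysis run (the default, All).
    Invoke-MBCAModel @common | Out-Null

    # Get-MBCAResult does not start a scan; it reads the most recent results.
    $findings = @(Get-MBCAResult @common -Filter Noncompliant)

    # Category is the result property used in the whitepaper's own examples.
    $findings |
        Group-Object -Property Category |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Name, Count
}

# Usage: Get-BpaNoncompliantSummary
```

Grouping before excluding anything with Set-MBCAResult gives a record of how many noncompliant findings each category held at scan time.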

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required false

Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable, $allPerformance, to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled, and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.

Did this paper help you? Please give us your feedback. Tell us on a scale of 1 (poor) to 5 (excellent), how would you rate this paper and why have you given it this rating? For example:

Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason?

Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?

This feedback will help us improve the quality of white papers we release.

Send feedback.

Page 43: SQL2008R2 BPA Whitepaper v10

This parameter supports wild card characters

Required false

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you want to view details. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet without parameters, and targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type get-help about_commonparameters.

Examples

Get-MBCAModel

In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA models that are installed on the computer.

Get-MBCAModel -ModelId SQL2008R2BPA

The preceding example can be used to return details about the MBCA model that is specified in the -ModelId parameter, represented by Model Id.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.Parameters

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the Parameters property of the model details that were stored in the $model object returns details about which parameters are supported by the model.

Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>

The preceding example can be used to return details about the MBCA sub-model that is specified by the -SubModelId parameter, represented by SubModel Id. Note that the -ModelId parameter is required by the -SubModelId parameter.

$model = Get-MBCAModel -ModelId SQL2008R2BPA

$model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel

SYNOPSIS

The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX

Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION

The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>

Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Authentication

Required false

Position named

Default value Default

Accept pipeline input false

Accept wildcard characters false

-CertificateThumbprint <string>

Specifies the digital public key certificate (X.509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or "localhost".

All formats that are accepted by the -ComputerName parameter in Invoke-Command are

accepted

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ConfigurationName ltstringgt

Specifies the session configuration that is used for a new PSSession

Enter a configuration name or the fully-qualified resource URI for a session configuration

Session configuration data is found on the remote computer on which you want to run a cmdlet

For more information about this parameter type the following and then press Enter

Get-Help Invoke-Command -Parameter ConfigurationName

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context ltstringgt

The -Context parameter lets you run scans on a submodel in the context of a specific model (one

that is different from the parent model of the submodel) For example an administrator might

want to run a scan on the Backend submodel of the SQL model but only those in the context

of a third model a technology that relies upon SQL Server

The -SubModelId parameter is required by the -Context parameter

Page 46

A model ID is the valid value of the -Context parameter

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Credential ltstringgt

Specifies a user account that has permission to run this cmdlet The default value is the current

user

For more information about this parameter type the following and then press Enter

Get-Help Invoke-Command -Parameter Credential

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Mode ltModeEnumgt

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered

documents or discovery The default is to perform both discovery and analysis or All

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and

analysis are performed during a scan

Valid values are Discovery Analysis and All

Required false

Position named

Default value All

Accept pipeline input false

Accept wildcard characters false

-ModelId ltstringgt

The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can

obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at

a computer on which MBCA models are installed

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

Page 47

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-Port ltintgt

Specifies the network port on a remote computer on which you want to run a scan The default

value is port 80

For more information on this parameter type the following and then press Enter

Get-Help Invoke-Command -Parameter Port

Required false

Position named

Default value 80

Accept pipeline input false

Accept wildcard characters false

-RepositoryPath ltstringgt

The -RepositoryPath parameter is used to specify a non-default location of the results repository

The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes

results to the default result repository

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId ltstringgt

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to

scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel

cmdlet targeted at a computer on which MBCA models are installed Not all models have

submodels

The -ModelId parameter is required with the -SubModelId parameter

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ThrottleLimit <int>
Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

    Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

    Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS
System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES
If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded, and any previous scan results file for the role is preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

    Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

    Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id. The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

    Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

    Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

    Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.
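The remote-scan parameters documented above default to port 80 with SSL off. The following wrapper is an added example, not code from the whitepaper or from MBCA: it builds the Invoke-MBCAModel arguments with -UseSSL forced on, rejects weak or inconsistent choices before any connection is made, and then reads back only the Noncompliant results. The function names, the allowed-authentication list, the throttle cap of 8, the host name and port 5986 are assumptions for illustration.

```powershell
# Added example: hypothetical helper functions, not part of MBCA or the whitepaper.
# Only Invoke-MBCAModel / Get-MBCAResult parameters documented on this page are used.

function New-MbcaRemoteScanArgs {
    param(
        [Parameter(Mandatory = $true)] [string]   $ModelId,
        [Parameter(Mandatory = $true)] [string]   $SubModelId,
        [Parameter(Mandatory = $true)] [string[]] $ComputerName,
        [Parameter(Mandatory = $true)] [int]      $Port,          # site-specific HTTPS listener port
        [string]   $Authentication = 'Kerberos',
        [string[]] $AllowedAuthentication = @('Kerberos', 'Negotiate'),   # assumed site policy
        [int]      $ThrottleLimit = 8,                            # assumed cap; the cmdlet default is 32
        [string]   $RepositoryPath
    )

    if ($AllowedAuthentication -notcontains $Authentication) {
        throw "Authentication '$Authentication' is outside the allowed set ($($AllowedAuthentication -join ', '))."
    }
    if ($Port -eq 80) {
        throw 'Port 80 is the documented default for connections without SSL; pass the HTTPS listener port.'
    }
    if ($ThrottleLimit -lt 1) {
        throw 'A ThrottleLimit of 0 falls back to the default of 32; pass an explicit positive value.'
    }

    $parsed = $null
    foreach ($name in $ComputerName) {
        # Kerberos needs a name it can map to a service principal, so reject IP literals early.
        if ($Authentication -eq 'Kerberos' -and [System.Net.IPAddress]::TryParse($name, [ref]$parsed)) {
            throw "Use a host name or FQDN with Kerberos instead of the IP address '$name'."
        }
    }

    if ($RepositoryPath -and -not (Test-Path -LiteralPath $RepositoryPath -PathType Container)) {
        throw "Repository path '$RepositoryPath' does not exist."
    }

    # No -Credential is passed, so the scan runs as the current user (the documented default).
    $scanArgs = @{
        ModelId        = $ModelId
        SubModelId     = $SubModelId
        ComputerName   = $ComputerName
        Authentication = $Authentication
        Port           = $Port
        UseSSL         = $true
        ThrottleLimit  = $ThrottleLimit
    }
    if ($RepositoryPath) { $scanArgs.RepositoryPath = $RepositoryPath }
    return $scanArgs
}

function Invoke-MbcaRemoteScan {
    param([Parameter(Mandatory = $true)] [hashtable] $ScanArgs)

    # Run the scan, then read back only the findings that need attention.
    $scan = Invoke-MBCAModel @ScanArgs

    $resultArgs = @{
        ModelId      = $ScanArgs.ModelId
        SubModelId   = $ScanArgs.SubModelId
        ComputerName = $ScanArgs.ComputerName
        Filter       = 'Noncompliant'
    }
    if ($ScanArgs.ContainsKey('RepositoryPath')) {
        $resultArgs.RepositoryPath = $ScanArgs.RepositoryPath
    }

    New-Object PSObject -Property @{
        Scan         = $scan                              # scan status object returned by the cmdlet
        Noncompliant = @(Get-MBCAResult @resultArgs)      # empty array when nothing is noncompliant
    }
}

# Runs only where the MBCA cmdlets are loaded. Host name and port are constructed sample values.
if (Get-Command Invoke-MBCAModel -ErrorAction SilentlyContinue) {
    $scanArgs = New-MbcaRemoteScanArgs -ModelId 'SQL2008R2BPA' -SubModelId '<SubModel Id>' `
        -ComputerName 'sqlhost01.example.test' -Port 5986
    Invoke-MbcaRemoteScan -ScanArgs $scanArgs
}
```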

913 Get-MBCAResult

SYNOPSIS
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX
    Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan. To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>
The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>
The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? false

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>
The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS
System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results
2. Attempting to get MBCA results for Model Id = 0
3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data
2. Attempting to get MBCA collected configuration data for Model Id = 0
3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

    Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

    Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

    $result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
    $result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

    Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

    Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

    Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

914 Set-MBCAResult

SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX
    Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>
Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

    -Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepostitoryPath <string>
The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>
Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled, and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

    Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

    $rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }
    Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
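Excluded results no longer appear in the views an administrator sees, so it helps to keep a record of what was hidden, by whom and why. The following function is an added example, not code from the whitepaper or from MBCA: it saves the filtered results to a file before calling Set-MBCAResult, and excludes nothing if the record cannot be written. The function name, the record folder and the file naming scheme are assumptions; -RepositoryPath is spelled as in Example 2 above.

```powershell
# Added example: hypothetical helper, not part of MBCA or the whitepaper.
function Set-MbcaExclusionWithRecord {
    param(
        [Parameter(Mandatory = $true)] [string] $ModelId,
        [Parameter(Mandatory = $true)] [string] $Category,
        [Parameter(Mandatory = $true)] [string] $Reason,
        [Parameter(Mandatory = $true)] [string] $RecordDirectory,   # assumed: writable by administrators only
        [string] $RepositoryPath
    )

    if (-not (Test-Path -LiteralPath $RecordDirectory -PathType Container)) {
        throw "Record directory '$RecordDirectory' does not exist."
    }

    # Use the same repository for reading and for modifying, as in Example 2.
    $repoArgs = @{}
    if ($RepositoryPath) { $repoArgs.RepositoryPath = $RepositoryPath }

    $subset = @(Get-MBCAResult -ModelId $ModelId @repoArgs |
        Where-Object { $_.Category -eq $Category })
    if ($subset.Count -eq 0) {
        Write-Warning "No results in category '$Category' for model '$ModelId'; nothing excluded."
        return
    }

    # Record who hid what, when and why, together with the full result objects.
    $record = New-Object PSObject -Property @{
        ModelId       = $ModelId
        Category      = $Category
        Reason        = $Reason
        ExcludedBy    = "$env:USERDOMAIN\$env:USERNAME"
        ExcludedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
        Results       = $subset
    }
    $fileName = '{0}-{1}-{2}.clixml' -f $ModelId, $Category, (Get-Date -Format 'yyyyMMddHHmmss')
    $file = Join-Path $RecordDirectory $fileName

    # Written first and with -ErrorAction Stop: if the record fails, no result is excluded.
    $record | Export-Clixml -Path $file -ErrorAction Stop

    Set-MBCAResult -Exclude $true -Results $subset @repoArgs
    return $file
}

# Runs only where the MBCA cmdlets are loaded. Folder and reason are constructed sample values.
if (Get-Command Set-MBCAResult -ErrorAction SilentlyContinue) {
    Set-MbcaExclusionWithRecord -ModelId 'SQL2008R2BPA' -Category 'Performance' `
        -Reason 'Tracked in change request (placeholder)' -RecordDirectory 'C:\MbcaExclusionRecords'
}
```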

915 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


Page 44: SQL2008R2 BPA Whitepaper v10

    $model.SubModels

In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is represented by Model Id. The results of the cmdlet are stored in the variable $model.

In the next line of the example, the SubModels property of the model details that were stored in the $model object returns a list of the submodels of the model specified in the first line.

912 Invoke-MBCAModel

SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer.

SYNTAX
    Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication <AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName <string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential <string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]

DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer (MBCA) scan for a specific model that is installed on your computer. The model is specified either by using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an Invoke-MBCAModel cmdlet.

After the MBCA scan has been performed, the results of the scan are available to be retrieved by the Get-MBCAResult cmdlet.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-Authentication <AuthenticationMechanism>
Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. The default value is Default.

For more information about the -Authentication parameter, type the following, and then press Enter:

    Get-Help Invoke-Command -Parameter Authentication

Required? false
Position? named
Default value Default
Accept pipeline input? false
Accept wildcard characters? false

-CertificateThumbprint <string>
Specifies the digital public key certificate (X.509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

    Get-Help Invoke-Command -Parameter CertificateThumbprint

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ConfigurationName <string>
Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration. Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

    Get-Help Invoke-Command -Parameter ConfigurationName

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>
The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>
Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

    Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>
The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? false

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.


9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required: false
Position: 3
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required: false
Position: named
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required: false
Position: named
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required: false
Position: named
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed.

Required: true
Position: 2
Default value:
Accept pipeline input: true (By Value, By Property Name)
Accept wildcard characters: False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required: false
Position: named
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required: true
Position: named
Default value:
Accept pipeline input: false
Accept wildcard characters: false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results
2. Attempting to get MBCA results for Model Id = 0
3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data
2. Attempting to get MBCA collected configuration data for Model Id = 0
3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required: false
Position: 2
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required: false
Position: 4
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required: true
Position: 3
Default value:
Accept pipeline input: true (ByValue)
Accept wildcard characters: false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
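The following workflow is an added example, not part of the original paper. It chains Invoke-MBCAModel, Get-MBCAResult and Set-MBCAResult so that the full set of noncompliant findings is saved before any result is excluded, because Set-MBCAResult modifies the results file in the repository and cannot be cancelled once the file has been written. It assumes an elevated Windows PowerShell session in which the MBCA cmdlets are already loaded; the snapshot folder C:\BpaReview and the choice of the Performance category as the accepted one are hypothetical.

```powershell
# Added example (not from the whitepaper). Assumptions: elevated session, MBCA
# cmdlets already loaded, SQL2008R2BPA model installed on the local computer.
$modelId     = 'SQL2008R2BPA'
$snapshotDir = 'C:\BpaReview'      # hypothetical folder for review snapshots
$accepted    = 'Performance'       # hypothetical category the reviewer has signed off

# 1. Run discovery and analysis (the default -Mode is All).
Invoke-MBCAModel -ModelId $modelId | Out-Null

# 2. Retrieve only the findings that failed a rule. @() keeps the result an
#    array even when a single finding (or none) comes back.
$noncompliant = @(Get-MBCAResult -ModelId $modelId -Filter Noncompliant)

# 3. Save a full copy of the findings BEFORE excluding anything, so that an
#    exclusion never removes the only record of a finding.
if (-not (Test-Path -Path $snapshotDir)) {
    New-Item -Path $snapshotDir -ItemType Directory | Out-Null
}
$stamp        = Get-Date -Format 'yyyyMMdd-HHmmss'
$snapshotFile = Join-Path -Path $snapshotDir -ChildPath "$modelId-noncompliant-$stamp.xml"
$noncompliant | Export-Clixml -Path $snapshotFile

# 4. Summarize by category so the reviewer sees what an exclusion would hide.
$noncompliant |
    Group-Object -Property Category |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize

# 5. Exclude only the reviewed category, and only if it has findings.
$toExclude = @($noncompliant | Where-Object { $_.Category -eq $accepted })
if ($toExclude.Count -gt 0) {
    Set-MBCAResult -Exclude $true -Results $toExclude
    Write-Output ("Excluded {0} '{1}' result(s); snapshot saved to {2}" -f $toExclude.Count, $accepted, $snapshotFile)
}

# 6. To bring the excluded results back later, pass the same collection with $false:
# Set-MBCAResult -Exclude $false -Results $toExclude
```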

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.

Page 57

Did this paper help you? Please give us your feedback. Tell us on a scale of 1 (poor) to 5 (excellent), how would you rate this paper and why have you given it this rating? For example:

Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason?

Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?

This feedback will help us improve the quality of white papers we release.

Send feedback.

Page 45: SQL2008R2 BPA Whitepaper v10

Page 45

Specifies the digital public key certificate (X.509) of a user account that has rights to perform the cmdlet action. The valid value is the certificate thumbprint of the certificate.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter CertificateThumbprint

Required: false
Position: named
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-ComputerName <string[]>

The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or fully-qualified domain names of one or more computers in a comma-separated list. To specify the local computer, type the computer name or localhost.

All formats that are accepted by the -ComputerName parameter in Invoke-Command are accepted.

Required: false
Position: named
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-ConfigurationName <string>

Specifies the session configuration that is used for a new PSSession.

Enter a configuration name or the fully-qualified resource URI for a session configuration. Session configuration data is found on the remote computer on which you want to run a cmdlet.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ConfigurationName

Required: false
Position: named
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-Context <string>

The -Context parameter lets you run scans on a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to run a scan on the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required: false
Position: named
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required: false
Position: named
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis, and All.

Required: false
Position: named
Default value: All
Accept pipeline input: false
Accept wildcard characters: false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed.

Required: true
Position: 2
Default value:
Accept pipeline input: true (By Value, By Property Name)
Accept wildcard characters: False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required: false
Position: named
Default value: 80
Accept pipeline input: false
Accept wildcard characters: false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required: false
Position: named
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet, targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required: true
Position: named
Default value:
Accept pipeline input: false
Accept wildcard characters: false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required: false
Position: named
Default value: 32
Accept pipeline input: false
Accept wildcard characters: false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required: false
Position: named
Default value:
Accept pipeline input: false
Accept wildcard characters: false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role is preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet, and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Page 49

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name

redmondmicrosoftcom

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by

the model (For an example of how to obtain model-specific parameters see the examples for the Get-

MBCAModel cmdlet)

For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to

be passed to the command the administrator can specify the values of these model-specific

parameters with the Invoke-MBCAModel cmdlet

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id The

cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion

of the scan

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath

ltRepository Pathgt

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id The -

Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on

existing documents that are specified in the non-default repository path provided with the -Repository

Path parameter

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName

ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -

AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -

ThrottleLimit ltThrottle Limitgt

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id

and on the computer that is represented by Server

Because the administrator only wants to see results from the submodel that apply in the context of a

third model the administrator runs the scan within the context of the model ID that is specified in the -

Context parameter The cmdlet results are saved to the non-default repository path that is specified in

the -RepositoryPath parameter

Because the -AsJob parameter is added the scan runs in the background The -AsJob -

Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the

Invoke-Command cmdlet to perform discovery on a remote computer For more information about

these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2

913 Get-MBCAResult

SYNOPSIS

Page 50

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline

Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan

SYNTAX

Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId

ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter

ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline

Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan

To use the command add the -ModelId parameter and then specify the model ID for which you want

to view the most recent MBCA scan results or collected configuration data If you want to retrieve the

configuration data collected add the -CollectedConfiguration switch parameter

You must be a member of the Administrators group on the computer on which you want to run this

cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with

elevated user rights that is Run as Administrator

PARAMETERS

-CollectedConfiguration [ltSwitchParametergt]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was

collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults

the cmdlet returns only the configuration data that was collected for a scan

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters false

-ComputerName ltstring[]gt

The -ComputerName parameter lets you obtain scan results that were collected for the most

recent MBCA scan of a submodel on a specific computer To specify the local computer type the

computer name or localhost Multiple values for -ComputerName can be separated by

commas

The -SubModelId parameter is required by the -ComputerName parameter

Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP

address or a fully-qualified domain name (FQDN) of one or more computers in a comma-

separated list

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context ltstringgt

Page 51

The -Context parameter lets you obtain scan results that were collected for the most recent

MBCA scan of a submodel in the context of a specific model (one that is different from the parent

model of the submodel) For example an administrator might want to display scan results for the

Backend submodel of the SQL model but only those in the context of a third model a

technology that relies upon SQL Server

The -SubModelId parameter is required by the -Context parameter

A model ID is the valid value of the -Context parameter

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter ltFilterEnumgt

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant

Noncompliant or All results Valid values are Noncompliant Compliant or All The default value

is All

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId ltstringgt

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan

results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel

cmdlet targeted at a computer on which MBCA models are installed

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-RepositoryPath ltstringgt

The -RepositoryPath parameter is used to specify a non-default location of the results repository

The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains

results from the default result repository

Required false

Position named

Page 52

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId ltstringgt

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you

want to view scan results You can obtain valid values for the -SubModelId parameter by running

the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all

models have submodels

The -ModelId parameter is required with the -SubModelId parameter

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

ltCommonParametersgt

This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable

WarningAction WarningVariable OutBuffer and OutVariable For more information type get-

help about_commonparameters

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results
2. Attempting to get MBCA results for Model Id = 0
3. Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data
2. Attempting to get MBCA collected configuration data for Model Id = 0
3. Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }
Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
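Because Set-MBCAResult -Exclude $true changes which findings later appear in the results, it is worth keeping a record of what was hidden, when, and by which account. The following is an added example, not part of the whitepaper or of MBCA; the function name, the audit folder and the file naming scheme are assumptions.

```powershell
# Added example (not from the whitepaper). The function name, audit folder and
# file-name scheme are assumptions; the MBCA cmdlets and parameters are the
# ones documented above.
function Hide-MbcaCategoryWithAudit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Category,                    # for example 'Performance' or 'Policy'
        [string]$ModelId  = 'SQL2008R2BPA',
        [string]$AuditDir = 'C:\BpaAudit'     # hypothetical audit location
    )

    # Get-MBCAResult and Set-MBCAResult need an elevated session; stop early otherwise.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Open Windows PowerShell with Run as Administrator and retry.'
    }

    # Most recent scan results for the model, narrowed to the category to hide.
    $toHide = @(Get-MBCAResult -ModelId $ModelId |
                Where-Object { $_.Category -eq $Category })
    if ($toHide.Count -eq 0) {
        Write-Warning "No '$Category' results found for model $ModelId; nothing excluded."
        return
    }

    # Save a full copy of the results before they are hidden.
    if (-not (Test-Path -Path $AuditDir)) {
        New-Item -ItemType Directory -Path $AuditDir | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $name  = '{0}_{1}_{2}_{3}.xml' -f $ModelId, $Category, $env:USERNAME, $stamp
    $file  = Join-Path $AuditDir $name
    $toHide | Export-Clixml -Path $file

    # Exclude through the pipeline, as in EXAMPLE 1 above.
    $toHide | Set-MBCAResult -Exclude $true

    Write-Output ("Excluded {0} '{1}' result(s); copy saved to {2}" -f $toHide.Count, $Category, $file)
}

Hide-MbcaCategoryWithAudit -Category 'Performance'
```

Import-Clixml on a saved file shows exactly which results were hidden by that run.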

9.1.5 MBCA Model Authoring

You can find further information about configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


Page 46: SQL2008R2 BPA Whitepaper v10

Page 46

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Credential <string>

Specifies a user account that has permission to run this cmdlet. The default value is the current user.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Credential

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Mode <ModeEnum>

The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered documents, or discovery. The default is to perform both discovery and analysis, or All.

If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and analysis are performed during a scan.

Valid values are Discovery, Analysis and All.

Required? false
Position? named
Default value All
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required? false
Position? named
Default value 80
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required? false
Position? named
Default value 32
Accept pipeline input? false
Accept wildcard characters? false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following, and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or "localhost". Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include "localhost", a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant or All results. Valid values are Noncompliant, Compliant or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-RepositoryPath ltstringgt

The -RepositoryPath parameter is used to specify a non-default location of the results repository

The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains

results from the default result repository

Required false

Position named

Page 52

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId ltstringgt

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you

want to view scan results You can obtain valid values for the -SubModelId parameter by running

the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all

models have submodels

The -ModelId parameter is required with the -SubModelId parameter

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

ltCommonParametersgt

This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable

WarningAction WarningVariable OutBuffer and OutVariable For more information type get-

help about_commonparameters

OUTPUTS

SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR

SystemXmlXmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter verbose output can be any of the following

1 Initializing MBCA engine for getting MBCA Results

2 Attempting to get MBCA results for Model Id = 0

3 Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a

scan verbose output can be any of the following

1 Initializing MBCA engine for getting MBCA Configuration Data

2 Attempting to get MBCA collected configuration data for Model Id = 0

3 Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not

start a new scan

Cancellation behaviour

Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed

on the console The operation is cancelled and results are not displayed on the console

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models

the cmdlet generates only those results that were displayed on the console before the cancellation

Any subsequent results in the pipeline are cancelled and not displayed

Page 53

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the model that is represented by Model Id

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are

installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-

MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both

supported by MBCA and installed on the computer at which the cmdlet is targeted

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$resultDiscoveryDocument

Description

In the preceding example configuration data (in XML form) that was collected during the most recent

Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is

retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type

SystemXmlXmlDocument

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the model that is represented by Model Id and then applies a filter to show only Noncompliant

results

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the submodel that is represented by SubModelId Note that the parent model ID must be specified

to use the -SubModelId parameter

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt

-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the submodel that is represented by SubModelId The parent model ID is provided as required by

the -SubModelID parameter

The -Context parameter indicates that the administrator wants to see only those scan results that are in

the context of the model that is represented by Context Model Id for example only those results from

a SQL Server scan that specifically apply to another technology such as Web Server (IIS)

Page 54

The scan results are further narrowed to only those from a computer that is specified in the -

ComputerName parameter as Server and only those results found in the non-default results

repository that is represented by Repository Path

914 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline

Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see

SYNTAX

Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-

RepostitoryPath] ltstringgt] [ltCommonParametersgt]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline

Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see

The action specified in the cmdlet (Exclude for example) determines how the existing results of an

MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet

to return a collection of scan results

You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the

filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude

filtered scan results

You must be a member of the Administrators group on the computer on which you want to run this

cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with

elevated user rights that is Run as Administrator

PARAMETERS

-Exclude ltBooleangt

Excludes scan results from the results collection that were previously obtained by the Get-

MBCAResult command To exclude results by using the -Exclude parameter add the value $true

following the parameter as shown

-Exclude $true

To include results that have been excluded use the $false value for the -Exclude parameter

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepostitoryPath ltstringgt

The -RepositoryPath parameter is used to specify a non-default location of the results repository

The valid value for this parameter is a path name If the parameter is not used the cmdlet

modifies results from the default result repository

Required false

Page 55

Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results ltResultgtgt

Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results

parameter is typically used to specify a filtered subset of scan results that has already been

stored in a variable the variable name is provided as the valid value for the -Results parameter

For example if you have created a variable $allPerformance to store all the Performance

category results for an MBCA scan of all models on a computer and you want to exclude those

Performance results from the complete collection of scan results you add the parameter -Results

$all Performance to a Set-MBCAResult cmdlet

For a more detailed example see the Examples section of the Help for this cmdlet

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

ltCommonParametersgt

This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable

WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-

help about_commonparameters

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file the operation is

cancelled and the results file is not modified If cancellation occurs after the results file has been

modified the commands actions are carried out and the command cannot be cancelled

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq

Performance | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example to the left of the first pipe character (|) uses the Get-

MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is

represented by Model Id

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those

scan results for which the category name is equal to Performance

The final section of the example following the second pipe character excludes the Performance

results that were filtered by the previous section of the example

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }
Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id, from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
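The exclusion workflow from Examples 1 and 2, wrapped so that every exclusion leaves a record of the findings it hides, as an added example that is not part of the whitepaper. It assumes an elevated session with the MBCA cmdlets already loaded; the function names, the C:\BpaAudit folder, and the Severity and Title result properties are assumptions (the page itself only shows Category).

```powershell
# Added example, not from the whitepaper. Assumes an elevated Windows PowerShell
# session in which the MBCA cmdlets are already loaded.
# Assumptions: the function names, the C:\BpaAudit folder, and the Severity and
# Title properties on result objects (the whitepaper only shows Category).

function Hide-MBCACategory {
    param(
        [string]$ModelId        = 'SQL2008R2BPA',
        [string]$Category       = 'Policy',
        [string]$RepositoryPath = 'C:\ReposPath',   # sample path from Example 2
        [string]$AuditDir       = 'C:\BpaAudit'     # hypothetical audit folder
    )

    # Everything in the category is what Set-MBCAResult will hide.
    $target = @(Get-MBCAResult -ModelId $ModelId -RepositoryPath $RepositoryPath |
                Where-Object { $_.Category -eq $Category })
    if ($target.Count -eq 0) {
        Write-Warning "No '$Category' results for $ModelId in $RepositoryPath. Nothing excluded."
        return
    }

    # The subset that is currently failing: these are the findings that stop
    # being visible once the category is excluded.
    $failing = @(Get-MBCAResult -ModelId $ModelId -RepositoryPath $RepositoryPath -Filter Noncompliant |
                 Where-Object { $_.Category -eq $Category })

    # Write the record BEFORE touching the repository, so a cancelled or failed
    # Set-MBCAResult can never leave an exclusion without a trace.
    if (-not (Test-Path $AuditDir)) {
        New-Item -ItemType Directory -Path $AuditDir | Out-Null
    }
    $stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
    $auditFile = Join-Path $AuditDir ('{0}-{1}-{2}.csv' -f $ModelId, $Category, $stamp)
    $who       = [Environment]::UserDomainName + '\' + [Environment]::UserName
    $failing |
        Select-Object @{ Name = 'ExcludedAt'; Expression = { $stamp } },
                      @{ Name = 'ExcludedBy'; Expression = { $who } },
                      Category, Severity, Title |
        Export-Csv -Path $auditFile -NoTypeInformation

    if ($failing.Count -gt 0) {
        Write-Warning "$($failing.Count) noncompliant '$Category' result(s) are being hidden. See $auditFile"
    }

    # Same call as Example 2: exclude the stored subset in the same repository.
    Set-MBCAResult -Exclude $true -RepositoryPath $RepositoryPath -Results $target

    # Return the path of the record so the caller can attach it to a change ticket.
    $auditFile
}

function Show-MBCACategory {
    param(
        [string]$ModelId        = 'SQL2008R2BPA',
        [string]$Category       = 'Policy',
        [string]$RepositoryPath = 'C:\ReposPath'
    )

    # Assumption: Get-MBCAResult still returns results that were excluded earlier,
    # so they can be selected again and passed back with -Exclude $false.
    $target = @(Get-MBCAResult -ModelId $ModelId -RepositoryPath $RepositoryPath |
                Where-Object { $_.Category -eq $Category })
    if ($target.Count -gt 0) {
        Set-MBCAResult -Exclude $false -RepositoryPath $RepositoryPath -Results $target
    }
}

# Hide the Policy category in the non-default repository and keep the record,
# then bring the results back for the next review:
#   $record = Hide-MBCACategory -Category 'Policy'
#   Show-MBCACategory -Category 'Policy'
```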

9.1.5 MBCA Model Authoring

Further information about the configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.

Did this paper help you? Please give us your feedback. Tell us, on a scale of 1 (poor) to 5 (excellent), how would you rate this paper and why have you given it this rating? For example:

Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason?

Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?

This feedback will help us improve the quality of white papers we release.

Send feedback.

Page 47: SQL2008R2 BPA Whitepaper v10


This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-Port <int>

Specifies the network port on a remote computer on which you want to run a scan. The default value is port 80.

For more information on this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter Port

Required?                    false
Position?                    named
Default value                80
Accept pipeline input?       false
Accept wildcard characters?  false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes results to the default result repository.

Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required?                    true
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false

-ThrottleLimit <int>

Specifies the maximum number of concurrent connections that can be established to run the cmdlet. If you omit this parameter or enter a value of 0, the default value of 32 is used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter ThrottleLimit

Required?                    false
Position?                    named
Default value                32
Accept pipeline input?       false
Accept wildcard characters?  false

-UseSSL [<SwitchParameter>]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer. By default, SSL is not used.

For more information about this parameter, type the following and then press Enter:

Get-Help Invoke-Command -Parameter UseSSL

Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>

The output object encapsulates the results of the cmdlet that you entered. It contains information such as the MBCA model ID, the success or failure of the cmdlet, and other details.

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C) before the temporary results file is copied to its final location, the temporary file is discarded and any previous scan results file for the role is preserved. The message "Processing of Invoke-MBCAModel cancelled by user" is displayed if the command is cancelled before existing scan results files are overwritten.

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel cmdlet and the command is cancelled, scans that were completed before the cancel command was entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan cancellation scenario. Subsequent scans in the pipeline are cancelled.

If a concurrent scan of the same model is attempted, the cmdlet returns the following error message: "Another scan for this MBCA model is in progress. Only one scan is allowed at a time."

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts an MBCA scan on the model that is represented by <Model Id>.

-------------------------- EXAMPLE 2 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id. The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id, and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required?                    false
Position?                    3
Default value
Accept pipeline input?       false
Accept wildcard characters?  false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required?                    true
Position?                    2
Default value
Accept pipeline input?       true (By Value, By Property Name)
Accept wildcard characters?  False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required?                    true
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results.
2. Attempting to get MBCA results for Model Id = {0}.
3. Completed getting MBCA results for Model Id = {0}. Number of Results = {1}.

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data.
2. Attempting to get MBCA collected configuration data for Model Id = {0}.
3. Completed getting MBCA collected configuration data for Model Id = {0}.

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelID parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepostitoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights; that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required?                    false
Position?                    2
Default value
Accept pipeline input?       false
Accept wildcard characters?  false

-RepostitoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required?                    false
Position?                    4
Default value
Accept pipeline input?       false
Accept wildcard characters?  false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required?                    true
Position?                    3
Default value
Accept pipeline input?       true (ByValue)
Accept wildcard characters?  false


Page 48: SQL2008R2 BPA Whitepaper v10

Page 48

Position named

Default value 32

Accept pipeline input false

Accept wildcard characters false

-UseSSL [ltSwitchParametergt]

Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer

By default SSL is not used

For more information about this parameter type the following and then press Enter

Get-Help Invoke-Command -Parameter UseSSL

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

ltCommonParametersgt

This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable

WarningAction WarningVariable OutBuffer and OutVariable For more information type get-

help about_commonparameters

OUTPUTS

SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt

The output object encapsulates the results of the cmdlet that you entered It contains information such

as the MBCA model ID the success or failure of the cmdlet and other details

NOTES

If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)

before the temporary results file is copied to its final location the temporary file is discarded and any

previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel

cancelled by user is displayed if the command is cancelled before existing scan results files are

overwritten

If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel

cmdlet and the command is cancelled scans that were completed before the cancel command was

entered cannot be cancelled A scan in progress behaves as described above in the single-model scan

cancellation scenario Subsequent scans in the pipeline are cancelled

If a concurrent scan of the same model is attempted the cmdlet returns the following error message

Another scan for this MBCA model is in progress Only one scan is allowed at a time

-------------------------- EXAMPLE 1 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA

Description

The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt

-------------------------- EXAMPLE 2 --------------------------

Page 49

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name

redmondmicrosoftcom

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by

the model (For an example of how to obtain model-specific parameters see the examples for the Get-

MBCAModel cmdlet)

For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to

be passed to the command the administrator can specify the values of these model-specific

parameters with the Invoke-MBCAModel cmdlet

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id The

cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion

of the scan

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath

ltRepository Pathgt

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id The -

Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on

existing documents that are specified in the non-default repository path provided with the -Repository

Path parameter

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName

ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -

AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -

ThrottleLimit ltThrottle Limitgt

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id

and on the computer that is represented by Server

Because the administrator only wants to see results from the submodel that apply in the context of a

third model the administrator runs the scan within the context of the model ID that is specified in the -

Context parameter The cmdlet results are saved to the non-default repository path that is specified in

the -RepositoryPath parameter

Because the -AsJob parameter is added the scan runs in the background The -AsJob -

Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the

Invoke-Command cmdlet to perform discovery on a remote computer For more information about

these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2

913 Get-MBCAResult

SYNOPSIS

Page 50

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline

Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan

SYNTAX

Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId

ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter

ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline

Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan

To use the command add the -ModelId parameter and then specify the model ID for which you want

to view the most recent MBCA scan results or collected configuration data If you want to retrieve the

configuration data collected add the -CollectedConfiguration switch parameter

You must be a member of the Administrators group on the computer on which you want to run this

cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with

elevated user rights that is Run as Administrator

PARAMETERS

-CollectedConfiguration [ltSwitchParametergt]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was

collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults

the cmdlet returns only the configuration data that was collected for a scan

Required false

Position 3

Default value

Accept pipeline input false

Accept wildcard characters?  false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required?  false
Position?  named
Default value
Accept pipeline input?  false
Accept wildcard characters?  false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required?  false
Position?  named
Default value
Accept pipeline input?  false
Accept wildcard characters?  false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required?  false
Position?  named
Default value
Accept pipeline input?  false
Accept wildcard characters?  false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the -ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required?  true
Position?  2
Default value
Accept pipeline input?  true (By Value, By Property Name)
Accept wildcard characters?  False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required?  false
Position?  named
Default value
Accept pipeline input?  false
Accept wildcard characters?  false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required?  true
Position?  named
Default value
Accept pipeline input?  false
Accept wildcard characters?  false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results.
2. Attempting to get MBCA results for Model Id = {0}.
3. Completed getting MBCA results for Model Id = {0}. Number of Results = {1}.

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data.
2. Attempting to get MBCA collected configuration data for Model Id = {0}.
3. Completed getting MBCA collected configuration data for Model Id = {0}.

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <List<Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required?  false
Position?  2
Default value
Accept pipeline input?  false
Accept wildcard characters?  false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required?  false
Position?  4
Default value
Accept pipeline input?  false
Accept wildcard characters?  false

-Results <List<Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required?  true
Position?  3
Default value
Accept pipeline input?  true (ByValue)
Accept wildcard characters?  false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }
Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
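Because Set-MBCAResult -Exclude $true hides findings from later views of the results, it is worth recording what was hidden and by whom before running it. The following script is an added example, not part of the original paper or the cmdlet Help. It assumes the MBCA cmdlets are already loaded in the session, and the repository path and the audit file name are constructed placeholders.

```powershell
# Added example: record Policy findings before excluding them from the BPA results.
# Assumptions: the MBCA cmdlets are already loaded in this session;
# C:\ReposPath and the CSV file name are placeholders, not values from a real system.
$modelId  = 'SQL2008R2BPA'
$repoPath = 'C:\ReposPath'
$auditCsv = Join-Path $repoPath 'excluded-policy-results.csv'

# Get-MBCAResult and Set-MBCAResult both require an elevated session.
# Fail early with a clear message instead of a partial run.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this script in a Windows PowerShell session opened with Run as Administrator.'
}

# Get-MBCAResult reads the most recent scan; it does not start a new one.
$noncompliant = @(Get-MBCAResult -ModelId $modelId -RepositoryPath $repoPath -Filter Noncompliant)

# Overview of what the scan found, by category, before anything is hidden.
$noncompliant |
    Group-Object -Property Category |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize

# Select the subset to exclude, as in EXAMPLE 2 above.
$toExclude = @($noncompliant | Where-Object { $_.Category -eq 'Policy' })
if ($toExclude.Count -eq 0) {
    Write-Warning "No noncompliant Policy results found for $modelId in $repoPath."
    return
}

# Write the audit record first: every property of each result, plus who
# excluded it and when. If this step fails, nothing has been modified yet.
$toExclude |
    Select-Object -Property *,
        @{ Name = 'ExcludedBy'; Expression = { $identity.Name } },
        @{ Name = 'ExcludedAt'; Expression = { (Get-Date).ToString('s') } } |
    Export-Csv -Path $auditCsv -NoTypeInformation -ErrorAction Stop

# Exclude the recorded subset in the same repository it was read from.
Set-MBCAResult -Exclude $true -RepositoryPath $repoPath -Results $toExclude
```

To bring the findings back into view, pass the same collection to Set-MBCAResult with -Exclude $false and the same -RepositoryPath.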

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.


Page 49: SQL2008R2 BPA Whitepaper v10

Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com

Description

The preceding example starts an MBCA scan on the model ID that is specified by Model Id.

The administrator starts the MBCA scan with additional model-specific parameters that are exposed by the model. (For an example of how to obtain model-specific parameters, see the examples for the Get-MBCAModel cmdlet.)

For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to be passed to the command, the administrator can specify the values of these model-specific parameters with the Invoke-MBCAModel cmdlet.

-------------------------- EXAMPLE 3 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion of the scan.

-------------------------- EXAMPLE 4 --------------------------

Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>

Description

The preceding example starts an MBCA scan on the model that is represented by Model Id. The -Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on existing documents that are specified in the non-default repository path provided with the -RepositoryPath parameter.

-------------------------- EXAMPLE 5 --------------------------

Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>

Description

The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id and on the computer that is represented by Server.

Because the administrator only wants to see results from the submodel that apply in the context of a third model, the administrator runs the scan within the context of the model ID that is specified in the -Context parameter. The cmdlet results are saved to the non-default repository path that is specified in the -RepositoryPath parameter.

Because the -AsJob parameter is added, the scan runs in the background. The -AsJob, -Authentication, -Port, -UseSSL, and -ThrottleLimit parameters are passed through for use by the Invoke-Command cmdlet to perform discovery on a remote computer. For more information about these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult

SYNOPSIS

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

SYNTAX

Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId <string> [-ComputerName <string[]>] [-Context <string>] [-Filter <FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.

To use the command, add the -ModelId parameter, and then specify the model ID for which you want to view the most recent MBCA scan results or collected configuration data. If you want to retrieve the configuration data collected, add the -CollectedConfiguration switch parameter.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required?  false
Position?  3
Default value
Accept pipeline input?  false
Accept wildcard characters?  false

-ComputerName ltstring[]gt

The -ComputerName parameter lets you obtain scan results that were collected for the most

recent MBCA scan of a submodel on a specific computer To specify the local computer type the

computer name or localhost Multiple values for -ComputerName can be separated by

commas

The -SubModelId parameter is required by the -ComputerName parameter

Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP

address or a fully-qualified domain name (FQDN) of one or more computers in a comma-

separated list

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Context ltstringgt

Page 51

The -Context parameter lets you obtain scan results that were collected for the most recent

MBCA scan of a submodel in the context of a specific model (one that is different from the parent

model of the submodel) For example an administrator might want to display scan results for the

Backend submodel of the SQL model but only those in the context of a third model a

technology that relies upon SQL Server

The -SubModelId parameter is required by the -Context parameter

A model ID is the valid value of the -Context parameter

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter ltFilterEnumgt

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant

Noncompliant or All results Valid values are Noncompliant Compliant or All The default value

is All

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId ltstringgt

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan

results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel

cmdlet targeted at a computer on which MBCA models are installed

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-RepositoryPath ltstringgt

The -RepositoryPath parameter is used to specify a non-default location of the results repository

The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains

results from the default result repository

Required false

Position named

Page 52

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId ltstringgt

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you

want to view scan results You can obtain valid values for the -SubModelId parameter by running

the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all

models have submodels

The -ModelId parameter is required with the -SubModelId parameter

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

ltCommonParametersgt

This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable

WarningAction WarningVariable OutBuffer and OutVariable For more information type get-

help about_commonparameters

OUTPUTS

SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR

SystemXmlXmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter verbose output can be any of the following

1 Initializing MBCA engine for getting MBCA Results

2 Attempting to get MBCA results for Model Id = 0

3 Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a

scan verbose output can be any of the following

1 Initializing MBCA engine for getting MBCA Configuration Data

2 Attempting to get MBCA collected configuration data for Model Id = 0

3 Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not

start a new scan

Cancellation behaviour

Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed

on the console The operation is cancelled and results are not displayed on the console

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models

the cmdlet generates only those results that were displayed on the console before the cancellation

Any subsequent results in the pipeline are cancelled and not displayed

Page 53

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the model that is represented by Model Id

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are

installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-

MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both

supported by MBCA and installed on the computer at which the cmdlet is targeted

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$resultDiscoveryDocument

Description

In the preceding example configuration data (in XML form) that was collected during the most recent

Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is

retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type

SystemXmlXmlDocument

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the model that is represented by Model Id and then applies a filter to show only Noncompliant

results

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the submodel that is represented by SubModelId Note that the parent model ID must be specified

to use the -SubModelId parameter

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt

-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the submodel that is represented by SubModelId The parent model ID is provided as required by

the -SubModelID parameter

The -Context parameter indicates that the administrator wants to see only those scan results that are in

the context of the model that is represented by Context Model Id for example only those results from

a SQL Server scan that specifically apply to another technology such as Web Server (IIS)

Page 54

The scan results are further narrowed to only those from a computer that is specified in the -

ComputerName parameter as Server and only those results found in the non-default results

repository that is represented by Repository Path

914 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline

Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see

SYNTAX

Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-

RepostitoryPath] ltstringgt] [ltCommonParametersgt]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline

Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see

The action specified in the cmdlet (Exclude for example) determines how the existing results of an

MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet

to return a collection of scan results

You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the

filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude

filtered scan results

You must be a member of the Administrators group on the computer on which you want to run this

cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with

elevated user rights that is Run as Administrator

PARAMETERS

-Exclude ltBooleangt

Excludes scan results from the results collection that were previously obtained by the Get-

MBCAResult command To exclude results by using the -Exclude parameter add the value $true

following the parameter as shown

-Exclude $true

To include results that have been excluded use the $false value for the -Exclude parameter

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepostitoryPath ltstringgt

The -RepositoryPath parameter is used to specify a non-default location of the results repository

The valid value for this parameter is a path name If the parameter is not used the cmdlet

modifies results from the default result repository

Required false

Page 55

Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results ltResultgtgt

Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results

parameter is typically used to specify a filtered subset of scan results that has already been

stored in a variable the variable name is provided as the valid value for the -Results parameter

For example if you have created a variable $allPerformance to store all the Performance

category results for an MBCA scan of all models on a computer and you want to exclude those

Performance results from the complete collection of scan results you add the parameter -Results

$all Performance to a Set-MBCAResult cmdlet

For a more detailed example see the Examples section of the Help for this cmdlet

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

ltCommonParametersgt

This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable

WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-

help about_commonparameters

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file the operation is

cancelled and the results file is not modified If cancellation occurs after the results file has been

modified the commands actions are carried out and the command cannot be cancelled

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq

Performance | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example to the left of the first pipe character (|) uses the Get-

MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is

represented by Model Id

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those

scan results for which the category name is equal to Performance

The final section of the example following the second pipe character excludes the Performance

results that were filtered by the previous section of the example

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath

CReposPath | Where $_Category -eq Policy

Page 56

Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results

$rcPolicy

Description

The first line of the preceding example to the left of the pipe character (|) instructs the Get-

MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is

represented by Specified Model Id from the specified non-default repository path

The second section of the example after the pipe character filters the results of the Get-MBCAResult

cmdlet to return only those scan results for which the category name is equal to (note the -eq option)

Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this

variable can be used in subsequent commands to represent those results

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that

are stored in the $rcPolicy variable In this example the -Results parameter is added because the

administrator wants to exclude a specific subset of scan results for that model and has created the

variable $rcPolicy to represent that subset of results The repository root is specified in the second line

because the administrator wants to modify the results in the same non-default repository from which

the data in $rcPolicy was retrieved

915 MBCA Model Authoring

Further information about configuration and usage of MBCA models you can in the

MBCA_ModelAuthoringGuidedocx

Page 57

Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)

how would you rate this paper and why have you given it this rating For example

Are you rating it high due to having good examples excellent screen shots clear writing or

another reason

Are you rating it low due to poor examples fuzzy screen shots or unclear writing

This feedback will help us improve the quality of white papers we release

Send feedback

Page 50: SQL2008R2 BPA Whitepaper v10

Page 50

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline

Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan

SYNTAX

Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId

ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter

ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]

DESCRIPTION

The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline

Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan

To use the command add the -ModelId parameter and then specify the model ID for which you want

to view the most recent MBCA scan results or collected configuration data If you want to retrieve the

configuration data collected add the -CollectedConfiguration switch parameter

You must be a member of the Administrators group on the computer on which you want to run this

cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with

elevated user rights that is Run as Administrator

PARAMETERS

-CollectedConfiguration [<SwitchParameter>]

The -CollectedConfiguration parameter allows you to obtain the configuration data that was collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult, the cmdlet returns only the configuration data that was collected for a scan.

Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ComputerName <string[]>

The -ComputerName parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the computer name or localhost. Multiple values for -ComputerName can be separated by commas.

The -SubModelId parameter is required by the -ComputerName parameter.

Valid values for the -ComputerName parameter include localhost, a NetBIOS name, an IP address, or a fully-qualified domain name (FQDN) of one or more computers in a comma-separated list.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Context <string>

The -Context parameter lets you obtain scan results that were collected for the most recent MBCA scan of a submodel in the context of a specific model (one that is different from the parent model of the submodel). For example, an administrator might want to display scan results for the Backend submodel of the SQL model, but only those in the context of a third model, a technology that relies upon SQL Server.

The -SubModelId parameter is required by the -Context parameter.

A model ID is the valid value of the -Context parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter <FilterEnum>

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant, Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value is All.

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-ModelId <string>

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan results. You can obtain valid values for the -ModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed.

Required? true
Position? 2
Default value
Accept pipeline input? true (By Value, By Property Name)
Accept wildcard characters? false

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains results from the default result repository.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-SubModelId <string>

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you want to view scan results. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all models have submodels.

The -ModelId parameter is required with the -SubModelId parameter.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

OUTPUTS

System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR System.Xml.XmlDocument (if -CollectedConfiguration specified)

If you do not use the -CollectedConfiguration parameter, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Results
2. Attempting to get MBCA results for Model Id = {0}
3. Completed getting MBCA results for Model Id = {0} Number of Results = {1}

If you add the -CollectedConfiguration parameter to display configuration data that was used for a scan, verbose output can be any of the following:

1. Initializing MBCA engine for getting MBCA Configuration Data
2. Attempting to get MBCA collected configuration data for Model Id = {0}
3. Completed getting MBCA collected configuration data for Model Id = {0}

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not start a new scan.

Cancellation behaviour:

Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on the console. The operation is cancelled, and results are not displayed on the console.

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models, the cmdlet generates only those results that were displayed on the console before the cancellation. Any subsequent results in the pipeline are cancelled and not displayed.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id.

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA and installed on the computer at which the cmdlet is targeted.

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$result.DiscoveryDocument

Description

In the preceding example, configuration data (in XML form) that was collected during the most recent Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type System.Xml.XmlDocument.

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the model that is represented by Model Id, and then applies a filter to show only Noncompliant results.

-------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. Note that the parent model ID must be specified to use the -SubModelId parameter.

-------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

9.1.4 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out, and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
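The exclusion workflow from Examples 1 and 2, extended so that a record of the hidden results is written before the results file is changed. This is an added example, not part of the whitepaper; it assumes an elevated session in which the MBCA cmdlets are already available, and the function name Hide-MbcaCategory and the folder C:\BpaAudit are hypothetical.

```powershell
# Added example (not from the whitepaper). Assumes an elevated PowerShell session
# with the MBCA cmdlets loaded. Hide-MbcaCategory and C:\BpaAudit are hypothetical.
function Hide-MbcaCategory {
    param(
        [string]$ModelId  = 'SQL2008R2BPA',   # model ID named in the whitepaper
        [string]$Category = 'Performance',    # category used in Example 1
        [string]$AuditDir = 'C:\BpaAudit'     # hypothetical folder for the record
    )

    # Collect the results that are about to be hidden. @() turns a single result
    # (or none) into an array so that .Count is reliable.
    $toExclude = @(Get-MBCAResult -ModelId $ModelId |
        Where-Object { $_.Category -eq $Category })

    if ($toExclude.Count -eq 0) {
        Write-Warning "No '$Category' results found for model $ModelId; nothing excluded."
        return
    }

    # Write the record first: per the NOTES, once the results file has been
    # modified the command can no longer be cancelled.
    if (-not (Test-Path $AuditDir)) {
        New-Item -ItemType Directory -Path $AuditDir | Out-Null
    }
    $stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
    $auditFile = Join-Path $AuditDir "${ModelId}-${Category}-excluded-$stamp.csv"
    $toExclude | Export-Csv -Path $auditFile -NoTypeInformation

    # Same call as Example 1: exclude the filtered results.
    $toExclude | Set-MBCAResult -Exclude $true | Out-Null

    Write-Host "Excluded $($toExclude.Count) result(s); record written to $auditFile"
    return $toExclude   # returned so the same collection can be re-included later
}

# Usage: hide the Performance results and keep the returned collection.
$hidden = Hide-MbcaCategory -Category 'Performance'

# To bring the results back, pass the same collection with -Exclude $false:
# $hidden | Set-MBCAResult -Exclude $false
```

Export-Csv writes every property of each result object, so the record does not depend on any property name other than Category, which is the only one the whitepaper uses.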

9.1.5 MBCA Model Authoring

You can find further information about the configuration and usage of MBCA models in MBCA_ModelAuthoringGuide.docx.

Page 57

Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)

how would you rate this paper and why have you given it this rating For example

Are you rating it high due to having good examples excellent screen shots clear writing or

another reason

Are you rating it low due to poor examples fuzzy screen shots or unclear writing

This feedback will help us improve the quality of white papers we release

Send feedback

Page 51: SQL2008R2 BPA Whitepaper v10

Page 51

The -Context parameter lets you obtain scan results that were collected for the most recent

MBCA scan of a submodel in the context of a specific model (one that is different from the parent

model of the submodel) For example an administrator might want to display scan results for the

Backend submodel of the SQL model but only those in the context of a third model a

technology that relies upon SQL Server

The -SubModelId parameter is required by the -Context parameter

A model ID is the valid value of the -Context parameter

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-Filter ltFilterEnumgt

The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant

Noncompliant or All results Valid values are Noncompliant Compliant or All The default value

is All

The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added

Required false

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

-ModelId ltstringgt

The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan

results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel

cmdlet targeted at a computer on which MBCA models are installed

Required true

Position 2

Default value

Accept pipeline input true (By Value By Property Name)

Accept wildcard characters False

This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer

-RepositoryPath ltstringgt

The -RepositoryPath parameter is used to specify a non-default location of the results repository

The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains

results from the default result repository

Required false

Position named

Page 52

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId ltstringgt

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you

want to view scan results You can obtain valid values for the -SubModelId parameter by running

the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all

models have submodels

The -ModelId parameter is required with the -SubModelId parameter

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

ltCommonParametersgt

This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable

WarningAction WarningVariable OutBuffer and OutVariable For more information type get-

help about_commonparameters

OUTPUTS

SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR

SystemXmlXmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter verbose output can be any of the following

1 Initializing MBCA engine for getting MBCA Results

2 Attempting to get MBCA results for Model Id = 0

3 Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a

scan verbose output can be any of the following

1 Initializing MBCA engine for getting MBCA Configuration Data

2 Attempting to get MBCA collected configuration data for Model Id = 0

3 Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not

start a new scan

Cancellation behaviour

Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed

on the console The operation is cancelled and results are not displayed on the console

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models

the cmdlet generates only those results that were displayed on the console before the cancellation

Any subsequent results in the pipeline are cancelled and not displayed

Page 53

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the model that is represented by Model Id

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are

installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-

MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both

supported by MBCA and installed on the computer at which the cmdlet is targeted

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$resultDiscoveryDocument

Description

In the preceding example configuration data (in XML form) that was collected during the most recent

Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is

retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type

SystemXmlXmlDocument

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the model that is represented by Model Id and then applies a filter to show only Noncompliant

results

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the submodel that is represented by SubModelId Note that the parent model ID must be specified

to use the -SubModelId parameter

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt

-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the submodel that is represented by SubModelId The parent model ID is provided as required by

the -SubModelID parameter

The -Context parameter indicates that the administrator wants to see only those scan results that are in

the context of the model that is represented by Context Model Id for example only those results from

a SQL Server scan that specifically apply to another technology such as Web Server (IIS)

Page 54

The scan results are further narrowed to only those from a computer that is specified in the -

ComputerName parameter as Server and only those results found in the non-default results

repository that is represented by Repository Path

914 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline

Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see

SYNTAX

Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-

RepostitoryPath] ltstringgt] [ltCommonParametersgt]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline

Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see

The action specified in the cmdlet (Exclude for example) determines how the existing results of an

MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet

to return a collection of scan results

You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the

filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude

filtered scan results

You must be a member of the Administrators group on the computer on which you want to run this

cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with

elevated user rights that is Run as Administrator

PARAMETERS

-Exclude ltBooleangt

Excludes scan results from the results collection that were previously obtained by the Get-

MBCAResult command To exclude results by using the -Exclude parameter add the value $true

following the parameter as shown

-Exclude $true

To include results that have been excluded use the $false value for the -Exclude parameter

Required false

Position 2

Default value

Accept pipeline input false

Accept wildcard characters false

-RepostitoryPath ltstringgt

The -RepositoryPath parameter is used to specify a non-default location of the results repository

The valid value for this parameter is a path name If the parameter is not used the cmdlet

modifies results from the default result repository

Required false

Page 55

Position 4

Default value

Accept pipeline input false

Accept wildcard characters false

-Results ltResultgtgt

Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results

parameter is typically used to specify a filtered subset of scan results that has already been

stored in a variable the variable name is provided as the valid value for the -Results parameter

For example if you have created a variable $allPerformance to store all the Performance

category results for an MBCA scan of all models on a computer and you want to exclude those

Performance results from the complete collection of scan results you add the parameter -Results

$all Performance to a Set-MBCAResult cmdlet

For a more detailed example see the Examples section of the Help for this cmdlet

Required true

Position 3

Default value

Accept pipeline input true (ByValue)

Accept wildcard characters false

ltCommonParametersgt

This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable

WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-

help about_commonparameters

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file the operation is

cancelled and the results file is not modified If cancellation occurs after the results file has been

modified the commands actions are carried out and the command cannot be cancelled

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq

Performance | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example to the left of the first pipe character (|) uses the Get-

MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is

represented by Model Id

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those

scan results for which the category name is equal to Performance

The final section of the example following the second pipe character excludes the Performance

results that were filtered by the previous section of the example

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath

CReposPath | Where $_Category -eq Policy

Page 56

Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results

$rcPolicy

Description

The first line of the preceding example to the left of the pipe character (|) instructs the Get-

MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is

represented by Specified Model Id from the specified non-default repository path

The second section of the example after the pipe character filters the results of the Get-MBCAResult

cmdlet to return only those scan results for which the category name is equal to (note the -eq option)

Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this

variable can be used in subsequent commands to represent those results

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that

are stored in the $rcPolicy variable In this example the -Results parameter is added because the

administrator wants to exclude a specific subset of scan results for that model and has created the

variable $rcPolicy to represent that subset of results The repository root is specified in the second line

because the administrator wants to modify the results in the same non-default repository from which

the data in $rcPolicy was retrieved

915 MBCA Model Authoring

Further information about configuration and usage of MBCA models you can in the

MBCA_ModelAuthoringGuidedocx

Page 57

Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)

how would you rate this paper and why have you given it this rating For example

Are you rating it high due to having good examples excellent screen shots clear writing or

another reason

Are you rating it low due to poor examples fuzzy screen shots or unclear writing

This feedback will help us improve the quality of white papers we release

Send feedback

Page 52: SQL2008R2 BPA Whitepaper v10

Page 52

Default value

Accept pipeline input false

Accept wildcard characters false

-SubModelId ltstringgt

The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you

want to view scan results You can obtain valid values for the -SubModelId parameter by running

the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all

models have submodels

The -ModelId parameter is required with the -SubModelId parameter

Required true

Position named

Default value

Accept pipeline input false

Accept wildcard characters false

ltCommonParametersgt

This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable

WarningAction WarningVariable OutBuffer and OutVariable For more information type get-

help about_commonparameters

OUTPUTS

SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR

SystemXmlXmlDocument (if -CollectedData specified)

If you do not use the -CollectedConfiguration parameter verbose output can be any of the following

1 Initializing MBCA engine for getting MBCA Results

2 Attempting to get MBCA results for Model Id = 0

3 Completed getting MBCA results for Model Id = 0 Number of Results = 1

If you add the -CollectedConfiguration parameter to display configuration data that was used for a

scan verbose output can be any of the following

1 Initializing MBCA engine for getting MBCA Configuration Data

2 Attempting to get MBCA collected configuration data for Model Id = 0

3 Completed getting MBCA collected configuration data for Model Id = 0

NOTES

The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not

start a new scan

Cancellation behaviour

Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed

on the console The operation is cancelled and results are not displayed on the console

Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models

the cmdlet generates only those results that were displayed on the console before the cancellation

Any subsequent results in the pipeline are cancelled and not displayed

Page 53

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -Id SQL2008R2BPA

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the model that is represented by Model Id

-------------------------- EXAMPLE 2 --------------------------

Get-MBCAModel | Get-MBCAResult

In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are

installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-

MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both

supported by MBCA and installed on the computer at which the cmdlet is targeted

-------------------------- EXAMPLE 3 --------------------------

$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration

$resultDiscoveryDocument

Description

In the preceding example configuration data (in XML form) that was collected during the most recent

Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is

retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type

SystemXmlXmlDocument

-------------------------- EXAMPLE 4 --------------------------

Get-MBCAResult SQL2008R2BPA -Filter Noncompliant

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the model that is represented by Model Id and then applies a filter to show only Noncompliant

results

------------------------- EXAMPLE 5 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results

for the submodel that is represented by SubModelId Note that the parent model ID must be specified

to use the -SubModelId parameter

------------------------- EXAMPLE 6 --------------------------

Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>

Description

The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results for the submodel that is represented by SubModelId. The parent model ID is provided, as required by the -SubModelId parameter.

The -Context parameter indicates that the administrator wants to see only those scan results that are in the context of the model that is represented by Context Model Id; for example, only those results from a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).

The scan results are further narrowed to only those from a computer that is specified in the -ComputerName parameter as Server, and only those results found in the non-default results repository that is represented by Repository Path.

914 Set-MBCAResult

SYNOPSIS

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

SYNTAX

Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]

DESCRIPTION

The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline Configuration Analyzer (MBCA) scan, to show you only the scan results that you want to see.

The action specified in the cmdlet (Exclude, for example) determines how the existing results of an MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet to return a collection of scan results.

You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude filtered scan results.

You must be a member of the Administrators group on the computer on which you want to run this cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with elevated user rights, that is, Run as Administrator.

PARAMETERS

-Exclude <Boolean>

Excludes scan results from the results collection that were previously obtained by the Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true following the parameter, as shown:

-Exclude $true

To include results that have been excluded, use the $false value for the -Exclude parameter.

Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false

-RepositoryPath <string>

The -RepositoryPath parameter is used to specify a non-default location of the results repository. The valid value for this parameter is a path name. If the parameter is not used, the cmdlet modifies results from the default result repository.

Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Results <Result>>

Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results parameter is typically used to specify a filtered subset of scan results that has already been stored in a variable; the variable name is provided as the valid value for the -Results parameter.

For example, if you have created a variable $allPerformance to store all the Performance category results for an MBCA scan of all models on a computer, and you want to exclude those Performance results from the complete collection of scan results, you add the parameter -Results $allPerformance to a Set-MBCAResult cmdlet.

For a more detailed example, see the Examples section of the Help for this cmdlet.

Required? true
Position? 3
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type "get-help about_commonparameters".

NOTES

If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is cancelled and the results file is not modified. If cancellation occurs after the results file has been modified, the command's actions are carried out and the command cannot be cancelled.

-------------------------- EXAMPLE 1 --------------------------

Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true

Description

The first section of the preceding example, to the left of the first pipe character (|), uses the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is represented by Model Id.

The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those scan results for which the category name is equal to Performance.

The final section of the example, following the second pipe character, excludes the Performance results that were filtered by the previous section of the example.

-------------------------- EXAMPLE 2 --------------------------

$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath C:\ReposPath | Where { $_.Category -eq "Policy" }

Set-MBCAResult -Exclude $true -RepositoryPath C:\ReposPath -Results $rcPolicy

Description

The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is represented by Specified Model Id from the specified non-default repository path.

The second section of the example, after the pipe character, filters the results of the Get-MBCAResult cmdlet to return only those scan results for which the category name is equal to (note the -eq option) Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this variable can be used in subsequent commands to represent those results.

The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the administrator wants to exclude a specific subset of scan results for that model, and has created the variable $rcPolicy to represent that subset of results. The repository root is specified in the second line because the administrator wants to modify the results in the same non-default repository from which the data in $rcPolicy was retrieved.
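An audit-friendly wrapper around the exclusion pattern of Example 2, as an added example that is not part of the whitepaper: it checks for the elevated session that Set-MBCAResult requires, snapshots the results it is about to hide (the NOTES state that a modified results file cannot be rolled back by cancelling), and reads from and writes to the same repository. The function name, `$AuditDir` and the snapshot file name are assumptions; the MBCA cmdlets, parameters and the Category property are the ones shown in this section.

```powershell
# Added example, not from the whitepaper. Suspend-MbcaCategory, $AuditDir and the
# snapshot file name are hypothetical; the MBCA cmdlets are those documented above.
function Suspend-MbcaCategory {
    param(
        [Parameter(Mandatory = $true)][string]$ModelId,    # e.g. SQL2008R2BPA
        [Parameter(Mandatory = $true)][string]$Category,   # e.g. Policy
        [Parameter(Mandatory = $true)][string]$AuditDir,   # where the snapshot is written
        [string]$RepositoryPath                            # omit for the default repository
    )

    # Set-MBCAResult must run in an elevated session; fail early with a clear message.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Open Windows PowerShell with Run as Administrator before excluding results.'
    }

    if (-not (Test-Path -Path $AuditDir -PathType Container)) {
        throw "Audit directory '$AuditDir' does not exist."
    }

    # Use one splat for both cmdlets so results are modified in the same
    # repository they were read from (the point made in Example 2).
    $repo = @{}
    if ($RepositoryPath) { $repo['RepositoryPath'] = $RepositoryPath }

    # @() keeps the result a collection even when only one result matches.
    $selected = @(Get-MBCAResult -ModelId $ModelId @repo |
                  Where-Object { $_.Category -eq $Category })

    if ($selected.Count -eq 0) {
        Write-Warning "No '$Category' results for model '$ModelId'; nothing was excluded."
        return
    }

    # Record exactly which findings are being hidden before the results file changes.
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $snapshot = Join-Path $AuditDir "$ModelId-$Category-excluded-$stamp.xml"
    $selected | Export-Clixml -Path $snapshot

    Set-MBCAResult -Exclude $true -Results $selected @repo

    # Return the snapshot path so the caller can attach it to a change record.
    Write-Output $snapshot
}

# Usage (values from Example 2; C:\Audit is a constructed path):
# Suspend-MbcaCategory -ModelId SQL2008R2BPA -Category Policy `
#     -AuditDir C:\Audit -RepositoryPath C:\ReposPath
```

The snapshot can be reloaded with Import-Clixml to review which findings were suppressed and when.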

915 MBCA Model Authoring

Further information about configuration and usage of MBCA models can be found in MBCA_ModelAuthoringGuide.docx.

Did this paper help you? Please give us your feedback. Tell us on a scale of 1 (poor) to 5 (excellent), how would you rate this paper and why have you given it this rating? For example:

Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason?

Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?

This feedback will help us improve the quality of white papers we release.

Send feedback.
